2025年最新のCKAD問題集にはKubernetes Application Developer認証済み試験問題と解答
実際に出ると確認されたCKAD試験問題集と解答でCKAD無料更新
質問 # 107
You have a Node.js application that runs in a Kubernetes cluster. The application requires access to a MySQL database hosted externally on a different server. Due to security concerns, you cannot directly expose the database to the application pod. Describe how you can implement a network policy to enable secure communication between the application pod and the MySQL database.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Network Policy:
- Create a Network Policy that allows traffic only from the application pods to the MySQL database server-
- Define the podSelector' to specify the application pods that should be allowed to connect to the database.
- Use 'ingress' rules to define the allowed incoming traffic from the application pods.
- Specify the 'from' field to identify the source pods using labels or namespaces-
- Set the 'to' field to specify the target IP address or range of the MySQL database server
2. Deploy the Network Policy: - Apply the Network Policy to your Kubernetes cluster using 'kubectl apply -f mysql-access.yamr 3. Configure the Application: - Configure your Node.js application to connect to the MySQL database using the IP address or hostname of the database server. - Ensure that the Node.js application has appropriate security credentials to access the database. 4. Test the Application: - Run your application and verify that it can connect to the MySQL database successfully. Note: This example provides a basic implementation. You might need to adjust the configuration based on your specific security requirements and network setup. You can further enhance the network policy by using specific ports, protocols, and other security measures as needed.,
質問 # 108
Refer to Exhibit.
Task:
Create a Deployment named expose in the existing ckad00014 namespace running 6 replicas of a Pod.
Specify a single container using the ifccncf/nginx: 1.13.7 image Add an environment variable named NGINX_PORT with the value 8001 to the container then expose port 8001
正解:
解説:
Solution:


質問 # 109
You have a Deployment named 'wordpress-deployment' that runs a WordPress application. You want to ensure that Kubernetes automatically restarts pods if tney experience an unexpected termination, such as a container crasn. Implement the necessary configuration for your deployment.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
I). Update the Deployment YAML:
- Add the 'restartpolicy: Always to the 'spec.template_spec.containers' section of your Deployment YAML. This ensures that the pod will always be restarted if a container terminates unexpectedly.
2. Apply the Deployment - Apply the updated Deployment YAML using: bash kubectl apply -f wordpress-deployment-yaml 3. Test the Restart Policy: - Simulate a container crash within a pod (e.g., by sending a SIGKILL Signal to the container). - Observe the pod status using 'kuactl get pods -l app=wordpress' . You snould see the pod being automatically restarted, and the 'STATUS should become 'Running' again. Important Note: - The restaAPolicy: Always' is the default setting for Kubernetes deployments. By explicitly adding it to your YAML, you ensure that this behavior is documented and consistent within your deployment configuration.,
質問 # 110
You are running a web application in a Kubernetes cluster. You have a deployment named 'web- app' with two replicas. You need to implement a Network Policy that allows only traffic from pods with the label app: database' to access the 'web-app' deployment on port 8080. You also need to block all other traffic to the 'web-app' deployment.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create the Network Policy:
- Create a YAML file named 'web-app-network-policy.yamr with the following content:
2. Apply the Network Policy: - Apply the Network Policy to your cluster: bash kubectl apply -f web-app-network-policy.yaml 3. Verify the Network Policy: - Verify that the Network Policy has been applied correctly by listing the Network Policies in your namespace: bash kubectl get networkpolicies -n default # Replace with your namespace You should see the 'web-app-network-policy' listed. 4. Test the Network Policy: - From a pod with the label 'app: database' , try to access the 'web-app' deployment on port 8080. This should be successful. - From any other pod, try to access the 'web-app' deployment on port 8080. This should be blocked. - The 'podSelector' in the Network Policy specifies that it applies to pods with the label 'app: web-app'. - The 'ingress' section defines the allowed incoming traffic. In this case, it allows traffic from pods with the label 'app: database' on port 8080. - The 'egress' section defines the allowed outgoing traffic. In this case, it allows all outgoing traffic except on port 8080. This ensures that only pods with the 'app: database' label can access the 'web-ap$ deployment on port 8080. Note: - You may need to update the 'namespace' in the Network Policy YAML file to match the namespace where your 'web-app' deployment is running. - Make sure that pods with the label 'app: database' are allowed to access the 'web-app' deployment by other means, such as Service or Ingress, if needed.,
質問 # 111
Context
Anytime a team needs to run a container on Kubernetes they will need to define a pod within which to run the container.
Task
Please complete the following:
* Create a YAML formatted pod manifest
/opt/KDPD00101/podl.yml to create a pod named app1 that runs a container named app1cont using image Ifccncf/arg-output with these command line arguments: -lines 56 -F
* Create the pod with the kubect1 command using the YAML file created in the previous step
* When the pod is running display summary data about the pod in JSON format using the kubect1 command and redirect the output to a file named /opt/KDPD00101/out1.json
* All of the files you need to work with have been created, empty, for your convenience
正解:
解説:
Solution:





質問 # 112
Context
Task:
Modify the existing Deployment named broker-deployment running in namespace quetzal so that its containers.
1) Run with user ID 30000 and
2) Privilege escalation is forbidden
The broker-deployment is manifest file can be found at:
正解:
解説:
Solution:


質問 # 113
Context
Context
Your application's namespace requires a specific service account to be used.
Task
Update the app-a deployment in the production namespace to run as the restrictedservice service account. The service account has already been created.
正解:
解説:
Solution:
質問 # 114
You have a Kubernetes cluster with a deployment named 'myapp'. This deployment utilizes a service account named 'my-sas to access a private registry. You need to grant this service account access to pull images from the registry, which requires an image pull secret named 'my-secret How would you configure the service account to use this image pull secret and ensure your myapp' deployment can successfully pull images?
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Service Account:
- If you haven't already, create a service account named 'my-sa':
- Apply this YAML file using 'kubectl apply -f my-sa.yaml. 2. Create an Image Pull Secret: - Create a secret containing the necessary credentials for your private registry:
- Replace with the base64 encoded contents of your Docker configuration file. You can obtain this by using 'cat ~/.docker/config.json | base64'. - Apply the YAML file using 'kubectl apply -f my-secret.yaml' 3. Associate the Secret with the Service Account: - Add the 'my-secret' secret to tne 'my-sa' service account:
- Apply this YAML file using ' kubectl apply -f my-sa_yamr 4. Update Deployment with Service Account - Update the deployment configuration for 'myapp' to use the 'my-sa' service account.
- Ensure that 'your-private-registry', 'your-image', and 'your-tag' match the details of your private registry image. - Apply the updated deployment configuration using 'kubectl apply -f myapp.yamr 5. Verify Deployment: - Check the status of the deployment using ' kubectl get deployments myapp'. You should see the pods successfully pulling images from your private registry Important Notes: - Security Best Practices: Always use dedicated service accounts with minimal permissions. - Image Pull Secret: The 'my-secret' secret should be securely stored and managed. - Namespace: Ensure that both the service account and secret are in the same namespace as your deployment. - Registry Authentication: Ensure your private registry is configured with proper authentication for your service account credentials.,
質問 # 115
You're working on a Kubernetes application that involves retrieving data from a database. You have a Deployment With multiple pods, each accessing the database directly. To improve the application's performance and reliability, you want to implement an adapter pattern that introduces a service layer to handle database interactions. This layer should be responsible for connection pooling, caching, and error handling, making the application more resilient to database outages.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Service Account:
- Create a service account for the application. This will be used by the service layer to access the database.
- Apply the service account to the cluster: 'kubectl apply -f db-setvice-account.yamr 2. Create a Role and Role8inding: - Create a role that grants tne necessary permissions to access the database.
- Create a role binding that associates the role with the service account
- Apply the role and role binding to the cluster: - 'kubectl apply -f db-access-role.yaml' - 'kubectl apply -f db-access-binding.yaml 3. Create the Service Layer Deployment: - Deploy the service layer component. This can be a containerized application that handles database interactions.
- Apply the deployment: 'kubectl apply -f db.-service-yaml 4. Create a Secret for Database Credentials: - Create a secret to store sensitive database credentials.
- Apply the secret 'kubectl apply -f db-credentials.yaml' 5. Create a Service for the Service Layer: - Create a service to expose the service layer to the application pods.
- Apply the service: 'kuoectl apply -f db-seMce.yaml' 6. Llpdate the Application Deployment: - Update the Deployment for your main application to use the service layer.
T Test and Verify' - Verify the changes: - Check the logs for both the service layer and the application. - Test your application's functionality. Note: - Ensure to replace placeholders like ''. ''. ''. ''. ''. ''. and with your actual values. - This is a basic example, and you may need to adjust the configuration based on your specific service layer and database implementation. ,
質問 # 116
You have a Kubernetes cluster With several deployments using secrets for sensitive information. You need to implement a mechanism to ensure that these secrets are rotated regularly to enhance security. Explain how you can achieve this using Kubernetes native features, and provide a detailed example demonstrating the process of secret rotation for a deployment called "myapp" which utilizes a secret named "myapp-secret".
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a Secret Rotation Job:
- Define a CronJob:
- This job will be scheduled to run periodically to trigger the secret rotation process.
- In the CronJob definition, specify the desired schedule (e.g., daily, weekly, monthly) using a cron expression.
2. Update Deployment to Use New Secret: - Modify the Deployment Configuration: - Update the Deployment YAML tile of "myapp" to utilize the newly generated secret. - Replace the old secret name with the new secret name.
3. Apply the Changes: - Run the Update Commands: - Apply the CronJ0b definition using kubectl apply -f myapp-secret-rotator.yamr - Apply the updated Deployment configuration using 'kubectl apply -f myapp-deployment.yamr. 4. Verification: - Monitor tne CronJob and Deployment: - Use ' kubectl get cronjobs myapp-secret-rotator' to confirm the CronJob is running and triggering the rotation. - Monitor the 'myapp' Deployment to ensure the pods are utilizing the newly generated secret using 'kubectl get pods -l app=myapp' - Observe the output of the Deployment to verifry the rotation is successful. Key Points: - Secret Rotation Logic: The CronJob runs a script that deletes the old secret ( ' myapp-secret) and creates a new secret with updated credentials. - Deployment Update: The Deployment is updated to use tne new secret, ensuring tne application uses the latest credentials. - Automated Process: This approach automates the secret rotation process, eliminating manual intervention and enhancing security. This example demonstrates how to implement automated secret rotation for deployments using Kubernetes. You can modify the script in the CronJob and the deployment configuration to suit your specific environment and credential management needs. ,
質問 # 117 
Task
You have rolled out a new pod to your infrastructure and now you need to allow it to communicate with the web and storage pods but nothing else. Given the running pod kdsn00201 -newpod edit it to use a network policy that will allow it to send and receive traffic only to and from the web and storage pods.

正解:
解説:
See the solution below.
Explanation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: internal-policy
namespace: default
spec:
podSelector:
matchLabels:
name: internal
policyTypes:
- Egress
- Ingress
ingress:
- {}
egress:
- to:
- podSelector:
matchLabels:
name: mysql
ports:
- protocol: TCP
port: 3306
- to:
- podSelector:
matchLabels:
name: payroll
ports:
- protocol: TCP
port: 8080
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
質問 # 118
You have a Deployment named that runs 3 replicas of a Wordpress container. You need to implement a rolling update strategy that allows for a maximum or two pods to be unavailable at any given time during the update process. Additionally, you want to ensure that the update process is triggered automatically whenever a new image is pushed to the Docker Hub repository 'wordpress/wordpress:latest'.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. IJPdate the Deployment YAMLI
- Update the 'replicas to 2.
- Define 'maxunavailable: 2 and 'maxSurge: O' in the 'strategy.rollingupdate' section to control the rolling update process.
- Configure a 'strategy-type' to 'RollinglJpdate' to trigger a rolling update when the deployment is updated.
- Add a 'spec-template-spec-imagePullPolicy: Always" to ensure that the new image is pulled even if it exists in the pod's local cache.
2. Create the Deployment - Apply the updated YAML file using 'kubectl apply -f wordpress-deploymentyamr 3. Verify the Deployment: - Check the status of the deployment using 'kubectl get deployments wordpress-deployment to confirm the rollout and updated replica count. 4. Trigger the Automatic Update: - Push a new image to the 'wordpress/wordpress:latest' Docker Hub repository. 5. Monitor the Deployment: - Use 'kubectl get pods -l app=wordpress' to monitor the pod updates during the rolling update process. You will observe that two pods are terminated at a time, while two new pods with the updated image are created. 6. Check for Successful Update: - Once the deployment is complete, use 'kubectl describe deployment wordpress-deployment' to see that the 'updatedReplicas' field matches the 'replicas' field, indicating a successful update.
質問 # 119 
Context
A container within the poller pod is hard-coded to connect the nginxsvc service on port 90 . As this port changes to 5050 an additional container needs to be added to the poller pod which adapts the container to connect to this new port. This should be realized as an ambassador container within the pod.
Task
* Update the nginxsvc service to serve on port 5050.
* Add an HAproxy container named haproxy bound to port 90 to the poller pod and deploy the enhanced pod.
Use the image haproxy and inject the configuration located at /opt/KDMC00101/haproxy.cfg, with a ConfigMap named haproxy-config, mounted into the container so that haproxy.cfg is available at
/usr/local/etc/haproxy/haproxy.cfg. Ensure that you update the args of the poller container to connect to localhost instead of nginxsvc so that the connection is correctly proxied to the new service endpoint. You must not modify the port of the endpoint in poller's args . The spec file used to create the initial poller pod is available in /opt/KDMC00101/poller.yaml See the solution below.
正解:
解説:
Explanation
Solution:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-nginx
spec:
selector:
matchLabels:
run: my-nginx
replicas: 2
template:
metadata:
labels:
run: my-nginx
spec:
containers:
- name: my-nginx
image: nginx
ports:
- containerPort: 90
This makes it accessible from any node in your cluster. Check the nodes the Pod is running on:
kubectl apply -f ./run-my-nginx.yaml
kubectl get pods -l run=my-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE
my-nginx-3800858182-jr4a2 1/1 Running 0 13s 10.244.3.4 kubernetes-minion-905m my-nginx-3800858182-kna2y 1/1 Running 0 13s 10.244.2.5 kubernetes-minion-ljyd Check your pods' IPs:
kubectl get pods -l run=my-nginx -o yaml | grep podIP
podIP: 10.244.3.4
podIP: 10.244.2.5
質問 # 120
Refer to Exhibit.
Task:
A pod within the Deployment named buffale-deployment and in namespace gorilla is logging errors.
1) Look at the logs identify errors messages.
Find errors, including User "system:serviceaccount:gorilla:default" cannot list resource "deployment" [...] in the namespace "gorilla"
2) Update the Deployment buffalo-deployment to resolve the errors in the logs of the Pod.
The buffalo-deployment 'S manifest can be found at -/prompt/escargot/buffalo-deployment.yaml
正解:
解説:
Solution:








質問 # 121
You have a Kubernetes deployment named 'my-app' that runs an application with a specific configuration defined in a ConfigMap named 'my-config'. You need to implement a strategy to automatically update tne deployment wnen tne ConfigMap is changed.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a 'ConfigMap' named 'my-configs with the following contents:
2. Create a 'Deployment' named 'my-app' that mounts the 'my-config' ConfigMap as a volume:
3. Apply the ConfigMap and Deployment bash kubectl apply -f configmap.yaml kubectl apply -f deployment.yaml 4. Update the ConfigMap with new values:
5. Apply the updated ConfigMap: bash kubectl apply -f configmap.yaml - The 'kustomization.yamr file defines the resources (the 'deployment_yamr file) and the patches to apply. - The 'deployment_yamr file contains the base configuration for the deployment. - The patch.yamr tile applies a strategic merge patch to the deployment, configuring rolling updates and automatic updates triggered by new images. - The 'maxSurge' and 'maxunavailable' settings in the 'patch_yaml' define the maximum number of pods that can be added or removed during the update process. - The 'imagePullPolicy: Always' ensures that the new image is pulled from Docker Hub even if it exists in the pod's local cache, triggering the update.
質問 # 122
You have a Deployment running a container image for a web application. The application's configuration files are currently stored within the image itself. you want to move the configuration files to a ConfigMap so that they can be updated independently or the application image. Describe the steps involved in modifying the Deployment and creating a ConfigMap to achieve this separation.
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
1. Create a ConfigMap:
- Create a ConfigMap using 'kubectl create configmap' with the configuration files. For example:
kubectl create configmap webapp-config -from-literal=config.json='{"port": 8080, "database_url": "mongodb://localhost27017"}'
- Replace 'config_json' with the name of your configuration file and the JSON content with your actual configuration values.
2. Modify the Deployment:
- Modify your Deployment YAML file to mount the ConfigMap as a volume. Here's an example:
- Modify your application code to read configuration files from '/etctwebapp/config' 3. Apply the Changes: - Apply the updated Deployment using 'kubectl apply -f deployment_yamr 4. Verify the Update: - Check the logs of the pods using 'kubectl logs -f You should see the application loading configuration values from the ConfigMap. 5. Update the Configuration: - You can now update the configuration files within the ConfigMap without rebuilding the image. For example.
- This will update the ConfigMap and trigger a rolling update of the Deployment, effectively updating the application configuration without rebuilding the image.
質問 # 123
You have a Deployment named 'web-app-deployments that runs a web application in a containerized environment. The application is designed for high availability and scalability, but you need to ensure that no more than two pods are ever terminated simultaneously during a rolling update process. This is to minimize the impact on service availability during the update. How would you implement this rolling update strategy using Deployment resources?
正解:
解説:
See the solution below with Step by Step Explanation.
Explanation:
Solution (Step by Step) :
I). Update the Deployment YAML:
- Modify the 'strategy.roIIinglJpdate' section of the Deployment YAML to configure the rolling update behavior.
- Set 'maxunavailable: 1 ' to allow only one pod to be unavailable at a time during the update.
- Set 'maxSurge: 1 ' to permit only one additional pod to be created beyond the desired replica count during the update.
2. Apply the Updated Deployment: - Use ' kubectl apply -f web-app-deployment-yamr to update the Deployment. 3. Monitor the Rolling Update: - Observe the pod updates using 'kubectl get pods -I app=web-app' - You will see that during the rolling update, only one pod is terminated, while one new pod is created, ensuring that no more than two pods are ever terminated at the same time. 4. Verify the Update: - Once the rolling update is complete, check the 'updatedReplicaS field in the Deployment description Ckubectl describe deployment web-app- deployment) to verify that it matches the 'replicas' field.
質問 # 124
Context
Context
As a Kubernetes application developer you will often find yourself needing to update a running application.
Task
Please complete the following:
* Update the app deployment in the kdpd00202 namespace with a maxSurge of 5% and a maxUnavailable of 2%
* Perform a rolling update of the web1 deployment, changing the Ifccncf/ngmx image version to 1.13
* Roll back the app deployment to the previous version
正解:
解説:
Solution:



質問 # 125
Exhibit:
Context
Your application's namespace requires a specific service account to be used.
Task
Update the app-a deployment in the production namespace to run as the restrictedservice service account. The service account has already been created.
- A. Solution:

- B. Solution:

正解:B
質問 # 126
......
実際問題を使ってCKAD問題集で100%無料CKAD試験問題集:https://jp.fast2test.com/CKAD-premium-file.html
CKAD試験問題集、テストエンジン練習テスト問題:https://drive.google.com/open?id=1YHGdZkd7WuWAlMl6oRk5eRZxcJ0_vo_K