Kubernetes fundamentals, cloud native architecture, and observability. Free practice questions sampled from our full 120-question bank, with detailed explanations for every option.
Format
multi-choice
Duration
90 min
Pass mark
75%
Study time
1–6 wks
Mocks here
2
What the KCNA exam tests
The Kubernetes and Cloud Native Associate exam is structured around 4 weighted domains. Each domain link below opens a focused practice page with sample questions from that area.
One representative question per domain, drawn from the 120-question pool. Click "Reveal answer" to see the correct option plus explanations for every distractor.
Kubernetes Fundamentals
Q1. What is the primary difference between a Secret and a ConfigMap?
Reveal answer and explanations
ASecrets are immutable; ConfigMaps are mutable
Incorrect. Both can be mutable or immutable depending on configuration.
BSecrets store sensitive data with optional encryption; ConfigMaps store non-sensitive data in plain text
Correct. Secrets are intended for sensitive data and support encryption; ConfigMaps store general configuration as plain text.
CSecrets only work with environment variables; ConfigMaps only work with volumes
Incorrect. Both support both mounting methods.
DSecrets can be updated dynamically; ConfigMaps cannot
Incorrect. Both can be updated, though updates don't auto-reload.
Container Orchestration
Q2. What is containerd?
Reveal answer and explanations
AA container image repository
Incorrect. Registries store images; containerd runs them.
BA networking plugin for containers
Incorrect. containerd doesn't handle networking.
CAn OCI-compliant container runtime that manages containers
Correct. containerd is an industry-standard OCI-compliant container runtime that manages container lifecycle.
DA Kubernetes distribution
Incorrect. containerd is a runtime, not a Kubernetes distribution.
Cloud Native Application Delivery
Q3. What pattern runs a helper container beside the main application container?
Reveal answer and explanations
AAn Ingress-only networking pattern
Incorrect. Ingress exposes HTTP traffic to Services; it is not the companion-container pattern.
BThe sidecar pattern
Correct. The sidecar pattern runs a helper container alongside the main application container for concerns such as proxying, logging, or monitoring.
CA sequential batch container pattern
Incorrect. Sidecars normally run alongside the app, not as a sequential batch step.
DA multi-runtime Pod pattern
Incorrect. The pattern is about multiple containers in one Pod, not multiple container runtimes.
Cloud Native Architecture
Q4. What is a service mesh and what does it typically manage?
Reveal answer and explanations
AA Kubernetes networking plugin that handles Pod-to-Pod communication
Incorrect. Service mesh is above the network layer; CNI handles networking.
BA tool for storing application secrets
Incorrect. Secrets are stored separately.
CA layer that manages service-to-service communication, including load balancing and security policies
Correct. Service mesh (e.g., Istio, Linkerd) manages inter-service communication, traffic policies, security, and observability.
Roughly 1–6 weeks of focused study, but it depends heavily on what you already know. Engineers with hands-on production Kubernetes (or Cilium / Argo / OTel / etc. for project-specific certs) can compress this to a week or two of mocks; people coming in cold should expect the upper end. The exam is multi-choice and recall-heavy — practice exams matter more than reading documentation cover to cover. Aim for 85%+ on full timed mocks before booking the real exam.
Why this practice library
This library was built by a Platform Engineer chasing Golden Kubestronaut who got frustrated by the lack of decent practice material for the associate-tier CNCF exams. Question banks track curriculum updates from CNCF and Linux Foundation.