Free Kubernetes and Cloud Native Associate practice questions with full explanations on every option. Kubernetes fundamentals, cloud native architecture, and observability.
Q1. What is the primary difference between a Secret and a ConfigMap?
A. Secrets are immutable; ConfigMaps are mutable
Incorrect. Both can be mutable or immutable depending on configuration.
B. Secrets store sensitive data; ConfigMaps store non-sensitive config
Correct. Secrets are intended for sensitive data; by default they are only base64-encoded (not encrypted) in etcd, with encryption-at-rest available when an EncryptionConfiguration is set on the API server, while ConfigMaps hold general non-sensitive configuration, so the distinction is the intended sensitivity of the data rather than any inherent encryption.
C. Secrets only work with environment variables; ConfigMaps only work with volumes
Incorrect. Both Secret and ConfigMap objects can be projected into a Pod either via `env` / `envFrom` references or via `volumeMounts` of a Secret/ConfigMap volume; the consumption surface is identical and not what distinguishes them.
D. Secrets can be updated dynamically; ConfigMaps cannot
Incorrect. Both can be updated, though updates don't auto-reload.
Container Orchestration
Q2. What is containerd?
A. A container image repository
Incorrect. Registries store images; containerd runs them.
B. A networking plugin for containers that implements the CNI specification
Incorrect. containerd doesn't handle networking.
C. An OCI-compliant container runtime that manages containers
Correct. containerd is an industry-standard OCI-compliant container runtime that manages container lifecycle.
D. A Kubernetes distribution
Incorrect. containerd is a runtime, not a Kubernetes distribution.
Cloud Native Application Delivery
Q3. A team has already structured their Kubernetes manifests as a Kustomize base with per-environment overlays. A new requirement is to also publish the same workload to internal consumers as a Helm chart. Which approach is the most idiomatic way to support both?
A. Discard the Kustomize base entirely and rewrite the manifests as a Helm chart, because the two tools cannot coexist on the same workload
Incorrect. Helm and Kustomize routinely coexist; rewriting one as the other is not necessary to support both delivery formats.
B. Use a Helm post-renderer that runs Kustomize over Helm's output, keeping the Kustomize overlays while still distributing a chart to internal consumers
Correct. The `--post-renderer` flag is the documented way to layer Kustomize patches on top of Helm-rendered output without duplicating the manifests.
C. Inline the Kustomize overlays as `{{ if }}` blocks inside the Helm templates so the chart does both the templating and the patching at install time
Incorrect. Mixing Kustomize overlay logic into Helm `{{ if }}` blocks recreates the templating sprawl Kustomize was designed to avoid.
D. Run Kustomize inside an init container in every Pod so each Pod re-applies its own overlay on startup
Incorrect. Per-Pod overlay application via an init container is not an idiomatic Kustomize pattern and conflicts with declarative delivery.
Cloud Native Architecture
Q4. What is a service mesh and what does it typically manage?
A. A Kubernetes networking plugin that handles Pod-to-Pod communication
Incorrect. Service mesh is above the network layer; CNI handles networking.
B. A tool for storing application secrets
Incorrect. Application secrets are stored in Kubernetes `Secret` objects or external secret managers (HashiCorp Vault, AWS/GCP/Azure secret services); a service mesh consumes secrets for mTLS but is not itself a secret store.
C. Layer managing inter-service traffic, retries, and security
Correct. Service mesh (e.g., Istio, Linkerd) manages inter-service communication, traffic policies, security, and observability.
D. A method for managing DNS across clusters
Incorrect. DNS resolution in Kubernetes is provided by CoreDNS and the Service abstraction; a service mesh layers L7 routing, observability, and mTLS on top of that DNS plane rather than replacing it.
90 minutes, multi-choice format. See the official CNCF page for the current question count.
How difficult is the KCNA exam?
Rated beginner. Plan 1–6 weeks depending on your background.
How much does the KCNA exam cost?
Pricing changes periodically — check the official CNCF KCNA page at https://www.cncf.io/training/certification/kcna/.
Are these KCNA mock exams free?
The first KCNA mock exam is free with an account — no card required. The rest of the library is paid.
How is this mock exam different from the real KCNA exam?
Original questions written against the official CNCF curriculum — not scraped dumps. Format mirrors the real exam; the real one is proctored, these are self-paced.
What is the best way to study for KCNA?
Work through the official curriculum in order of domain weight (heaviest first), then run full timed mocks until you hit 85%+ consistently.