Why is ITExamsLab the best choice for certification exam preparation?
ITExamsLab is dedicated to providing Linux-Foundation CKAD practice test questions with answers, free of charge, unlike other web-based interfaces. To see the whole review material you really want to pursue a free record on itexamslab A great deal of clients all around the world are getting high grades by utilizing our CKAD dumps. You can get 100 percent passing and unconditional promise on CKAD test. PDF files are accessible immediately after purchase.
A Central Tool to Help You Prepare for Linux-Foundation CKAD Exam
itexamslab.com is the last educational cost reason for taking the Linux-Foundation CKAD test. We meticulously adhere to the exact audit test questions and answers, which are regularly updated and verified by experts. Our Linux-Foundation CKAD exam dumps experts, who come from a variety of well-known administrations, are intelligent and qualified individuals who have looked over a very important section of Linux-Foundation CKAD exam question and answer to help you understand the concept and pass the certification exam with good marks. Linux-Foundation CKAD braindumps is the most effective way to set up your test in only 1 day.
User Friendly & Easily Accessible on Mobile Devices
Easy to Use and Accessible from Mobile Devices.There is a platform for the Linux-Foundation CKAD exam that is very easy to use. The fundamental point of our foundation is to give most recent, exact, refreshed and truly supportive review material. Students can use this material to study and successfully navigate the implementation and support of Linux-Foundation systems. Students can access authentic test questions and answers, which will be available for download in PDF format immediately after purchase. As long as your mobile device has an internet connection, you can study on this website, which is mobile-friendly for testers.
Linux-Foundation CKAD Dumps Are Verified by Industry Experts
Get Access to the Most Recent and Accurate Linux-Foundation CKAD Questions and Answers Right Away:
Our exam database is frequently updated throughout the year to include the most recent Linux-Foundation CKAD exam questions and answers. Each test page will contain date at the highest point of the page including the refreshed rundown of test questions and replies. You will pass the test on your first attempt due to the authenticity of the current exam questions.
Dumps for the Linux-Foundation's CKAD exam have been checked by industry professionals who are dedicated for providing the right Linux-Foundation CKAD test questions and answers with brief descriptions. Each Questions & Answers is checked through Linux-Foundation experts. Highly qualified individuals with extensive professional experience in the vendor examination.
Itexamslab.com delivers the best Linux-Foundation CKAD exam questions with detailed explanations in contrast with a number of other exam web portals.
Money Back Guarantee
itexamslab.com is committed to give quality Linux-Foundation CKAD braindumps that will help you breezing through the test and getting affirmation. In order to provide you with the best method of preparation for the Linux-Foundation CKAD exam, we provide the most recent and realistic test questions from current examinations. If you purchase the entire PDF file but failed the vendor exam, you can get your money back or get your exam replaced. Visit our guarantee page for more information on our straightforward money-back guarantee.
Linux-Foundation CKAD Sample Questions
Question # 1
Context
You are asked to deploy an application developed for an older version of Kubernetes on a
cluster running a recent version of Kubernetes .
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00026 Task
Fix any API -deprecation issues in the manitest file
/home/candidate/credible-mite/web.yaml
so that the application can be deployed on cluster ckad00026.
The application was developed for Kubernetes v1.15.
The cluster ckad00026 runs Kubernetes 1.29+.
Deploy the application specified in the updated manifest file
/home/candidate/credible-mite/web.yaml in namespace garfish .
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00026
Your job is to edit /home/candidate/credible-mite/web.yaml so it uses APIs supported on
Kubernetes 1.29+, then deploy it into namespace garfish.
Because I can’t see your file from here, the most reliable exam approach is:
run a server-side dry-run to reveal the exact deprecated/removed APIs and
schema errors
edit the manifest to the modern API versions/fields
re-run dry-run until it passes
apply for real and verify rollout
1) Go to the manifest and run a server-side dry-run
cd /home/candidate/credible-mite
ls -l
sed -n '1,200p' web.yaml
Make sure the namespace exists:
kubectl get ns garfish || kubectl create ns garfish
Now run a server-side dry-run (this catches removed APIs on the cluster):
kubectl -n garfish get ingress 2>/dev/null || true
If there is a Deployment, verify rollout:
kubectl -n garfish get deploy
kubectl -n garfish rollout status deploy --all
Check pods/events if something fails:
kubectl -n garfish get pods -o wide
kubectl -n garfish describe pod <pod-name>
kubectl -n garfish get events --sort-by=.lastTimestamp | tail -n 30
Question # 2
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00029
Task
Modify the existing Deployment named store-deployment, running in namespace
grubworm, so that its containers
run with user ID 10000 and
have the NET_BIND_SERVICE capability added
The store-deployment 's manifest file Click to copy
/home/candidate/daring-moccasin/store-deplovment.vaml
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00029
You must modify the existing Deployment store-deployment in namespace grubworm so
that its containers:
run as user ID 10000
have Linux capability NET_BIND_SERVICE added
And you’re told to use the manifest file at:
/home/candidate/daring-moccasin/store-deplovment.vaml (note: the filename looks
misspelled; follow it exactly on the host)
1) Inspect the current Deployment and locate the manifest file
kubectl -n grubworm get deploy store-deployment
ls -l /home/candidate/daring-moccasin/
Open the manifest:
sed -n '1,200p' "/home/candidate/daring-moccasin/store-deplovment.vaml"
2) Edit the manifest to add SecurityContext
Edit the file:
vi "/home/candidate/daring-moccasin/store-deplovment.vaml"
2.1 Set Pod-level runAsUser = 10000
Under:
spec.template.spec add:
securityContext:
runAsUser: 10000
2.2 Add NET_BIND_SERVICE capability at container-level
Under the container spec (for each container in containers:), add:
securityContext:
capabilities:
add: ["NET_BIND_SERVICE"]
A complete example of what it should look like (mind indentation):
apiVersion: apps/v1
kind: Deployment
metadata:
name: store-deployment
namespace: grubworm
spec:
template:
spec:
securityContext:
runAsUser: 10000
containers:
- name: store
image: someimage
securityContext:
capabilities:
add: ["NET_BIND_SERVICE"]
Important notes:
runAsUser can be set at Pod level (applies to all containers) or per-container. Podlevel is cleanest if all containers should run as 10000.
Capabilities must be set per-container (that’s where Kubernetes supports it).
kubectl -n grubworm describe pod <pod-name> | sed -n '/Security Context:/,/Containers:/p'
kubectl -n grubworm describe pod <pod-name> | sed -n '/Containers:/,/Conditions:/p'
If there are multiple containers
Repeat the container-level securityContext.capabilities.add block for each container under
spec.template.spec.containers.
Question # 3
Context
An existing web application must be exposed externally.
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00025
An application externally using the URL external.sterling-bengal.local . Any requests
starting with / must be routed to the application web-app.
To test the web application's external reachability, run
[candidate@ckad00025] $ curl http://external.sterling-bengal.local/ or open this URL in the remote desktop's browser.
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00025
You need to expose the existing app “web-app” externally at:
Host: external.sterling-bengal.local
Path: / (and anything starting with /) route to web-app
In CKAD labs, this is almost always done with an Ingress pointing to the Service web-app.
1) Find where web-app Service lives (namespace + port)
kubectl get svc -A | grep -w web-app
You’ll get something like:
<NAMESPACE> web-app ClusterIP ... <PORT>/TCP
Set the namespace:
NS=<NAMESPACE>
Check the service port(s):
kubectl -n $NS get svc web-app -o yaml
Note the service port number (commonly 80).
Also verify it has endpoints (so it actually routes to pods):
kubectl -n $NS get endpoints web-app -o wide
If endpoints are empty, the Service selector doesn’t match pods — tell me and I’ll give the
exact fix. But usually it’s fine.
2) Create the Ingress to route / to web-app
Create a manifest (use the service port you saw; I’ll assume 80 below):
cat <<'EOF' > web-app-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-app-ingress
spec:
rules:
- host: external.sterling-bengal.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-app
port:
number: 80
EOF
Apply it:
kubectl -n $NS apply -f web-app-ingress.yaml
Verify:
kubectl -n $NS get ingress web-app-ingress
kubectl -n $NS describe ingress web-app-ingress
If your Service port is not 80, change number: 80 to the correct value and re-apply.
kubectl -n $NS get ingress web-app-ingress -o wide
C) Do we have endpoints?
kubectl -n $NS get endpoints web-app -o wide
Question # 4
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00044
Task:
Update the existing Deployment busybox running in the namespace rapid-goat .
First, change the container name to musl.
Next, change the container image to busybox:musl .
Finally, ensure that the changes to the busybox Deployment, running in the
namespace rapid-goat, are rolled out.
Answer: See the Explanation below for complete solution.
Explanation:
0) SSH to the correct host
ssh ckad00044
(Optional sanity)
kubectl config current-context
kubectl get ns | grep rapid-goat
1) Inspect the Deployment and current container name
If you don’t have that label selector, just pick a pod name from kubectl get pods and:
kubectl -n rapid-goat describe pod <pod-name> | sed -n '/Containers:/,/Conditions:/p'
Question # 5
Context
You are asked to allow a Pod to communicate with two other Pods but nothing else.
You must connect to the correct host . Failure to do so may result
in a zero score.
! [candidate@base] $ ssh ckad000
18
charming-macaw namespace to use a NetworkPolicy allowing the Pod to send and receive
traffic only to and from the Pods front and db.
All required NetworkPolicies have already been created.
You must not create, modify or delete any NetworkPolicy while working on this task. You
may only use existing NetworkPolicies .
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00018
You cannot create/modify/delete any NetworkPolicy.
So the only way to make the existing policies “take effect” is to ensure the right Pods have
the labels/selectors those policies expect.
The task: in namespace charming-macaw, configure things so the target Pod can send +
receive traffic ONLY to/from Pods front and db.
1) Inspect what NetworkPolicies already exist (don’t change them)
kubectl -n charming-macaw get netpol
kubectl -n charming-macaw get netpol -o wide
Dump them to see the selectors they use:
kubectl -n charming-macaw get netpol -o yaml
You are looking for policies that:
select the restricted pod via spec.podSelector
and allow ingress/egress only with selectors that match front and db
often there’s also a “default deny” policy.
2) Identify the Pods and their current labels
kubectl -n charming-macaw get pods -o wide
kubectl -n charming-macaw get pods --show-labels
Specifically inspect labels for front and db:
kubectl -n charming-macaw get pod front --show-labels
kubectl -n charming-macaw get pod db --show-labels
(If they’re Deployments instead of single Pods, do:)
kubectl -n charming-macaw get deploy --show-labels
kubectl -n charming-macaw get pods -l app=front --show-labels
kubectl -n charming-macaw get pods -l app=db --show-labels
3) Figure out which pod is “the Pod” to restrict
Usually there’s a third pod (e.g., backend, api, app) besides front and db.
List pods again and identify the “other” one:
kubectl -n charming-macaw get pods
Let’s assume the pod to restrict is called app (replace as needed):
TARGET=<pod-to-restrict>
4) Match the existing NetworkPolicy selectors by labeling pods (allowed)
Because you can’t edit NetworkPolicies, you must make labels on Pods (or their
controllers) match the policies’ selectors.
4.1 Determine the label required on the TARGET pod
From the YAML, find the policy that selects the restricted pod, e.g.:
spec:
podSelector:
matchLabels:
role: restricted
Extract podSelector from each policy quickly:
kubectl -n charming-macaw get netpol -o jsonpath='{range .items[*]}{.metadata.name}{" =>
"}{.spec.podSelector}{"\n"}{end}'
Pick the selector that is meant for the restricted pod, then apply it to the TARGET pod
(example: role=restricted):
kubectl -n charming-macaw label pod $TARGET role=restricted --overwrite
Best practice (if the pod is managed by a Deployment): label the Deployment template
instead, so it persists.
Find the owner:
kubectl -n charming-macaw get pod $TARGET -o
jsonpath='{.metadata.ownerReferences[0].kind}{"
"}{.metadata.ownerReferences[0].name}{"\n"}'
If it’s a ReplicaSet, find its Deployment:
RS=$(kubectl -n charming-macaw get pod $TARGET -o
jsonpath='{.metadata.ownerReferences[0].name}')
kubectl -n charming-macaw get rs $RS -o jsonpath='{.metadata.ownerReferences[0].kind}{"
Also test inbound (from front to target, and from db to target) if the target listens on a port;
otherwise inbound testing may be limited.
What you’re doing conceptually
Existing NetPols are already correct.
Your job is to make pod labels match the NetPol selectors so:
Question # 6
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00021
Task
Create a Cronjob named grep that executes a Pod running the following single container:
name: busybox
image: busybox:stable
command: ["grep", "-i", "nameserv
er", "/etc/resolv.conf"] Configure the CronJob to:
execute Once every 30 minutes
keep 96 completed Job
keep 192 failed Job
never restart podsterminate pods after 8 seconds
Manually create and execute once job
named grep-test from the grep Cronjob
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00021
Below is the clean, CKAD-friendly way (YAML + apply + verify + manual job).
2) Manually create and execute the one-off Job grep-test from the CronJob
Create the Job from the CronJob:
kubectl create job --from=cronjob/grep grep-test
Watch it:
kubectl get jobs grep-test
kubectl get pods -l job-name=grep-test
Get logs (most important proof):
POD=$(kubectl get pods -l job-name=grep-test -o jsonpath='{.items[0].metadata.name}')
kubectl logs "$POD"
You should see one or more nameserver ... lines from /etc/resolv.conf.
Question # 7
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00033
Task
A Dockerfile has been prepared at /home/candidate/build/Dockerfile.
Using the prepared Dockerfile, build a container image with the name macaque and tag
1.2. You may install and use the tool of your choice.
Multiple image builders and tools have been pre-installed in the base system,
including: docker, skopeo, buildah, img , and podman.
Please do not push the built image to a registry, run a container, or otherwise consume it.
Using the tool of your choice, export the built container image in OCI or Docker image
format and store it at /home/candidate/macaque-1.2.tar.
Answer: See the Explanation below for complete solution.
Explanation:
Understood — I’ll redo Question 13 without using any (or similar) icons.
ssh ckad00033
This task is only about building and exporting a container image.
You must not push it, run it, or consume it in any way.
You may use any image builder. Below are clean, correct solutions. Use one of them.
Option A: Using Docker
1) Go to the Dockerfile location
cd /home/candidate/build
ls -l Dockerfile
2) Build the image
Image name: macaque
Tag: 1.2
docker build -t macaque:1.2 .
Verify:
docker images | grep macaque
3) Export the image to a tar file
Docker image format is acceptable.
docker save macaque:1.2 -o /home/candidate/macaque-1.2.tar
Verify the file exists:
ls -lh /home/candidate/macaque-1.2.tar
Do not load or run the image.
Option B: Using Podman (rootless alternative)
1) Build the image
cd /home/candidate/build
podman build -t macaque:1.2 .
Verify:
podman images | grep macaque
2) Export the image
podman save macaque:1.2 -o /home/candidate/macaque-1.2.tar
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00027
Task
A Deployment named app-deployment in namespace prod runs a web application port
0001 A Deployment named app-deployment in namespace prod runs a web application
on port 8081.
The Deployment 's manifest files can be found at
/home/candidate/spicy-pikachu/app-deployment.yaml
Modify the Deployment specifying a readiness probe using path /healthz .
Set initialDelaySeconds to 6 and periodSeconds to 3.
Answer: See the Explanation below for complete solution.
Explanation:
Do this on ckad00027 and edit the given manifest file (that’s what the task expects).
0) Connect to correct host
ssh ckad00027
1) Open the manifest and identify the container + port
cd /home/candidate/spicy-pikachu
ls -l
sed -n '1,200p' app-deployment.yaml
Confirm the container port is 8081 in the YAML (usually under ports:).
2) Edit the YAML to add a readinessProbe
Edit the file:
vi app-deployment.yaml
Inside the Deployment, locate:
spec:
template:
spec:
containers:
- name: ...
image: ...
Add this under the container (same indentation level as image, ports, etc.):
readinessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 6
periodSeconds: 3
Notes:
Use port: 8081 (because the app runs on 8081).
Ensure indentation is correct (2 spaces per level commonly).
kubectl -n prod describe pod <pod-name> | sed -n '/Readiness:/,/Conditions:/p'
That completes the task: readiness probe on /healthz, initialDelaySeconds: 6,
periodSeconds: 3.
Question # 9
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00032
The Pod for the Deployment named nosql in the haddock namespace fails to start because
its Container runs out of resources.
Update the nosql Deployment so that the Container :
requests 128Mi of memory
limits the memory to half the maximum memory constraint set for the haddock
namespace
Answer: See the Explanation below for complete solution.
Explanation:
Goal: fix nosql Deployment in haddock so the container stops OOM’ing by setting:
memory request = 128Mi
? memory limit = half of the namespace’s maximum memory constraint
You must do this on the correct host.
0) Connect to the correct host
ssh ckad00032
1) Confirm the failing Deployment / Pods
kubectl -n haddock get deploy nosql
kubectl -n haddock get pods -l app=nosql 2>/dev/null || kubectl -n haddock get pods
If pods are crashing, check why (you’ll likely see OOMKilled):
kubectl -n haddock describe pod <pod-name>
2) Find the maximum memory constraint set for the haddock namespace
In CKAD labs, this is commonly enforced by a LimitRange (max memory per container).
Sometimes it can also be a ResourceQuota.
2A) Check LimitRange (most likely)
kubectl -n haddock get limitrange
kubectl -n haddock get limitrange -o yaml
Extract the max memory value quickly:
MAX_MEM=$(kubectl -n haddock get limitrange -o
jsonpath='{.items[0].spec.limits[0].max.memory}')
echo "Namespace max memory constraint: $MAX_MEM"
2B) If no LimitRange exists, check ResourceQuota
kubectl -n haddock get resourcequota
kubectl -n haddock describe resourcequota
If quota is used, you’re looking for something like limits.memory (but the question wording
“maximum memory constraint” usually points to LimitRange max.memory).
3) Compute “half of the max memory constraint”
Run this small snippet to compute HALF in Mi (handles Mi and Gi):
HALF_MEM=$(python3 - <<'PY'
import os, re
q = os.environ.get("MAX_MEM","").strip()
m = re.fullmatch(r"(\d+)(Mi|Gi)", q)
if not m:
raise SystemExit(f"Cannot parse MAX_MEM='{q}'. Expected like 512Mi or 1Gi.")
val = int(m.group(1))
unit = m.group(2)
# convert to Mi
mi = val if unit == "Mi" else val * 1024
half_mi = mi // 2
print(f"{half_mi}Mi")
PY
)
echo "Half of max: $HALF_MEM"
Example: if MAX_MEM=512Mi HALF_MEM=256Mi
Example: if MAX_MEM=1Gi HALF_MEM=512Mi
4) Update the nosql Deployment (DO NOT delete it)
First, get the container name (Deployment may have a custom container name):
kubectl -n haddock describe pod <new-pod-name> | sed -n '/Requests:/,/Limits:/p'
You should see:
Requests: memory 128Mi
Limits: memory <HALF_MEM>
If rollout fails (common cause)
If you accidentally set a limit above the namespace max, pods won’t start. Check events:
kubectl -n haddock describe deploy nosql
kubectl -n haddock get events --sort-by=.lastTimestamp | tail -n 20
Question # 10
Context
You are asked to set resource requests and limits for a running workload to ensure fair
resource management.
“Do not delete the existing Deployment . Failure to do so will result in a reduced score.”
Next, ensure that the total amount of resources in the namespace matches the maximum
resources the Pods from the nginx-resources Deployment can request.
Failure to do so will result in the updated Deployment failing to roll out successfully.
Answer: See the Explanation below for complete solution.
Explanation:
Below are the exact steps/commands you can run.
1) Locate the Deployment and its namespace
kubectl get deploy -A | grep nginx-resources
You should see output like:
<namespace> nginx-resources ...
Set a variable (replace <NS> with what you see):
NS=<NS>
Confirm replicas:
kubectl -n $NS get deploy nginx-resources -o jsonpath='{.spec.replicas}{"\n"}'
2) Check if there is a ResourceQuota in that namespace
kubectl -n $NS get resourcequota
kubectl -n $NS describe resourcequota
If there is a quota, note these fields (common ones):
requests.cpu
requests.memory
limits.cpu
limits.memory
3) Decide requests/limits for the Deployment (example values)
If the question (in your environment) provides specific values, use those.
If it doesn’t, a typical safe pair is:
requests: cpu: 100m, memory: 128Mi
limits: cpu: 200m, memory: 256Mi
I’ll proceed with these example values. If your lab specifies different numbers, just swap them in.
4) Update the existing Deployment (DO NOT DELETE)
Option A (fastest): kubectl set resources
Assuming the container name is the first container (we’ll detect it):
Context
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00043
A Deployment needs specific RBAC permissions.
Task
First, find the RBAC permissions needed by the scraper Deployment running in the
cute-panda namespace .
it kubectl logs may help you to find the permissions it needs.
Next, create a new ServiceAccount named scraper in the namespace cute-panda.
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00043
You have two deliverables here:
Figure out what RBAC permissions the scraper Deployment needs (the logs will
usually show “Forbidden” with the missing verb/resource).
Create a ServiceAccount named scraper in namespace cute-panda (and in
practice, you then bind the needed permissions to it and use it in the Deployment
so it actually works).
Below is the exact CKAD-style workflow.
1) Find the missing RBAC permissions (use logs + events)
1.1 Identify the pods for the Deployment
kubectl -n cute-panda get deploy scraper
kubectl -n cute-panda get pods -l app=scraper 2>/dev/null || kubectl -n cute-panda get pods
Context
You must connect to the correct host . Failure to do so may result in a zero score.
!
[candidate@base] $ ssh ckad00028
Task
A Pod within the Deployment named honeybee-deployment and in namespace gorilla is logging errors.
Look at the logs to identify error messages.
Look at the logs to identify error messages.
Find errors, including User
"system:serviceaccount:gorilla:default" cannot list resource "pods" [ ... ] in the
namespace "gorilla"
Update the Deployment
honeybee-deployment to resolve the errors in the logs of the Pod.
The honeybee-deployment 's manifest file can be found at
/home/candidate/prompt-escargot/honey bee-deployment.yaml
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00028
You’re seeing RBAC errors like:
User "system:serviceaccount:gorilla:default" cannot list resource "pods" … in namespace
"gorilla"
That means the Pod is running as the default ServiceAccount and needs permission to
list pods (and possibly also get/watch).
You must fix it by updating the Deployment (via its manifest file) and giving it the proper
Also confirm the pods now run with the right ServiceAccount:
kubectl -n gorilla get pods -o jsonpath='{range .items[*]}{.metadata.name}{"
sa="}{.spec.serviceAccountName}{"\n"}{end}'
You should no longer see the RBAC “cannot list pods” errors.
Question # 13
You must connect to the correct host . Failure to do so may result in a zero score.
[candidate@base] $ ssh ckad00034c
Task
A Deployment named content-marlin-deployment , running in namespace content-marlin is
exposed via Ingress content-marlin-ingress .
The manifest files for the Deployment, Service and Ingress can be found at
/home/candidate/content-marlin/.
The Deployment is supposed to be reachable at
http://content-marlin.local/content-marlin , but requesting this URL is currently returning an
error.
Answer: See the Explanation below for complete solution.
Explanation:
ssh ckad00034c
You’re debugging an Ingress Service Deployment chain. The fastest way is:
reproduce the error with the right Host header
check Ingress rules (host/path/backend)
check Service (selector/port/targetPort)
check Endpoints (do we have ready pods?)
fix the manifest(s) under /home/candidate/content-marlin/
apply + re-test
Below are the exact commands + the most common fixes for this exact symptom.
1) Reproduce the failing request correctly
Even if DNS isn’t set up, you can test with a Host header:
Identify the service that the Ingress points to (from describe ingress).
Check if the Service selector matches pod labels:
kubectl -n content-marlin get pods --show-labels
kubectl -n content-marlin get svc <SERVICE_NAME> -o jsonpath='{.spec.selector}{"\n"}'
3.2 Check endpoints (this tells you instantly if traffic can reach pods)
kubectl -n content-marlin get endpoints
kubectl -n content-marlin get endpoints <SERVICE_NAME> -o wide
?
?
?
?
?
?
If ENDPOINTS is empty Service selector doesn’t match Pods OR Pods aren’t
Ready.
3.3 If endpoints empty, check pod readiness and labels
kubectl -n content-marlin get pods -o wide
kubectl -n content-marlin describe pod <pod-name>
4) Apply the most likely fix patterns
Fix pattern A: Ingress path needs rewrite
If your app serves / but you route /content-marlin, you often need rewrite.
Edit content-marlin-ingress manifest (in /home/candidate/content-marlin/) to include:
path: /content-marlin
pathType: Prefix
annotation: rewrite to / (common for nginx ingress)
Example (typical nginx-ingress):
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: content-marlin.local
http:
paths:
- path: /content-marlin
pathType: Prefix
backend:
service:
name: <SERVICE_NAME>
port:
number: 80
If your ingress controller is not nginx, rewrite annotation may differ. But in CKAD labs, it’s
very often nginx.
Fix pattern B: Ingress points to wrong Service port
If the Ingress backend says port 80 but your Service exposes 8080 (or uses a named port),
align them:
Either change Ingress backend port.number
Or change Service spec.ports[].port / targetPort
Fix pattern C: Service selector mismatch (endpoints empty)
If pods have label app=content-marlin but service selector is app=content-marlindeployment (or vice versa), fix the Service selector to match pod labels.
Service should have:
spec:
selector:
app: <label-that-actually-exists-on-pods>
Fix pattern D: Service targetPort wrong
If container listens on 8080 but service targetPort is 80, fix it:
spec:
ports:
- port: 80
targetPort: 8080
5) Apply the corrected manifests
After editing the YAMLs under /home/candidate/content-marlin/:
kubectl apply -f /home/candidate/content-marlin/
Wait for readiness:
kubectl -n content-marlin rollout status deploy content-marlin-deployment