This set focuses on day-to-day operational tasks that appear constantly in the CKAD exam: exposing services, working with logs, and managing secrets. Get these right and you're saving valuable minutes on exam day.
Question 1
What is the correct command to expose a deployment named web-app as a service on port 80?
- A)
kubectl create service web-app --port=80 - B)
kubectl service web-app --expose=80 - C)
kubectl open deployment web-app --port=80 - D)
kubectl expose deployment web-app --port=80
Answer: D: kubectl expose deployment web-app --port=80
kubectl expose creates a Service object that targets a Deployment, Pod, ReplicaSet, or ReplicationController. Option A (kubectl create service) requires specifying a service type subcommand and doesn't target an existing deployment directly. Options B and C don't exist.
Useful expose flags to know:
# ClusterIP (default, internal only)
kubectl expose deployment web-app --port=80 --target-port=8080
# NodePort (accessible on all nodes)
kubectl expose deployment web-app --port=80 --type=NodePort
# LoadBalancer (cloud provider external IP)
kubectl expose deployment web-app --port=80 --type=LoadBalancer
# Named service
kubectl expose deployment web-app --port=80 --name=web-svc
Question 2
What is the correct command to get the logs from a pod named api-server and save them to a file called api.log?
- A)
kubectl describe api-server > api.log - B)
kubectl logs api-server > api.log - C)
kubectl get logs api-server --output=api.log - D)
kubectl cat api-server > api.log
Answer: B: kubectl logs api-server > api.log
kubectl logs streams stdout/stderr from a pod's container. The shell > operator redirects it to a file. Option A (kubectl describe) gives metadata and events, not runtime logs. Options C and D are invalid syntax.
Essential log commands:
# Follow logs in real time
kubectl logs -f api-server
# Last N lines only
kubectl logs api-server --tail=50
# Logs from a specific container in a multi-container pod
kubectl logs api-server -c sidecar-container
# Logs from a crashed/previous container
kubectl logs api-server --previous
# Logs from all pods matching a label
kubectl logs -l app=api --all-containers
Question 3
What is the correct command to create a Secret named db-secret with username=admin and password=secret123?
- A)
kubectl create secret db-secret --username=admin --password=secret123 - B)
kubectl new secret db-secret username=admin password=secret123 - C)
kubectl create secret generic db-secret --from-literal=username=admin --from-literal=password=secret123 - D)
kubectl apply secret db-secret --data username=admin,password=secret123
Answer: C: kubectl create secret generic db-secret --from-literal=username=admin --from-literal=password=secret123
Secrets require the generic subtype when creating from literals. Kubernetes also supports docker-registry and tls secret types. Options A, B, and D are invalid syntax.
Important: Secret values are base64-encoded, not encrypted by default. For production, enable encryption at rest or use an external secrets manager.
# Verify the secret was created (values are base64-encoded)
kubectl get secret db-secret -o yaml
# Decode a value
kubectl get secret db-secret -o jsonpath='{.data.password}' | base64 -d
# Create a TLS secret from cert files
kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
# Create from a file (useful for entire config files as secrets)
kubectl create secret generic db-secret --from-file=config.json
Key Takeaways
kubectl exposetargets an existing resource; use--typeto control ClusterIP / NodePort / LoadBalancerkubectl logshas powerful flags:-f,--tail,-c,--previouskubectl create secret genericis the type for arbitrary key-value secrets- Secret values are only base64-encoded, not encrypted by default, without additional configuration