Red Hat Certification
61 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The Red Hat OpenShift Administrator (EX280) certification validates professional expertise in Red Hat technologies. This study guide covers all 61 practice questions from our EX280 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
You need to configure a custom certificate for the OpenShift API server. Which resource must you modify to apply a custom TLS certificate?
OpenShift uses the APIServer custom resource in the openshift-config namespace to manage API server configuration including TLS certificates. Direct file modification or kube-apiserver Deployment editing bypasses the proper configuration management.
Which command lists all custom resources (CRDs) available in an OpenShift cluster?
The 'oc get crd' command displays all CustomResourceDefinitions installed in the cluster. This is the standard way to view available CRDs and their API versions.
You are managing RBAC for a development team. Users need to deploy applications but should not have permissions to modify cluster-wide resources. Which ClusterRole is most appropriate?
The 'edit' ClusterRole allows users to create, modify, and delete most application resources within a namespace without granting cluster-wide administrative privileges. The 'admin' role is namespace-scoped while 'edit' provides broader but still restricted permissions.
An application requires persistent storage that must survive pod restarts. You create a PVC but the pod remains in Pending state. What is the most common reason for this issue?
A pending PVC typically indicates the referenced StorageClass doesn't exist, isn't available, or no storage provisioner can satisfy the request. Verify the StorageClass exists using 'oc get storageclass'.
How do you grant a ServiceAccount permission to list pods across all namespaces in an OpenShift cluster?
Cluster-wide permissions require a ClusterRole and ClusterRoleBinding. The ClusterRole must specify the 'list' verb for the 'pods' resource across all namespaces.
Which OpenShift component is responsible for managing the container runtime on worker nodes?
The kubelet is the node agent that manages the container runtime (CRI-O in OpenShift) and ensures containers run in pods as specified. kube-proxy handles networking, kube-scheduler assigns pods, and etcd stores cluster state.
You need to prevent a pod from being scheduled on nodes with a specific label. Which Kubernetes construct should you use?
Taints prevent pods from being scheduled unless they have matching tolerations. This is the standard way to exclude pods from nodes. Node affinity is used for positive scheduling preferences, while anti-affinity separates pods from each other.
What is the default authentication mechanism for users in OpenShift?
OpenShift includes an integrated OAuth 2.0 server that manages user authentication. External identity providers (LDAP, OIDC, etc.) can be integrated with this OAuth server, but OAuth 2.0 is the default mechanism.
You want to configure automatic pod scaling based on custom metrics. Which resource must you deploy and configure?
Custom metrics autoscaling requires a metrics collection system (Prometheus) and a custom metrics API adapter to expose metrics to the HorizontalPodAutoscaler. The Metrics Server only provides CPU/memory metrics.
How do you view the logs from a previous instance of a crashed pod?
The '--previous' flag retrieves logs from the previous container instance before a crash or restart. This is essential for debugging application failures.
You are setting up a multi-tenant cluster where teams should not see each other's resources. What is the primary mechanism to enforce this isolation?
RBAC is the primary access control mechanism that restricts users to their namespaces. While NetworkPolicy adds network-level isolation and service meshes add security, RBAC is the fundamental tenant isolation mechanism.
An operator deployment is stuck in a degraded state. Which resource would you check first to diagnose the issue?
The ClusterServiceVersion (CSV) for an operator contains detailed status, conditions, and phase information that indicates why an operator deployment is degraded. This is the canonical place to check operator health.
Which command creates a new project and automatically sets the current context to that project?
'oc new-project' is the OpenShift-specific command that creates a project (enhanced namespace) and switches context to it. Using 'oc create namespace' or 'kubectl create namespace' creates only the namespace without the OpenShift project wrapper.
You need to limit the number of pods a user can create across all their projects. What resource accomplishes this?
ClusterResourceQuota allows enforcement of resource limits across multiple namespaces based on label selectors, making it ideal for per-user or per-team quotas. Regular ResourceQuota only applies within a single namespace.
An image pull fails with 'ImagePullBackOff' error. The image is in a private registry. What must you configure?
Private registry access requires creating a docker-registry type Secret containing authentication credentials and referencing it via imagePullSecrets in the pod spec or ServiceAccount.
You want to ensure that a pod always has a minimum of 2 replicas running. Which resource definition is required?
A Deployment's replicas field ensures a minimum number of pod replicas are running. PodDisruptionBudget prevents disruption but doesn't create replicas; StatefulSet and DaemonSet have different purposes.
How do you configure an application to use a ConfigMap for non-sensitive configuration data?
ConfigMaps can be mounted as volumes for file-based configuration or injected as environment variables. They are designed for application configuration and should be in the same namespace as the pod.
What does the 'oc adm' command group provide to cluster administrators?
'oc adm' provides administrative commands for managing cluster resources like managing node resources, creating network policies, and managing quotas. It's designed for cluster administrators with appropriate RBAC permissions.
You need to update a running application without any downtime. Which deployment strategy should you use?
RollingUpdate is Kubernetes' native zero-downtime deployment strategy that gradually replaces old pods with new ones. Combined with PodDisruptionBudget and health checks, it ensures continuous availability.
A DaemonSet pod is not being scheduled on a specific node even though the node is Ready. What is the most likely cause?
DaemonSets respect taints and require matching tolerations to schedule pods on tainted nodes. DaemonSets don't use label selectors for nodes, and namespace is irrelevant for node-level scheduling.
How do you view the audit logs for API requests in OpenShift?
OpenShift API audit logs are stored in /var/log/audit/audit.log on control plane nodes. They can be retrieved and analyzed for security and compliance purposes through the API audit logs.
You want to restrict egress traffic from a pod to only specific destinations. Which resource should you configure?
NetworkPolicy with egress rules is the Kubernetes-native way to control outbound traffic from pods. Ingress controls inbound traffic, and service meshes are optional add-ons for advanced traffic management.
A pod has a liveness probe that keeps triggering restarts. How do you temporarily disable it for debugging?
You can either edit the Deployment to remove/modify the liveness probe or scale to 0 and run a debug pod using the same image for investigation. Direct pod editing doesn't persist, and modifying kubelet affects all pods.
What is the primary purpose of the OpenShift Container Registry (OCIR)?
The OpenShift Container Registry is the built-in container image registry that stores images for the cluster. While it can integrate with security scanning and external registries, its primary purpose is internal image storage.
You need to ensure a node is excluded from pod scheduling without removing it from the cluster. What action should you take?
Tainting a node with 'oc adm taint nodes' prevents new pods from scheduling there unless they have matching tolerations. This keeps the node in the cluster while excluding it from regular scheduling.
Which OpenShift feature allows you to automatically scale the number of nodes in a cluster based on resource demands?
ClusterAutoscaler automatically adds nodes when pods cannot be scheduled and removes unneeded nodes. HPA scales pods not nodes, MachineSets are for static definitions, and DaemonSet is for pod distribution.
You need to create a new project in OpenShift where developers can deploy applications. What command accomplishes this task?
The 'oc new-project' command creates a new project and automatically switches context to it. While 'oc create project' may work, it requires additional setup steps.
A pod is in a CrashLoopBackOff state. Which of the following is the most appropriate first troubleshooting step?
Examining pod logs is the standard first diagnostic step when a pod is crashing, as it reveals the actual error message from the application or container startup process.
You are configuring role-based access control (RBAC) for your development team. A developer needs read access to pods in a specific namespace. Which resource type should you grant?
A Role (namespace-scoped) with get, watch, and list permissions for pods is the principle of least privilege approach for read-only pod access in a single namespace.
Your cluster has three master nodes and several worker nodes. A master node fails unexpectedly. What happens to cluster functionality?
With three master nodes, losing one maintains quorum (2 out of 3) allowing etcd and the control plane to continue operating normally.
You need to ensure that a specific workload runs only on nodes labeled with 'workload=batch'. How should you configure this requirement?
The nodeSelector field in a pod specification constrains the pod to only run on nodes matching the specified labels, such as 'workload=batch'.
When configuring persistent storage for a database application, which storage type provides the best performance characteristics for high I/O operations?
Block storage provides superior I/O performance compared to NFS due to lower latency and higher throughput, making it ideal for database workloads.
You want to expose a service internally to other pods within the cluster without making it accessible from outside. What service type should you use?
ClusterIP is the default service type that creates an internal IP address accessible only from within the cluster, perfect for internal service-to-service communication.
Your organization requires that all container images be scanned for vulnerabilities before deployment. Where in the OpenShift workflow should this validation occur?
Implementing vulnerability scanning in an admission controller (ImagePolicy or similar webhook) prevents vulnerable images from being deployed before pods are created.
You have configured a StatefulSet with three replicas. The pods need persistent storage that persists even after pod deletion. What must you define?
A volumeClaimTemplate in a StatefulSet automatically creates a unique PersistentVolumeClaim for each replica, ensuring persistent storage that survives pod restarts.
You need to upgrade the OpenShift cluster from version 4.9 to 4.10. Before initiating the upgrade, what should you verify?
Before upgrading, you must verify that a valid upgrade path exists via the configured update channel and ensure etcd is backed up for disaster recovery.
A developer reports that their application cannot connect to a database running in another pod. You suspect a network policy is blocking traffic. What command helps diagnose this?
Describing all NetworkPolicies in the namespace reveals ingress and egress rules that may be blocking the required traffic between pods.
Your cluster runs multiple applications with varying resource demands. How should you implement resource management to prevent any single application from consuming all cluster resources?
ResourceQuota and LimitRange objects enforce namespace-level constraints on total resource consumption and per-pod limits, preventing resource starvation.
You need to view the current configuration of a running deployment. Which kubectl/oc command displays this information?
'oc describe' displays detailed information about a resource including its current configuration, status, and related events.
An organization uses an external LDAP directory for user management. How should you integrate OpenShift authentication with LDAP?
OpenShift's OAuth server supports LDAP identity providers through configuration, enabling automatic user provisioning based on LDAP directory queries.
You want to implement autoscaling for a deployment based on custom application metrics beyond CPU and memory. What should you deploy and configure?
Custom metrics autoscaling requires Prometheus (or similar metrics provider) and configuring the HPA to query custom metrics exposed by your application.
Your cluster is experiencing high etcd I/O latency. What is the most likely cause and recommended solution?
etcd performance is highly dependent on storage latency; slow disk I/O directly impacts cluster control plane responsiveness. Moving etcd to faster storage (SSD) is the standard solution.
A ConfigMap contains sensitive configuration data that should only be accessed by authorized pods. How should you manage this securely?
Secrets are designed for sensitive data and should always be used instead of ConfigMaps. Combined with etcd encryption, this provides proper security for sensitive configuration.
You need to configure health checks for your application pods. What are the two types of probes you should implement?
livenessProbe detects when a pod should be restarted, while readinessProbe determines when a pod is ready to receive traffic—these are the two essential probe types.
A node in your cluster is running out of disk space. What OpenShift-specific mechanism can automatically evict pods to prevent node disk pressure?
The kubelet eviction manager monitors disk space and evicts pods when thresholds are exceeded, with lower-priority pods evicted first to maintain node stability.
You want to deploy multiple versions of an application simultaneously and gradually shift traffic to the new version. Which deployment pattern best supports this?
Canary deployments allow gradual traffic shifting to new versions, enabling real-world testing before full rollout and quick rollback if issues arise.
You are implementing cluster monitoring and need to scrape metrics from application pods. Which OpenShift monitoring component should the pods be configured to work with?
OpenShift uses Prometheus for metrics collection; ServiceMonitor objects define which pods and endpoints Prometheus should scrape for metrics.
Your organization mandates that all pods must have security contexts defined with specific UID/GID settings. How should you enforce this cluster-wide?
Pod Security Standards (PSS) are the modern way to enforce security policies cluster-wide, defining restricted, baseline, and privileged levels with automatic enforcement.
You need to troubleshoot why a scheduled CronJob is not executing. What should you check first?
First, verify the CronJob schedule syntax (cron format) and check the CronJob object status; the schedule field must follow valid cron syntax to execute properly.
A multi-tenant cluster hosts applications from different business units. What is the primary benefit of using separate namespaces for each tenant?
Namespaces enable logical isolation with independent ResourceQuotas and RBAC policies per tenant. However, network isolation requires NetworkPolicies.
You need to backup the critical cluster state for disaster recovery. What is the most important component that must be backed up?
etcd contains all cluster state, configuration, and resource definitions; backing up etcd is essential for complete cluster recovery after a disaster.
You need to configure persistent storage for a database application in OpenShift. Which storage class would you typically use for high-performance, low-latency requirements?
Block storage like AWS EBS and local SSDs provide the low-latency, high-performance characteristics needed for database workloads. NFS is generally slower, object storage is for unstructured data, and emptydir is not persistent.
When configuring RBAC in OpenShift, you want to grant a user permission to view pods across all namespaces but not modify them. Which combination should you use?
A ClusterRole with 'list' and 'watch' verbs (read-only) on the 'pods' resource, bound via ClusterRoleBinding, provides read-only access across all namespaces. The '*' verb would grant all permissions including modifications.
You are troubleshooting a pod that fails to start. The pod is in Pending state after 10 minutes. Which command provides the most detailed information about why the pod hasn't been scheduled?
'oc describe pod' shows events and detailed status including scheduling failures, resource constraints, and node affinity issues. Logs are unavailable for pending pods, 'get -o wide' shows limited info, and exec won't work on pending pods.
Your organization requires all container images to be scanned for vulnerabilities before deployment. Where should you enforce this policy in OpenShift?
An admission webhook can intercept and validate ImageStreamImport events before images enter the registry, ensuring scanning occurs at the cluster level. Annotations don't enforce scanning, securityContext doesn't scan images, and external scanning bypasses cluster enforcement.
You need to ensure a critical application pod always runs on specific nodes with GPU hardware. How should you configure this?
nodeSelector and node affinity (required rules) guarantee scheduling on labeled GPU nodes. antiAffinity only excludes nodes, resource limits don't enforce scheduling, and tainting non-GPU nodes is inefficient compared to targeting GPU nodes directly.
An application requires credentials stored securely and injected as environment variables into pods. Which OpenShift resource is most appropriate?
Secrets are designed for sensitive data and can be injected as environment variables using envFrom. ConfigMaps are for non-sensitive config, PVCs are for file storage not injection, and ServiceAccount annotations are not secure for credentials.
You are implementing a canary deployment where 90% of traffic goes to the stable version and 10% to the new version. Which OpenShift/Kubernetes feature enables this traffic splitting?
Service mesh tools like Istio provide VirtualService and DestinationRule objects to define weighted traffic distribution. NetworkPolicy is for network access control, manual endpoint selection is not scalable, and basic Routes don't support percentage-based splitting.
Your cluster has limited resources. You want to prevent a single namespace from consuming excessive CPU and memory. What should you configure?
ResourceQuota enforces cluster-level limits on total resource requests/limits per namespace. LimitRange sets defaults for individual pods, NetworkPolicy controls traffic not compute, and PodDisruptionBudget manages voluntary disruptions, not resource consumption.
You need to automate scaling of your application pods based on custom metrics (e.g., message queue depth). Which component should you use?
HPA with custom metrics (via metrics server and custom.metrics.k8s.io API) can scale pods based on application-specific metrics like queue depth. VPA adjusts requests not replica count, DeploymentConfig rollouts are for updates not scaling, and custom init containers can't trigger scaling.
You want to ensure that a StatefulSet application is accessible within the cluster by a stable DNS name. What should you configure?
A Headless Service (with clusterIP: None) provides stable DNS names for each pod in the StatefulSet (e.g., pod-0.service-name.namespace.svc.cluster.local). LoadBalancer doesn't provide per-pod DNS, Ingress is for external access, and Routes don't provide per-pod DNS resolution.
You've reviewed all 61 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free