Red Hat Certification
61 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The Red Hat OpenShift Advanced Admin (EX362) certification validates professional expertise in Red Hat technologies. This study guide covers all 61 practice questions from our EX362 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
When configuring network policies in OpenShift to restrict ingress traffic, which API version and kind are typically used?
NetworkPolicy is part of the Kubernetes networking.k8s.io/v1 API group and is the standard way to define network segmentation in OpenShift clusters.
Which command allows you to view the audit logs for API requests made to the OpenShift cluster?
Audit logs are typically accessed directly on control plane nodes via journalctl for the apiserver service, as they record all API requests at the system level.
In OpenShift, how do you configure a user to have cluster-admin privileges securely using RBAC?
The 'oc adm policy' command is the proper and secure way to manage RBAC bindings in OpenShift, applying the principle of least privilege through the API.
When using PersistentVolumes with local storage on OpenShift, what is a critical consideration for data availability?
Local storage is node-specific and has no built-in replication; applications must be designed to tolerate node failures or use multiple replicas across different nodes.
What is the purpose of the OpenShift ImageStream resource?
ImageStreams abstract the source of images and provide a way to track image versions and tags, enabling automatic deployments when images are updated.
Which of the following correctly describes the relationship between a DeploymentConfig and a Deployment in OpenShift?
While both manage pod replicas, DeploymentConfig is OpenShift-specific and integrates tightly with ImageStreams for automatic triggering, whereas Deployment is the standard Kubernetes resource.
How can you ensure that a pod in OpenShift is scheduled on a specific node type, such as GPU-enabled nodes?
nodeSelector is the primary method to constrain pod placement by matching labels; nodes must be labeled appropriately (e.g., gpu=true) for this to work.
When implementing a multi-tenant OpenShift cluster, which feature prevents one tenant's pods from accessing another tenant's secrets?
Kubernetes RBAC combined with namespace isolation ensures secrets in one namespace are inaccessible to other namespaces; OpenShift strengthens this with project-level isolation.
What is the correct way to configure resource quotas for a project to prevent resource exhaustion in OpenShift?
ResourceQuota objects define aggregate limits for a namespace; LimitRange objects define limits per container, and both should be used together for comprehensive resource management.
In OpenShift, which certificate is used by the kubelet to communicate with the API server?
Kubelets use client certificates signed by the Kubernetes CA to authenticate with the API server; these are typically managed by the cluster's certificate signing system.
How do you enable cluster monitoring and metrics collection in OpenShift?
OpenShift includes a built-in Prometheus-based monitoring stack that is configured and managed through the ClusterMonitoringConfig CustomResource.
What is the primary purpose of the OpenShift MachineConfigPool resource?
MachineConfigPool resources group nodes with similar purposes (e.g., masters, workers) and coordinate OS-level configuration updates through the Machine Config Operator.
Which of the following best describes how OpenShift integrates with external authentication providers like LDAP?
OpenShift's OAuth server can be configured with identity providers including LDAP, which authenticate users and provide tokens for accessing the cluster.
What does the 'oc adm drain' command do, and when should it be used?
The drain command gracefully removes pods from a node, allowing them to migrate to other nodes before the node is cordoned and taken offline for maintenance.
In OpenShift, how are container images scanned for vulnerabilities automatically?
While OpenShift provides the infrastructure, vulnerability scanning is typically implemented through external tools like Red Hat ACS that integrate with the registry and deployment workflows.
What is the correct approach to managing TLS certificates for OpenShift routes?
Routes support three TLS termination modes (edge, reencrypt, passthrough) and use certificates stored as Kubernetes secrets; cert-manager can automate renewal but is not required.
How do you troubleshoot a pod that is stuck in the 'Pending' state in OpenShift?
The 'oc describe pod' command shows detailed event logs that indicate scheduling failures such as insufficient resources, node affinity conflicts, or taints.
What is the purpose of the OpenShift Router component?
The OpenShift Router (typically running as HAProxy or similar) reads Route objects and configures itself to route external HTTP/HTTPS traffic to the appropriate services.
When implementing pod security policies in OpenShift 4.x, which approach is recommended?
OpenShift 4.x uses Pod Security Standards (evolved from PodSecurityPolicy) with profiles applied via namespace labels for better maintainability and flexibility.
What is etcd in the context of OpenShift, and why is its backup critical?
etcd stores all Kubernetes cluster state, configuration, and secrets; without backups, cluster corruption or failure can result in complete data loss of all API objects.
How can you prevent a pod from being evicted during node memory pressure in OpenShift?
High-priority pods with guaranteed QoS (requests equal to limits) are evicted last; PodDisruptionBudgets protect against voluntary disruptions but not evictions from resource pressure.
In OpenShift, what is the difference between a Service and a Route?
Services provide cluster-internal communication and DNS, while Routes expose services to external traffic with HTTP/HTTPS termination and hostname-based routing.
How do you configure pod network policies to allow traffic only from specific namespaces?
NetworkPolicy resources support namespaceSelector in their from/to fields to allow or deny traffic based on source/destination namespace labels.
What is the purpose of the OpenShift Operator Framework?
The Operator Framework provides tools and standards for building and deploying Operators that automate application lifecycle management beyond what standard Kubernetes resources provide.
When configuring a StatefulSet in OpenShift, what is the significance of the serviceName field?
The serviceName field references a headless Service (clusterIP: None) that provides stable DNS records like pod-0.service-name, critical for StatefulSet ordering and discovery.
Which of the following is a best practice for managing cluster updates in OpenShift?
The Cluster Version Operator automates OpenShift updates with built-in safety checks, gradual rollout, and automatic rollback on failure.
When implementing network policies in OpenShift, which resource type is used to define ingress and egress rules at the namespace level?
NetworkPolicy is the standard Kubernetes resource for defining network access rules. While EgressNetworkPolicy exists in OpenShift, NetworkPolicy is the primary resource for comprehensive ingress and egress control.
You need to configure persistent storage for a stateful application in OpenShift. Which storage class characteristic is MOST important for high-performance databases?
For stateful applications like databases, IOPS, latency, and binding mode (Immediate vs WaitForFirstConsumer) are critical performance factors. These characteristics directly impact application performance and data consistency.
What is the primary purpose of using a ServiceAccount in OpenShift?
ServiceAccounts provide an identity for processes running in pods, allowing them to authenticate with the Kubernetes API and access resources according to their assigned roles.
When configuring RBAC in OpenShift, what is the relationship between a ClusterRole and a ClusterRoleBinding?
ClusterRole is a collection of permissions (verbs applied to resources), while ClusterRoleBinding connects those permissions to subjects (users, groups, service accounts) at the cluster level.
You are troubleshooting a pod that fails to start with a CrashLoopBackOff status. Which command provides the most detailed information about the failure?
The '--previous' flag retrieves logs from the previous container instance, which is essential when the current container hasn't started yet. This shows the actual error that caused the crash.
In an OpenShift cluster, which component is responsible for scheduling pods to worker nodes based on resource requests and constraints?
The Kube-scheduler examines pod requirements and node capacity, then assigns pods to appropriate nodes. The kubelet runs on nodes and manages container execution, but doesn't make scheduling decisions.
When implementing resource quotas in OpenShift, you notice that pod creation is being rejected even though individual resource requests appear acceptable. What is the MOST likely cause?
Resource quotas limit the total resources consumed in a namespace. If the sum of all pod requests in a namespace exceeds the quota, new pods will be rejected regardless of individual request sizes.
You need to configure pod affinity rules so that pods from a specific deployment run on the same nodes as pods from another deployment. Which affinity type should you use?
PodAffinity with 'required' enforcement ensures co-location of pods from different deployments on the same nodes. The 'preferred' variant would allow failures, while 'required' guarantees the constraint.
What does the 'oc adm' command set primarily provide in OpenShift?
'oc adm' provides administrator-level commands for cluster operations like managing nodes, creating certificates, policy management, and other administrative tasks beyond standard user operations.
In OpenShift, which mechanism prevents a pod from being evicted during node maintenance or resource pressure?
PodDisruptionBudget (PDB) ensures minimum availability during voluntary disruptions. It prevents eviction of too many pods simultaneously, protecting application availability during maintenance or resource pressure.
When configuring OpenShift authentication, what is the primary difference between OAuth and SAML identity providers?
OAuth uses tokens for authentication while SAML uses XML assertions. SAML is commonly integrated with enterprise SSO systems like Active Directory, whereas OAuth is more commonly used with web-based identity providers.
You are configuring a custom StorageClass for your OpenShift cluster. Which parameter would you set to ensure that volumes are only provisioned on demand when a PVC is created?
WaitForFirstConsumer delays volume provisioning until a pod references the PVC, which can improve scheduling decisions and resource efficiency. Immediate binds the volume immediately when the PVC is created.
What is the primary advantage of using StatefulSets instead of Deployments for applications in OpenShift?
StatefulSets maintain stable pod identities (hostname, network), manage persistent storage binding, and handle ordered operations. These features are essential for databases and other stateful applications.
In OpenShift, which resource type allows you to run privileged containers with specific capabilities while maintaining security constraints?
SecurityContextConstraints (SCC) is OpenShift's security policy mechanism that allows fine-grained control over pod security, including capability management, privileged execution, and SELinux policies.
When scaling a Deployment in OpenShift, you set the desired replica count but the pods fail to schedule. Resource requests appear valid individually. What should you investigate first?
When pods won't schedule despite valid individual requests, the issue is typically that aggregate resource requests (requests × replicas) exceed available cluster capacity or namespace resource quotas.
You need to expose an internal OpenShift service to external traffic while maintaining TLS encryption. Which resource type should you create?
Routes are OpenShift's mechanism for exposing services externally with TLS termination. Services alone don't provide TLS termination; Routes add this capability specific to OpenShift.
When implementing image security scanning in OpenShift, which component scans container images for vulnerabilities upon admission to the cluster?
Admission webhooks intercept pod creation requests and can validate image signatures or scan images before they're admitted. ImageSignatureVerificationPolicy specifically enforces image signature verification.
In OpenShift, what is the primary purpose of a ConfigMap?
ConfigMaps store non-sensitive configuration data in key-value pairs. Secrets should be used for sensitive data like passwords. ConfigMaps can be mounted as volumes or referenced as environment variables.
You are configuring audit logging for an OpenShift cluster. Which audit policy decision would log only requests that modify cluster state?
Metadata level logs request/response metadata without request/response bodies, and filtering by write verbs (create, update, delete, patch) captures only state-modifying operations, reducing log volume while maintaining security audits.
When troubleshooting node issues in OpenShift, you notice a node is in NotReady status. Which command should you use to examine detailed node conditions and events?
'oc describe node' provides detailed information about node conditions (Ready, MemoryPressure, DiskPressure), capacity, and recent events explaining why the node entered NotReady state.
In OpenShift, which mechanism allows you to define multiple versions of an application and gradually shift traffic between them?
OpenShift Routes support traffic distribution across multiple services using weights, enabling canary deployments and blue-green strategies. Multiple Deployments alone don't provide built-in traffic shifting.
What is the correct order of operations when updating a Deployment in OpenShift using a rolling update strategy?
Rolling updates create new pods while gradually removing old ones, controlled by maxSurge (additional pods allowed) and maxUnavailable (pods allowed to be unavailable). This maintains service availability during updates.
You need to ensure that a critical application pod is never evicted due to resource pressure on a node. Which combination of features should you implement?
Guaranteed QoS (requests equal to limits) prevents eviction under normal conditions, while high PodPriority ensures the pod is only evicted if lower-priority pods cannot free enough resources. Together they provide strong protection.
In OpenShift, which API group contains resources related to application deployments such as Deployments, StatefulSets, and DaemonSets?
The apps/v1 API group contains workload resources including Deployments, StatefulSets, DaemonSets, and ReplicaSets. The core v1 group contains Pods and Services, while batch/v1 contains Jobs and CronJobs.
When implementing egress traffic control in OpenShift using network policies, what must you explicitly allow to permit pods to reach external services?
Network policies must explicitly allow DNS (typically UDP port 53) for name resolution and then allow the specific protocols and ports needed to reach external services. Without these rules, pods cannot reach external resources.
You need to configure network policies to restrict traffic between namespaces in your OpenShift cluster. Which resource type should you use to define these restrictions?
NetworkPolicy is the standard Kubernetes resource for defining network traffic rules between pods and namespaces. While EgressNetworkPolicy exists in OpenShift, NetworkPolicy is the primary and recommended approach for comprehensive network segmentation.
Your cluster has multiple projects with different resource quotas. A developer reports that their pod deployment is being rejected. What is the most likely cause if the pod spec is valid?
ResourceQuotas limit the total amount of compute resources (CPU, memory) and object counts that can be used within a namespace. If a valid pod cannot be created, the namespace quota has likely been exceeded.
You are configuring RBAC for a service account that needs to manage deployments across multiple namespaces. Which approach is most appropriate?
ClusterRoles define permissions at the cluster level and can be bound to a single service account across multiple namespaces using multiple ClusterRoleBindings. This avoids role duplication and maintains a single source of truth for permissions.
When using the OpenShift Container Platform image registry, what is the purpose of the ImageStream resource?
ImageStreams abstract container images and track tags, allowing deployments to automatically update when new images are pushed. They also integrate with builds and deployments for automated workflows.
You need to implement a custom admission controller in your OpenShift cluster. Which two resources can you use to achieve this? (Select the most accurate pair)
ValidatingWebhookConfiguration and MutatingWebhookConfiguration are the resources that define custom admission webhooks in Kubernetes/OpenShift, allowing validation and mutation of API requests respectively.
An administrator needs to ensure that all pods in a specific namespace run with restricted SELinux contexts. Where should this policy be enforced?
SecurityContextConstraints (SCCs) in OpenShift enforce security policies at the namespace level by restricting what capabilities, SELinux contexts, and privileged modes pods can use. They are applied to service accounts within a namespace.
You are troubleshooting a persistent volume (PV) that remains in an Unbound state. Which of the following is the most common reason for this issue?
A PV remains Unbound when no matching PersistentVolumeClaim can claim it. The most common reason is a mismatch in storageClassName, capacity requirements, or access modes between the PV and available PVCs.
Your OpenShift cluster uses dynamic storage provisioning. A developer creates a PersistentVolumeClaim but no PersistentVolume is automatically created. What should you verify first?
Dynamic provisioning requires a StorageClass with a valid provisioner. If the StorageClass doesn't exist or is misconfigured, the provisioner cannot create a PV automatically.
You are implementing a multi-tenant cluster where different business units need isolated container registries. Which approach best aligns with OpenShift best practices?
Using projects (namespaces) with RBAC on ImageStreams and scoped pull secrets provides multi-tenancy within a single cluster while maintaining proper isolation and security boundaries for each business unit.
When configuring a BuildConfig for a CI/CD pipeline, you need to trigger builds automatically when source code is pushed to your Git repository. Which mechanism should you configure?
GitHub webhooks (or equivalent for other Git providers) automatically notify OpenShift when code is pushed, triggering builds through the BuildConfig's generic webhook endpoint. This provides immediate feedback for CI/CD pipelines.
You've reviewed all 61 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free