Docker DCA Docker Certified Associate Exam Practice Test

Answer : E

A Kubernetes node is allocated a /26 CIDR block (64 unique IPs) for its address space. This means that the node can assign up to 64 IP addresses to its resources, such as pods and containers. If every pod on this node has exactly two containers in it, then each pod will need two IP addresses, one for each container. Therefore, the node can support up to 32 pods, since 64 / 2 = 32. The other options are incorrect because they either exceed the available IP addresses or do not account for the number of containers per pod. Reference:

* CIDR Blocks and Container Engine for Kubernetes - Oracle

* How kubernetes assigns podCIDR for nodes? - Stack Overflow

Answer : C, E

To trust a self-signed certificate from a Docker Trusted Registry (DTR), you need to place the certificate in the appropriate location on all cluster nodes and restart the Docker daemon. There are two possible locations for the certificate, depending on your OS and Docker version1:

* /etc/docker/certs.d/dtr.example.com/ca.crt: This is the preferred location for Linux systems and Docker versions 1.13 and higher. This directory is scanned by Docker for certificates and keys for each registry domain2.

* Your OS certificate path: This is the fallback location for other OSes and Docker versions. You need to find the certificate store for your OS and copy the certificate there. You also need to trust the certificate system-wide, which may require additional steps depending on your OS3.

The other options are not correct because:

* Passing '-trust-certificate ca.crt to the Docker client is not a valid option. There is no such flag for the Docker client4.

* Placing the certificate in '/etc/docker/dtr/dtr.example.com.crt' is not a valid location. The certificate should be in the /etc/docker/certs.d directory, not the /etc/docker/dtr directory1.

* Passing -- insecure-registry to the Docker client is not a recommended option. This flag disables the TLS verification for the registry, which makes the communication insecure and vulnerable to attacks.

* Use self-signed certificates | Docker Docs

* Test an insecure registry | Docker Docs

* Add TLS certificates as a trusted root authority to the host OS | Docker Docs

* docker | Docker Docs

* [Deploy a registry server | Docker Docs]

Answer : B

= This is not a way to configure the Docker engine to use a registry without a trusted TLS certificate. There is no such option as IGNORE_TLS in the daemon.json configuration file.The daemon.json file is used to configure various aspects of the Docker engine, such as logging, storage, networking, and security1.To use a registry without a trusted TLS certificate, you need to either add the certificate to the trusted root certificates of the system, or configure the Docker engine to allow insecure registries2.To add the certificate to the trusted root certificates, you need to copy the certificate file to the /etc/docker/certs.d/<registry-hostname>/ directory on every Docker host2.To configure the Docker engine to allow insecure registries, you need to add the registry hostname or IP address to the ''insecure-registries'' array in the daemon.json file3. For example:

{ ''insecure-registries'' : [''myregistry.example.com:5000''] }

Note that using insecure registries is not recommended, as it exposes you to potential man-in-the-middle attacks and data corruption3.You should always use a registry with a trusted TLS certificate, or use Docker Content Trust to sign and verify your images4.Reference:

Daemon configuration file | Docker Docs

Verify repository client with certificates | Docker Docs

Test an insecure registry | Docker Docs

Content trust in Docker | Docker Docs

Answer : B

: Tagging the image with 'nginx:immutable' isnothow a user can prevent an image, such as 'nginx:latest', from being overwritten by another user with push access to the repository. Tagging the image with 'nginx:immutable' will only create a new tag for the image, but it will not prevent the original tag from being overwritten.To prevent an image tag from being overwritten in Docker Trusted Registry, the user can use the DTR web UI to make the tag immutable1.This will prevent anyone from pushing a new image with the same tag, even if they have push access to the repository1.Alternatively, the user can also use the DTR API to make the tag immutable2.Reference:Prevent tags from being overwritten), DTR API reference)

Answer : B

: = Keeping a backup copy of the image on another repository is not how a user can prevent an image, such as 'nginx:latest', from being overwritten by another user with push access to the repository. This approach does not prevent the original image from being overwritten, it only provides a way to restore it from another source. However, this may not be reliable or efficient, as the backup repository may not be in sync with the original one, or may not be accessible at all times.To prevent an image from being overwritten by another user, the user can use the DTR web UI to make the tag immutable1. This feature allows the user to lock a specific tag, so that no one can push a new image with the same tag to the repository.This ensures that the image is always consistent and secure1.Reference:

Make a tag immutable | Docker Docs

Answer : B

Answer : A

= The conditions are sufficient for Kubernetes to dynamically provision a persistentVolume, because a storageClass defines the provisioner and parameters for creating a volume on-demand. A persistentVolumeClaim that specifies a storageClass triggers the dynamic provisioning process, and Kubernetes will automatically create and bind a persistentVolume that matches the request. This eliminates the need for manual intervention by cluster administrators to provision storage volumes.Reference:

Dynamic Volume Provisioning | Kubernetes

Persistent volumes and dynamic provisioning | Google Kubernetes Engine ...

Dynamic Provisioning and Storage Classes in Kubernetes