Question 3 - Linux CKS Real Exam Questions [March 2026 Update]

Q: 3

Create a Pod name Nginx-pod inside the namespace testing, Create a service for the Nginx-pod named nginx-svc, using the ingress of your choice, run the ingress on tls, secure port.

Your Answer

Discussion

Nora M. Feb 20, 2026 3:13 pm

Create TLS secret first. Practice this flow with kubectl and review official CKS docs.

Chloe Mar 5, 2026 6:27 pm

TLS secret first or the ingress won’t work. Trap is skipping that and trying to reference it before creation.

Casey H. Mar 7, 2026 1:49 pm

Is everyone remembering to generate the TLS certs and make the secret in the testing namespace before applying the ingress? Without that, ingress with TLS won't pick up the config right.

CarefulAnalyst1031 Mar 4, 2026 11:58 pm

Yep, you always need to create the TLS secret before the ingress otherwise Kubernetes complains about a missing secret and the ingress won't go ready. The question specifically asks for TLS so that's required. Pretty sure this order matches what's expected but open if anyone knows a shortcut.

Chloe Q. Mar 10, 2026 12:00 am

TLS secret has to be there before you apply the ingress, or else the ingress creation just fails since it tries to mount a non-existent secret. So sequence matters: secret, then pod/service, then ingress. Seen that issue in labs too, but maybe some controllers handle missing secrets differently?

Priya E. Feb 24, 2026 7:03 am

Yeah, TLS secret must be created first in the testing namespace or ingress config for TLS will fail.

Riley M. Feb 19, 2026 2:25 pm

Why not make the TLS secret first, then build out the ingress? Saw a similar question on a practice and skipping the secret step is a common trap.

Ava Z. Mar 7, 2026 9:55 pm

Definitely review the official CKS Kubernetes docs and try this in your own test cluster first.

Robin U. Feb 19, 2026 10:44 pm

Nah, you really need that TLS secret before creating the ingress or it'll just error out when it tries to reference a missing secret. Seen this trip people up on similar practice tasks. TLS order is a common trap.

Logan Z. Mar 6, 2026 9:08 pm

Had something like this in a mock: TLS secret creation in the testing namespace first, then deploy manifests for pod, service, ingress.

Be respectful. No spam.

Correct Answer:

FIRST, CREATE A TLS SECRET. THE INGRESS RESOURCE REQUIRES THIS FOR TLS TERMINATION. BASH CREATE A SELF-SIGNED CERTIFICATE AND PRIVATE KEY OPENSSL REQ -X509 -NODES -DAYS 365 -NEWKEY RSA:2048 \ -KEYOUT TLS.KEY -OUT TLS.CRT -SUBJ "/CN=NGINX.EXAMPLE.COM" CREATE THE KUBERNETES SECRET IN THE 'TESTING' NAMESPACE (AFTER CREATING IT) KUBECTL CREATE SECRET TLS NGINX-TLS-SECRET --KEY TLS.KEY --CERT TLS.CRT -N TESTING APPLY THE FOLLOWING KUBERNETES MANIFESTS: YAML 1-NAMESPACE.YAML APIVERSION: V1 KIND: NAMESPACE METADATA: NAME: TESTING --- 2-POD.YAML APIVERSION: V1 KIND: POD METADATA: NAME: NGINX-POD NAMESPACE: TESTING LABELS: APP: NGINX SPEC: CONTAINERS: - NAME: NGINX IMAGE: NGINX:1.25 PORTS: - CONTAINERPORT: 80 --- 3-SERVICE.YAML APIVERSION: V1 KIND: SERVICE METADATA: NAME: NGINX-SVC NAMESPACE: TESTING SPEC: SELECTOR: APP: NGINX PORTS: - PROTOCOL: TCP PORT: 80 TARGETPORT: 80 --- 4-INGRESS.YAML APIVERSION: NETWORKING.K8S.IO/V1 KIND: INGRESS METADATA: NAME: NGINX-INGRESS NAMESPACE: TESTING SPEC: TLS: - HOSTS: - NGINX.EXAMPLE.COM SECRETNAME: NGINX-TLS-SECRET RULES: - HOST: NGINX.EXAMPLE.COM HTTP: PATHS: - PATH: / PATHTYPE: PREFIX BACKEND: SERVICE: NAME: NGINX-SVC PORT: NUMBER: 80

Explanation

The solution creates the required resources in a logical sequence. First, a Namespace isolates the components. A Pod running Nginx is created with a label app: nginx. A Service then targets this pod using the label selector, providing a stable internal endpoint. For TLS, a Kubernetes Secret of type kubernetes.io/tls is created from a pre-generated certificate and key. Finally, the Ingress resource is defined. Its tls section references the secret to secure traffic for the specified host (nginx.example.com), and its rules section routes external traffic from that host to the internal nginx-svc. This configuration ensures traffic is served over a secure port (HTTPS/443).

References

1. Kubernetes Official Documentation

"Ingress": This document details the structure of an Ingress resource

including the tls section for specifying the secret that contains the TLS private key and certificate. See the "TLS" subsection.

Source: Kubernetes Authors

Ingress Concepts

kubernetes.io.

Reference: kubernetes.io/docs/concepts/services-networking/ingress/#tls

2. Kubernetes Official Documentation

"Service": This page explains how a Service exposes an application running on a set of Pods. It covers the use of selector to match Pod labels and ports to define the service endpoint.

Source: Kubernetes Authors

Service Concepts

kubernetes.io.

Reference: kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

3. Kubernetes Official Documentation

"Secrets": This documentation describes how to manage sensitive information. The "TLS secrets" section specifically outlines the creation and usage of secrets for TLS certificates.

Source: Kubernetes Authors

Secret Concepts

kubernetes.io.

Reference: kubernetes.io/docs/concepts/configuration/secret/#tls-secrets

4. UC Berkeley EECS Courseware

CS 162: Lecture slides from this operating systems course cover Kubernetes networking concepts

including the role of Ingress in managing external access to services in a cluster

often in conjunction with TLS for security.

Source: University of California

Berkeley

Department of Electrical Engineering and Computer Sciences.

Reference: CS 162

Lecture 22: "Cloud Computing"

Slide 67 "Kubernetes Ingress". (Available via course website archives).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE