CCNA Cloud Native Architecture Questions

75 of 170 questions · Page 1/3 · Cloud Native Architecture · Answers revealed

1
MCQmedium

A team wants to manage their Kubernetes infrastructure using code. Which tool is specifically designed for Infrastructure as Code (IaC) and can manage Kubernetes resources?

A.Helm
B.kubectl
C.Kustomize
D.Terraform
AnswerD

Why this answer

Terraform is a dedicated Infrastructure as Code (IaC) tool that uses declarative configuration files (HCL) to provision and manage cloud resources, including Kubernetes clusters and their workloads. It maintains state to track resource dependencies and can orchestrate Kubernetes resources via its Kubernetes provider, making it the correct choice for managing Kubernetes infrastructure as code.

Exam trap

The trap here is that candidates confuse Helm or Kustomize as IaC tools because they manage Kubernetes resources declaratively, but they lack the infrastructure provisioning and state management capabilities that define true Infrastructure as Code.

How to eliminate wrong answers

Option A is wrong because Helm is a package manager for Kubernetes that deploys pre-packaged applications (charts) but is not an IaC tool; it manages releases and templates, not infrastructure state. Option B is wrong because kubectl is a command-line client for interacting with Kubernetes API directly, used for imperative or ad-hoc operations, not for declarative infrastructure provisioning or state management. Option C is wrong because Kustomize is a configuration customization tool that overlays patches on Kubernetes manifests without managing infrastructure state or provisioning resources outside of Kubernetes.

2
MCQmedium

In the 12-factor app methodology, which factor describes the practice of storing configuration in environment variables?

A.Backing services
B.Config
C.Processes
D.Build, release, run
AnswerB

Config is Factor III.

Why this answer

The Config factor (Factor III) of the 12-factor app methodology mandates that configuration—such as database URLs, credentials, or feature flags—be stored in environment variables. This decouples configuration from code, allowing the same build to be deployed across different environments without code changes, and prevents accidental commits of secrets to version control.

Exam trap

CNCF often tests the distinction between 'Config' and 'Backing services'—candidates mistakenly think storing database credentials in environment variables is a 'Backing services' concern, but it is actually a 'Config' concern because the credentials are configuration, not the service itself.

How to eliminate wrong answers

Option A is wrong because 'Backing services' (Factor IV) treats attached services (databases, caches, message queues) as disposable resources accessed via URL or binding, not about storing configuration. Option C is wrong because 'Processes' (Factor VI) concerns stateless execution and sharing nothing between processes, not configuration storage. Option D is wrong because 'Build, release, run' (Factor V) describes the strict separation of build, release, and run stages to ensure immutability, not the mechanism for injecting configuration.

3
MCQmedium

In a service mesh architecture, which component is responsible for intercepting and managing traffic to and from a pod?

A.Sidecar proxy
B.Ingress controller
C.API gateway
D.Control plane
AnswerA

The sidecar proxy (e.g., Envoy) intercepts all traffic to and from the pod, providing service mesh capabilities.

Why this answer

The sidecar proxy (e.g., Envoy) runs alongside each service instance and intercepts all network traffic, enabling features like traffic management and observability.

4
MCQhard

In the context of the 12-factor app methodology, which factor is addressed by storing configuration in environment variables?

A.IV. Backing Services
B.III. Config
C.II. Dependencies
D.I. Codebase
AnswerB

Config specifies storing configuration in environment variables.

Why this answer

The 12-factor app's 'Config' factor (III) states that configuration should be stored in environment variables, not in code. Options A, B, and D correspond to other factors: Codebase, Dependencies, and Backing Services respectively.

5
MCQmedium

Which component in a service mesh architecture is responsible for handling inter-service communication on behalf of the application container?

A.Sidecar proxy
B.Control plane
C.Ingress controller
D.API gateway
AnswerA

The sidecar proxy runs alongside the application container and handles all network communication.

Why this answer

The sidecar proxy (e.g., Envoy) intercepts all network traffic to and from the application container, providing observability, traffic management, and security.

6
MCQmedium

In a service mesh architecture, what is the role of the sidecar proxy?

A.It provides persistent storage for the pod
B.It manages the lifecycle of the pod
C.It intercepts and controls network communication to and from the main container
D.It serves as the main application container
AnswerC

The sidecar proxy handles traffic routing, telemetry, and security policies.

Why this answer

The sidecar proxy intercepts all network traffic to/from the main container, enabling observability, traffic management, and security without modifying application code.

7
Multi-Selecthard

Which THREE of the following are key principles of cloud-native architecture according to CNCF?

Select 3 answers
A.Dynamic orchestration
B.Serverless
C.Agile development
D.Microservices
E.Containers
AnswersA, D, E

Automated management is key.

Why this answer

The CNCF defines cloud-native technologies as those that use microservices, containers, and dynamic orchestration. Serverless is an approach but not a core principle; agile development is a methodology, not unique to cloud-native.

8
MCQmedium

Your organization runs a multi-service application on a Kubernetes cluster. Each service is deployed as a set of Pods managed by a Deployment. The application experiences intermittent slowdowns during peak traffic. Monitoring shows that the database service Pods have high CPU usage, but the HorizontalPodAutoscaler (HPA) configured for the database Deployment does not scale. The HPA is based on average CPU utilization across Pods, with target 70%. The database Deployment has resource requests and limits set: requests.cpu: 500m, limits.cpu: 1000m. During peak, CPU usage reaches 800m per Pod. The HPA has a cooldown period of 3 minutes. The cluster has ample capacity. What is the most likely reason the HPA is not scaling?

A.The HPA is configured to use a different metric (e.g., memory) instead of CPU.
B.The HPA cooldown period of 3 minutes prevents scaling during the short peak duration.
C.The CPU limit of 1000m restricts the Pods from using more than 1000m, but the HPA bases scaling on requests, not limits.
D.The cluster does not have enough nodes to schedule additional Pods.
AnswerA

If the HPA is mistakenly using memory metric, it would not scale based on CPU spikes.

Why this answer

Option A is correct because the scenario states that CPU usage reaches 800m per Pod, which is 160% of the requested 500m, well above the HPA's 70% target. If the HPA were correctly configured for CPU, it would have triggered scaling. The fact that it does not scale despite high CPU usage indicates the HPA is likely configured to use a different metric (e.g., memory or custom metrics), not CPU.

This mismatch between the metric the HPA monitors and the actual resource bottleneck prevents scaling.

Exam trap

The trap here is that candidates assume the HPA is always configured for CPU by default, but the KCNA exam tests whether you recognize that an HPA can be configured for any metric, and a mismatch between the monitored metric and the actual bottleneck will prevent scaling.

How to eliminate wrong answers

Option B is wrong because the cooldown period of 3 minutes only delays scaling actions, it does not prevent scaling entirely; if CPU usage remains high for longer than 3 minutes, the HPA would still scale. Option C is wrong because the HPA bases its scaling decision on the average CPU utilization relative to the resource request (500m), not the limit (1000m); with 800m usage, utilization is 160% of the request, which should trigger scaling. Option D is wrong because the cluster has ample capacity, as stated in the question, so insufficient nodes are not the issue.

9
MCQeasy

Which of the following best describes the purpose of the Cloud Native Computing Foundation (CNCF)?

A.To promote cloud native technologies and host open source projects
B.To define the 12-factor app methodology
C.To provide cloud infrastructure services for enterprises
D.To develop and maintain the Kubernetes project exclusively
AnswerA

CNCF hosts projects, drives adoption, and fosters community.

Why this answer

The CNCF's primary purpose is to foster the adoption of cloud native technologies by hosting and governing open source projects like Kubernetes, Prometheus, and Envoy. It provides a neutral home for these projects, ensuring they are developed collaboratively under a vendor-neutral governance model. This aligns directly with option A, which captures both the promotional and hosting roles of the foundation.

Exam trap

CNCF often tests the misconception that the CNCF is synonymous with Kubernetes alone, but the trap here is that the CNCF's scope includes a wide ecosystem of cloud native projects, not just Kubernetes.

How to eliminate wrong answers

Option B is wrong because the 12-factor app methodology was defined by Heroku engineers in 2011, not by the CNCF, and while the CNCF promotes cloud native patterns, it did not create that specific methodology. Option C is wrong because the CNCF does not provide cloud infrastructure services (e.g., compute, storage, networking) — that is the role of cloud providers like AWS, Azure, or GCP; the CNCF is a foundation that hosts projects, not a service provider. Option D is wrong because while the CNCF hosts Kubernetes, it also hosts dozens of other projects (e.g., Prometheus, Fluentd, Linkerd) and is not exclusive to Kubernetes; its mission is broader than any single project.

10
MCQmedium

In an event-driven architecture, what is the role of an event broker?

A.To intermediate between event producers and consumers
B.To run event-processing logic
C.To transform events into API calls
D.To store event schemas
AnswerA

The broker ensures reliable delivery and routing.

Why this answer

In an event-driven architecture, the event broker acts as a middleware that decouples event producers from consumers by receiving events from producers and forwarding them to interested consumers. This intermediary role ensures asynchronous communication, scalability, and fault tolerance without requiring producers and consumers to be directly aware of each other. Technologies like Apache Kafka, RabbitMQ, or cloud-native services such as AWS EventBridge exemplify this pattern.

Exam trap

CNCF often tests the misconception that the event broker performs processing or transformation, but its core role is purely intermediary—routing events without executing business logic.

How to eliminate wrong answers

Option B is wrong because running event-processing logic is the responsibility of event processors or stream processing frameworks (e.g., Apache Flink, Kafka Streams), not the event broker, which focuses on routing and delivery. Option C is wrong because transforming events into API calls is a function of an API gateway or integration layer, not the event broker; brokers handle event transport, not protocol translation. Option D is wrong because storing event schemas is typically managed by a schema registry (e.g., Confluent Schema Registry) that works alongside the broker, but the broker itself does not store schemas—it stores and forwards event data.

11
Multi-Selecthard

Which THREE of the following are benefits of using a service mesh? (Choose 3.)

Select 3 answers
A.Database management
B.Security
C.Observability
D.Code compilation
E.Traffic management
AnswersB, C, E

Why this answer

A service mesh, such as Istio or Linkerd, offloads cross-cutting concerns from application code into a dedicated infrastructure layer. Security is a core benefit because the service mesh can enforce mutual TLS (mTLS) between all service-to-service communications, providing encryption, identity verification, and fine-grained access policies without modifying application code.

Exam trap

CNCF often tests the misconception that a service mesh is a general-purpose tool for all infrastructure concerns, leading candidates to incorrectly select options like database management or code compilation, when in fact the service mesh is narrowly focused on network-level traffic management, security, and observability.

12
MCQmedium

A team wants to implement Infrastructure as Code (IaC) for managing Kubernetes resources. Which tool is BEST suited for this purpose?

A.Pulumi
B.Ansible
C.Terraform
D.Helm
AnswerD

Helm is a package manager for Kubernetes that uses charts to manage applications.

Why this answer

Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications using charts. Terraform and Pulumi are IaC tools for infrastructure, but for Kubernetes-specific resources, Helm is more directly focused. Ansible can also manage Kubernetes but is not as specialized.

13
MCQmedium

Which component of the Istio service mesh is responsible for certificate signing and identity management?

A.Envoy
B.Citadel
C.Mixer
D.Pilot
AnswerB

Citadel manages certificates and identity.

Why this answer

Istio's security features are managed by Citadel (now part of istiod), which handles certificate signing and identity. Envoy is the proxy, Pilot provides service discovery, and Mixer was an older component for policy (now deprecated).

14
MCQhard

A company wants to implement a serverless function that processes events from an Amazon S3 bucket. The function should scale to zero when idle and only incur costs during execution. Which technology is BEST suited for this requirement?

A.Knative
B.Apache Kafka
C.AWS Lambda
D.Kubernetes CronJob
AnswerC

AWS Lambda is a FaaS platform that executes code in response to events and scales to zero when idle.

Why this answer

Option A is correct. AWS Lambda is a FaaS (Function as a Service) that scales to zero when idle and is event-driven. Option B (Apache Kafka) is a streaming platform, not serverless functions.

Option C (Knative) is serverless but runs on Kubernetes, requiring cluster management. Option D (Kubernetes CronJob) is for scheduled jobs, not event-driven, and does not scale to zero automatically.

15
MCQmedium

Which component in a service mesh is responsible for handling traffic management, security, and observability as a sidecar proxy?

A.Pilot
B.Mixer
C.Citadel
D.Envoy
AnswerD

Envoy acts as the data plane proxy.

Why this answer

Envoy is the most common sidecar proxy used in service meshes like Istio.

16
MCQmedium

A team is migrating a legacy application to Kubernetes. The application requires persistent storage and needs to maintain session affinity. Which set of Kubernetes resources should they use?

A.Deployment with a ClusterIP Service and Ingress.
B.Job with a LoadBalancer Service.
C.DaemonSet with a NodePort Service.
D.StatefulSet with a headless Service and Service with session affinity.
AnswerD

StatefulSet gives stable identities and persistent storage; session affinity ensures stickiness.

Why this answer

StatefulSet is the correct choice because it provides stable, unique network identities and persistent storage per pod, which are essential for stateful applications. A headless Service allows direct pod-to-pod communication without load balancing, while a regular Service with session affinity (using `externalTrafficPolicy: Local` or `sessionAffinity: ClientIP`) ensures client requests stick to the same pod, maintaining session state.

Exam trap

CNCF often tests the misconception that a Deployment with a standard Service is sufficient for stateful workloads, ignoring that StatefulSet is required for stable storage and identity, and that session affinity must be explicitly configured on the Service, not assumed from Ingress or LoadBalancer alone.

How to eliminate wrong answers

Option A is wrong because a Deployment with ClusterIP Service and Ingress does not guarantee stable pod identities or persistent storage per pod; Deployments treat pods as ephemeral, and Ingress alone cannot enforce session affinity at the pod level. Option B is wrong because a Job is designed for batch processing and terminates after completion, making it unsuitable for a long-running application requiring persistent storage and session affinity; a LoadBalancer Service also does not provide stable pod identities. Option C is wrong because a DaemonSet runs one pod per node, which does not provide the ordered, stable pod identities needed for persistent storage and session affinity; NodePort Service exposes pods on a static port per node but does not ensure session stickiness or stable storage.

17
MCQhard

Which of the following is a resiliency pattern that limits the number of concurrent requests to a service to prevent overload?

A.Retry
B.Timeout
C.Bulkhead
D.Circuit breaker
AnswerC

Bulkhead pattern isolates different parts of a system into separate pools to prevent failure propagation and limit concurrency.

Why this answer

Bulkhead isolates resources into pools (e.g., thread pools) so that a failure in one pool does not cascade. Circuit breaker stops calls after failures, retry repeats failed calls, and timeout limits wait time.

18
MCQeasy

Which CNCF project is classified as a 'graduated' project?

A.Linkerd
B.Kubernetes
C.Knative
D.ArgoCD
AnswerB

Kubernetes was the first graduated project and is a core CNCF project.

Why this answer

Prometheus is a graduated CNCF project, indicating it has reached a high level of maturity and adoption.

19
Multi-Selecthard

Which THREE are typical characteristics of a cloud-native application?

Select 3 answers
A.Long startup times due to heavy initialization
B.Vulnerable to cascading failures
C.Packaged as lightweight containers
D.Designed for horizontal scaling
E.Built using microservices architecture
AnswersC, D, E

Containers are standard.

Why this answer

Option C is correct because cloud-native applications are typically packaged as lightweight containers (e.g., Docker) that encapsulate the application and its dependencies, enabling fast startup, portability, and efficient resource utilization. Containers share the host OS kernel and have minimal overhead compared to virtual machines, which aligns with the cloud-native principle of agility and scalability.

Exam trap

CNCF often tests the misconception that cloud-native apps are just 'apps in the cloud' rather than specifically requiring containerization, microservices, and horizontal scaling; candidates may mistakenly associate long startup times or fragility with cloud-native, when those are anti-patterns.

20
MCQhard

You are implementing an API gateway pattern for a set of microservices. Which of the following is a typical responsibility of an API gateway?

A.Managing container lifecycle and scaling
B.Directly accessing databases to serve requests
C.Storing application state and session data
D.Enforcing authentication and rate limiting
AnswerD

These are common gateway responsibilities.

Why this answer

An API gateway handles cross-cutting concerns like authentication, rate limiting, routing, and aggregation. Direct database access (A) is an antipattern, managing container orchestration (C) is Kubernetes' job, and storing application state (D) is not a gateway function.

21
MCQhard

A team is designing a cloud-native system that must maintain high availability across multiple cloud regions. The application uses Kubernetes clusters in each region. Which approach best ensures that the system can tolerate a full region failure while minimizing complexity?

A.Deploy a single Kubernetes cluster spanning all regions
B.Use a global load balancer with active-passive regional failover
C.Run active-active in all regions with synchronous data replication
D.Implement manual failover procedures documented in runbooks
AnswerB

Simpler to implement and manage while ensuring failover.

Why this answer

Option B is correct because a global load balancer with active-passive regional failover provides a straightforward way to route traffic to a healthy secondary region when the primary fails, without the complexity of multi-region Kubernetes control planes or synchronous replication. This approach leverages DNS-based or anycast routing to detect region failure and redirect traffic, ensuring high availability while keeping the operational overhead low.

Exam trap

CNCF often tests the misconception that active-active with synchronous replication is always the best for high availability, but the trap here is that it introduces unnecessary complexity and cost for most use cases, while active-passive with a global load balancer offers a simpler, production-proven alternative for tolerating region failures.

How to eliminate wrong answers

Option A is wrong because a single Kubernetes cluster spanning multiple regions introduces significant latency, network partitioning risks, and control plane complexity, as Kubernetes is not designed for跨区域 single clusters and would violate the recommended failure domain boundaries. Option C is wrong because active-active with synchronous data replication across regions adds substantial latency, cost, and complexity, and is typically unnecessary for most applications; it also requires careful handling of conflict resolution and network reliability. Option D is wrong because manual failover procedures are slow, error-prone, and cannot meet the high availability requirements of a cloud-native system that must tolerate a full region failure automatically.

22
Multi-Selecteasy

Which TWO of the following are CNCF graduated projects? (Choose two.)

Select 2 answers
A.Helm
B.Linkerd
C.Kubernetes
D.ArgoCD
E.Prometheus
AnswersC, E

Kubernetes is a CNCF graduated project.

Why this answer

Kubernetes and Prometheus are both graduated CNCF projects. Containerd is also graduated, but since we have only two choices, Kubernetes and Prometheus are correct. Etcd is graduated as well, but not listed.

Linkerd is incubating, and Envoy is graduated but not listed. Actually, Envoy is graduated; but options here are Kubernetes, Prometheus, Linkerd, ArgoCD, and Helm. ArgoCD is graduated as of 2022, but Prometheus and Kubernetes are also graduated.

However, the question asks for two, and both Kubernetes and Prometheus are graduated. Linkerd is still incubating. ArgoCD is graduated (as of Dec 2022).

Helm is graduated. Actually, let's check: Helm is graduated (since 2020). So there are multiple.

To be safe, we'll choose the most well-known: Kubernetes and Prometheus.

23
MCQhard

In Istio, which component is responsible for enforcing traffic policies and collecting telemetry data at the pod level?

A.Mixer
B.Envoy proxy
C.Pilot
D.Citadel
AnswerB

Envoy runs as a sidecar and handles data-plane tasks.

Why this answer

Envoy proxy is the correct answer because in Istio, each pod is deployed with an Envoy sidecar proxy that intercepts all inbound and outbound traffic. This proxy enforces traffic policies (e.g., routing rules, fault injection, rate limiting) and collects telemetry data (e.g., metrics, logs, traces) at the pod level, sending it to the observability backends. The sidecar model ensures policy enforcement and telemetry collection happen without modifying the application code.

Exam trap

CNCF often tests the misconception that Mixer is still the primary policy enforcement and telemetry component, but the trap here is that Mixer was deprecated and removed; candidates who haven't kept up with Istio's evolution may incorrectly select Mixer (Option A) instead of recognizing that Envoy now handles both roles via in-proxy extensions.

How to eliminate wrong answers

Option A is wrong because Mixer was a separate Istio component responsible for access control and telemetry preprocessing, but it was deprecated in Istio 1.5 and removed in later versions; telemetry and policy enforcement are now handled directly by Envoy proxies via WebAssembly extensions and the Telemetry API. Option C is wrong because Pilot is the control plane component that translates high-level traffic rules into Envoy configuration (e.g., xDS APIs) and distributes them to proxies, but it does not enforce policies or collect telemetry at the pod level. Option D is wrong because Citadel is the security component that manages certificate issuance and mTLS key rotation (using SPIFFE identities), but it does not handle traffic policy enforcement or telemetry collection.

24
MCQhard

In a microservices application, you want to prevent cascading failures by limiting the number of concurrent requests to a downstream service. Which resilience pattern should you implement?

A.Circuit breaker
B.Timeout pattern
C.Bulkhead pattern
D.Retry pattern
AnswerC

Bulkhead pattern partitions resources to prevent a single service from exhausting all resources.

Why this answer

The bulkhead pattern isolates resources into separate pools (e.g., thread pools) to limit the impact of a failure in one service on others.

25
Matchingmedium

Match each Kubernetes object to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Ensures a copy of a pod runs on all or selected nodes

Manages stateful applications with unique network identities

Runs a finite task to completion

Runs jobs on a time-based schedule

Automatically scales pod replicas based on CPU/memory metrics

Why these pairings

Each workload resource addresses specific operational requirements.

26
MCQeasy

Which service mesh component is typically deployed as a sidecar proxy alongside application containers?

A.Kiali
B.Istiod
C.Prometheus
D.Envoy proxy
AnswerD

Envoy is often deployed as a sidecar to intercept traffic.

Why this answer

Envoy proxy is the most common sidecar proxy in service meshes like Istio and Linkerd. Istiod is the control plane component, Kiali is a visualization tool, and Prometheus is a monitoring system.

27
MCQmedium

Which service mesh provides built-in support for multi-cluster and multi-cloud deployments?

A.Kuma
B.Consul Connect
C.Istio
D.Linkerd
AnswerC

Why this answer

Istio is correct because it provides native support for multi-cluster and multi-cloud deployments through its mesh federation capabilities, including features like multi-primary and primary-remote cluster models, as well as east-west gateways for cross-cluster traffic. It leverages Envoy proxies and a unified control plane to enable service discovery, traffic management, and security across clusters, making it the only option among the listed that offers built-in, production-ready multi-cluster support.

Exam trap

CNCF often tests the misconception that all service meshes have equal multi-cluster support, leading candidates to pick Linkerd for its simplicity or Consul for its multi-datacenter reputation, but Istio is the only one with built-in, comprehensive multi-cloud and multi-cluster capabilities as a core feature.

How to eliminate wrong answers

Option A is wrong because Kuma, while supporting multi-zone deployments, is built on Envoy and primarily focuses on service mesh for Kubernetes and VMs with a simpler architecture, but it lacks the mature, built-in multi-cluster and multi-cloud features that Istio provides out-of-the-box, such as native federation and cross-cluster load balancing. Option B is wrong because Consul Connect (part of HashiCorp Consul) supports multi-datacenter deployments but is not a dedicated service mesh; it relies on Consul's service discovery and intentions for security, and its multi-cluster capabilities are more about datacenter replication rather than the seamless multi-cloud service mesh integration that Istio offers. Option D is wrong because Linkerd, while lightweight and simple, does not have built-in multi-cluster support; it requires additional tools or manual configuration for cross-cluster communication, and its focus is on single-cluster performance and simplicity, not multi-cloud deployments.

28
MCQmedium

What is the primary benefit of using an API gateway in a microservices architecture?

A.It provides a single entry point for client requests and handles cross-cutting concerns
B.It replaces the need for service meshes
C.It stores application state
D.It performs service-to-service communication
AnswerA

The gateway abstracts the backend services and provides centralized management.

Why this answer

An API gateway acts as a single entry point for clients, providing request routing, composition, and cross-cutting concerns like authentication and rate limiting.

29
MCQmedium

A company wants to adopt a GitOps workflow for managing their Kubernetes clusters. Which two tools are specifically designed for implementing GitOps on Kubernetes?

A.Flux
B.ArgoCD
C.Terraform
D.Jenkins
E.Helm
AnswerA, B

Flux is a CNCF incubating project for GitOps.

Why this answer

ArgoCD and Flux are both CNCF projects that implement GitOps principles, synchronizing cluster state with a Git repository. Helm is a package manager, Terraform is for infrastructure provisioning (not strictly GitOps for Kubernetes), and Jenkins is a CI/CD tool that can be used with GitOps but is not purpose-built for it.

30
MCQmedium

In a multi-cloud scenario, an organization wants to avoid vendor lock-in by abstracting infrastructure provisioning. Which tool is specifically designed to manage infrastructure as code across multiple cloud providers?

A.Helm
B.Istio
C.Terraform
D.ArgoCD
AnswerC

Terraform is a multi-cloud infrastructure-as-code tool that provisions resources across providers.

Why this answer

Terraform is an infrastructure-as-code tool that supports multiple cloud providers (AWS, Azure, GCP, etc.) with a declarative configuration language. Pulumi also supports multiple clouds but is less widely adopted in the CNCF ecosystem.

31
MCQeasy

Which CNCF project is a graduated project for service discovery and configuration management?

A.Prometheus
B.Fluentd
C.Envoy
D.Consul
AnswerD

Consul provides service discovery and configuration.

Why this answer

Consul is a CNCF graduated project that provides service discovery and configuration management.

32
Multi-Selecthard

Which THREE of the following are components of the GitOps workflow? (Choose three.)

Select 3 answers
A.A CI/CD pipeline that validates changes before merging
B.A configuration management database (CMDB)
C.A Git repository containing declarative configuration
D.A manual approval process for every change
E.An operator (e.g., ArgoCD) that syncs the cluster state with Git
AnswersA, C, E

CI/CD ensures changes are correct before applying.

Why this answer

GitOps relies on a Git repository as single source of truth, a CI/CD pipeline to validate changes, and an operator to sync the cluster.

33
MCQhard

A team wants to deploy a multi-cloud application that uses cloud-specific services. Which pattern is most appropriate?

A.Single-cloud vendor lock-in to reduce complexity
B.Manually managing each cloud separately without automation
C.Only using serverless functions from one provider
D.Using cloud-agnostic abstractions and infrastructure as code across providers
AnswerD

Tools like Terraform and Kubernetes enable portability across clouds.

Why this answer

Option D is correct because using cloud-agnostic abstractions (e.g., Kubernetes for container orchestration, Terraform for infrastructure as code) allows the team to deploy across multiple clouds while still integrating cloud-specific services via provider-agnostic interfaces or abstraction layers. This pattern reduces vendor lock-in, enables consistent deployment workflows, and supports portability without sacrificing the ability to use unique services from each cloud provider.

Exam trap

The trap here is that candidates may think 'cloud-agnostic' means avoiding all cloud-specific services, but the correct pattern allows using them through abstraction layers, not eliminating them entirely.

How to eliminate wrong answers

Option A is wrong because single-cloud vendor lock-in contradicts the requirement for a multi-cloud application; it increases dependency on one provider and reduces flexibility. Option B is wrong because manually managing each cloud separately without automation introduces high operational overhead, configuration drift, and inconsistent deployments, which is inefficient and error-prone for multi-cloud scenarios. Option C is wrong because only using serverless functions from one provider still results in vendor lock-in and does not address the need to use cloud-specific services across multiple providers in a multi-cloud architecture.

34
MCQhard

In the context of resiliency patterns, which pattern is designed to prevent a cascade of failures by isolating each component so that a failure in one component does not affect others?

A.Retry
B.Circuit breaker
C.Timeout
D.Bulkhead
AnswerD

Bulkhead isolates components into separate pools so that a failure in one does not affect others.

Why this answer

The bulkhead pattern isolates resources (e.g., thread pools, connections) so that a failure in one part of the system doesn't bring down other parts. Circuit breaker is for handling failures of external calls, not isolation.

35
MCQhard

An application is deployed across multiple cloud providers (AWS and GCP) to avoid vendor lock-in. This is an example of which pattern?

A.Public cloud
B.Federated cloud
C.Hybrid cloud
D.Multi-cloud
AnswerD

Multi-cloud involves using multiple public cloud providers.

Why this answer

Multi-cloud refers to using services from multiple cloud providers simultaneously.

36
Multi-Selecthard

Which TWO of the following are features of a service mesh like Istio or Linkerd? (Select 2)

Select 2 answers
A.Container image building
B.Traffic management (routing, load balancing)
C.Observability (metrics, tracing, logs)
D.Service discovery
E.Auto-scaling of services
AnswersB, C

Service mesh enables fine-grained traffic management.

Why this answer

Service mesh provides observability (metrics, tracing, logs) and traffic management (routing, load balancing). Auto-scaling is not a service mesh feature; it's handled by Kubernetes HPA or Knative. Service discovery is also not a direct feature of service mesh; it's typically provided by Kubernetes DNS.

37
MCQhard

Which of the following patterns is used to improve resilience by isolating failures to a subset of components?

A.Timeout
B.Retry
C.Circuit breaker
D.Bulkhead
AnswerD

Why this answer

The Bulkhead pattern (D) is correct because it isolates failures by partitioning resources (e.g., thread pools, connections) into separate pools for different components or services. This prevents a failure in one component from exhausting shared resources and cascading to others, directly improving resilience by containing the blast radius.

Exam trap

CNCF often tests the distinction between patterns that prevent cascading failures (Bulkhead) versus patterns that handle transient failures (Retry/Timeout) or protect against repeated failures (Circuit Breaker), leading candidates to confuse the goal of isolation with failure detection or recovery.

How to eliminate wrong answers

Option A is wrong because Timeout is a pattern that limits the wait time for a response, preventing indefinite hangs, but it does not isolate failures to a subset of components—it only terminates slow operations. Option B is wrong because Retry is a pattern that automatically reattempts a failed operation, which can help with transient failures but does not isolate failures; in fact, it can exacerbate resource exhaustion if not combined with other patterns. Option C is wrong because Circuit Breaker is a pattern that monitors for failures and stops requests to a failing service to allow recovery, but it does not isolate failures to a subset of components—it protects callers from a failing dependency, not partition resources across components.

38
Multi-Selecthard

Which TWO of the following are characteristics of serverless computing?

Select 2 answers
A.Manual server provisioning
B.Long-running processes
C.Event-driven execution
D.Auto-scaling to zero when not in use
E.Reserved capacity for predictable workloads
AnswersC, D

Functions are triggered by events.

Why this answer

Serverless computing is event-driven and auto-scales to zero when idle. Long-running processes are not suitable, and you do not manage the underlying servers. Reserved capacity is a concept for traditional cloud.

39
MCQhard

An application deployed on Kubernetes is experiencing intermittent failures due to network latency. Which resiliency pattern should be implemented to gracefully handle such failures?

A.Circuit breaker
B.Bulkhead
C.Retry
D.Timeout
AnswerC

Retry pattern handles transient failures by reattempting the operation after a delay.

Why this answer

Retry pattern automatically retries failed operations, which is appropriate for transient failures like network latency. Circuit breaker prevents repeated calls to a failing service. Timeout sets a maximum wait.

Bulkhead isolates resources.

40
MCQmedium

In GitOps, what is the role of a tool like ArgoCD?

A.To automatically apply changes from a Git repository to a Kubernetes cluster
B.To monitor application performance
C.To create Docker images from source code
D.To manage container registries
AnswerA

ArgoCD is a GitOps operator that ensures the cluster matches the Git repo.

Why this answer

ArgoCD synchronizes the cluster state with the desired state defined in a Git repository.

41
MCQeasy

A cloud-native application is designed with multiple microservices that need to handle a sudden spike in traffic without manual intervention. Which Kubernetes feature best enables this?

A.VerticalPodAutoscaler
B.Cluster Autoscaler
C.HorizontalPodAutoscaler
D.PodDisruptionBudget
AnswerC

Automatically scales pod replicas based on CPU/memory or custom metrics.

Why this answer

The HorizontalPodAutoscaler (HPA) automatically scales the number of pod replicas in a deployment based on observed CPU/memory utilization or custom metrics. This directly addresses the need to handle a sudden traffic spike without manual intervention by adding more pod instances to distribute the load.

Exam trap

CNCF often tests the distinction between scaling pods (HPA) versus scaling nodes (Cluster Autoscaler) versus scaling pod resources (VPA), and the trap here is that candidates confuse 'scaling the application' with 'scaling the cluster infrastructure'.

How to eliminate wrong answers

Option A is wrong because VerticalPodAutoscaler (VPA) adjusts resource requests and limits (CPU/memory) of existing pods, not the number of replicas, so it cannot handle a traffic spike by increasing capacity. Option B is wrong because Cluster Autoscaler adds or removes worker nodes to the cluster, not pods; it works at the infrastructure layer and does not directly scale the application itself. Option D is wrong because PodDisruptionBudget (PDB) limits the number of voluntary disruptions (e.g., node drains) to maintain availability, but it does not scale pods up or down in response to traffic changes.

42
MCQmedium

An application requires external configuration that varies between environments (dev, staging, prod). Following the 12-factor app methodology, how should this configuration be provided?

A.Use environment variables
B.Store configuration in a config file that is version-controlled
C.Use a centralized database for configuration
D.Hard-code the configuration in the application code
AnswerA

12-factor apps store configuration in environment variables to keep it separate from code.

Why this answer

The 12-factor app methodology recommends storing configuration in environment variables to keep it separate from code and vary per deploy.

43
Multi-Selecthard

Which THREE of the following are features provided by a service mesh like Istio? (Select THREE.)

Select 3 answers
A.Container image building
B.Traffic routing and load balancing
C.Observability including metrics and distributed tracing
D.Security through mTLS and access policies
E.Database schema migrations
AnswersB, C, D

Service mesh can route traffic based on rules.

Why this answer

Service mesh provides traffic management (routing), observability (metrics, tracing), and security (mTLS, policies).

44
Multi-Selectmedium

Which TWO of the following are core principles of cloud native architecture according to the CNCF?

Select 2 answers
A.Static scaling based on predefined thresholds
B.Microservices architecture
C.Dynamic orchestration
D.Manual infrastructure management
E.Monolithic deployment
AnswersB, C

Microservices decompose applications into small, independent services, a core cloud native principle.

Why this answer

Options A and D are correct. Microservices architecture and dynamic orchestration are fundamental cloud native principles. Option B (monolithic deployment) is antithetical to cloud native.

Option C (manual infrastructure management) contradicts automation. Option E (static scaling) is not a principle; cloud native emphasizes dynamic scaling.

45
MCQmedium

A development team wants to implement a GitOps workflow for their Kubernetes deployments. Which tool is specifically designed for GitOps on Kubernetes?

A.ArgoCD
B.Helm
C.Jenkins
D.Terraform
AnswerA

Why this answer

ArgoCD is a declarative GitOps tool built specifically for Kubernetes.

46
MCQeasy

What is the role of an API gateway in a microservices architecture?

A.To schedule pods on nodes
B.To store application configuration
C.To monitor container resource usage
D.To provide a single entry point for external clients to access multiple backend services
AnswerD

The API gateway routes requests to appropriate microservices and can aggregate responses.

Why this answer

An API gateway acts as a single entry point for client requests, handling routing, authentication, rate limiting, and other cross-cutting concerns.

47
MCQeasy

A development team is containerizing a monolithic application into microservices. Which practice aligns with cloud-native architecture principles?

A.Use a shared database for all microservices to ensure data consistency.
B.Use JSON Web Tokens for authentication between microservices in the same cluster.
C.Design each microservice with its own data store and communicate via APIs.
D.Ensure all microservices have identical resource requests and limits.
AnswerC

Each microservice owning its data store enables independent scaling and evolution.

Why this answer

Option C is correct because cloud-native architecture principles advocate for decentralized data management, where each microservice owns its private data store and exposes functionality via well-defined APIs. This ensures loose coupling, independent scalability, and resilience, as services can evolve without impacting others. The pattern aligns with the Database per Service pattern, a core tenet of microservices design.

Exam trap

CNCF often tests the misconception that 'shared data ensures consistency' (Option A) or that 'identical resource limits simplify management' (Option D), while the correct answer emphasizes data autonomy and API-based communication as the hallmark of cloud-native design.

How to eliminate wrong answers

Option A is wrong because a shared database creates tight coupling between microservices, violating the principle of bounded contexts and making independent deployments and scaling impossible; it also introduces a single point of failure and contention. Option B is wrong because JSON Web Tokens (JWTs) are used for stateless authentication between services, but within the same cluster, internal service-to-service communication should leverage mutual TLS (mTLS) or a service mesh (e.g., Istio) for stronger security, not rely on JWT alone which can be intercepted without transport encryption. Option D is wrong because requiring identical resource requests and limits for all microservices ignores the fact that different services have distinct resource profiles (e.g., CPU-intensive vs. memory-intensive), leading to inefficient cluster utilization and potential throttling or waste.

48
MCQhard

A cloud-native application experiences periodic timeouts when calling a downstream service. The downstream service is running in the same Kubernetes cluster. Which design pattern should be implemented to handle this gracefully?

A.Circuit breaker pattern
B.Bulkhead pattern
C.Retry with exponential backoff
D.Health check endpoint
AnswerA

Prevents cascading failures.

Why this answer

The Circuit Breaker pattern is correct because it prevents cascading failures by monitoring for failures and, once a threshold is exceeded (e.g., 5 consecutive timeouts), it opens the circuit and immediately fails fast without waiting for the downstream service. This allows the application to handle periodic timeouts gracefully by avoiding wasted resources and providing a fallback response, which is critical for cloud-native resilience in Kubernetes.

Exam trap

CNCF often tests the distinction between 'handling' a failure (Circuit Breaker) and 'preventing' a failure (Bulkhead), so candidates mistakenly choose Bulkhead when the question asks for graceful handling of timeouts rather than resource isolation.

How to eliminate wrong answers

Option B (Bulkhead pattern) is wrong because it isolates resources (e.g., thread pools) to prevent one failing component from exhausting shared resources, but it does not address handling periodic timeouts from a downstream service; it focuses on fault isolation, not failure response. Option C (Retry with exponential backoff) is wrong because while it can help with transient failures, periodic timeouts suggest a persistent or overloaded downstream service, and retries can exacerbate the problem by adding load and delaying failure detection. Option D (Health check endpoint) is wrong because it only provides a way to probe the service's liveness or readiness (e.g., via Kubernetes probes), but it does not handle the timeout scenario itself; it is a detection mechanism, not a graceful handling pattern.

49
MCQeasy

Which of the following is a graduated CNCF project?

A.Prometheus
B.Flux
C.Linkerd
D.ArgoCD
AnswerA

Why this answer

Prometheus is a graduated CNCF project, having reached the graduation maturity level in August 2018. The CNCF graduation criteria require projects to demonstrate adoption, governance maturity, and long-term stability, which Prometheus meets as a core monitoring and alerting toolkit widely used in cloud-native environments.

Exam trap

CNCF often tests the distinction between CNCF project maturity levels, and the trap here is that candidates may assume any popular or widely used project (like Flux or ArgoCD) is graduated, when in fact they are still at the incubating stage.

How to eliminate wrong answers

Option B (Flux) is wrong because Flux is a CNCF incubating project, not graduated; it is a GitOps tool for continuous delivery but has not yet reached the graduation stage. Option C (Linkerd) is wrong because Linkerd is also an incubating CNCF project, serving as a service mesh, and has not graduated. Option D (ArgoCD) is wrong because ArgoCD is an incubating CNCF project, focused on declarative GitOps for Kubernetes, and has not achieved graduated status.

50
MCQmedium

A team is designing a cloud-native application that requires each microservice to have its own database. This pattern is known as:

A.Saga pattern
B.Database-per-service pattern
C.Shared database pattern
D.CQRS pattern
AnswerB

Each service has its own private database.

Why this answer

The Database-per-service pattern is the correct answer because it ensures each microservice owns and manages its own database, enforcing loose coupling and data encapsulation. This aligns with the cloud-native principle of decentralized data management, where services communicate only via APIs and never access each other's databases directly. It prevents tight coupling at the data layer, which is critical for independent scaling, deployment, and resilience in a microservices architecture.

Exam trap

CNCF often tests the misconception that the Saga pattern defines database ownership, when in fact it is a transaction coordination pattern, not a data isolation strategy.

How to eliminate wrong answers

Option A is wrong because the Saga pattern is a distributed transaction management pattern used to maintain data consistency across multiple services, not a database ownership model. Option C is wrong because the Shared database pattern contradicts the requirement for each microservice to have its own database, as it forces all services to access a single database, creating tight coupling and single points of failure. Option D is wrong because CQRS (Command Query Responsibility Segregation) is a pattern that separates read and write operations into different models or databases, but it does not define per-service database ownership.

51
Multi-Selectmedium

Which THREE of the following are core principles of cloud native computing as defined by the CNCF? (Select 3)

Select 3 answers
A.Dynamic orchestration
B.Waterfall development
C.Monolithic architecture
D.Microservices
E.Containers
AnswersA, D, E

Dynamic orchestration (e.g., Kubernetes) is a core principle.

Why this answer

The CNCF defines cloud native as using microservices, containers, dynamic orchestration, and DevOps. The three correct options are microservices, containers, and dynamic orchestration. DevOps is also a principle, but the question asks for three; the other options are not core principles.

52
Multi-Selectmedium

Which TWO are benefits of using a service mesh? (Choose two.)

Select 2 answers
A.Observability of service-to-service communication
B.Automatic database scaling
C.Traffic management (e.g., canary deployments)
D.Container image building
E.Load balancing of external requests
AnswersA, C

Service mesh collects metrics and traces for inter-service calls.

Why this answer

Service mesh provides observability (e.g., metrics, tracing) and traffic management (e.g., routing, retries) between services.

53
MCQeasy

Which of the following best describes the purpose of the CNCF (Cloud Native Computing Foundation)?

A.To develop proprietary cloud native software
B.To define the 12-factor app methodology
C.To host and promote open source cloud native projects
D.To provide certification exams for Kubernetes administrators
AnswerC

Why this answer

The CNCF's mission is to make cloud native computing ubiquitous by fostering and sustaining open source projects.

54
MCQhard

A cloud-native application experiences intermittent failures when calling an external API. The team implements a pattern that allows the application to temporarily stop calling the failing API and serve stale data or a fallback response. Which resiliency pattern does this describe?

A.Circuit Breaker pattern
B.Retry pattern
C.Bulkhead pattern
D.Timeout pattern
AnswerA

The circuit breaker opens to stop calls and allows fallback.

Why this answer

The circuit breaker pattern prevents repeated calls to a failing service, allowing the system to degrade gracefully.

55
MCQhard

An organization wants to manage infrastructure across multiple cloud providers using a single declarative configuration language. Which tool is best suited for this requirement?

A.Kustomize
B.Helm
C.Terraform
D.Pulumi
AnswerD

Pulumi supports multi-cloud and allows infrastructure as code using TypeScript, Python, Go, etc.

Why this answer

Pulumi supports multiple clouds and allows infrastructure definition using general-purpose programming languages, enabling multi-cloud management with a single tool.

56
MCQeasy

Which of the following is a core principle of cloud native architecture as defined by the CNCF?

A.Monolithic application design
B.Manual scaling of applications
C.Static infrastructure provisioning
D.Microservices packaged in containers
AnswerD

Microservices in containers are a key cloud native principle.

Why this answer

The CNCF defines cloud native architecture as using microservices, containers, dynamic orchestration, and DevOps.

57
MCQeasy

Which GitOps tool is specifically designed for Kubernetes and follows the declarative GitOps pattern, continuously reconciling the desired state from a Git repository?

A.ArgoCD
B.Helm
C.Terraform
D.Jenkins
AnswerA

ArgoCD is purpose-built for GitOps on Kubernetes.

Why this answer

ArgoCD is a declarative GitOps continuous delivery tool for Kubernetes that syncs application state with a Git repository.

58
MCQmedium

A development team wants to deploy a serverless function that triggers when a file is uploaded to an S3 bucket. Which cloud native technology is most appropriate for this scenario?

A.AWS Lambda
B.Helm
C.Knative
D.Istio
AnswerC

Knative is a CNCF incubating project that provides serverless capabilities on Kubernetes, including event-driven functions.

Why this answer

Knative is a Kubernetes-based platform to build, deploy, and manage serverless workloads, including event-driven functions. AWS Lambda is a proprietary service, not a cloud native project.

59
Multi-Selectmedium

Which TWO of the following are key characteristics of cloud-native applications? (Select two.)

Select 2 answers
A.Monolithic architecture
B.Microservices architecture
C.Containerized deployment
D.Manual scaling
E.Long-lived virtual machines
AnswersB, C

Microservices are a core pattern in cloud-native.

Why this answer

Cloud-native applications are designed as microservices and use containers for deployment, enabling scalability and resilience.

60
Multi-Selectmedium

Which THREE are core principles of the Twelve-Factor App methodology?

Select 3 answers
A.Store config in codebase for traceability
B.Explicitly declare and isolate dependencies
C.Tight coupling to backing services
D.Treat logs as event streams
E.One codebase tracked in revision control, many deploys
AnswersB, D, E

Dependencies declared in manifest.

Why this answer

Option B is correct because the Twelve-Factor App methodology mandates that dependencies must be explicitly declared and isolated via a dependency declaration manifest (e.g., Gemfile, package.json, requirements.txt) and a dependency isolation tool (e.g., Bundler, npm, pip). This ensures that the application never implicitly depends on system-wide packages, eliminating 'it works on my machine' issues and guaranteeing consistent behavior across all environments.

Exam trap

CNCF often tests the misconception that storing configuration in the codebase provides traceability, but the Twelve-Factor App explicitly forbids this to maintain strict separation of config from code and avoid accidental exposure of secrets.

61
MCQmedium

What is the primary function of a service mesh like Istio?

A.To build container images
B.To handle inter-service communication with features like traffic control and security
C.To manage container orchestration
D.To provide persistent storage for stateful applications
AnswerB

Service mesh adds a dedicated infrastructure layer for managing service-to-service communication.

Why this answer

A service mesh provides observability, traffic management, and security for microservices communication.

62
MCQeasy

An organization wants to adopt a cloud-native approach for its new application. Which characteristic is most important for the application to be considered cloud-native?

A.It stores all state in local files on the container filesystem.
B.It is designed to be resilient, scalable, and manageable in a dynamic environment.
C.It runs as a single monolithic process for simplicity.
D.It is deployed exclusively on on-premises infrastructure.
AnswerB

Resilience, scalability, and manageability are core cloud-native characteristics.

Why this answer

Option B is correct because cloud-native applications are fundamentally defined by their ability to operate in dynamic, distributed environments. They leverage principles like microservices, containerization, and orchestration (e.g., Kubernetes) to achieve resilience, scalability, and manageability. This characteristic is the core tenet of cloud-native architecture as defined by the CNCF, enabling the app to handle failures gracefully and scale on demand.

Exam trap

CNCF often tests the misconception that cloud-native simply means 'running in containers' or 'using Kubernetes,' but the defining characteristic is the architectural property of being resilient, scalable, and manageable in a dynamic environment, not the deployment technology itself.

How to eliminate wrong answers

Option A is wrong because storing state in local container filesystems violates the cloud-native principle of statelessness; containers are ephemeral, and local state is lost on restart, making the application non-resilient and unscalable. Option C is wrong because a monolithic process contradicts the cloud-native preference for microservices, which allow independent scaling, deployment, and fault isolation; monoliths become bottlenecks in dynamic environments. Option D is wrong because cloud-native applications are designed to be infrastructure-agnostic and typically run in multi-cloud or hybrid environments, not exclusively on-premises; being tied to on-premises infrastructure limits portability and cloud benefits.

63
Multi-Selecthard

Which THREE of the following are benefits of using an event-driven architecture? (Choose three.)

Select 3 answers
A.Simpler debugging and tracing
B.Better resilience through decoupled components
C.Improved scalability through asynchronous processing
D.Reduced need for monitoring
E.Loose coupling between services
AnswersB, C, E

Failure in one component does not directly affect others.

Why this answer

Event-driven architecture enables loose coupling, scalability, and asynchronous processing.

64
MCQmedium

Which of the following is a key principle of the 12-factor app methodology?

A.Treat logs as event streams
B.Bind services at build time
C.Use local disk storage for persistence
D.Store configuration in the codebase
AnswerA

Logs should be emitted as event streams and not be concerned with routing or storage.

Why this answer

The 12-factor app includes the principle of treating logs as event streams, not as files.

65
MCQhard

Which of the following is a benefit of using an API gateway pattern?

A.It reduces the number of microservices needed
B.It replaces the need for a service mesh
C.It provides a single entry point for clients and handles cross-cutting concerns
D.It stores application state
AnswerC

API gateway centralizes routing, auth, rate limiting, etc.

Why this answer

API gateway can offload cross-cutting concerns like authentication from individual microservices.

66
MCQhard

A cloud-native application uses a service mesh (Istio) for traffic management. The team notices increased latency in inter-service communication. Which likely cause should be investigated first?

A.Kubernetes Network Policies blocking traffic
B.Misconfigured sidecar proxy settings
C.Application code is not optimized for the mesh
D.mTLS encryption overhead
AnswerB

Can cause significant latency.

Why this answer

In Istio, the sidecar proxy (Envoy) intercepts all inbound and outbound traffic for the application container. Misconfigured proxy settings—such as incorrect timeouts, retry policies, or circuit breaker thresholds—can introduce significant latency by causing unnecessary retries, connection delays, or queueing. This is the most common and immediate cause of increased latency in a service mesh, as the data plane is directly in the request path.

Exam trap

CNCF often tests the misconception that mTLS encryption is a major source of latency, but in practice its overhead is negligible compared to misconfigured proxy settings that directly impact request handling.

How to eliminate wrong answers

Option A is wrong because Kubernetes Network Policies operate at the IP/port level and would block traffic entirely rather than cause increased latency; they do not introduce gradual performance degradation. Option C is wrong because application code optimization is a separate concern—the service mesh handles traffic management at the infrastructure layer, and unoptimized code would cause latency regardless of the mesh. Option D is wrong because mTLS encryption overhead in Istio is minimal (typically under 5% latency increase) and is a known, accepted cost of zero-trust security; it would not be the first suspect for a noticeable latency spike.

67
MCQmedium

What is the primary purpose of an API gateway in a microservices architecture?

A.To manage service-to-service communication within a cluster
B.To replace DNS for service discovery
C.To act as a single entry point for external clients
D.To directly connect databases to clients
AnswerC

Why this answer

An API gateway acts as a single entry point for clients, routing requests to appropriate microservices and providing cross-cutting concerns like authentication and rate limiting.

68
Multi-Selectmedium

Which TWO statements are true about cloud-native architecture?

Select 2 answers
A.Applications are typically monolithic for simplicity
B.Infrastructure is treated as immutable
C.Manual scaling is the default approach
D.Services can be scaled independently
E.Stateful components are preferred for performance
AnswersB, D

Immutable infrastructure provides consistency.

Why this answer

Option A is correct because microservices enable independent scaling. Option B is correct because immutable infrastructure ensures consistency. Option C is wrong because stateful components are not preferred.

Option D is wrong because manual scaling is not desired. Option E is wrong because monolithic is not cloud-native.

69
MCQeasy

Which CNCF project is primarily focused on providing a unified way to define and manage cloud-native applications using declarative configuration stored in Git?

A.Helm
B.ArgoCD
C.Prometheus
D.Envoy
AnswerB

ArgoCD is a declarative GitOps CD tool for Kubernetes that synchronizes application state with Git repositories.

Why this answer

GitOps uses Git as the single source of truth for declarative infrastructure and application configuration. ArgoCD is a CNCF graduated project that implements GitOps for Kubernetes. Flux is also a GitOps tool but ArgoCD is more widely recognized as the primary GitOps project.

70
Multi-Selecthard

Which TWO practices are recommended for designing cloud-native microservices? (Choose 2)

Select 2 answers
A.Share a common database schema across all services.
B.Store configuration in environment variables inside the container image.
C.Implement health check endpoints for each service.
D.Use synchronous HTTP calls for all inter-service communication.
E.Design services around business capabilities.
AnswersC, E

Health checks enable orchestration platforms to manage service lifecycle.

Why this answer

Option C is correct because health check endpoints (e.g., /healthz or /ready) are a fundamental pattern in cloud-native microservices. They allow orchestration platforms like Kubernetes to perform liveness and readiness probes, ensuring that traffic is only routed to healthy instances and that unhealthy pods are automatically restarted. This aligns with the cloud-native principle of designing for resilience and self-healing.

Exam trap

The trap here is that candidates often confuse 'configuration in environment variables' (which is acceptable when injected at runtime) with 'storing configuration inside the container image' (which is an anti-pattern), leading them to incorrectly select Option B.

71
MCQeasy

Which resource in Kubernetes is used to expose a set of pods as a network service?

A.Pod
B.Deployment
C.Service
D.Ingress
AnswerC

Provides stable IP and DNS name for pods.

Why this answer

Option C is correct because a Service in Kubernetes provides a stable network endpoint (IP address and DNS name) to expose a set of pods, which are ephemeral and can be replaced. Services use selectors to identify target pods and load-balance traffic across them, enabling reliable communication within or outside the cluster.

Exam trap

CNCF often tests the misconception that a Deployment can expose pods as a network service, but a Deployment only manages pod lifecycle and replicas, not network exposure.

How to eliminate wrong answers

Option A is wrong because a Pod is the smallest deployable unit in Kubernetes and has its own IP address, but it is ephemeral and cannot provide a stable network endpoint for a set of pods. Option B is wrong because a Deployment manages the desired state of replica sets and pods, but it does not expose them as a network service; it is a controller, not a networking abstraction. Option D is wrong because an Ingress is a higher-level resource that provides HTTP/HTTPS routing rules to Services, but it does not directly expose pods as a network service; it relies on a Service to do so.

72
MCQhard

In a serverless architecture using Knative, what happens when a function finishes processing an event and there are no pending events?

A.The function instance is automatically scaled down to zero replicas
B.The function instance is terminated and the container image is deleted
C.The function continues to run but stops listening for events
D.The function instance remains running for a configurable idle timeout
AnswerA

Knative supports auto-scaling to zero when there are no incoming requests.

Why this answer

Knative scales the function to zero replicas when idle, which is a key feature of serverless platforms.

73
MCQmedium

Which GitOps tool uses a pull-based approach to synchronize the desired state in a Git repository with the actual state in a Kubernetes cluster?

A.Flux
B.Terraform
C.Helm
D.ArgoCD
AnswerD

ArgoCD is a declarative, pull-based GitOps operator for Kubernetes.

Why this answer

ArgoCD is a popular GitOps tool that continuously monitors a Git repository and reconciles the cluster state with the desired state defined in the repo.

74
MCQmedium

A company wants to migrate its monolithic application to a cloud-native architecture on Kubernetes. The application currently uses a shared database and communicates via internal HTTP calls. Which design pattern should be applied first to increase resilience and enable independent scaling of components?

A.Adopt CQRS pattern to separate reads and writes
B.Use the strangler fig pattern to gradually replace monolith functionality
C.Implement database-per-service pattern
D.Deploy a sidecar container for each service
AnswerB

Allows incremental migration with minimal risk.

Why this answer

The strangler fig pattern is the correct first step because it allows the team to incrementally replace specific functionalities of the monolithic application with microservices without disrupting the existing system. This pattern routes requests to either the old monolith or new services, enabling gradual migration, independent scaling of extracted components, and improved resilience by isolating failures. It directly addresses the need to move from a shared-database, HTTP-calling monolith to a cloud-native architecture on Kubernetes.

Exam trap

CNCF often tests the misconception that you should immediately apply a database-per-service or CQRS pattern when migrating, but the strangler fig pattern is the foundational first step to safely decompose a monolith without a big-bang rewrite.

How to eliminate wrong answers

Option A is wrong because CQRS (Command Query Responsibility Segregation) is a pattern for separating read and write operations, typically used with event sourcing or complex query models; it does not address the gradual decomposition of a monolith or enable independent scaling of components during migration. Option C is wrong because implementing a database-per-service pattern prematurely would require breaking the shared database into multiple databases, which is a high-risk, all-at-once change that contradicts the gradual migration goal and can cause data consistency issues without first establishing service boundaries. Option D is wrong because deploying a sidecar container for each service is a deployment pattern for adding auxiliary functionality (e.g., logging, proxies) to a pod, but it does not help in decomposing the monolith or enabling independent scaling of components; it is an operational pattern applied after services are defined.

75
Multi-Selectmedium

Which TWO of the following are CNCF graduated projects? (Choose two.)

Select 2 answers
A.Helm
B.Linkerd
C.Knative
D.Envoy
E.Kubernetes
AnswersD, E

Envoy is a graduated CNCF project.

Why this answer

Kubernetes and Prometheus are graduated projects. Containerd is graduated, but not listed here. Etcd is graduated, but not listed.

CoreDNS is graduated, but not listed. Envoy is graduated. Knative is incubating.

Linkerd is incubating.

Page 1 of 3 · 170 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Cloud Native Architecture questions.