CCNA Kcna Cloud Native Arch Questions

74 of 170 questions · Page 2/3 · Kcna Cloud Native Arch topic · Answers revealed

76
MCQ (medium)

What is the purpose of the circuit breaker pattern in a microservices architecture?

A. To balance load across multiple instances
B. To handle authentication between services
C. To encrypt data in transit
D. To prevent a service from being overwhelmed by requests when it is failing
Answer: D

The circuit breaker pattern stops requests to a failing service, allowing it to recover.

Why this answer

Option D is correct because the circuit breaker pattern is a stability pattern that monitors for failures and prevents a service from making requests to a failing downstream service, allowing it to recover. When the failure rate exceeds a threshold (e.g., 50% of requests fail within a 10-second sliding window), the circuit 'opens' and subsequent calls fail immediately without consuming resources. This prevents cascading failures and resource exhaustion in distributed systems like Kubernetes or Spring Cloud.

Exam trap

CNCF often tests the distinction between 'preventing overload from a failing service' (circuit breaker) and 'distributing load across healthy instances' (load balancer), so candidates mistakenly pick load balancing when they see 'overwhelmed by requests' in the question.

How to eliminate wrong answers

Option A is wrong because load balancing distributes incoming traffic across healthy instances (e.g., via Round Robin or Least Connections), not preventing overload from a failing service. Option B is wrong because authentication between services is handled by mechanisms like OAuth2, JWT, or mTLS, not by the circuit breaker pattern. Option C is wrong because encrypting data in transit is achieved via TLS/SSL (e.g., HTTPS, gRPC with TLS), not by circuit breakers which operate at the application or network layer to manage fault tolerance.

77
MCQ (hard)

The exhibit shows pod status and logs. The web pod lmn34 has restarted 3 times. What is the root cause of the liveness probe failure?

A. The container is hitting a memory limit and being OOMKilled.
B. A network policy is blocking traffic to the database.
C. The database service is not reachable, causing the application to fail its health check.
D. The readiness probe is misconfigured and not allowing traffic.
Answer: C

The log indicates a database connection failure, and the liveness probe returns 503, causing restarts.

Why this answer

The liveness probe failure is caused by the database service being unreachable, which prevents the application from completing its health check. When the database is down or network connectivity is lost, the application's health endpoint returns a non-200 status code, causing Kubernetes to restart the container. The 3 restarts indicate repeated probe failures, and the logs show connection errors to the database, confirming this as the root cause.

Exam trap

CNCF often tests the distinction between liveness and readiness probes, where candidates confuse readiness probe misconfiguration (which only affects traffic routing) with liveness probe failures (which cause container restarts).

How to eliminate wrong answers

Option A is wrong because OOMKilled would show a container exit code of 137 and an 'OOMKilled' reason in pod status, not just restarts with probe failures. Option B is wrong because a network policy blocking traffic to the database would cause persistent connection failures, but the exhibit shows no evidence of network policy configuration or related errors. Option D is wrong because readiness probe misconfiguration affects traffic routing, not container restarts; liveness probe failures cause restarts, and readiness probe failures only remove the pod from service endpoints.

78
MCQ (hard)

A startup is designing a cloud-native application that processes IoT sensor data. The data arrives in bursts, and processing must be fault-tolerant with exactly-once semantics. The team considers Apache Kafka, RabbitMQ, and Amazon SQS. Which choice best meets the requirements of a cloud-native architecture?

A. Use Apache Kafka with idempotent producers and transactional APIs.
B. Use Amazon SQS with FIFO queues for ordering and deduplication.
C. Use RabbitMQ with publisher confirms and consumer acknowledgements.
D. Implement an HTTP endpoint that the IoT devices call directly.
Answer: A

Kafka's transactional support ensures exactly-once semantics, and its log-based architecture handles bursty data well.

Why this answer

Apache Kafka with idempotent producers and transactional APIs is the correct choice because it provides exactly-once semantics (EOS) for bursty IoT data in a cloud-native architecture. Kafka's transactional API ensures atomic writes across partitions, while idempotent producers prevent duplicate records from retries, meeting the fault-tolerance and exactly-once requirements. Kafka also scales horizontally and handles high-throughput bursts natively, aligning with cloud-native principles.

Exam trap

CNCF often tests the misconception that FIFO queues or publisher confirms provide exactly-once semantics, but they only guarantee at-least-once delivery with deduplication or ordering, not the atomic, idempotent write guarantees that Kafka's transactional API provides.

How to eliminate wrong answers

Option B is wrong because Amazon SQS FIFO queues offer at-least-once delivery with deduplication, not exactly-once semantics; deduplication relies on a 5-minute deduplication ID window, which can fail for bursty data with delayed retries. Option C is wrong because RabbitMQ with publisher confirms and consumer acknowledgements provides at-least-once delivery, not exactly-once; consumer acknowledgements can cause duplicate processing if the consumer crashes after processing but before acknowledging. Option D is wrong because an HTTP endpoint called directly by IoT devices is not fault-tolerant and cannot guarantee exactly-once semantics; HTTP is stateless and prone to duplicate requests from retries, with no built-in ordering or deduplication.

79
MCQ (medium)

In serverless computing, what is the primary characteristic of Function-as-a-Service (FaaS)?

A. Stateful execution
B. Always running instances
C. Auto-scaling to zero
D. Manual scaling
Answer: C

Why this answer

FaaS enables functions to scale automatically from zero based on demand, often event-driven.

80
MCQ (medium)

An organization wants to implement a serverless function that scales to zero when not in use. Which technology is specifically designed to achieve this on Kubernetes?

A. Knative
B. Prometheus
C. Istio
D. Kubernetes Horizontal Pod Autoscaler (HPA)
Answer: A

Knative Serving provides automatic scaling, including scaling to zero.

Why this answer

Knative Serving supports scale-to-zero, automatically scaling down pods when they are not receiving requests. This is a key feature of serverless on Kubernetes.

81
MCQ (medium)

Which of the following best describes 'Infrastructure as Code' (IaC)?

A. Manually configuring servers via SSH
B. Using a scripting language to automate tasks
C. Running containers on a Kubernetes cluster
D. Defining infrastructure resources in a declarative configuration file
Answer: D

IaC uses declarative or imperative code to define infrastructure, promoting version control and reproducibility.

Why this answer

IaC is the practice of managing and provisioning infrastructure through machine-readable definition files, rather than manual processes.

82
Multi-Select (medium)

Which TWO of the following are CNCF graduated projects? (Select 2)

Select 2 answers
A. Prometheus
B. Kyverno
C. Knative
D. Envoy
E. ArgoCD
Answers: A, D

Prometheus is a graduated CNCF project.

Why this answer

Prometheus and Envoy are both CNCF graduated projects. Other graduated projects such as CoreDNS, Fluentd, and Helm are not among the options here, so the correct answers are Prometheus and Envoy.

83
MCQ (medium)

A development team wants to adopt a cloud-native architecture for a new application. Which set of principles BEST describes the cloud-native approach?

A. Microservices, containers, dynamic orchestration, and DevOps
B. Service-oriented architecture, bare-metal servers, static scaling, and Agile
C. Monolithic applications, virtual machines, manual scaling, and waterfall development
D. Serverless functions, virtual machines, manual provisioning, and ITIL
Answer: A

These are the core cloud-native principles as defined by the CNCF.

Why this answer

Cloud-native architectures leverage microservices, containers, dynamic orchestration, and DevOps to enable scalable, resilient applications.

84
MCQ (medium)

Which command would you use to apply a manifest file 'deployment.yaml' to a Kubernetes cluster?

A. kubectl run deployment.yaml
B. kubectl set image deployment.yaml
C. kubectl apply -f deployment.yaml
D. kubectl create -f deployment.yaml
Answer: C

kubectl apply creates or updates resources declaratively.

Why this answer

The 'kubectl apply' command is used to apply or update resources from a manifest file.

85
MCQ (easy)

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A. To provide commercial support for Kubernetes
B. To host and promote open-source cloud native projects
C. To certify cloud providers
D. To develop proprietary cloud software
Answer: B

CNCF's mission is to make cloud native computing ubiquitous by hosting projects like Kubernetes, Prometheus, etc.

Why this answer

The CNCF hosts and nurtures open-source, vendor-neutral cloud native projects, fostering their growth and adoption.

86
MCQ (easy)

Which CNCF project is commonly used for Infrastructure as Code to provision cloud resources?

A. Terraform
B. Envoy
C. Prometheus
D. CoreDNS
Answer: A

Terraform is an IaC tool, now part of CNCF as a sandbox project.

Why this answer

Terraform is a popular IaC tool for provisioning infrastructure across multiple cloud providers.

87
MCQ (medium)

What is the primary purpose of the sidecar container in a service mesh?

A. To run application business logic
B. To handle logging and monitoring of the main container
C. To provide persistent storage for the main container
D. To intercept and manage network traffic for the main container
Answer: D

Sidecar proxies handle the service's network communication.

Why this answer

In a service mesh, the sidecar container (typically an Envoy or Linkerd proxy) is injected alongside the main application container to intercept and manage all inbound and outbound network traffic. This allows the service mesh to enforce traffic policies, handle service discovery, implement retries and circuit breaking, and collect telemetry without modifying the application code. The sidecar operates at the network layer (L4/L7), decoupling communication concerns from business logic.

Exam trap

CNCF often tests the misconception that the sidecar's primary role is logging and monitoring, but the correct answer is always traffic interception and management, as that is the core architectural purpose of a service mesh sidecar.

How to eliminate wrong answers

Option A is wrong because the sidecar container does not run application business logic; that is the responsibility of the main container. Option B is wrong because while the sidecar can collect telemetry data as a byproduct of traffic interception, its primary purpose is not logging and monitoring—those are separate concerns often handled by dedicated agents or the control plane. Option C is wrong because persistent storage is provided by volumes or CSI drivers, not by sidecar containers, which are ephemeral and focused on network functions.

88
MCQ (medium)

A microservice logs errors when connecting to the database. The logs show 'connection refused'. Which troubleshooting step should be taken first?

A. Verify the database Service and Endpoints in Kubernetes
B. Scale up the microservice deployment
C. Restart the microservice pod
D. Check the logs of other microservices
Answer: A

This directly checks whether the database Service is available.

Why this answer

The 'connection refused' error indicates that the microservice is attempting to connect to a TCP port on the database endpoint, but no process is listening there. In Kubernetes, the first step is to verify that the database Service exists and that its Endpoints object contains the correct pod IPs and port. If the Endpoints are empty or missing, the Service is not routing traffic to any healthy database pod, which directly causes the refusal.

This aligns with the Kubernetes troubleshooting hierarchy: always check the Service and Endpoints before assuming application-level issues.

Exam trap

The trap here is that candidates often jump to restarting the pod or scaling the deployment, assuming the microservice itself is faulty, rather than recognizing that 'connection refused' is a network-level symptom pointing to the target (the database Service/Endpoints) not being available.

How to eliminate wrong answers

Option B is wrong because scaling up the microservice deployment will create more pods that all try to connect to the same unreachable database, multiplying the failure without addressing the root cause. Option C is wrong because restarting the microservice pod will only reattempt the same connection to the same database endpoint, which will still be refused if the database Service or its backing pods are misconfigured. Option D is wrong because checking logs of other microservices is a distraction; the 'connection refused' error is specific to the database connectivity and does not require cross-service log analysis to diagnose.

89
MCQ (medium)

An organization uses GitOps with ArgoCD to manage Kubernetes deployments. What is the PRIMARY advantage of this approach over traditional imperative deployment methods?

A. It eliminates the need for any manual approval processes
B. It provides a single source of truth for cluster state through Git
C. It allows developers to directly access the Kubernetes cluster
D. It reduces the number of containers needed in a deployment
Answer: B

GitOps uses Git as the authoritative source for desired state, enabling automated drift correction and audit trails.

Why this answer

Option B is correct. GitOps uses a Git repository as the single source of truth, enabling declarative configuration, version control, and automated reconciliation. Option A is incorrect because manual approval workflows can still be implemented. Option C is not the primary advantage; GitOps does not depend on developers having direct cluster access, although teams can still access the cluster. Option D is incorrect because GitOps does not change the number of containers a deployment needs; its focus is consistency of cluster state.

90
MCQ (hard)

An application experiences intermittent failures when calling an external API. Which resilience pattern should be implemented to handle transient faults?

A. Bulkhead
B. Circuit breaker
C. Timeout
D. Retry
Answer: D

Retry handles transient failures by reattempting the operation.

Why this answer

Option D (Retry) is correct because intermittent failures when calling an external API are typically transient faults (e.g., network glitches, temporary service unavailability). The Retry pattern automatically reattempts the failed operation a configured number of times, often with exponential backoff, to overcome these short-lived issues without changing the application's overall architecture. This directly addresses the scenario's requirement to handle transient faults.

Exam trap

CNCF often tests the distinction between handling transient faults (Retry) versus preventing cascading failures (Circuit breaker), leading candidates to choose Circuit breaker when the question explicitly mentions 'intermittent' or 'transient' faults.

How to eliminate wrong answers

Option A is wrong because Bulkhead isolates resources (e.g., thread pools) to prevent failures in one component from cascading, but it does not handle transient faults in API calls. Option B is wrong because Circuit breaker prevents repeated calls to a failing service by opening the circuit after a threshold of failures, which is designed for longer-term outages, not transient faults. Option C is wrong because Timeout sets a maximum wait time for a response but does not retry the call; it only prevents indefinite blocking, leaving the failure unhandled.

91
MCQ (easy)

Which of the following is a core principle of the 12-factor app methodology?

A. Treat logs as event streams
B. Store configuration in the application code
C. Store logs in the local filesystem of each container
D. Use shared filesystems for persistent storage
Answer: A

Logs should be emitted as stdout/stderr and collected by a log aggregator.

Why this answer

The 12-factor app methodology emphasizes treating logs as event streams, not files, to enable centralized processing.

92
MCQ (easy)

Which CNCF project maturity level indicates that a project has adopted the CNCF Code of Conduct and is considered early-stage?

A. Sandbox
B. Incubating
C. Graduated
D. Experimental
Answer: A

Sandbox projects are early-stage and have accepted the CNCF Code of Conduct.

Why this answer

The CNCF has three maturity levels: sandbox (early-stage), incubating (growing), and graduated (mature). Sandbox projects are early-stage and have accepted the CNCF Code of Conduct.

93
MCQ (hard)

Which of the following is a key principle of the 12-factor app methodology related to managing configuration?

A. Store configuration in the application code
B. Use environment variables for configuration
C. Embed configuration in the build process
D. Use a configuration file in the application directory
Answer: B

Environment variables provide a clean separation between code and config, allowing easy changes across environments.

Why this answer

The 12-factor app methodology states that configuration should be stored in environment variables (or otherwise kept external to the code) so that it can vary between deployments without code changes. Hardcoding configuration (Option A) is the opposite of this principle. Kubernetes ConfigMaps are one implementation of the idea, but the principle is broader; Secrets hold sensitive data but are not the only way to supply configuration.

94
MCQ (medium)

Which service mesh component is responsible for handling inter-service communication as a sidecar proxy?

A. Mixer
B. Pilot
C. Envoy
D. Citadel
Answer: C

Why this answer

Envoy is the correct answer because it is the sidecar proxy component in Istio that handles all inter-service communication. It intercepts traffic between microservices and applies routing, load balancing, and security policies defined by the control plane. Envoy runs as a sidecar container alongside each service instance, managing inbound and outbound traffic at the L4/L7 layer.

Exam trap

CNCF often tests the distinction between data-plane and control-plane components, so the trap here is that candidates may confuse Pilot (control plane) with the sidecar proxy that actually handles traffic, or incorrectly associate Mixer with traffic management due to its former role in policy enforcement.

How to eliminate wrong answers

Option A (Mixer) is wrong because Mixer was a deprecated Istio component used for telemetry collection and policy enforcement, not for proxying inter-service traffic; it was removed in Istio 1.5. Option B (Pilot) is wrong because Pilot is the control plane component that translates high-level routing rules into Envoy configuration and distributes them to sidecars, but it does not handle data-plane traffic itself. Option D (Citadel) is wrong because Citadel is the Istio security component responsible for certificate issuance and key management for mTLS, not for proxying service-to-service communication.

95
MCQ (hard)

Your organization runs a cloud-native e-commerce platform on Kubernetes. The platform consists of several microservices: a frontend service, an order service, a payment service, and a shipping service. All services communicate via HTTP REST APIs. Recently, during a flash sale event, the platform experienced a cascading failure. The order service became overwhelmed with requests and started responding slowly. This caused the frontend service to time out waiting for order responses, and eventually the frontend service crashed due to exhausted thread pools. The payment and shipping services were unaffected because they are called asynchronously via a message queue. You need to redesign the system to prevent such cascading failures in the future. Which approach is the most effective?

A. Scale up the frontend service to handle more concurrent requests
B. Convert all inter-service communication to synchronous calls with retries
C. Increase the timeout values in the frontend service configuration
D. Implement circuit breakers in the frontend service for calls to the order service
Answer: D

Circuit breakers prevent cascading failures by failing fast.

Why this answer

Option D is correct because implementing circuit breakers in the frontend service for calls to the order service prevents cascading failures by monitoring failure rates and automatically tripping the circuit when the order service becomes slow or unresponsive. This stops the frontend from exhausting its thread pools waiting for timeouts, allowing it to fail fast and return a fallback response. Circuit breakers are a proven resilience pattern in cloud-native architectures, especially for synchronous HTTP REST calls where latency spikes can propagate.

Exam trap

CNCF often tests the misconception that scaling or increasing timeouts is a sufficient fix for cascading failures, but the trap here is that these options treat symptoms rather than applying the circuit breaker pattern, which is the standard resilience mechanism for synchronous calls in cloud-native systems.

How to eliminate wrong answers

Option A is wrong because scaling up the frontend service only increases the number of concurrent requests it can handle, but does not address the root cause—the order service being overwhelmed—and may actually worsen the cascading failure by allowing more requests to pile up and exhaust thread pools faster. Option B is wrong because converting all inter-service communication to synchronous calls with retries would increase coupling and amplify failures; retries during overload can cause retry storms, further degrading the order service and increasing latency. Option C is wrong because increasing timeout values only delays the inevitable thread pool exhaustion, as the frontend will hold connections longer without reducing the load on the order service, and may lead to resource starvation under sustained high traffic.
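Added illustration for the circuit breaker described in questions 76 and 95 (not code from the question bank): a sliding-window breaker that opens once more than half of the recent calls fail, returns a fallback without touching the downstream while open, and lets a single trial call through after a cooldown. The threshold, window, cooldown, minimum sample count and the order-service stand-in are assumptions chosen to match the explanations; the clock is injected so the scenario runs instantly offline.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Tuple

CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"


class CircuitOpenError(RuntimeError):
    """Call rejected without contacting the downstream service."""


@dataclass
class CircuitBreaker:
    clock: Callable[[], float]            # injected time source in seconds (assumption)
    window_seconds: float = 10.0          # sliding window over which failures are counted
    failure_rate_threshold: float = 0.5   # trip when more than 50% of windowed calls fail
    min_calls: int = 4                    # don't judge the rate on a handful of samples
    open_seconds: float = 5.0             # fail fast this long before probing again
    state: str = CLOSED
    opened_at: float = 0.0
    history: Deque[Tuple[float, bool]] = field(default_factory=deque)  # (time, ok)

    def _prune(self, now: float) -> None:
        while self.history and now - self.history[0][0] > self.window_seconds:
            self.history.popleft()        # result has slid out of the window

    def failure_rate(self) -> float:
        self._prune(self.clock())
        if not self.history:
            return 0.0
        return sum(1 for _, ok in self.history if not ok) / len(self.history)

    def _transition(self, new_state: str) -> None:
        self.state = new_state
        if new_state == OPEN:
            self.opened_at = self.clock()
        elif new_state == CLOSED:
            self.history.clear()          # fresh window after recovery

    def _record(self, ok: bool) -> None:
        self.history.append((self.clock(), ok))
        if self.state == HALF_OPEN:
            # The single trial call decides: success closes, failure re-opens.
            self._transition(CLOSED if ok else OPEN)
        elif (self.state == CLOSED and len(self.history) >= self.min_calls
              and self.failure_rate() > self.failure_rate_threshold):
            self._transition(OPEN)

    def call(self, operation: Callable[[], str]) -> str:
        if self.state == OPEN:
            if self.clock() - self.opened_at < self.open_seconds:
                raise CircuitOpenError("circuit open: failing fast")
            self._transition(HALF_OPEN)   # cooldown over: let one trial call through
        try:
            result = operation()
        except Exception:
            self._record(False)
            raise
        self._record(True)
        return result


def place_order(breaker: CircuitBreaker, order_service: Callable[[], str]) -> str:
    """Frontend call path: return a fallback instead of parking a thread on a timeout."""
    try:
        return breaker.call(order_service)
    except (CircuitOpenError, TimeoutError):
        return "order service busy, please retry later"


def flash_sale_scenario() -> dict:
    """Replays the incident: an overwhelmed order service, then its recovery."""
    now = [0.0]                             # fake clock so the run is instant and offline
    breaker = CircuitBreaker(clock=lambda: now[0])
    downstream = {"calls": 0, "healthy": False}

    def order_service() -> str:
        downstream["calls"] += 1            # each of these would tie up a frontend thread
        if not downstream["healthy"]:
            raise TimeoutError("order service overwhelmed")
        return "order accepted"

    for _ in range(8):                      # burst of frontend requests during the sale
        place_order(breaker, order_service)
        now[0] += 0.5
    calls_during_burst, state_after_burst = downstream["calls"], breaker.state

    downstream["healthy"] = True            # order service recovers
    now[0] += breaker.open_seconds          # cooldown elapses -> next call is a trial
    recovered = place_order(breaker, order_service)
    return {
        "downstream_calls_during_burst": calls_during_burst,  # 4: tripped after min_calls
        "fast_failed": 8 - calls_during_burst,                # 4: rejected with no call
        "state_after_burst": state_after_burst,               # "open"
        "recovered": recovered,                               # "order accepted"
        "final_state": breaker.state,                         # "closed"
    }
```

Contrast this with options A and C of question 95: scaling the frontend or lengthening timeouts would keep all eight calls waiting on the overwhelmed order service, whereas here only four ever reach it.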

96
MCQ (medium)

In a service mesh architecture, which component is responsible for intercepting and managing traffic between microservices?

A. Control plane
B. API gateway
C. Service registry
D. Sidecar proxy
Answer: D

The sidecar proxy, such as Envoy, runs alongside each service and intercepts all network traffic to and from the service.

Why this answer

The sidecar proxy (usually Envoy) is deployed alongside each service instance and handles all incoming and outgoing traffic, enabling observability, traffic management, and security. The control plane manages configuration but does not handle data plane traffic. The API gateway is a separate component for external traffic.

The service registry is a pattern but not a specific service mesh component.

97
MCQ (medium)

In a multi-cloud architecture, what is a common use case for a service mesh?

A. To enable secure service-to-service communication across clusters
B. To synchronize Kubernetes resources across clouds
C. To provide cloud-agnostic block storage
D. To provide a single ingress gateway for all clouds
Answer: A

Service mesh provides mTLS and traffic management across clusters.

Why this answer

A service mesh, such as Istio or Linkerd, provides a dedicated infrastructure layer for handling service-to-service communication. In a multi-cloud architecture, its common use case is to enable secure, observable, and resilient communication between services running in different Kubernetes clusters across clouds, using mutual TLS (mTLS) for encryption and traffic policies for routing.

Exam trap

CNCF often tests the misconception that a service mesh is a general-purpose tool for all cross-cloud operations, when in reality it is specifically designed for service-to-service communication (east-west traffic) and does not handle resource synchronization, storage, or ingress gateway functions.

How to eliminate wrong answers

Option B is wrong because synchronizing Kubernetes resources across clouds is typically done by tools like Karmada, Cluster API, or Terraform, not by a service mesh, which focuses on network traffic management. Option C is wrong because cloud-agnostic block storage is provided by storage abstraction layers like CSI (Container Storage Interface) drivers or solutions like Rook/Ceph, not by a service mesh, which operates at Layer 7 (HTTP/gRPC) and Layer 4 (TCP). Option D is wrong because a single ingress gateway for all clouds is the role of a multi-cluster ingress controller or global load balancer (e.g., NGINX Ingress Controller with external-dns), while a service mesh handles east-west traffic between services, not north-south ingress traffic.

98
MCQ (hard)

A developer creates the Pod manifest shown. When the Pod runs, the liveness probe fails and the container is restarted repeatedly. What is the most likely cause?

A. The liveness probe port (8080) does not match the container port (80).
B. The initialDelaySeconds of 3 is too short for Nginx to start.
C. The periodSeconds of 5 causes too frequent probing.
D. The image nginx:latest does not have a /healthz endpoint.
Answer: A

Correct. The probe checks port 8080, but Nginx listens on port 80, so the probe fails.

Why this answer

The liveness probe is configured to check TCP on port 8080, but the container exposes port 80 for Nginx. Since the probe will never successfully connect to port 8080, it always fails, causing the container to be restarted repeatedly. The probe must target the same port that the application is listening on.

Exam trap

CNCF often tests the distinction between TCP and HTTP probes, and the trap here is that candidates assume a TCP probe can target any port without matching the container's listening port, or they confuse the probe port with the container port defined in the Pod spec.

How to eliminate wrong answers

Option B is wrong because an initialDelaySeconds of 3 is generally sufficient for Nginx to start, as Nginx starts very quickly (often under 1 second). Option C is wrong because a periodSeconds of 5 is a reasonable probing interval and does not cause failures; frequent probing alone does not cause restarts unless the probe itself is misconfigured. Option D is wrong because the liveness probe is a TCP check, not an HTTP GET request, so it does not require a /healthz endpoint; a TCP probe only checks that the port is open, which Nginx provides on port 80.
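Added example for the port mismatch in question 98 (not from the question bank, and not the question's exhibit, which is not on this page): a constructed Pod manifest that reproduces the described misconfiguration, its corrected form, and a small lint that flags any liveness, readiness or startup probe whose port is not among the container's declared containerPorts. The manifest, its names and the check are assumptions.

```python
import copy
import json
from typing import List, Optional, Union

# Constructed Pod manifest in JSON form (kubectl apply -f accepts JSON as well as
# YAML). It reproduces the mismatch the question describes: nginx listens on 80
# while the TCP liveness probe targets 8080. It is not the question's exhibit.
BROKEN_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {
    "containers": [{
      "name": "nginx",
      "image": "nginx:latest",
      "ports": [{"containerPort": 80, "name": "http"}],
      "livenessProbe": {
        "tcpSocket": {"port": 8080},
        "initialDelaySeconds": 3,
        "periodSeconds": 5
      }
    }]
  }
}
""")

# Corrected copy: the probe refers to the declared port by name, so it cannot
# drift away from containerPort again.
FIXED_POD = copy.deepcopy(BROKEN_POD)
FIXED_POD["spec"]["containers"][0]["livenessProbe"]["tcpSocket"]["port"] = "http"

PROBE_KINDS = ("livenessProbe", "readinessProbe", "startupProbe")
HANDLERS = ("tcpSocket", "httpGet", "grpc")   # probe handlers that carry a port


def probe_port(probe: dict) -> Optional[Union[int, str]]:
    """Return the port a probe targets (number or containerPort name), whatever its handler."""
    for handler in HANDLERS:
        if handler in probe:
            return probe[handler].get("port")
    return None                                # exec probes have no port


def find_probe_port_mismatches(pod: dict) -> List[str]:
    """Flag probes whose port is not one of the container's declared containerPorts.

    Kubernetes treats containerPorts as informational, so it never rejects this
    manifest; the mismatch only surfaces later as probe failures and restarts.
    This is therefore a pre-deployment lint, not a rule the API server enforces.
    """
    findings = []
    for container in pod.get("spec", {}).get("containers", []):
        ports = container.get("ports", [])
        numbers = {p["containerPort"] for p in ports if "containerPort" in p}
        names = {p["name"] for p in ports if "name" in p}
        for kind in PROBE_KINDS:
            probe = container.get(kind)
            if not probe:
                continue
            port = probe_port(probe)
            if port is None:
                continue                       # exec probe: nothing to compare
            if isinstance(port, int) and port not in numbers:
                findings.append(f"{container['name']}: {kind} targets port {port}, "
                                f"container declares {sorted(numbers)}")
            elif isinstance(port, str) and port not in names:
                findings.append(f"{container['name']}: {kind} targets named port "
                                f"'{port}', container declares {sorted(names)}")
    return findings
```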

99
Multi-Select (medium)

Which THREE are key benefits of using a service mesh in a cloud-native architecture? (Choose 3)

Select 3 answers
A. Persistent storage management for stateful applications.
B. Mutual TLS (mTLS) encryption between services.
C. Automatic horizontal scaling of pods.
D. Observability through distributed tracing and metrics.
E. Traffic management such as canary deployments and circuit breaking.
Answers: B, D, E

Service mesh can enforce mTLS for secure communication.

Why this answer

Option B is correct because a service mesh, such as Istio or Linkerd, transparently enables mutual TLS (mTLS) encryption between service sidecar proxies without requiring application code changes. This ensures all inter-service communication is encrypted and authenticated, which is a core security benefit in a zero-trust cloud-native architecture.

Exam trap

CNCF often tests the misconception that a service mesh provides infrastructure-level features like storage or scaling, when in reality it is strictly a Layer 4/7 networking and security abstraction that operates independently of compute or storage resources.

100
MCQ (hard)

Which GitOps tool is a CNCF graduated project that synchronizes Kubernetes clusters with a Git repository?

A. Argo CD
B. Tekton
C. Jenkins X
D. Flux
Answer: A

Argo CD is a CNCF graduated project.

Why this answer

Argo CD is a CNCF graduated project for GitOps on Kubernetes.

101
MCQ (medium)

Which of the following is a graduated CNCF project?

A. OpenTelemetry
B. K3s
C. KubeEdge
D. Prometheus
Answer: D

Prometheus is a graduated project for monitoring.

Why this answer

Prometheus is a graduated CNCF project, having reached the graduation maturity level in August 2018. It is a core monitoring and alerting toolkit widely adopted in cloud-native environments, and its graduation status reflects its stability, widespread use, and strong governance within the CNCF ecosystem.

Exam trap

The trap here is that candidates may confuse 'graduated' with 'incubating' or 'sandbox' status, especially for popular projects like OpenTelemetry or KubeEdge that are widely used but have not yet reached the highest maturity level in the CNCF lifecycle.

How to eliminate wrong answers

Option A is wrong because OpenTelemetry is an incubating CNCF project, not graduated; it is a collection of APIs and SDKs for observability but has not yet reached the graduation maturity level. Option B is wrong because K3s is a CNCF sandbox project, not graduated; it is a lightweight Kubernetes distribution designed for edge and resource-constrained environments, but it remains at the sandbox maturity level. Option C is wrong because KubeEdge is a CNCF incubating project, not graduated; it extends Kubernetes to edge computing but has not achieved graduation status.

102
MCQ (medium)

In an event-driven architecture using a message broker, which component is responsible for receiving events and forwarding them to subscribed services?

A. Service mesh
B. Message broker
C. API gateway
Answer: B

Message broker decouples event producers and consumers.

Why this answer

A message broker (like Kafka or RabbitMQ) receives and forwards events. An API gateway routes HTTP requests, a service mesh handles service-to-service communication, and a load balancer distributes network traffic.

103
MCQ (easy)

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A. To provide cloud infrastructure services
B. To develop proprietary cloud technologies
C. To standardize container runtimes only
D. To host and nurture open-source cloud-native projects
Answer: D

CNCF hosts projects like Kubernetes, Prometheus, and Envoy, providing governance and support.

Why this answer

The CNCF's primary purpose is to host and nurture open-source cloud-native projects, such as Kubernetes, Prometheus, and Envoy, by providing governance, community support, and a neutral home for their development. It does not provide cloud infrastructure services itself, nor does it develop proprietary technologies; instead, it fosters an ecosystem of interoperable, vendor-neutral projects. The CNCF also manages the Cloud Native Landscape and defines standards like the Open Container Initiative (OCI) for container runtimes and images, but its scope extends far beyond just standardizing container runtimes.

Exam trap

The trap here is that candidates often confuse the CNCF's role with that of a cloud provider or a standards body focused solely on containers, leading them to choose Option A or C, but the CNCF's core function is to host and nurture a broad ecosystem of open-source cloud-native projects under a neutral governance model.

How to eliminate wrong answers

Option A is wrong because the CNCF does not provide cloud infrastructure services (e.g., compute, storage, or networking); those are offered by cloud providers like AWS, Azure, or GCP. Option B is wrong because the CNCF explicitly promotes open-source, vendor-neutral projects, not proprietary technologies; its charter prohibits vendor lock-in and encourages community-driven development. Option C is wrong because while the CNCF hosts the OCI specification for container runtimes (e.g., runc), its mission encompasses the entire cloud-native stack, including orchestration (Kubernetes), service meshes (Istio), observability (Prometheus), and serverless (Knative), not just container runtimes.

104
MCQmedium

Which of the following is a benefit of using a service mesh?

A.Simplified storage management
B.Automatic scaling of applications
C.Enhanced observability and traffic control
D.Direct database access
AnswerC

Service mesh provides detailed observability and traffic management features.

Why this answer

A service mesh provides observability (metrics, tracing), traffic management (routing, load balancing), and security (mTLS) without requiring changes to application code. It does not directly manage storage or scaling.

105
MCQmedium

According to the 12-factor app methodology, how should an application store configuration that varies between deployments (e.g., database connection strings)?

A.In a configuration file that is version-controlled
B.In a database table
C.In environment variables
D.Hard-coded in the application code
AnswerC

Environment variables provide a clean separation and are easy to change per deployment.

Why this answer

The 12-factor app recommends strict separation of config from code, storing config in environment variables.

106
MCQmedium

Which CNCF project is at the 'Graduated' maturity level and is widely used for container orchestration?

A.Kubernetes
B.Prometheus
C.Envoy
D.Helm
AnswerA

Kubernetes is the first graduated CNCF project.

Why this answer

Kubernetes is the correct answer because it is the only CNCF project at the 'Graduated' maturity level that is specifically designed and widely adopted for container orchestration. It automates deployment, scaling, and management of containerized applications, making it the de facto standard in cloud-native environments.

Exam trap

CNCF often tests the distinction between a project's maturity level and its function, so the trap here is that candidates may assume any popular CNCF project (like Prometheus or Envoy) is used for orchestration, when in fact only Kubernetes fulfills that specific role at the Graduated level.

How to eliminate wrong answers

Option B (Prometheus) is wrong because, although it is a Graduated CNCF project, it is a monitoring and alerting toolkit, not a container orchestration platform. Option C (Envoy) is wrong because it is a Graduated CNCF project but functions as a high-performance proxy and service mesh data plane, not an orchestrator. Option D (Helm) is wrong because it is a package manager for Kubernetes (Incubating maturity level), not a container orchestration tool itself.

107
MCQeasy

What is the purpose of a circuit breaker pattern in microservices?

A.To distribute traffic across multiple instances
B.To stop cascading failures by preventing calls to a failing service
C.To encrypt communication between services
D.To automatically retry failed requests
AnswerB

The circuit breaker opens when failures reach a threshold, stopping calls and allowing the service to recover.

Why this answer

The circuit breaker pattern prevents an application from repeatedly trying to execute an operation that is likely to fail, allowing it to recover gracefully.

108
Multi-Selectmedium

Which TWO of the following are core principles of the 12-factor app? (Choose 2.)

Select 2 answers
A.Shared state
B.Manual deployment
C.Dependencies
D.Singleton processes
E.Config
AnswersC, E

Why this answer

The 12-factor app includes principles such as explicit dependency declaration (Dependencies) and strict separation of config from code (Config).

109
MCQeasy

In the context of the 12-factor app methodology, which factor emphasizes storing configuration in environment variables?

A.Backing services
B.Dependencies
C.Config
D.Codebase
AnswerC

Config is the factor that recommends storing configuration in environment variables.

Why this answer

Factor III of the 12-factor app methodology states that config should be stored in environment variables to keep it separate from code.

110
MCQeasy

Which CNCF project maturity level indicates that a project has successfully adopted the CNCF governance and is considered stable for production use?

A.Incubating
B.Experimental
C.Graduated
D.Sandbox
AnswerC

Graduated is the highest level, indicating production readiness.

Why this answer

The Graduated maturity level is the highest in the CNCF project lifecycle, indicating that a project has successfully adopted CNCF governance, demonstrated long-term stability, and is considered safe for production use. This requires meeting rigorous criteria including adoption by multiple end users, a defined governance structure, and completion of a security audit.

Exam trap

CNCF often tests the distinction between Sandbox and Incubating, where candidates mistakenly think Sandbox implies production readiness, but Sandbox is explicitly for early-stage projects that have not yet demonstrated stability or adopted full CNCF governance.

How to eliminate wrong answers

Option A is wrong because Incubating is an intermediate stage where projects have shown initial adoption and are working toward graduation, but they are not yet considered fully stable for production use. Option B is wrong because Experimental is not a CNCF maturity level; the CNCF uses Sandbox, Incubating, and Graduated, while Experimental is a term used by other foundations or early-stage projects outside the CNCF. Option D is wrong because Sandbox is the entry-level stage for early-stage projects that are not yet ready for production use and have not fully adopted CNCF governance.

111
Multi-Selecteasy

Which TWO of the following are key principles of cloud native architecture?

Select 2 answers
A.Immutable infrastructure
B.Infrastructure automation
C.Microservices
D.Monolithic design
E.Manual scaling
AnswersB, C

Automation is essential for managing dynamic cloud environments.

Why this answer

Infrastructure automation (B) is a key principle of cloud native architecture because it enables consistent, repeatable, and error-free provisioning and management of infrastructure through code (e.g., Terraform, AWS CloudFormation, Ansible). This aligns with the cloud native goal of reducing manual toil and enabling rapid, reliable deployments. Microservices (C) is also a core principle, as it structures applications as a collection of loosely coupled, independently deployable services that can be scaled and updated individually, which is fundamental to cloud native agility and resilience.

Exam trap

CNCF often tests the distinction between 'key principles' (like microservices and automation) and 'operational patterns' (like immutable infrastructure), leading candidates to select immutable infrastructure as a principle when it is actually a best practice derived from those principles.

112
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To host and nurture open source cloud native projects
B.To develop proprietary cloud software
C.To certify individuals in cloud technologies
D.To provide commercial support for Kubernetes
AnswerA

The CNCF hosts projects like Kubernetes, Prometheus, and others to advance cloud native technologies.

Why this answer

The CNCF's mission is to make cloud native computing ubiquitous by fostering and sustaining open source projects that follow cloud native principles.

113
Multi-Selecthard

Which THREE of the following are benefits of using a service mesh? (Select three.)

Select 3 answers
A.Automatic scaling of pods
B.Increased application performance
C.Fine-grained traffic control (e.g., canary deployments)
D.Improved observability through metrics and tracing
E.Simplified service-to-service security with mutual TLS
AnswersC, D, E

Service mesh enables advanced traffic routing.

Why this answer

Option C is correct because a service mesh, such as Istio or Linkerd, provides fine-grained traffic control through features like traffic splitting, header-based routing, and weighted load balancing. This enables canary deployments by directing a small percentage of traffic to a new version of a service, allowing safe testing in production without affecting all users.

Exam trap

CNCF often tests the misconception that a service mesh improves performance or handles autoscaling, when in fact it focuses on traffic management, security, and observability at the cost of some latency.

114
Multi-Selectmedium

Which TWO of the following are core principles of the 12-factor app methodology? (Select TWO.)

Select 2 answers
A.Manual approval for all production deployments
B.Use of a single programming language across all services
C.Store logs in a local file system
D.Strict separation of config from code
E.Maximize robustness through fast startup and graceful shutdown
AnswersD, E

Config should be stored in environment variables.

Why this answer

Option D is correct because the 12-factor app methodology mandates strict separation of config from code. Config includes things like database connection strings, API keys, and environment-specific values that vary between deployments. Storing these in environment variables (or external config files not checked into version control) ensures that the same codebase can be deployed to different environments without modification, which is a core principle for cloud-native portability and security.

Exam trap

CNCF often tests the misconception that logs should be stored locally for reliability, but the 12-factor methodology treats logs as event streams to stdout, relying on the execution environment (e.g., kubectl logs, log shippers) for aggregation and persistence.

115
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To develop proprietary cloud software
B.To define cloud-native standards only
C.To certify cloud providers
D.To host and support open-source cloud-native projects
AnswerD

CNCF provides governance, marketing, and support for cloud-native open-source projects.

Why this answer

The CNCF hosts, supports, and sustains open-source cloud-native projects, ensuring they are vendor-neutral and fostering community collaboration. It does not develop projects itself but provides a governance model.

116
MCQmedium

Which component in an event-driven architecture is responsible for decoupling event producers from consumers?

A.Config server
B.Event broker
C.API gateway
D.Service mesh
AnswerB

Event broker (e.g., Kafka, RabbitMQ) decouples producers and consumers by managing event streams.

Why this answer

An event broker (or message broker) acts as an intermediary that receives events from producers and delivers them to consumers, allowing loose coupling. The API gateway handles synchronous requests. The service mesh handles service-to-service communication. The config server manages configuration.

117
MCQmedium

In a microservices architecture, which pattern is used to prevent cascading failures by limiting the number of concurrent requests to a service?

A.Bulkhead
B.Timeout
C.Retry
D.Circuit breaker
AnswerA

Bulkhead limits concurrent requests to protect resources.

Why this answer

The bulkhead pattern isolates resources to prevent failure propagation. Circuit breaker stops calls after failures, retry reattempts, and timeout limits wait time.

118
MCQeasy

Which practice is a key principle of cloud-native architecture?

A.Automated CI/CD pipelines
B.Manual configuration management
C.Tight coupling of services
D.Preferring stateful applications over stateless
AnswerA

Enables rapid and reliable deployments.

Why this answer

Automated CI/CD pipelines are a key principle of cloud-native architecture because they enable rapid, reliable, and repeatable delivery of microservices. By automating build, test, and deployment stages, teams can achieve continuous integration and continuous delivery, which aligns with the cloud-native goals of agility, scalability, and resilience. This automation reduces human error and accelerates the feedback loop, essential for managing distributed systems in dynamic cloud environments.

Exam trap

CNCF often tests the misconception that manual configuration management is acceptable in cloud-native environments, but the trap here is that candidates confuse traditional IT operations with the automated, declarative approach required for cloud-native scalability and resilience.

How to eliminate wrong answers

Option B is wrong because manual configuration management contradicts the cloud-native principle of declarative, automated infrastructure (e.g., using Kubernetes manifests or Terraform), leading to configuration drift and reduced scalability. Option C is wrong because tight coupling of services violates the microservices tenet of loose coupling, which is fundamental to independent deployability and fault isolation in cloud-native architectures. Option D is wrong because cloud-native architecture prefers stateless applications over stateful ones, as stateless services scale horizontally more easily and are simpler to manage; state is typically offloaded to external stores like databases or caches.

119
Multi-Selecteasy

Which TWO of the following are essential components of a GitOps workflow? (Select two.)

Select 2 answers
A.A separate database for storing desired state
B.A monitoring dashboard for visualizations
C.A CI/CD pipeline that manually applies changes
D.An operator that synchronizes the cluster state with the Git repository
E.A Git repository storing declarative configurations
AnswersD, E

The operator continuously watches Git and applies changes.

Why this answer

Option D is correct because a GitOps workflow relies on an operator (such as Argo CD or Flux) that continuously reconciles the actual cluster state with the desired state declared in a Git repository. This operator automatically detects drift and applies changes to ensure the cluster matches the Git source, which is the core feedback loop of GitOps.

Exam trap

CNCF often tests the misconception that a CI/CD pipeline is the core of GitOps, but the trap here is that GitOps replaces manual or pipeline-driven deployments with an automated reconciliation loop driven by an operator and a Git repository as the source of truth.

120
MCQmedium

Which of the following best describes the purpose of the CNCF (Cloud Native Computing Foundation)?

A.To foster and sustain the cloud native ecosystem through project lifecycle management
B.To standardize cloud computing APIs across cloud providers
C.To own and maintain the Kubernetes project exclusively
D.To provide cloud infrastructure services to open source projects
AnswerA

The CNCF manages projects through graduated, incubating, and sandbox stages to foster the cloud native ecosystem.

Why this answer

Option A is correct. The CNCF's primary purpose is to foster and sustain the ecosystem of cloud native technologies, including managing projects through graduation, incubation, and sandbox stages. Option C is incorrect because the CNCF does not own Kubernetes; it is governed by the CNCF but owned by the community. Option D is incorrect because the CNCF does not provide cloud services. Option B is incorrect because the CNCF is not a standards body like the IETF.

121
MCQhard

In event-driven architecture, which pattern is commonly used to decouple producers and consumers, allowing asynchronous communication?

A.Event broker (message queue or event bus)
B.Shared database
C.Circuit breaker pattern
D.Synchronous REST API calls
AnswerA

An event broker decouples producers and consumers by acting as an intermediary.

Why this answer

Event-driven architecture decouples producers and consumers via an event broker (e.g., message queue or event bus), enabling asynchronous communication. Direct synchronous calls would couple them.

122
Multi-Selectmedium

Which TWO tools are commonly used for GitOps? (Choose two.)

Select 2 answers
A.Flux
B.Jenkins
C.Helm
D.Terraform
E.ArgoCD
AnswersA, E

Flux is a GitOps operator for Kubernetes.

Why this answer

ArgoCD and Flux are two popular GitOps tools that automate deployment of applications from Git repositories.

123
Multi-Selecthard

Which TWO are benefits of using a service mesh in cloud-native applications?

Select 2 answers
A.Eliminates need for application monitoring
B.Advanced traffic management capabilities
C.Simplified persistent storage management
D.Automatic mTLS encryption between services
E.Reduced network latency
AnswersB, D

Traffic routing, retries, etc.

Why this answer

Option B is correct because a service mesh provides advanced traffic management capabilities such as fine-grained routing, canary deployments, and circuit breaking through sidecar proxies (e.g., Envoy). These capabilities allow operators to control traffic flow between microservices without modifying application code, enabling resilient and observable communication patterns.

Exam trap

CNCF often tests the misconception that a service mesh reduces latency or replaces monitoring, when in fact it adds a small overhead and complements, rather than replaces, existing monitoring tools.

124
Drag & Dropmedium

Drag and drop the steps to configure a Kubernetes Service of type LoadBalancer in a cloud environment into the correct order.


Why this order

First deploy the app, then define and create the LoadBalancer service, retrieve the IP, and access it.

125
MCQmedium

Which of the following is an example of an Infrastructure as Code (IaC) tool?

A.Kubernetes
B.Terraform
C.Docker
D.Prometheus
AnswerB

Terraform is a declarative IaC tool for provisioning infrastructure.

Why this answer

Terraform is a widely used IaC tool that allows declarative definition of infrastructure across multiple cloud providers.

126
MCQhard

In the context of the 12-factor app methodology, which factor requires that an app's configuration be stored in environment variables?

A.Config
B.Dependencies
C.Codebase
D.Backing services
AnswerA

Why this answer

Factor III (Config) states that configuration should be stored in environment variables to decouple it from code.

127
MCQeasy

What is the primary purpose of the CNCF (Cloud Native Computing Foundation)?

A.To certify individuals in cloud-native technologies
B.To develop and maintain the Kubernetes project exclusively
C.To host and nurture open-source cloud-native projects and drive adoption
D.To provide commercial support for cloud-native software
AnswerC

CNCF's mission is to make cloud-native computing ubiquitous by hosting projects and fostering community.

Why this answer

The CNCF fosters the adoption of cloud-native technologies by hosting and nurturing open-source projects like Kubernetes, Prometheus, and Envoy.

128
MCQhard

You are a platform engineer at a fast-growing startup. The company runs a Kubernetes cluster with 50 worker nodes for its production microservices. Recently, the operations team has been struggling with manual configuration drift: developers SSH into nodes to install debugging tools, and some nodes have different kernel parameters or installed packages. This has caused intermittent outages when a pod is scheduled onto a non-standard node. The CTO wants a solution that ensures each node is identical, immutable, and reproducible. The cluster uses kubeadm for bootstrapping and runs on AWS EC2. Which approach best achieves the goal of immutable nodes?

A.Use a configuration management tool like Ansible to enforce desired state on each node via periodic runs.
B.Apply Kubernetes node labels and taints to categorize nodes and prevent workloads from running on non-standard nodes.
C.Create a golden AMI using Packer with all required configurations, then use Auto Scaling groups with a launch template that references the AMI and enable instance refresh for updates.
D.Deploy a DaemonSet that runs a privileged container to enforce node configuration and remove debugging tools.
AnswerC

A golden AMI provides an identical, immutable base. Instance refresh replaces nodes rather than modifying them.

Why this answer

Option C is correct because it uses a golden AMI built with Packer to create identical, immutable nodes that are reproducible via Auto Scaling groups and launch templates. This approach ensures that every EC2 instance launched has the exact same kernel parameters, packages, and configuration, eliminating configuration drift. Instance refresh allows rolling updates to the AMI without manual intervention, aligning with the goal of immutable infrastructure.

Exam trap

The trap here is that candidates often confuse configuration management (Option A) with immutability, not realizing that periodic enforcement still allows drift and does not guarantee identical nodes at all times.

How to eliminate wrong answers

Option A is wrong because configuration management tools like Ansible enforce desired state via periodic runs, which still allows drift between runs and does not achieve true immutability; nodes remain mutable and can deviate. Option B is wrong because node labels and taints only control workload scheduling; they do not enforce node configuration or prevent nodes from being modified via SSH. Option D is wrong because a DaemonSet running a privileged container can attempt to enforce configuration but cannot prevent manual SSH changes or guarantee identical state across nodes, and it introduces security risks without solving the root cause of drift.

129
MCQhard

Which Kubernetes resource is commonly used to implement the sidecar pattern for injecting a service mesh proxy?

A.NetworkPolicy
B.Service
C.MutatingAdmissionWebhook
D.ConfigMap
AnswerC

Service meshes like Istio use a mutating webhook to automatically inject the Envoy sidecar proxy.

Why this answer

Option C is correct because a MutatingAdmissionWebhook intercepts Pod creation requests and automatically injects a sidecar container (e.g., Envoy or Linkerd-proxy) into the Pod spec. This is the standard mechanism used by service mesh control planes like Istio and Linkerd to transparently add the proxy without modifying application manifests.

Exam trap

CNCF often tests the misconception that a Service or NetworkPolicy is responsible for sidecar injection, when in fact only a mutating admission webhook can automatically modify Pod specs at creation time.

How to eliminate wrong answers

Option A is wrong because NetworkPolicy controls ingress/egress traffic at the network layer using labels and CIDR rules, not container injection. Option B is wrong because a Service provides a stable IP and DNS name for Pod discovery and load balancing, not sidecar injection. Option D is wrong because a ConfigMap stores non-sensitive configuration data as key-value pairs or files, but cannot mutate Pod specs at creation time.

130
MCQhard

In event-driven architecture, which component is responsible for decoupling event producers from consumers?

A.Event broker
B.Event consumer
C.Event producer
D.API gateway
AnswerA

Why this answer

The event broker (e.g., Apache Kafka, RabbitMQ, or AWS EventBridge) acts as an intermediary that receives events from producers and forwards them to consumers. By decoupling the two, the producer does not need to know the consumer's location or status, and the consumer does not need to be actively listening when the event is published. This enables asynchronous, scalable, and fault-tolerant communication in event-driven architectures.

Exam trap

CNCF often tests the distinction between synchronous and asynchronous communication patterns, and the trap here is that candidates mistakenly think an API gateway (which handles synchronous requests) can decouple producers and consumers in an event-driven architecture, when in fact it only routes requests without persistent event storage or asynchronous delivery.

How to eliminate wrong answers

Option B (Event consumer) is wrong because the consumer is the recipient of events, not the component that decouples producers from consumers; it relies on the broker for decoupling. Option C (Event producer) is wrong because the producer generates events but has no built-in mechanism to decouple itself from consumers without an intermediary. Option D (API gateway) is wrong because an API gateway is designed for synchronous request-response patterns (e.g., REST APIs) and does not provide the persistent, asynchronous event buffering and routing that decouples producers from consumers.

131
MCQmedium

A company wants to manage its Kubernetes resources using Git as the single source of truth, with automated synchronization. Which approach should they use?

A.Using Helm charts without version control
B.Infrastructure as Code with Terraform
C.Using kubectl apply -f with a CI/CD pipeline
D.GitOps with ArgoCD or Flux
AnswerD

GitOps uses Git as the source of truth and automatically syncs the cluster state to the desired state in Git.

Why this answer

GitOps is a practice where the entire system state is described declaratively in Git, and automated tools synchronize the cluster to match. ArgoCD and Flux are popular GitOps tools.

132
MCQmedium

What is the primary purpose of a service mesh in a cloud-native architecture?

A.To compile application code
B.To provide a dedicated infrastructure layer for handling service-to-service communication
C.To replace container orchestration
D.To store application configuration
AnswerB

The service mesh adds a layer of proxies to manage communication securely and reliably.

Why this answer

A service mesh provides observability, traffic management, and security for microservices communication, offloading these concerns from application code.

133
Multi-Selecteasy

Which TWO of the following are examples of Infrastructure as Code (IaC) tools? (Choose two.)

Select 2 answers
A.Docker
B.Terraform
C.Kubernetes
D.Prometheus
E.Pulumi
AnswersB, E

Terraform is an IaC tool by HashiCorp.

Why this answer

Terraform (B) is an Infrastructure as Code (IaC) tool that uses declarative configuration files (HashiCorp Configuration Language, HCL) to define and provision cloud and on-premises resources. It manages the full lifecycle of infrastructure through a state file and provider plugins, enabling version-controlled, repeatable deployments.

Exam trap

CNCF often tests the distinction between containerization/orchestration tools (Docker, Kubernetes) and actual IaC tools, leading candidates to confuse tools that manage applications with those that provision infrastructure.

134
Multi-Selecthard

Which THREE of the following are resiliency patterns commonly used in cloud native applications? (Choose three.)

Select 3 answers
A.Retry
B.Timeout
C.Singleton pattern
D.Circuit breaker
E.Round-robin load balancing
AnswersA, B, D

Retrying failed operations can handle transient failures.

Why this answer

The Retry pattern is a fundamental resiliency mechanism in cloud-native applications. When a transient failure occurs (e.g., a network timeout or a temporary database unavailability), the application automatically reattempts the failed operation. This pattern is often implemented with exponential backoff and jitter to avoid overwhelming the downstream service, as seen in libraries like Netflix Hystrix or Kubernetes client-go retry logic.

Exam trap

CNCF often tests the distinction between design patterns (like Singleton) and cloud-native resiliency patterns (like Retry, Timeout, Circuit Breaker), so candidates mistakenly select Singleton because it is a well-known pattern, but it does not address fault tolerance or failure recovery.

135
MCQeasy

Which CNCF project provides a graduated service mesh implementation that includes features like traffic management, security, and observability?

A.Linkerd
B.Consul
C.Envoy
D.Istio
AnswerD

Istio is a graduated CNCF project that provides a complete service mesh.

Why this answer

Istio is a graduated CNCF project that provides a service mesh with features like traffic management, security (mTLS), and observability. Linkerd is also a service mesh but is incubating. Envoy is a proxy, not a full service mesh. Consul is not a CNCF project.

136
MCQhard

In a serverless architecture using Knative, what happens to a service that has not received traffic for an extended period?

A.It throws an error and must be redeployed
B.It continues running with one replica to reduce cold start latency
C.It scales down to zero replicas and is reactivated on the next request
D.It is automatically deleted
AnswerC

Knative supports auto-scaling to zero for idle services.

Why this answer

Knative scales to zero when idle, meaning no pods are running, so no compute cost is incurred.

137
Multi-Selecthard

Which THREE of the following are features typically provided by a service mesh? (Choose three.)

Select 3 answers
A.Observability through metrics and tracing
B.Auto-scaling of pods based on CPU
C.Traffic management between services
D.Security with mutual TLS (mTLS)
E.Service discovery
AnswersA, C, D

Service mesh collects telemetry data for monitoring.

Why this answer

Service mesh provides traffic management (routing, canary releases), observability (metrics, tracing), and security (mTLS, authorization). Auto-scaling is handled by the Horizontal Pod Autoscaler or custom metrics, not by the service mesh. Service discovery is built into Kubernetes itself; a service mesh can enhance it, but it is not a core service mesh feature.

138
MCQmedium

A team is implementing a multi-cloud strategy to avoid vendor lock-in. Which Kubernetes feature is most helpful for abstracting the underlying cloud provider?

A.Services
B.ConfigMaps
C.Namespaces
D.Kubernetes API
AnswerD

The API abstracts infrastructure differences.

Why this answer

The Kubernetes API server provides a consistent interface regardless of the underlying infrastructure. Namespaces organize resources, Services provide networking abstractions, and ConfigMaps store configuration.

139
MCQmedium

A retail company runs its e-commerce platform on Kubernetes. During a flash sale, the application experiences high latency. The team notices that the database pods are CPU-bound and the application pods are waiting on database responses. Which architectural change would best address this bottleneck?

A.Change the database service type from ClusterIP to NodePort.
B.Implement read replicas for the database and configure the application to use them for read operations.
C.Increase the number of application pod replicas.
D.Store database configuration in a ConfigMap to improve startup time.
AnswerB

Read replicas distribute the read load, reducing CPU pressure on the primary database.

Why this answer

The bottleneck is caused by the database being CPU-bound, meaning it cannot process requests fast enough. Implementing read replicas offloads read queries from the primary database, reducing its CPU load and allowing it to handle write operations more efficiently. The application can be configured to route read operations to the replicas, which directly addresses the latency caused by waiting on database responses.

Exam trap

CNCF often tests the misconception that scaling application pods (Option C) is a universal fix for performance issues, but here it would amplify the database bottleneck rather than resolve it.

How to eliminate wrong answers

Option A is wrong because changing the service type from ClusterIP to NodePort exposes the database externally but does nothing to reduce its CPU load or improve query processing speed. Option C is wrong because increasing application pod replicas would only increase the number of requests hitting the already CPU-bound database, worsening the bottleneck. Option D is wrong because storing database configuration in a ConfigMap improves manageability and startup time but has no impact on runtime database CPU utilization or query latency.

140
MCQmedium

A development team wants to deploy a serverless function that scales to zero when not in use. Which CNCF project or platform is BEST suited for this requirement?

A.Kubeless
B.AWS Lambda
C.Knative
D.OpenFaaS
AnswerC

Knative is a CNCF incubating project that provides serverless capabilities on Kubernetes, including scaling to zero.

Why this answer

Knative is a Kubernetes-based platform to build, deploy, and manage serverless workloads that can scale to zero. AWS Lambda is a proprietary offering, not CNCF. OpenFaaS and Kubeless are also serverless frameworks but Knative is the most prominent CNCF serverless project.

141
Multi-Selecteasy

Which TWO of the following are examples of Infrastructure as Code (IaC) tools? (Choose two.)

Select 2 answers
A.Terraform
B.kubectl
C.Pulumi
D.Helm
E.Docker Compose
AnswersA, C

Why this answer

Terraform and Pulumi are popular IaC tools that allow infrastructure provisioning via code.

142
MCQmedium

A team wants to deploy a serverless function using Knative. Which core primitive does Knative rely on to run serverless workloads on Kubernetes?

A.Pod
B.Service
C.Deployment
D.Function
AnswerB

Knative Service is the top-level resource.

Why this answer

Knative Serving uses the 'Service' resource to manage serverless workloads. 'Deployment' is a lower-level resource, 'Function' is not a Kubernetes resource, and 'Pod' is too granular.

143
MCQmedium

A team wants to deploy a serverless function that scales to zero when not in use. Which CNCF project is specifically designed for this purpose?

A.Helm
B.Prometheus
C.Envoy
D.Knative
AnswerD

Knative provides serverless containers with scale-to-zero.

Why this answer

Knative is the correct answer because it is a CNCF project built on Kubernetes that provides a serverless platform specifically designed to scale workloads to zero when not in use. It achieves this through its Serving component, which automatically scales pods down to zero replicas based on traffic, and scales up from zero on the first request, enabling true serverless behavior.

Exam trap

CNCF often tests the distinction between infrastructure tools (Helm, Prometheus, Envoy) and serverless platforms (Knative), trapping candidates who confuse package management, monitoring, or proxy functions with serverless scaling capabilities.

How to eliminate wrong answers

Option A is wrong because Helm is a package manager for Kubernetes that deploys applications using charts, but it does not provide any serverless scaling or scale-to-zero functionality. Option B is wrong because Prometheus is a monitoring and alerting toolkit that collects metrics, not a serverless platform; it cannot scale functions to zero. Option C is wrong because Envoy is a high-performance sidecar proxy used for service mesh communication (e.g., in Istio), not a serverless framework for scaling functions to zero.

144
Multi-Selectmedium

Which TWO of the following are principles of the 12-factor app? (Choose two.)

Select 2 answers
A.Monolithic deployment
B.Stateful sessions
C.Config
D.Disposability
E.Manual provisioning
AnswersC, D

Config is a 12-factor principle.

Why this answer

Config is a core principle of the 12-factor app methodology, which mandates strict separation of configuration from code. Configuration (such as database URLs, credentials, or hostnames) must be stored in environment variables, not hardcoded in the application source. This allows the same codebase to be deployed across different environments (development, staging, production) without modification, adhering to the principle of config-driven behavior.

Exam trap

CNCF often tests the 12-factor app principles by pairing a correct principle like 'Config' with a plausible-sounding but incorrect option like 'Stateful sessions', exploiting the common misconception that statefulness is acceptable in cloud-native apps when in fact it must be externalized.

145
MCQhard

In event-driven architecture, what is the role of an event broker?

A.It stores events and enables asynchronous communication between producers and consumers
B.It executes business logic in response to events
C.It provides a user interface to view events
D.It converts events into HTTP requests
AnswerA

The broker persists events and routes them to interested consumers.

Why this answer

An event broker acts as a central intermediary that receives events from producers, stores them durably (often in a log or queue), and delivers them to consumers asynchronously. This decouples producers and consumers, allowing them to operate independently without blocking or direct knowledge of each other. Technologies like Apache Kafka, RabbitMQ, or AWS Kinesis exemplify this role by persisting events and enabling replay, fan-out, and load-leveling.

Exam trap

CNCF often tests the distinction between the broker's role (storage and routing) and the consumer's role (processing logic), so candidates mistakenly pick B when they conflate event handling with event brokering.

How to eliminate wrong answers

Option B is wrong because executing business logic in response to events is the role of an event consumer or a serverless function (e.g., AWS Lambda), not the broker itself — the broker only routes and stores events. Option C is wrong because providing a user interface to view events is a monitoring or management tool (e.g., Kafka UI or Confluent Control Center), not a core function of the event broker. Option D is wrong because converting events into HTTP requests is a protocol translation task typically performed by an adapter or gateway (e.g., Kafka REST Proxy), not the event broker's native role — brokers use their own protocols (e.g., Kafka protocol, AMQP) for communication.

146
Multi-Selectmedium

Which TWO of the following are benefits of using a service mesh? (Choose two.)

Select 2 answers
A.Improved observability of service-to-service communication
B.Direct management of virtual machines
C.Automated container image building
D.Replacing the need for a container runtime
E.Traffic management capabilities such as canary deployments
AnswersA, E

Service mesh captures metrics, traces, and logs for inter-service traffic.

Why this answer

Service mesh provides improved observability and enables traffic management features like canary deployments.

147
MCQmedium

An organization wants to manage infrastructure using code to ensure consistent and repeatable deployments across multiple cloud providers. Which tool is MOST suitable for this multi-cloud Infrastructure as Code approach?

A.Terraform
B.Kubernetes manifests
C.AWS CloudFormation
D.Azure Resource Manager Templates
AnswerA

Terraform supports many providers including AWS, Azure, GCP, and others.

Why this answer

Terraform is a cloud-agnostic IaC tool that supports multiple providers, enabling consistent management across clouds.

148
MCQeasy

A development team is designing a new microservices application to run on a Kubernetes cluster. They want to ensure that each microservice can be developed, deployed, and scaled independently. Which cloud native architecture principle are they primarily applying?

A.Loose coupling
B.Immutable infrastructure
C.Statelessness
D.Service discovery
AnswerA

Loose coupling allows services to be developed, deployed, and scaled independently.

Why this answer

The principle of loose coupling ensures that each microservice can be developed, deployed, and scaled independently by minimizing dependencies between services. In Kubernetes, this is achieved through well-defined APIs and service boundaries, allowing teams to update or scale one service without affecting others. This directly supports the team's goal of independent lifecycle management for each microservice.

Exam trap

The trap here is that candidates often confuse 'statelessness' with 'loose coupling' because both enable scaling, but statelessness is about session data management, not the architectural independence of service development and deployment.

How to eliminate wrong answers

Option B (Immutable infrastructure) is wrong because it focuses on replacing rather than modifying infrastructure components, which supports consistency and reliability but does not directly address independent development and scaling of microservices. Option C (Statelessness) is wrong because it refers to services not storing session state locally, which aids scalability but is not the primary principle for independent development and deployment; stateful services can also be loosely coupled. Option D (Service discovery) is wrong because it is a mechanism for services to find each other dynamically, which enables loose coupling but is not the principle itself; it is an implementation detail that supports the broader goal of loose coupling.

149
Multi-Selecthard

Which THREE are key characteristics of event-driven architecture? (Choose three.)

Select 3 answers
A.Event processing can trigger multiple downstream actions
B.Requires a central database for state
C.Synchronous communication between components
D.Components communicate by emitting and reacting to events
E.Loose coupling between event producers and consumers
AnswersA, D, E

Events can fan out to multiple consumers.

Why this answer

Event-driven architecture is based on producing, detecting, and reacting to events, with loose coupling between components and asynchronous communication.

Page 2 of 3 · 170 questions total
