DEV Community: Immanuel Tikhonov The latest articles on DEV Community by Immanuel Tikhonov (@immanuel_vibe). https://dev.to/immanuel_vibe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3346454%2F3402c149-ffba-49e9-a122-68df6c6c19e3.jpg DEV Community: Immanuel Tikhonov https://dev.to/immanuel_vibe en 55 advanced Kubernetes interview questions Immanuel Tikhonov Fri, 11 Jul 2025 18:10:31 +0000 https://dev.to/immanuel_vibe/55-advanced-kubernetes-interview-questions-172p https://dev.to/immanuel_vibe/55-advanced-kubernetes-interview-questions-172p <p>Hey folks, my name is Immanuel and I am <a href="https://x.com/immanuel_vibe" rel="noopener noreferrer">a certified Kubernetes administrator</a>. Here, I have collected some questions about Kubernetes that you can use to prepare for interviews or the CKA exam.</p> <p>So, you think you know Kubernetes? You've deployed a few apps, scaled a few pods, and now you're ready for the big leagues. Let's see how you handle some questions that go beyond the basics. Let's go)</p> <h3> 1. Explain the roles of the Kubernetes control plane components and how they interact to keep the cluster in sync </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4aclzi5gqr4kd76uo5pw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4aclzi5gqr4kd76uo5pw.png" alt="Kubernetes components" width="800" height="383"></a></p> <p><strong>Answer:</strong></p> <ul> <li> <strong>kube-apiserver</strong> is the gatekeeper for all API calls; it validates and processes requests, persists objects to etcd, and serves as the hub for control-plane communication.</li> <li> <strong>etcd</strong> is the distributed key-value store holding the cluster’s desired state.</li> <li> <strong>kube-scheduler</strong> monitors unscheduled Pods and binds them to appropriate Nodes based on resource requirements and policies.</li> <li> <strong>kube-controller-manager</strong> runs controllers (e.g., ReplicaSet, Endpoint) that reconcile actual state with the desired state.</li> <li> <strong>cloud-controller-manager</strong> handles cloud-specific controllers (e.g., load-balancer provisioning) when running in a cloud environment. They form a feedback loop: the API server writes to etcd; controllers and the scheduler watch etcd, act, and write back via the API server.</li> </ul> <h3> 2. How do you perform a rolling update without downtime? </h3> <p><strong>Answer:</strong></p> <p>This is where Deployments really shine. A rolling update allows you to update your application with zero downtime by incrementally replacing old Pods with new ones. You can control the process with <code>maxSurge</code> and <code>maxUnavailable</code>.</p> <ul> <li> <strong><code>maxSurge</code></strong>: The maximum number of Pods that can be created above the desired number of Pods.</li> <li> <strong><code>maxUnavailable</code></strong>: The maximum number of Pods that can be unavailable during the update.</li> </ul> <p><strong>Command:</strong></p> <p>To trigger a rolling update, you can use <code>kubectl set image</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">set </span>image deployment/nginx-deployment <span class="nv">nginx</span><span class="o">=</span>nginx:1.16.1 <span class="nt">--record</span> </code></pre> </div> <p>To monitor the rollout status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout status deployment/nginx-deployment </code></pre> </div> <p><strong>YAML Example (Rolling Update Strategy):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-deployment</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">RollingUpdate</span> <span class="na">rollingUpdate</span><span class="pi">:</span> <span class="na">maxSurge</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxUnavailable</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">template</span><span class="pi">:</span> <span class="c1"># ... rest of the template</span> </code></pre> </div> <p><strong>And some additional info:</strong> the <code>--record</code> flag in commands like <code>kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1 --record</code> <strong>has been deprecated</strong> and is planned to be removed in future versions of kubectl.</p> <p>Currently, if you run the command without <code>--record</code>, the change cause is not recorded automatically. There is no direct built-in alternative flag that replicates <code>--record</code> functionality exactly. Instead, the recommended approach is to manually annotate the resource with the change cause using <code>kubectl annotate</code>, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl annotate deployment/nginx-deployment kubernetes.io/change-cause<span class="o">=</span><span class="s2">"Updated nginx image to 1.16.1"</span> </code></pre> </div> <p>This manual annotation serves as the alternative way to record the reason for changes in deployments and other resources.</p> <h3> 3. How would you design a highly available etcd cluster for Kubernetes, and secure it? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqin19f5kyqs2qxtgxud.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqin19f5kyqs2qxtgxud.png" alt="ETCD" width="800" height="282"></a><br> <strong>Answer:</strong></p> <ul> <li>Deploy odd-numbered etcd members (3 or 5) across failure domains to avoid split-brain.</li> <li>Use mutual TLS for client-to-server and peer-to-peer communication, generating certificates per member.</li> <li>Enable etcd encryption at rest for Kubernetes secrets (see Q24).</li> <li>Regularly back up etcd snapshots and use <code>etcdctl snapshot save</code>/restore.</li> </ul> <h3> 4. What's the difference between a Service and an Ingress? </h3> <p>Service:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faf7jsogacg8phw2x8bpv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faf7jsogacg8phw2x8bpv.png" alt="Service" width="800" height="578"></a></p> <p>Ingress:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fioc4fa5ml9gdqk2zlzgm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fioc4fa5ml9gdqk2zlzgm.png" alt="Ingress" width="800" height="264"></a></p> <p><strong>Answer:</strong></p> <p>Think of a <strong>Service</strong> as the internal load balancer for your Pods. It provides a stable IP address and DNS name for a set of Pods, so you don't have to worry about individual Pod IPs changing. There are different types of Services (<code>ClusterIP</code>, <code>NodePort</code>, <code>LoadBalancer</code>), but they all handle internal traffic.</p> <p>An <strong>Ingress</strong>, on the other hand, is an API object that manages external access to the services in a cluster, typically HTTP. It acts as a reverse proxy and can provide load balancing, SSL termination, and name-based virtual hosting. You need an Ingress Controller (like NGINX or Traefik) for the Ingress resource to work.</p> <p><strong>In short:</strong> Service is for internal traffic, Ingress is for external traffic.</p> <p><strong>YAML Example (Ingress):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">minimal-ingress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/rewrite-target</span><span class="pi">:</span> <span class="s">/</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/testpath</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <h3> 5. Describe the CRI, CNI, and CSI interfaces and their roles in Kubernetes </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxfohkahb31j4vyh23c0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxfohkahb31j4vyh23c0.png" alt="CRI, CNI, and CSI" width="800" height="518"></a></p> <p><strong>Answer:</strong></p> <ul> <li> <strong>Container Runtime Interface (CRI):</strong> Pluggable interface between kubelet and container runtimes (Docker, containerd, CRI-O).</li> <li> <strong>Container Network Interface (CNI):</strong> Defines how Pods get networking (IP assignment, routes) via plugins (Calico, Flannel, Cilium).</li> <li> <strong>Container Storage Interface (CSI):</strong> Standard for volume plugins, enabling dynamic provisioning, snapshotting, and at-rest encryption for block and file storage.</li> </ul> <h3> 6. How would you troubleshoot a Pod that is stuck in a <code>CrashLoopBackOff</code> state? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fij25xocboc229lz2cjio.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fij25xocboc229lz2cjio.png" width="800" height="166"></a></p> <p><strong>Answer:</strong></p> <p>Ah, the dreaded <code>CrashLoopBackOff</code>. This means your Pod is starting, crashing, and then Kubernetes is trying to restart it, only for it to crash again. Here's the troubleshooting checklist:</p> <ol> <li> <strong>Describe the Pod:</strong> This will give you information about the Pod's state, events, and any error messages. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl describe pod &lt;pod-name&gt; </code></pre> </div> <ol> <li><p><strong>Check the image:</strong> Make sure the container image is correct and exists. A typo in the image name is a common culprit.</p></li> <li><p><strong>Check resource limits:</strong> If your application is exceeding its memory or CPU limits, it might be getting killed by the kubelet.</p></li> <li><p><strong>Check liveness and readiness probes:</strong> If your probes are misconfigured, they might be killing your Pod prematurely.</p></li> </ol> <h3> 7. What are Taints and Tolerations? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfcpw6whlr5f59ldh23i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfcpw6whlr5f59ldh23i.png" alt="Taints and tolerations" width="800" height="397"></a></p> <p><strong>Answer:</strong></p> <p><strong>Taints</strong> are applied to nodes, and they repel Pods that don't have a matching <strong>Toleration</strong>. This is a way to control which Pods can be scheduled on which nodes.</p> <p>For example, you might want to dedicate a set of nodes to a specific application or prevent certain Pods from running on a particular node.</p> <p><strong>Command (Taint a node):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl taint nodes node1 <span class="nv">key</span><span class="o">=</span>value:NoSchedule </code></pre> </div> <p><strong>YAML Example (Toleration in a Pod):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">key"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Equal"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">value"</span> <span class="na">effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NoSchedule"</span> </code></pre> </div> <h3> 8. Explain how to deploy a custom scheduler and integrate it with the main scheduling framework or extenders </h3> <p><strong>Answer:</strong></p> <ul> <li>Build your scheduler binary (e.g., using client-go) that implements <code>Scheduler</code> interface.</li> <li>Deploy it as a Deployment in its own namespace.</li> <li>In Pod spec, set <code>spec.schedulerName: custom-scheduler</code>.</li> <li>(Optional) Use the Scheduling Framework’s plugin model by writing and registering a plugin via <code>--plugin-config</code> to kube-scheduler.</li> <li>Extenders can be configured in the kube-scheduler config to call external HTTP endpoints for additional predicate/prioritization logic.</li> </ul> <h3> 9. What's the role of the etcd in a Kubernetes cluster? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjtkpywmuk19590027z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjtkpywmuk19590027z6.png" alt="ETCD" width="800" height="379"></a></p> <p><strong>Answer:</strong></p> <p><code>etcd</code> is the brain of your Kubernetes cluster. It's a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data. Everything you see in your cluster—Pods, Services, Deployments, Secrets—is stored in <code>etcd</code>.</p> <p>If <code>etcd</code> goes down, your cluster becomes read-only. You can't create or update any resources. That's why it's so critical to have a reliable and backed-up <code>etcd</code> cluster.</p> <h3> 10. How can you debug CRI issues using <code>crictl</code>? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List pods/containers managed by CRI:</span> crictl pods crictl ps <span class="nt">-a</span> <span class="c"># Pull an image manually:</span> crictl pull nginx:latest <span class="c"># Inspect container logs:</span> crictl logs &lt;container-id&gt; <span class="c"># Exec into a paused container:</span> crictl <span class="nb">exec</span> <span class="nt">-it</span> &lt;container-id&gt; sh <span class="c"># Check runtime version:</span> crictl version </code></pre> </div> <p><code>crictl</code> talks directly to the CRI socket, bypassing kubelet.</p> <h3> 11. How do you manage secrets in Kubernetes? </h3> <p><strong>Answer:</strong></p> <p>Kubernetes <strong>Secrets</strong> are objects that let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. They are stored as base64 encoded strings, which is <em>not</em> encryption. Anyone with access to <code>etcd</code> can read them.</p> <p>For more secure secret management, you should consider using a tool like <strong>HashiCorp Vault</strong>, <strong>AWS Secrets Manager</strong>, or <strong>Azure Key Vault</strong>, and then use a Kubernetes operator to inject those secrets into your Pods.</p> <p><strong>Command (Create a secret):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic my-secret <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">password</span><span class="o">=</span><span class="s1">'s3cr3t'</span> </code></pre> </div> <p><strong>YAML Example (Using a secret in a Pod):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SECRET_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> </code></pre> </div> <h3> 12. Describe the Kubernetes networking model, including CNI and NetworkPolicies </h3> <p><strong>Answer:</strong></p> <ul> <li>Flat network: every Pod gets a unique IP, and any Pod can reach any other Pod by default.</li> <li>CNIs implement this: they allocate IPs and set up routes.</li> <li> <strong>NetworkPolicy</strong> objects define ingress/egress rules at the Pod level, enforced by the CNI plugin (e.g., Calico or Cilium).</li> </ul> <h3> 13. Explain the difference between <code>livenessProbe</code> and <code>readinessProbe</code> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbkozp7osi5oi3xs2w7f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbkozp7osi5oi3xs2w7f.png" alt="Liveness probe and readiness probe" width="800" height="578"></a></p> <p><strong>Answer:</strong></p> <p>Both are used to check the health of a container, but they have different purposes:</p> <ul> <li> <strong><code>livenessProbe</code></strong>: Checks if the container is running. If the probe fails, the kubelet kills the container and restarts it. This is useful for catching deadlocks or other situations where the application is running but not responding.</li> <li> <strong><code>readinessProbe</code></strong>: Checks if the container is ready to accept traffic. If the probe fails, the container's IP address is removed from the endpoints of all Services that match the Pod. This is useful for when an application needs some time to start up before it can handle requests.</li> </ul> <p><strong>YAML Example (Probes):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <h3> 14. Explain how a service mesh (e.g., Istio) integrates with Kubernetes and show an example <code>VirtualService</code> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farjyxm6istlwqu2su0jc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farjyxm6istlwqu2su0jc.png" alt="Virtual Service" width="760" height="355"></a></p> <p><strong>Answer:</strong></p> <ul> <li>Service mesh runs sidecar proxies (Envoy) in Pods to intercept traffic.</li> <li>Control plane (Pilot, Galley) uses CRDs to configure routing and policies.</li> <li>Example: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.istio.io/v1alpha3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VirtualService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">reviews-vs</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">reviews</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">headers</span><span class="pi">:</span> <span class="na">end-user</span><span class="pi">:</span> <span class="na">exact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">jason"</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">reviews</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v2</span> <span class="pi">-</span> <span class="na">route</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">reviews</span> <span class="na">subset</span><span class="pi">:</span> <span class="s">v1</span> </code></pre> </div> <p>This routes user <code>jason</code> to <code>v2</code> of the reviews service.</p> <h3> 15. What is a Persistent Volume (PV) and a Persistent Volume Claim (PVC)? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr14lflgdrxh7m58xy3y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftr14lflgdrxh7m58xy3y.png" alt="PVC and PV" width="800" height="279"></a></p> <p><strong>Answer:</strong></p> <p>In Kubernetes, Pods are ephemeral. When a Pod dies, its data is lost. To solve this, we have <strong>Persistent Volumes (PVs)</strong> and <strong>Persistent Volume Claims (PVCs)</strong>.</p> <ul> <li> <strong>Persistent Volume (PV)</strong>: A piece of storage in the cluster that has been provisioned by an administrator. It's a resource in the cluster, just like a CPU or memory.</li> <li> <strong>Persistent Volume Claim (PVC)</strong>: A request for storage by a user. It's similar to how a Pod consumes CPU and memory. A PVC consumes PV resources.</li> </ul> <p>This separation of concerns allows developers to request storage without needing to know the details of the underlying storage infrastructure.</p> <p><strong>YAML Example (PV and PVC):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Persistent Volume</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pv</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/mnt/data"</span> <span class="nn">---</span> <span class="c1"># Persistent Volume Claim</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pvc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">3Gi</span> </code></pre> </div> <h3> 16. How do you write and deploy a ValidatingAdmissionWebhook? Provide a sample manifest </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjyhflccqro0yjnoedk3a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjyhflccqro0yjnoedk3a.png" alt="Validating admission webhook and controller" width="800" height="306"></a></p> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">admissionregistration.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ValidatingWebhookConfiguration</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">no-latest-tag</span> <span class="na">webhooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">no-latest.example.com</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">apiVersions</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">v1"</span><span class="pi">]</span> <span class="na">operations</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CREATE"</span><span class="pi">,</span><span class="s2">"</span><span class="s">UPDATE"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">clientConfig</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webhook-svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/validate"</span> <span class="na">caBundle</span><span class="pi">:</span> <span class="s">&lt;base64-CA-cert&gt;</span> </code></pre> </div> <p>This rejects any Pod using the <code>:latest</code> image tag in your validation logic.</p> <h3> 17. How does network policy work in Kubernetes? </h3> <p><strong>Answer:</strong></p> <p>By default, all Pods in a Kubernetes cluster can communicate with each other. <strong>Network Policies</strong> allow you to restrict this communication. They are like a firewall for your Pods.</p> <p>You can define rules that specify which Pods are allowed to communicate with which other Pods. Network Policies are implemented by a network plugin, so you need to be using a networking solution that supports them, like Calico or Cilium.</p> <p><strong>YAML Example (Network Policy):</strong></p> <p>This policy allows traffic to Pods with the label <code>app=db</code> only from Pods with the label <code>app=backend</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">db-policy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">db</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> </code></pre> </div> <h3> 18. With PSP deprecated, how do you enforce security standards via PodSecurityAdmission? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl label ns default <span class="se">\</span> pod-security.kubernetes.io/enforce<span class="o">=</span>restricted <span class="se">\</span> pod-security.kubernetes.io/audit<span class="o">=</span>baseline </code></pre> </div> <p>This enforces the “restricted” profile on the <code>default</code> namespace, blocking privileged containers and hostPath volumes.</p> <h3> 19. What is a Sidecar container and what is it used for? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxk9q0ezwuh92rqhxcgdr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxk9q0ezwuh92rqhxcgdr.png" alt="Sidecar container and another use for an additional container" width="800" height="315"></a></p> <p><strong>Answer:</strong></p> <p>A <strong>Sidecar</strong> is a container that runs alongside your main application container in the same Pod. They share the same network namespace and can share volumes. This pattern is used to extend or enhance the functionality of the main container without changing its code.</p> <p>Common use cases for sidecars include:</p> <ul> <li> <strong>Logging:</strong> A sidecar can collect logs from the main application and forward them to a central logging system.</li> <li> <strong>Monitoring:</strong> A sidecar can export metrics from the application.</li> <li> <strong>Service Mesh:</strong> In a service mesh like Istio, a sidecar proxy (like Envoy) is injected into each Pod to handle traffic management, security, and observability.</li> </ul> <p><strong>YAML Example (Sidecar for logging):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app-with-sidecar</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">main-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-logs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/log</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sidecar-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">fluentd</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-logs</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/log</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-logs</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <h3> 20. Demonstrate a <code>StorageClass</code> for CSI-based dynamic provisioning </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F14r8xa7f4i0duv38m2gk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F14r8xa7f4i0duv38m2gk.png" alt="Storage Class" width="800" height="546"></a></p> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">csi-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">csi.example.com</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Delete</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> </code></pre> </div> <p>This uses the CSI driver <code>csi.example.com</code> to provision volumes on-demand.</p> <h3> 21. How would you secure a Kubernetes cluster? </h3> <p><strong>Answer:</strong></p> <p>Securing a Kubernetes cluster is a multi-layered process. Here are some key areas to focus on:</p> <ul> <li> <strong>RBAC (Role-Based Access Control):</strong> Use RBAC to control who can access the Kubernetes API and what they can do. Be as specific as possible with permissions.</li> <li> <strong>Network Policies:</strong> As discussed earlier, use Network Policies to restrict traffic between Pods.</li> <li> <strong>Pod Security Policies (or their successor):</strong> Enforce security standards for Pods, such as preventing them from running as root or accessing the host network.</li> <li> <strong>Secrets Management:</strong> Use a secure solution for managing secrets, not just the default Kubernetes Secrets.</li> <li> <strong>Image Scanning:</strong> Scan your container images for vulnerabilities before deploying them.</li> <li> <strong>Regularly update Kubernetes:</strong> Keep your cluster up to date with the latest security patches.</li> <li> <strong>Secure <code>etcd</code>:</strong> Restrict access to <code>etcd</code> and encrypt its data at rest.</li> </ul> <h3> 22. Compare <code>kube-proxy</code> modes and show how to enable IPVS </h3> <p><strong>Answer:</strong></p> <ul> <li> <strong>iptables</strong> mode uses Linux iptables rules; works universally but less performant at scale.</li> <li> <strong>IPVS</strong> uses the Linux IPVS load-balancer; highly efficient for thousands of services. To enable IPVS in <code>kube-proxy</code> ConfigMap: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-proxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">data</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ipvs"</span> </code></pre> </div> <h3> 23. What is a Custom Resource Definition (CRD)? </h3> <p><strong>Answer:</strong></p> <p>A <strong>Custom Resource Definition (CRD)</strong> allows you to extend the Kubernetes API with your own custom resources. This is a powerful way to build custom automation and workflows on top of Kubernetes.</p> <p>When you create a CRD, you are essentially creating a new type of resource that you can manage with <code>kubectl</code>, just like you would with built-in resources like Pods and Deployments. To make these custom resources useful, you typically write a <strong>custom controller</strong> (or <strong>operator</strong>) that watches for changes to your custom resources and takes action based on them.</p> <p><strong>YAML Example (CRD):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiextensions.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CustomResourceDefinition</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">crontabs.stable.example.com</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">stable.example.com</span> <span class="na">versions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">served</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">storage</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">openAPIV3Schema</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">object</span> <span class="na">properties</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">object</span> <span class="na">properties</span><span class="pi">:</span> <span class="na">cronSpec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">image</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">replicas</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">integer</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">Namespaced</span> <span class="na">names</span><span class="pi">:</span> <span class="na">plural</span><span class="pi">:</span> <span class="s">crontabs</span> <span class="na">singular</span><span class="pi">:</span> <span class="s">crontab</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronTab</span> <span class="na">shortNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ct</span> </code></pre> </div> <h3> 24. How do you write a custom controller using <code>controller-runtime</code>? Outline the key components </h3> <p><strong>Answer:</strong></p> <ul> <li>Scaffold a project with Kubebuilder.</li> <li>Define a <code>Reconciler</code> struct implementing <code>Reconcile(ctx, req)</code>.</li> <li>Use <code>mgr.GetClient()</code> to <code>Get</code>, <code>Update</code>, <code>Patch</code> resources.</li> <li>Register your controller with <code>builder.ControllerManagedBy(mgr)</code>.</li> <li>Deploy as a Deployment and RBAC in-cluster.</li> </ul> <h3> 25. What is Helm and why would you use it? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8u18kjwg7iius35ztdu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi8u18kjwg7iius35ztdu.png" alt="Helm" width="800" height="408"></a></p> <p><strong>Answer:</strong></p> <p><strong>Helm</strong> is a package manager for Kubernetes. It allows you to define, install, and upgrade even the most complex Kubernetes applications. Think of it like <code>apt</code> or <code>yum</code> for Kubernetes.</p> <p>Helm uses a packaging format called <strong>charts</strong>. A chart is a collection of files that describe a related set of Kubernetes resources. With Helm, you can:</p> <ul> <li>Manage the complexity of application deployments.</li> <li>Easily share and reuse applications.</li> <li>Perform repeatable deployments.</li> <li>Manage application releases.</li> </ul> <h3> 26. How do you enforce policies with OPA Gatekeeper? Provide a <code>ConstraintTemplate</code> and <code>Constraint</code> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp0mb0l2lh7bch1nkebe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp0mb0l2lh7bch1nkebe.png" alt="Constraint Template and Constraint" width="800" height="600"></a></p> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">templates.gatekeeper.sh/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConstraintTemplate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8srequiredlabels</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">crd</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">names</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">K8sRequiredLabels</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">target</span><span class="pi">:</span> <span class="s">admission.k8s.gatekeeper.sh</span> <span class="na">rego</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">package k8srequiredlabels</span> <span class="s">violation[{"msg": msg}] {</span> <span class="s">input.review.object.metadata.labels["app"] == ""</span> <span class="s">msg := "Every resource must have an ‘app’ label"</span> <span class="s">}</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">constraints.gatekeeper.sh/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">K8sRequiredLabels</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">require-app-label</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">match</span><span class="pi">:</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">kinds</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Pod"</span><span class="pi">]</span> </code></pre> </div> <p>This rejects Pods without an <code>app</code> label.</p> <h3> 27. How do you drain a node for maintenance? </h3> <p><strong>Answer:</strong></p> <p>To safely perform maintenance on a node, you should first <strong>drain</strong> it. This will cordon the node (mark it as unschedulable) and then evict all the Pods running on it. The evicted Pods will be rescheduled on other available nodes, as long as they are managed by a controller like a Deployment.</p> <p><strong>Command:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl drain &lt;node-name&gt; <span class="nt">--ignore-daemonsets</span> </code></pre> </div> <p>The <code>--ignore-daemonsets</code> flag is often necessary because DaemonSet Pods are not evicted.</p> <p>After maintenance is complete, you can uncordon the node to allow Pods to be scheduled on it again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl uncordon &lt;node-name&gt; </code></pre> </div> <h3> 28. Explain API aggregation and provide an <code>APIService</code> example </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiregistration.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">APIService</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">v1beta1.metrics.k8s.io</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">metrics.k8s.io</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1beta1</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics-server</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">caBundle</span><span class="pi">:</span> <span class="s">&lt;base64-CA-cert&gt;</span> <span class="na">groupPriorityMinimum</span><span class="pi">:</span> <span class="m">100</span> <span class="na">versionPriority</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <p>This makes the custom <code>metrics.k8s.io</code> API available through the main API server.</p> <h3> 29. What is the role of the kube-proxy? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpyij80301muvsv8wlmv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpyij80301muvsv8wlmv.png" alt="kube-proxy" width="800" height="433"></a></p> <p><strong>Answer:</strong></p> <p><code>kube-proxy</code> is a network proxy that runs on each node in your cluster. It is responsible for implementing the Kubernetes Service concept. It maintains network rules on nodes that allow network communication to your Pods from network sessions inside or outside of your cluster.</p> <p><code>kube-proxy</code> can operate in several modes, such as <code>iptables</code>, <code>ipvs</code>, or <code>userspace</code>. The <code>iptables</code> mode is the default and most common.</p> <h3> 30. How do you configure an HPA to scale on a Prometheus metric <code>rps</code>? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web-hpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">10</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Pods</span> <span class="na">pods</span><span class="pi">:</span> <span class="na">metric</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rps</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">AverageValue</span> <span class="na">averageValue</span><span class="pi">:</span> <span class="m">100</span> </code></pre> </div> <p>Install and configure <code>prometheus-adapter</code> with rules mapping PromQL to <code>custom.metrics.k8s.io</code>.</p> <h3> 31. What are StatefulSets and how are they different from Deployments? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4e09i24iarycglk27gh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4e09i24iarycglk27gh.png" alt="Deployment vs StatefulSets" width="800" height="400"></a></p> <p><strong>Answer:</strong></p> <p><strong>StatefulSets</strong> are used to manage stateful applications, such as databases. They are similar to Deployments, but they provide a few key features that are important for stateful apps:</p> <ul> <li> <strong>Stable, unique network identifiers:</strong> Pods in a StatefulSet have a persistent, unique hostname based on their name and an ordinal index (e.g., <code>web-0</code>, <code>web-1</code>).</li> <li> <strong>Stable, persistent storage:</strong> Each Pod in a StatefulSet gets its own persistent storage that is tied to its identity. If a Pod is rescheduled, it will be reattached to the same storage.</li> <li> <strong>Ordered, graceful deployment and scaling:</strong> Pods in a StatefulSet are created, updated, and deleted in a specific order.</li> <li><strong>Ordered, automated rolling updates.</strong></li> </ul> <p><strong>YAML Example (StatefulSet):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">web</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nginx"</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">template</span><span class="pi">:</span> <span class="c1"># ...</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">www</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">ReadWriteOnce"</span> <span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Gi</span> </code></pre> </div> <h3> 32. Show a <code>ServiceMonitor</code> to scrape metrics from a Pod </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohx9s9l72kqpkxumr8iz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohx9s9l72kqpkxumr8iz.png" alt="ServiceMonitor" width="800" height="374"></a></p> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-service-monitor</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">team</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http-metrics</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/metrics</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> </code></pre> </div> <p>Prometheus Operator watches this CRD and configures scraping accordingly.</p> <h3> 33. How can you limit resource usage for a Pod? </h3> <p><strong>Answer:</strong></p> <p>You can limit the CPU and memory resources that a Pod can use by setting <strong>resource requests and limits</strong> in the Pod's specification.</p> <ul> <li> <strong>Requests:</strong> The amount of resources that are guaranteed for the container. If a container requests a resource, Kubernetes will only schedule it on a node that can provide that amount.</li> <li> <strong>Limits:</strong> The maximum amount of resources that a container can use. If a container tries to exceed its limit, it may be terminated (for memory) or throttled (for CPU).</li> </ul> <p><strong>Resource requests and limits for Pod may look like:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">64Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> </code></pre> </div> <h3> 34. How do you use ephemeral containers to debug a running Pod? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug <span class="nt">-it</span> my-pod <span class="se">\</span> <span class="nt">--image</span><span class="o">=</span>nicolaka/netshoot <span class="se">\</span> <span class="nt">--target</span><span class="o">=</span>my-pod <span class="se">\</span> <span class="nt">--</span> /bin/bash </code></pre> </div> <p>This attaches a debug container into the Pod’s namespace, letting you run tools like <code>tcpdump</code> or check in-Pod logs.</p> <h3> 35. What is a DaemonSet? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ly9r3miekwdgserxizz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ly9r3miekwdgserxizz.png" alt="Daemonset" width="800" height="383"></a></p> <p><strong>Answer:</strong></p> <p>A <strong>DaemonSet</strong> ensures that all (or some) nodes run a copy of a Pod. As nodes are added to the cluster, Pods are added to them. As nodes are removed from the cluster, those Pods are garbage collected.</p> <p>This is useful for deploying cluster-wide services, such as:</p> <ul> <li>A log collector like Fluentd or Logstash.</li> <li>A node monitoring agent like Prometheus Node Exporter.</li> <li>A cluster storage daemon like Glusterd or Ceph.</li> </ul> <p><strong>YAML Example (DaemonSet):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DaemonSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd-elasticsearch</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd-elasticsearch</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd-elasticsearch</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fluentd-elasticsearch</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/fluentd_elasticsearch/fluentd:v2.5.2</span> <span class="c1"># ...</span> </code></pre> </div> <h3> 36. How do you rotate component certificates using Kubernetes CSR API? </h3> <p><strong>Answer:</strong></p> <ul> <li>Generate CSR manifest: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">certificates.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CertificateSigningRequest</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-apiserver-csr</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">request</span><span class="pi">:</span> <span class="s">&lt;base64-CSR&gt;</span> <span class="na">signerName</span><span class="pi">:</span> <span class="s">kubernetes.io/kube-apiserver-client</span> <span class="na">usages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">client auth</span> </code></pre> </div> <ul> <li>Create with <code>kubectl apply -f csr.yaml</code>.</li> <li>Approve: <code>kubectl certificate approve kube-apiserver-csr</code>.</li> <li>Fetch signed cert: <code>kubectl get csr kube-apiserver-csr -o jsonpath='{.status.certificate}' | base64 -d &gt; apiserver.crt</code>.</li> </ul> <h3> 37. How do you troubleshoot a service that is not accessible? </h3> <p><strong>Answer:</strong></p> <p>If you can't access a Service, here's a troubleshooting guide:</p> <ol> <li> <strong>Check the Service description:</strong> Make sure the Service exists and has the correct labels. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl describe service &lt;service-name&gt; </code></pre> </div> <ol> <li> <strong>Check the endpoints:</strong> Verify that the Service has endpoints (i.e., it's connected to running Pods). </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get endpoints &lt;service-name&gt; </code></pre> </div> <p>If there are no endpoints, check the label selector in your Service and the labels on your Pods. They must match.</p> <ol> <li><p><strong>Check the Pods:</strong> Ensure that the Pods targeted by the Service are running and healthy.</p></li> <li><p><strong>Check Network Policies:</strong> If you are using Network Policies, make sure they are not blocking traffic to the Service.</p></li> <li><p><strong>Check DNS:</strong> Try to resolve the Service's DNS name from another Pod in the cluster.<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;another-pod&gt; <span class="nt">--</span> nslookup &lt;service-name&gt; </code></pre> </div> <h3> 38. Demonstrate <code>postStart</code> and <code>preStop</code> hooks in a Pod </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">lifecycle-demo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">demo</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">postStart</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span><span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Started'</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/usr/share/message"</span><span class="pi">]</span> <span class="na">preStop</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span><span class="s2">"</span><span class="s">nginx</span><span class="nv"> </span><span class="s">-s</span><span class="nv"> </span><span class="s">quit"</span><span class="pi">]</span> </code></pre> </div> <p><code>postStart</code> runs right after container start; <code>preStop</code> runs before termination.</p> <h3> 39. What is the Operator pattern? </h3> <p><strong>Answer:</strong></p> <p>The <strong>Operator pattern</strong> is a way to package, deploy, and manage a Kubernetes application. An Operator is a custom controller that uses Custom Resource Definitions (CRDs) to manage an application and its components.</p> <p>The goal of an Operator is to automate the entire lifecycle of a complex, stateful application, including:</p> <ul> <li>Deployment and configuration.</li> <li>Scaling and high availability.</li> <li>Backups and recovery.</li> <li>Upgrades.</li> </ul> <p>Essentially, an Operator encodes the operational knowledge of a human operator into software.</p> <h3> 40. How do you deploy VPA for automatic resource right-sizing? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> https://github.com/kubernetes/autoscaler/raw/master/vertical-pod-autoscaler/deploy/vpa-v1-crd-gen.yaml kubectl apply <span class="nt">-f</span> vpa-rbac.yaml </code></pre> </div> <p>Then create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VerticalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample-vpa</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">targetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">apps/v1"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sample-deployment</span> <span class="na">updatePolicy</span><span class="pi">:</span> <span class="na">updateMode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Auto"</span> </code></pre> </div> <p>VPA’s Recommender, Updater, and Admission Controller components handle resource adjustments.</p> <h3> 41. How would you handle a situation where a node is <code>NotReady</code>? </h3> <p><strong>Answer:</strong></p> <p>A <code>NotReady</code> status means the node controller has not heard from the node within the <code>node-monitor-grace-period</code>. This could be due to a network partition, the kubelet crashing, or the node being down.</p> <ol> <li> <strong>Describe the node:</strong> Get more information about the node's status and any events. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl describe node &lt;node-name&gt; </code></pre> </div> <ol> <li> <strong>Check the kubelet:</strong> SSH into the node and check the status of the kubelet service. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> systemctl status kubelet </code></pre> </div> <p>Check the kubelet logs for errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> journalctl <span class="nt">-u</span> kubelet </code></pre> </div> <ol> <li><p><strong>Check network connectivity:</strong> Ensure the node can communicate with the master nodes.</p></li> <li><p><strong>Check resources:</strong> The node might be under heavy resource pressure (CPU, memory, or disk), which could be preventing the kubelet from functioning correctly.</p></li> </ol> <h3> 42. How do you write a Falco rule to detect shells inside containers? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">rule</span><span class="pi">:</span> <span class="s">Detect Shell in Container</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Alert when bash is spawned in a container</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">container.id != host and proc.name = bash</span> <span class="na">output</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Shell</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">container</span><span class="nv"> </span><span class="s">(user=%user.name</span><span class="nv"> </span><span class="s">container=%container.id)"</span> <span class="na">priority</span><span class="pi">:</span> <span class="s">WARNING</span> </code></pre> </div> <p>Apply via <code>falco_rules.local.yaml</code> and restart Falco.</p> <h3> 43. What are init containers and when would you use them? </h3> <p><strong>Answer:</strong></p> <p><strong>Init containers</strong> are containers that run before the main application containers in a Pod. They must run to completion before the main containers are started. If an init container fails, the Pod will be restarted.</p> <p>You can use init containers for setup tasks that need to complete before the application starts, such as:</p> <ul> <li>Waiting for a database or another service to be available.</li> <li>Cloning a git repository into a volume.</li> <li>Performing database migrations.</li> <li>Setting up necessary permissions or configuration files.</li> </ul> <p><strong>YAML Example (Init Container):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-app-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">sh'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">-c'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">echo</span><span class="nv"> </span><span class="s">The</span><span class="nv"> </span><span class="s">app</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">running!</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">sleep</span><span class="nv"> </span><span class="s">3600'</span><span class="pi">]</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-myservice</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">sh'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">-c'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">until</span><span class="nv"> </span><span class="s">nslookup</span><span class="nv"> </span><span class="s">myservice;</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">waiting</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">myservice;</span><span class="nv"> </span><span class="s">sleep</span><span class="nv"> </span><span class="s">2;</span><span class="nv"> </span><span class="s">done;'</span><span class="pi">]</span> </code></pre> </div> <h3> 44. How do you enable etcd at-rest encryption for Secrets? </h3> <p><strong>Answer:</strong></p> <ol> <li>Create <code>/etc/kubernetes/enc/encryptionConfig.yaml</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiserver.config.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">EncryptionConfiguration</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">secrets</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">aescbc</span><span class="pi">:</span> <span class="na">keys</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">key1</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">&lt;base64-32-byte-key&gt;</span> <span class="pi">-</span> <span class="na">identity</span><span class="pi">:</span> <span class="pi">{}</span> </code></pre> </div> <ol> <li>Edit <code>/etc/kubernetes/manifests/kube-apiserver.yaml</code> to add: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> - <span class="nt">--encryption-provider-config</span><span class="o">=</span>/etc/kubernetes/enc/encryptionConfig.yaml - <span class="nt">--encryption-provider-config-type</span><span class="o">=</span>aescbc </code></pre> </div> <ol> <li>Restart API server pods; now Secrets are stored encrypted in etcd.</li> </ol> <h3> 45. How does Kubernetes handle container runtime interfaces (CRI)? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8r1ock43uf5my0w81bl0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8r1ock43uf5my0w81bl0.png" alt="CRI" width="800" height="333"></a></p> <p><strong>Answer:</strong></p> <p>The <strong>Container Runtime Interface (CRI)</strong> is a plugin interface that enables the kubelet to use a wide variety of container runtimes, without the need to recompile. The kubelet acts as a client, and the CRI shim for a given runtime acts as the server.</p> <p>This allows you to use different container runtimes like <strong>containerd</strong> or <strong>CRI-O</strong> instead of the historically used Docker (via dockershim, which is now deprecated). This modularity is a key strength of Kubernetes.</p> <h3> 46. How do you capture traffic between two Pods using <code>netshoot</code> and <code>tcpdump</code>? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Launch netshoot sidecar</span> kubectl debug <span class="nt">-it</span> my-pod <span class="nt">--image</span><span class="o">=</span>nicolaka/netshoot <span class="nt">--target</span><span class="o">=</span>my-pod <span class="c"># Inside netshoot shell:</span> tcpdump <span class="nt">-i</span> any <span class="nt">-nn</span> dst port 80 <span class="nt">-w</span> /tmp/traffic.pcap </code></pre> </div> <p>Or use <code>kubectl netshoot run tmp-shell</code> via plugin.</p> <h3> 47. What is the difference between a <code>ClusterIP</code>, <code>NodePort</code>, and <code>LoadBalancer</code> service type? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7r5dnqbo86lf7zv9cph.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7r5dnqbo86lf7zv9cph.png" alt="Node Port and Load Balancer" width="800" height="416"></a></p> <p><strong>Answer:</strong></p> <p>These are the three main types of Kubernetes Services:</p> <ul> <li> <strong><code>ClusterIP</code></strong>: This is the default service type. It exposes the Service on an internal IP in the cluster. This IP is only reachable from within the cluster.</li> <li> <strong><code>NodePort</code></strong>: This exposes the Service on a static port on each node's IP. You can access the Service from outside the cluster by requesting <code>&lt;NodeIP&gt;:&lt;NodePort&gt;</code>. <code>ClusterIP</code> is automatically created.</li> <li> <strong><code>LoadBalancer</code></strong>: This exposes the Service externally using a cloud provider's load balancer. <code>NodePort</code> and <code>ClusterIP</code> services are automatically created, and the external load balancer routes to them.</li> </ul> <h3> 48. Show basic Velero commands to back up and restore a namespace </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Velero (once)</span> velero <span class="nb">install</span> <span class="nt">--provider</span> aws <span class="nt">--bucket</span> velero-backups <span class="nt">--secret-file</span> ./credentials-velero <span class="c"># Backup namespace</span> velero backup create nginx-backup <span class="nt">--include-namespaces</span> nginx-example <span class="c"># Simulate disaster</span> kubectl delete ns nginx-example <span class="c"># Restore</span> velero restore create <span class="nt">--from-backup</span> nginx-backup </code></pre> </div> <p>For PV snapshotting, add <code>--snapshot-volumes</code>.</p> <h3> 49. How do you manage cluster upgrades? </h3> <p><strong>Answer:</strong></p> <p>Upgrading a Kubernetes cluster is a critical operation that needs to be done carefully. The general process is:</p> <ol> <li> <strong>Read the release notes:</strong> Carefully read the release notes for the version you are upgrading to. Pay attention to any deprecated APIs or breaking changes.</li> <li> <strong>Upgrade the master nodes:</strong> Upgrade the master components (<code>kube-apiserver</code>, <code>kube-scheduler</code>, <code>kube-controller-manager</code>) one at a time.</li> <li> <strong>Upgrade the kubelet on worker nodes:</strong> After the master nodes are upgraded, you can upgrade the <code>kubelet</code> on the worker nodes. This is typically done by draining each node, performing the upgrade, and then uncordoning it.</li> <li> <strong>Upgrade <code>kube-proxy</code>:</strong> Upgrade the <code>kube-proxy</code> DaemonSet.</li> <li> <strong>Upgrade other components:</strong> Upgrade other cluster components like CoreDNS, CNI plugin, etc.</li> </ol> <p>Using a managed Kubernetes service (like GKE, EKS, or AKS) can greatly simplify this process.</p> <h3> 50. How do you renew all kubeadm-managed certificates? </h3> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check expirations</span> kubeadm certs check-expiration <span class="c"># Renew all certs</span> kubeadm certs renew all <span class="c"># Restart control-plane static pods (kube-apiserver, controller-manager, scheduler)</span> </code></pre> </div> <p>On HA clusters, run on each control-plane node.</p> <h3> 51. What is a Pod Disruption Budget (PDB)? </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdp6a2n9tj5d95ufa95u9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdp6a2n9tj5d95ufa95u9.png" alt="Pod Disruption Budget" width="800" height="533"></a></p> <p><strong>Answer:</strong></p> <p>A <strong>Pod Disruption Budget (PDB)</strong> limits the number of Pods of a replicated application that are simultaneously down from voluntary disruptions. For example, when you drain a node, the PDB will ensure that a certain number of Pods for your application remain running.</p> <p>This is crucial for maintaining the availability of your applications during planned maintenance.</p> <p><strong>YAML Example (PDB):</strong></p> <p>This PDB ensures that at least 2 Pods with the label <code>app=nginx</code> are available at all times.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-pdb</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span> </code></pre> </div> <h3> 52. How do you configure the audit policy and log backend for the API server? </h3> <p><strong>Answer:</strong></p> <ol> <li>Create <code>/etc/kubernetes/audit-policy.yaml</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">audit.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Policy</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">level</span><span class="pi">:</span> <span class="s">Metadata</span> </code></pre> </div> <ol> <li>Mount in <code>kube-apiserver</code> static Pod and add flags: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit/audit.log --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml </code></pre> </div> <ol> <li>Optionally configure batching and webhook.</li> </ol> <h3> 53. How can you control the scheduling of a Pod to a specific node? </h3> <p><strong>Answer:</strong></p> <p>There are several ways to control where a Pod gets scheduled:</p> <ul> <li> <strong><code>nodeSelector</code></strong>: The simplest way. You add a <code>nodeSelector</code> field to your Pod specification with a set of key-value pairs. The Pod will only be scheduled on nodes that have all of those labels.</li> <li> <strong><code>nodeAffinity</code></strong>: A more expressive way to specify node selection. It allows you to use more complex rules, like "soft" preferences (<code>preferredDuringSchedulingIgnoredDuringExecution</code>) and more advanced operators.</li> <li> <strong><code>podAffinity</code> and <code>podAntiAffinity</code></strong>: These allow you to schedule Pods based on the labels of other Pods that are already running on a node. For example, you can co-locate Pods of the same service on the same node (<code>podAffinity</code>) or spread them across different nodes (<code>podAntiAffinity</code>).</li> <li> <strong>Taints and Tolerations</strong>: As discussed earlier, this is another mechanism to control scheduling.</li> </ul> <p><strong>YAML Example (nodeAffinity):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">disktype</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ssd</span> </code></pre> </div> <h3> 54. Demonstrate how to create a <code>PriorityClass</code> and a high-priority Pod that can preempt lower ones </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mosyce62hmmpftbg5ta.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mosyce62hmmpftbg5ta.png" alt="PriorityClass" width="800" height="363"></a></p> <p><strong>Answer:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">scheduling.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PriorityClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">high-priority</span> <span class="na">value</span><span class="pi">:</span> <span class="m">1000000</span> <span class="na">globalDefault</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Critical</span><span class="nv"> </span><span class="s">workload"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">critical-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s">high-priority</span> </code></pre> </div> <p>Higher-priority pods enter the scheduling queue first, and preempt lower ones if resources are scarce.</p> <h3> 55. What is the role of the cloud-controller-manager? </h3> <p><strong>Answer:</strong></p> <p>The <strong>cloud-controller-manager</strong> is a Kubernetes control plane component that embeds cloud-specific control logic. It allows you to link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that just interact with your cluster.</p> <p>It is responsible for things like:</p> <ul> <li> <strong>Node Controller:</strong> For checking the cloud provider to determine if a node has been deleted in the cloud after it stops responding.</li> <li> <strong>Route Controller:</strong> For setting up routes in the underlying cloud infrastructure.</li> <li> <strong>Service Controller:</strong> For creating, updating, and deleting cloud provider load balancers.</li> </ul> <p>Well, that's all for now. I hope you successfully answered all 55 questions and found the answers useful, helping to increase your understanding of Kubernetes. </p> <p>If some questions were too difficult or if you were unfamiliar with any of these Kubernetes concepts, feel free to share your thoughts in the comments.</p> <p>And if you want to get in touch with <a href="https://x.com/immanuel_vibe" rel="noopener noreferrer">me</a>, you can find me on X (twitter) — <a class="mentioned-user" href="https://dev.to/immanuel_vibe">@immanuel_vibe</a>. Bye!</p>