Kubernetes Interview Questions
Crack the DevOps Interview

1. What is the primary role of the kube-scheduler?
a. Monitor application health
b. Assign pods to nodes
c. Authenticate API requests
d. Manage network policies
2. Which controller ensures the desired number of pod replicas are running at all times?
a. Job
b. ReplicaSet
c. Deployment
d. DaemonSet
3. What happens when a pod exceeds its memory limit?
a. It restarts automatically
b. It is throttled
c. It is terminated with an OOMKill
d. It is scheduled to another node
4. What is a valid use case for a DaemonSet?
a. Deploying a web app
b. Running batch jobs
c. Running logging agents on each node
d. Deploying Helm charts
5. How does a StatefulSet differ from a Deployment?
a. StatefulSet does not support rolling updates
b. Pods in StatefulSet have persistent identities
c. Deployment manages persistent volumes
d. Deployment supports init containers
6. Which component is responsible for communicating with the container runtime?
a. kube-scheduler
b. kube-apiserver
c. kubelet
d. etcd
7. What is the default network policy behavior in Kubernetes if no policy is defined?
a. All traffic is allowed
b. All traffic is denied
c. Only ingress is allowed
d. Only egress is allowed
8. How does Kubernetes implement rolling updates?
a. Stops all old pods, then starts new ones
b. Gradually replaces old pods with new ones
c. Reboots each node
d. Reschedules the entire deployment
9. Which Kubernetes resource defines how to expose a pod to external traffic?
a. Deployment
b. ConfigMap
c. Service
d. Volume
10. What happens if you delete a Deployment in Kubernetes?
a. All pods are deleted, and nothing remains
b. Pods managed by the deployment are deleted
c. Persistent volumes are deleted
d. The namespace is deleted
11. Which one is used to manage sensitive configuration data like passwords?
a. ConfigMap
b. Secret
c. Volume
d. Pod
12. Which of the following is NOT a valid Kubernetes workload type?
a. Deployment
b. DaemonSet
c. StatefulSet
d. GroupSet
13. What mechanism does Kubernetes use to track the current state of a resource?
a. Helm
b. etcd
c. kube-proxy
d. Ingress
14. What kind of service is used for communication across different clusters?
a. ClusterIP
b. NodePort
c. LoadBalancer
d. ExternalName
15. Which resource allows you to schedule a pod to run once and exit upon completion?
a. Job
b. CronJob
c. DaemonSet
d. StatefulSet
16. Which plugin handles actual pod scheduling decisions?
a. kube-scheduler
b. kube-controller-manager
c. kubelet
d. kube-proxy
17. Which controller watches for changes to the etcd data store?
a. kube-proxy
b. kube-apiserver
c. controller-manager
d. scheduler
18. Which of the following is true regarding Persistent Volumes?
a. Bound to a single namespace
b. Created by the pod
c. Cluster-wide resource
d. Tied to ConfigMaps
19. How can Kubernetes secrets be stored encrypted at rest?
a. Use Helm
b. Use annotations
c. Use base64 encoding
d. Enable EncryptionConfiguration
20. Which command is used to display detailed information about a resource?
a. kubectl get
b. kubectl run
c. kubectl describe
d. kubectl apply
21. What is a taint in Kubernetes?
a. Prevents pods from running on a node
b. Prevents service access
c. Denies ingress
d. Allows only admin pods
22. What is the purpose of node affinity?
a. Protect the node from failures
b. Assign CPU limits
c. Define network policies
d. Schedule pods to specific nodes based on labels
23. Which volume type is suitable for multi-pod access in ReadWriteMany mode?
a. hostPath
b. NFS
c. emptyDir
d. configMap
24. What happens when a pod's readiness probe fails?
a. The pod is deleted
b. The pod is restarted
c. The pod is marked not ready to receive traffic
d. The container exits
25. What is the maximum number of pods per node in a Kubernetes cluster (default limit)?
a. 100
b. 110
c. 255
d. Unlimited
26. What is the role of kube-proxy?
a. Scheduling
b. Volume mounting
c. Network traffic routing
d. Secrets management
27. What is a Custom Resource Definition (CRD)?
a. A script to create deployments
b. A way to define custom Kubernetes resources
c. A network plugin
d. A Helm chart
28. What does kubectl rollout undo do?
a. Reverts to the previous deployment revision
b. Deletes the deployment
c. Pauses the deployment
d. Deletes all pods
29. Which controller is used for ensuring a specified number of pods run at all times?
a. Job
b. StatefulSet
c. DaemonSet
d. ReplicaSet
30. What is the function of livenessProbe?
a. Monitors CPU utilization
b. Deletes the pod when it fails
c. Restarts the container when it becomes unhealthy
d. Checks if the pod is ready for traffic
31. How are ConfigMaps mounted into pods?
a. Via annotations
b. As environment variables or volumes
c. As secrets
d. As services
32. What is an Init Container?
a. A container that runs before the main container starts
b. The main application container
c. A container that handles probes
d. Used only in StatefulSets
33. What is the Kubernetes object for grouping multiple containers?
a. Deployment
b. ConfigMap
c. Pod
d. Volume
34. What does kubectl taint do?
a. Deletes pods
b. Labels nodes
c. Enables autoscaling
d. Prevents pods from scheduling unless tolerated
35. What is a limitRange in Kubernetes?
a. A policy to set default resource requests/limits
b. Controls network policies
c. Sets user permissions
d. A scheduler extension
36. What is a valid reason for a pod to be in a CrashLoopBackOff state?
a. Wrong node selector
b. Container keeps crashing
c. Toleration missing
d. Node out of memory
37. Which command lists all resources in a namespace?
a. kubectl list all
b. kubectl get *
c. kubectl get all
d. kubectl list resources
38. How does Kubernetes handle node failure?
a. Deletes all pods immediately
b. Reschedules pods to healthy nodes
c. Pauses cluster operation
d. Reboots the node
39. What is the default port for kube-apiserver?
a. 443
b. 6443
c. 80
d. 8080
40. Which type of service is only accessible from inside the cluster?
a. NodePort
b. LoadBalancer
c. ClusterIP
d. ExternalName
41. What does a Kubernetes label do?
a. Attaches identifying metadata to resources
b. Encrypts pods
c. Monitors CPU usage
d. Prevents autoscaling
42. What does RBAC control in Kubernetes?
a. Monitoring
b. Logs
c. Metrics
d. Permissions
43. Which tool is typically used to template and package Kubernetes manifests?
a. kubectl
b. Helm
c. Prometheus
d. Fluentd
44. What is the default namespace used when none is specified?
a. system
b. public
c. kube-public
d. default
45. How do you set a pod to run on a specific node?
a. Taints
b. Tolerations
c. NodeSelector
d. Secrets
46. Which of these is a valid Kubernetes resource type?
a. VolumeMount
b. ContainerGroup
c. ReplicaController
d. CronJob
47. What is Horizontal Pod Autoscaler based on?
a. CPU/memory usage
b. Disk usage
c. Number of users
d. Node status
48. Which Kubernetes object defines access to external HTTP/S traffic?
a. Service
b. DaemonSet
c. Ingress
d. Secret
49. What does the finalizer field in a resource do?
a. Deletes associated nodes
b. Prevents deletion of namespaces
c. Defines volume size
d. Delays deletion until cleanup logic is run
50. What is the default scheduler used in Kubernetes?
a. kube-controller
b. default-scheduler
c. kube-router
d. kube-proxy
51. What is the function of a PriorityClass in Kubernetes?
a. Assigns pods to nodes based on resource needs
b. Controls the restart policy
c. Sets the priority for pod eviction
d. Defines pod CPU requests
52. Which field in a PodSpec ensures that a container always restarts after a crash?
a. restartMode
b. restartPolicy: Always
c. lifecycle: restart
d. autoRestart
53. Which field does the scheduler use to determine if a pod can be scheduled on a node?
a. nodeGroup
b. podAffinity
c. nodeSelector
d. tolerations
54. What is the primary use of the PodSecurityPolicy (deprecated in v1.21)?
a. Control pod-level security settings
b. Restart crashed pods
c. Define Helm chart roles
d. Manage kubelet certificates
55. What is a mutating webhook used for?
a. Validating configs
b. Auto-scaling pods
c. Changing a pod spec before it is persisted
d. Managing service IPs
56. Which of the following enables canary deployments in Kubernetes?
a. Jobs
b. Istio or Service Mesh
c. Secrets
d. kubelet
57. What is the default behavior when a node becomes unreachable?
a. All pods are moved immediately
b. The node is cordoned
c. The node is marked NotReady, pods are evicted after a grace period
d. kube-proxy disables service
58. What does kubectl port-forward do?
a. Opens firewall ports
b. Forwards traffic from a local port to a pod
c. Updates DNS
d. Deploys a pod
59. Which of the following is a valid volume type in Kubernetes?
a. secretFile
b. mountedVolume
c. sharedVolume
d. emptyDir
60. What happens if a pod requests more resources than available on a node?
a. It is killed immediately
b. It runs with degraded performance
c. It is not scheduled
d. It is evicted
61. Which API version is used for managing CustomResourceDefinitions (CRDs)?
a. apps/v1
b. core/v1
c. apiextensions.k8s.io/v1
d. extensions/v1beta1
62. What is the purpose of kubectl cordon?
a. Schedule a pod
b. Mark node unschedulable
c. Delete node
d. Reboot node
63. What component in Kubernetes is responsible for maintaining network rules on nodes?
a. kubelet
b. etcd
c. scheduler
d. kube-proxy
64. Which strategy is used for rolling updates by default in Deployments?
a. RollingUpdate
b. Recreate
c. Parallel
d. OnDelete
65. What is the use of the readinessProbe in a pod spec?
a. Kill the container when unhealthy
b. Auto-restart container
c. Determine if a container is ready to receive traffic
d. Prevent init container from running
66. What is the minimum Kubernetes object needed to deploy a container?
a. Deployment
b. ReplicaSet
c. Service
d. Pod
67. What does the --dry-run=client flag do in kubectl?
a. Executes on server
b. Simulates the command locally without applying
c. Deletes all objects
d. Prints logs
68. What field in a Deployment ensures a certain number of old pods stay available during updates?
a. minSurge
b. maxUnavailable
c. strategy
d. updatePolicy
69. What is a valid reason for a deployment to be stuck in "Progressing" state?
a. Readiness probe failing
b. Missing ConfigMap
c. Node label not matching
d. Running as root
70. What type of container runtime is used by default in newer Kubernetes versions?
a. Docker
b. containerd
c. cri-o
d. rkt
71. What can you use to restrict access to specific Kubernetes APIs for users?
a. Helm
b. PodSecurityContext
c. RBAC
d. kubeadm
72. What does kubeadm primarily help with?
a. Debugging
b. Ingress setup
c. Network monitoring
d. Bootstrapping Kubernetes clusters
73. What does a PodAntiAffinity rule do?
a. Schedules pods away from specified pods
b. Binds pods to specific services
c. Avoids DNS clashes
d. Allows volume sharing
74. What is the primary role of the Kubernetes controller manager?
a. Maintain etcd health
b. Monitor and reconcile cluster state
c. Serve APIs
d. Schedule workloads
75. Which of the following ensures scheduled execution of jobs?
a. DaemonSet
b. ReplicaSet
c. Job
d. CronJob
76. What is the default namespace for Kubernetes system components?
a. default
b. kube-system
c. kube-public
d. kube-config
77. Which kubelet configuration can help isolate workloads between different tenants?
a. Cgroups
b. Namespaces
c. PodSecurityPolicy
d. Node Affinity
78. What is the purpose of kubectl rollout status?
a. Shows node health
b. Displays current deployment rollout status
c. Deletes old ReplicaSets
d. Initiates blue/green deployment
79. Which object defines lifecycle hooks for containers?
a. Service
b. Deployment
c. PodSpec
d. kubelet
80. What is the difference between Job and CronJob?
a. Job runs in parallel, CronJob is single-threaded
b. CronJob creates Jobs on a schedule
c. CronJob is used for real-time data
d. Job is scheduled, CronJob is not
81. What command allows you to fetch logs from a container?
a. kubectl fetch
b. kubectl logs
c. kubectl view
d. kubectl status
82. What is the benefit of using a ServiceAccount in Kubernetes?
a. Reduce cost
b. Improve node communication
c. Define taints
d. Provide pod-level API access
83. Which resource would you use to limit network access to a pod?
a. NetworkPolicy
b. Role
c. Service
d. NodePort
84. Which object does a Helm chart generate when installed?
a. Container
b. Kubernetes manifests
c. Virtual machine
d. Docker image
85. What command do you use to update a resource declaratively?
a. kubectl replace
b. kubectl run
c. kubectl edit
d. kubectl apply
86. What causes a pod to enter ImagePullBackOff state?
a. CrashLoop
b. Node failure
c. Image registry issues
d. Failed liveness probe
87. What's the default restartPolicy in a Pod spec?
a. Always
b. OnFailure
c. Never
d. Manual
88. What does kubectl exec do?
a. Runs a container
b. Forwards logs
c. Applies a manifest
d. Runs a command inside a pod
89. What does the ttlSecondsAfterFinished field in a Job do?
a. Extends pod life
b. Deletes completed jobs after timeout
c. Prevents job retry
d. Pauses job execution
90. Which Kubernetes resource defines port mappings for pods?
a. Deployment
b. ReplicaSet
c. Service
d. CronJob
91. How are RBAC permissions grouped?
a. Namespaces
b. Nodes
c. StorageClasses
d. Roles and ClusterRoles
92. What does a PodDisruptionBudget prevent?
a. CPU starvation
b. High memory usage
c. Too many concurrent pod evictions
d. Node upgrades
93. Which command can help you debug pod scheduling issues?
a. kubectl get pods
b. kubectl config
c. kubectl describe pod <name>
d. kubectl proxy
94. What does Helm's values.yaml file do?
a. Defines Kubernetes secrets
b. Sets default configurations for templates
c. Generates Dockerfiles
d. Stores release history
95. What is the Downward API used for in Kubernetes?
a. Inter-node communication
b. Volume mounting
c. Allow pods to access their metadata
d. Horizontal scaling
96. What does setting hostNetwork: true in a PodSpec do?
a. Disables service discovery
b. Assigns the pod a random IP
c. Makes the pod share the node's network namespace
d. Forces traffic to go through ingress
97. What is the purpose of a PodDisruptionBudget?
a. Limits the number of pods created
b. Controls the number of evictions during voluntary disruptions
c. Defines the minimum resources for scheduling
d. Prevents autoscaling of pods
98. What does a CustomResourceDefinition (CRD) enable?
a. Creating custom API servers
b. Defining user-created resources in Kubernetes API
c. Modifying system resources
d. Running custom kubelet plugins
99. Which Kubernetes object can define Ingress rules?
a. Service
b. ConfigMap
c. Deployment
d. Ingress
100. What tool would you typically use for observability in Kubernetes?
a. Helm
b. Prometheus
c. kubelet
d. kubectl
Full Answer Key (1–100)
1-b 2-b 3-c 4-c 5-b 6-c 7-a 8-b 9-c 10-b
11-b 12-d 13-b 14-d 15-a 16-a 17-c 18-c 19-d 20-c
21-a 22-d 23-b 24-c 25-b 26-c 27-b 28-a 29-d 30-c
31-b 32-a 33-c 34-d 35-a 36-b 37-c 38-b 39-b 40-c
41-a 42-d 43-b 44-d 45-c 46-d 47-a 48-c 49-d 50-b
51-c 52-b 53-c 54-a 55-c 56-b 57-c 58-b 59-d 60-c
61-c 62-b 63-d 64-a 65-c 66-d 67-b 68-a 69-a 70-b
71-c 72-d 73-a 74-b 75-d 76-b 77-a 78-b 79-c 80-b
81-b 82-d 83-a 84-b 85-d 86-c 87-a 88-d 89-b 90-c
91-d 92-c 93-c 94-b 95-c 96-c 97-b 98-b 99-d 100-b
(Let's Revise)
Kubernetes Interview Questions and Answers for DevOps Engineer
1. What is Kubernetes?
Answer: Kubernetes is an open-source container orchestration platform that automates deployment, scaling, and management of containerized applications.
2. How does Kubernetes handle service discovery?
Answer: Kubernetes uses built-in DNS (CoreDNS) and Services to expose pods via internal DNS names and virtual IPs.
3. What are the components of the Kubernetes control plane?
Answer: kube-apiserver, etcd, kube-scheduler, kube-controller-manager, and cloud-controller-manager.
4. What is etcd used for?
Answer: etcd is a distributed key-value store used for storing all cluster data and state.
5. What is a Pod?
Answer: A Pod is the smallest deployable unit in Kubernetes. It can hold one or more containers that share network and storage.
6. What is a Deployment in Kubernetes?
Answer: A Deployment manages ReplicaSets to ensure the desired number of pod replicas are running, and allows rolling updates and rollbacks.
7. Explain StatefulSet vs Deployment.
Answer: StatefulSet maintains persistent identity and storage per pod (useful for databases), while Deployment is for stateless apps with interchangeable pods.
8. What is the role of kubelet?
Answer: kubelet is the agent that runs on each node and ensures that containers are running as expected.
9. What is a DaemonSet?
Answer: A DaemonSet ensures that a pod runs on all (or selected) nodes in the cluster, commonly used for log collection, monitoring, etc.
10. How does Kubernetes schedule pods?
Answer: kube-scheduler assigns pods to nodes based on resource requests, constraints, affinity rules, taints/tolerations, and policies.
11. What are taints and tolerations?
Answer: Taints prevent pods from being scheduled on nodes unless the pod has matching tolerations.
12. What is a Node in Kubernetes?
Answer: A node is a worker machine (VM or physical) where Kubernetes deploys pods.
13. What are Init Containers?
Answer: Init containers run before the app container starts, often used for setup tasks like config download or validation.
14. How does Kubernetes perform rolling updates?
Answer: Deployments use rolling updates by gradually replacing old pods with new ones while maintaining availability.
15. What are ReplicaSets?
Answer: ReplicaSets ensure a specified number of pod replicas are running at all times.
16. What is a Service?
Answer: A Service exposes a group of pods as a network service, allowing stable access via a virtual IP or DNS name.
17. Types of Services in Kubernetes?
Answer: ClusterIP (default), NodePort, LoadBalancer, ExternalName, and Headless.
18. What is Ingress?
Answer: Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster using Ingress controllers.
19. What are ConfigMaps and Secrets?
Answer: ConfigMaps store non-sensitive config data. Secrets store sensitive info like passwords. Both are used as env vars or mounted volumes.
20. How do livenessProbe and readinessProbe work?
Answer: livenessProbe restarts a failing container. readinessProbe controls whether the pod is added to a service endpoint.
21. What is a Namespace in Kubernetes?
Answer: Namespaces are virtual clusters within a Kubernetes cluster that isolate resources like pods, services, and deployments for multi-tenancy or environment segregation.
22. What is the use of NetworkPolicies?
Answer: NetworkPolicies define how groups of pods are allowed to communicate with each other and with other network endpoints, controlling ingress and egress traffic.
23. How do you perform zero-downtime deployments in Kubernetes?
Answer: Use rolling updates via Deployments with proper readiness probes and health checks to ensure new pods are ready before old ones are terminated.
24. What is a Custom Resource Definition (CRD)?
Answer: CRDs let you extend Kubernetes by defining custom resource types that behave like built-in resources.
25. What is the purpose of kube-proxy?
Answer: kube-proxy handles networking rules on each node, directing traffic to the correct pod via iptables or IPVS.
26. How can you access a pod running on a private cluster?
Answer: Use kubectl port-forward, set up a bastion host, or expose via NodePort/Ingress with authentication.
27. What is Helm and how is it used?
Answer: Helm is a package manager for Kubernetes, used to deploy pre-configured resources using charts.
28. What are Jobs and CronJobs?
Answer: Jobs run once until completion. CronJobs schedule Jobs based on time (like cron in Linux).
29. What is Horizontal Pod Autoscaler (HPA)?
Answer: HPA automatically adjusts the number of pod replicas based on CPU/memory or custom metrics.
30. How do you implement Pod Affinity and Anti-Affinity?
Answer: By adding affinity rules in pod specs to control co-location (affinity) or separation (anti-affinity) of pods based on labels.
31. How is application configuration managed in Kubernetes?
Answer: Using ConfigMaps for non-sensitive data, Secrets for sensitive data, and environment variables or volume mounts to inject them.
32. What is a ServiceAccount?
Answer: A ServiceAccount provides an identity for processes in a pod to interact with the Kubernetes API.
33. How do you restrict a user's access to resources?
Answer: Use RBAC (Role-Based Access Control) with Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
34. What is a headless service and when would you use it?
Answer: A headless service (ClusterIP: None) allows direct access to pod IPs, often used for StatefulSets and service discovery.
35. What's the difference between Requests and Limits?
Answer: Requests are guaranteed minimum resources, while limits are the maximum a container can use.
36. What is the CrashLoopBackOff error and how do you troubleshoot it?
Answer: It occurs when a pod repeatedly crashes. Use kubectl describe pod and kubectl logs to check for errors and misconfigurations.
37. What are taints and tolerations used for in real-world clusters?
Answer: Used to reserve or isolate nodes for specific workloads like system-critical apps, GPU-intensive workloads, or specific tenants.
38. How do you monitor Kubernetes clusters?
Answer: Use Prometheus, Grafana, kube-state-metrics, and tools like Metrics Server, ELK, Datadog, or Cloud-native monitoring solutions.
39. How can you restrict container privileges in Kubernetes?
Answer: Use PodSecurityContext, SecurityContext, and enable Pod Security Admission (PSA) with restricted, baseline, or privileged profiles.
40. What is the difference between kubectl apply and kubectl create?
Answer: kubectl create is used to create resources. kubectl apply is used for declarative configuration and supports updates.
41. How do you perform a rollback in Kubernetes?
Answer: Use kubectl rollout undo deployment <name> to revert to the previous revision.
42. What is nodeSelector?
Answer: It assigns pods to specific nodes by matching node labels in the pod spec.
43. What are Admission Controllers?
Answer: Pluggable components in kube-apiserver that modify or validate incoming API requests before they are persisted.
44. How does Kubernetes handle Secrets securely?
Answer: Secrets are base64-encoded by default and can be encrypted at rest using EncryptionConfiguration in kube-apiserver.
45. How do you troubleshoot pods stuck in Pending state?
Answer: Use kubectl describe pod to check for insufficient resources, missing PVCs, or unschedulable nodes.
46. What is a Volume in Kubernetes?
Answer: A volume is a storage abstraction used to persist data across container restarts within a pod.
47. How does Kubernetes support multi-tenancy?
Answer: Through namespaces, resource quotas, RBAC policies, and network policies to isolate workloads.
48. What is the default pod eviction behavior on node failure?
Answer: The node is marked NotReady, and after a grace period (default 5 mins), pods are evicted by the Node Controller.
49. How do you restrict how many pods can be unavailable during updates?
Answer: Set maxUnavailable in the Deployment's rolling update strategy.
50. What is PodDisruptionBudget (PDB)?
Answer: PDB specifies the minimum number or percentage of pods that must remain available during voluntary disruptions like maintenance or upgrades.
51. What is a StatefulSet and when do you use it?
Answer: A StatefulSet manages the deployment and scaling of stateful applications. It assigns persistent identities and stable storage to each pod, ideal for databases and distributed systems like Cassandra, Kafka, or MongoDB.
52. Explain how Init Containers work.
Answer: Init containers run before app containers in a pod. They're used for initialization logic like setting permissions, waiting for services, or pulling config, and must complete before regular containers start.
53. How does Kubernetes handle application logs?
Answer: Kubernetes doesn't manage logs natively. Logs from pods are accessed via kubectl logs, but for centralized logging, tools like Fluentd, Logstash, or Loki are used to collect and ship logs to storage backends like Elasticsearch or S3.
54. How do you implement Blue-Green Deployment in Kubernetes?
Answer: Use two separate deployments (blue and green) and switch traffic between them using services or ingress routing. Green is the new version, blue is the current live version.
55. What is the role of etcd in a Kubernetes cluster?
Answer: etcd is a distributed key-value store that stores all cluster state, configurations, and metadata. It's the single source of truth for Kubernetes.
56. How do you backup and restore etcd?
Answer: Use etcdctl snapshot save and etcdctl snapshot restore commands. Ensure access to the correct certificate and endpoint.
57. What is kube-scheduler responsible for?
Answer: It assigns unscheduled pods to appropriate nodes based on resource availability, constraints, taints/tolerations, and affinity rules.
58. How does Kubernetes perform leader election?
Answer: Kubernetes components like kube-controller-manager and scheduler use lease-based leader election, typically stored in etcd.
59. How does readinessProbe differ from livenessProbe?
Answer:
readinessProbe: Determines if the pod is ready to serve traffic.
livenessProbe: Checks if the pod is healthy. If it fails, Kubernetes restarts the container.
60. What are the different types of Services in Kubernetes?
Answer:
ClusterIP: Internal communication only.
NodePort: Exposes service on node IP at a static port.
LoadBalancer: Uses cloud provider to provision an external load balancer.
ExternalName: Maps a service to an external DNS name.
61. How do you implement canary deployments in Kubernetes?
Answer: Deploy a new version alongside the stable one with fewer replicas, adjust traffic using labels/selectors or ingress controllers until fully promoted.
62. What are resource quotas and how are they used?
Answer: Resource quotas limit resource usage per namespace (e.g., CPU, memory, pods, PVCs) to avoid resource starvation or abuse.
63. What is kubelet and what does it do?
Answer: kubelet runs on each node, ensuring containers are running as per the pod specs. It reports node status and manages pod lifecycle.
64. How do you scale applications manually and automatically?
Answer:
Manual: kubectl scale deployment <name> --replicas=n
Auto: HPA/VPA with metrics-based triggers.
65. How do you secure ingress traffic in Kubernetes?
Answer: Use Ingress Controllers with TLS termination, authentication policies, and WAF integration (e.g., NGINX Ingress with cert-manager and OPA).
66. What is the role of the API Server?
Answer: It is the front-end for the Kubernetes control plane, handling REST requests, validating them, and updating etcd.
67. What is a DaemonSet? Provide a use case.
Answer: Ensures a pod runs on all (or selected) nodes. Use it for log collectors (e.g., Fluentd), monitoring agents, or network plugins.
68. How do you update a ConfigMap without restarting the pods?
Answer: Mount it as a volume with subPath and use tools like Reloader or write custom controllers to watch changes.
69. What is the eviction policy in Kubernetes?
Answer: Kubernetes evicts pods under resource pressure (CPU/memory/disk). Eviction is controlled via Quality of Service (QoS) classes and priorities.
70. What is a VolumeMount and how does it relate to a Volume?
Answer: A volumeMount is the location inside the container where the volume is attached. It allows containers to access persistent or shared data.
71. What is a Finalizer in Kubernetes?
Answer: Finalizers prevent premature deletion of resources. Controllers remove finalizers after performing cleanup tasks (e.g., deleting associated cloud resources).
72. How do you upgrade a Kubernetes cluster safely?
Answer:
Backup etcd
Drain and upgrade control plane components
Upgrade kubelet/kube-proxy on worker nodes
Use tools like kubeadm, eksctl, or kops
73. How do you debug a pod that doesn't start?
Answer:
kubectl describe pod <pod> for events
kubectl logs <pod> for container logs
Check image pull issues, PVCs, resource limits
74. What are OPA Gatekeeper and Kyverno used for?
Answer: They are policy engines used to enforce governance and security policies at admission time via CRDs.
75. What is the difference between ClusterRole and Role?
Answer:
Role: Grants permissions within a namespace.
ClusterRole: Grants permissions across the entire cluster.
76. How do you perform service discovery in Kubernetes?
Answer: Kubernetes auto-creates DNS records for services and pods using kube-dns or CoreDNS, enabling service name resolution.
77. What are the available rollout strategies for Deployments?
Answer:
RollingUpdate (default): Gradually replaces pods.
Recreate: Terminates all old pods before creating new ones.
78. What is a sidecar container?
Answer: A helper container deployed alongside the main container in a pod. Used for logging, proxying, or configuration management (e.g., Envoy in Istio).
79. What is the difference between a Deployment and a ReplicaSet?
Answer:
ReplicaSet ensures the desired number of pod replicas.
Deployment provides declarative updates and versioning over ReplicaSets.
80. How do you integrate secrets with external secret managers like AWS Secrets Manager?
Answer: Use tools like external-secrets, Vault Agent Injector, or CSI Secrets Store Driver to sync external secrets into Kubernetes as native secrets.
81. What are Kubernetes Admission Controllers?
Answer: Admission Controllers are plugins that intercept (mutating or validating) requests to the Kubernetes API server after authentication and authorization, but before persistence. Examples: NamespaceLifecycle, LimitRanger, PodSecurityPolicy.
82. What is the difference between Mutating and Validating Admission Webhooks?
Answer:
MutatingWebhook modifies requests (e.g., adding labels).
ValidatingWebhook checks requests against custom policies but doesn't alter them.
83. What is the role of CoreDNS in a Kubernetes cluster?
Answer: CoreDNS provides service discovery via DNS. It maps Kubernetes services and pod names to IP addresses and is deployed as a cluster add-on.
84. What is kube-proxy and how does it work?
Answer: kube-proxy maintains network rules on nodes to allow communication to services. It uses iptables or IPVS to route traffic to pod endpoints.
85. What are taints and tolerations in Kubernetes?
Answer:
Taints prevent pods from being scheduled on a node unless a pod has a matching toleration.
Used to dedicate or isolate nodes for specific workloads.
86. How do you implement High Availability (HA) for a Kubernetes Control Plane?
Answer:
Deploy multiple API servers behind a load balancer
Run etcd in clustered mode (odd number)
Use multiple controller-manager and scheduler pods with leader election
87. How do you run a Kubernetes Job on a schedule?
Answer: Use a CronJob, which runs pods on a defined schedule (e.g., every hour) like a cron task.
88. What is a Kubernetes CRD and why is it used?
Answer: A CustomResourceDefinition (CRD) allows extending Kubernetes APIs to define and manage custom resource types like KafkaTopic or MySQLBackup.
89. What's the difference between kubectl exec, kubectl cp, and kubectl logs?
Answer:
exec: Executes a command inside a container.
cp: Copies files between local and container filesystem.
logs: Shows stdout/stderr logs from container.
90. How do you configure a Pod to use a PersistentVolume (PV)?
Answer:
Create a PersistentVolume (PV)
Create a PersistentVolumeClaim (PVC)
Mount PVC into pod via volumes and volumeMounts
91. How do you roll back a failed deployment?
Answer:
kubectl rollout undo deployment <name>
It reverts to the previous ReplicaSet version.
92. How do you restrict a pod to run only on a specific node?
Answer: Use nodeSelector, nodeAffinity, or nodeName in the pod spec to target specific nodes.
93. What is the difference between Horizontal and Vertical Pod Autoscaling?
Answer:
HPA: Scales the number of pods.
VPA: Adjusts pod CPU/memory requests/limits.
They can be used together with care.
94. How does Kubernetes handle secret encryption at rest?
Answer:
Secrets are encrypted in etcd using encryption providers configured in the API server (encryptionConfig.yaml)
Uses AES, KMS, or cloud provider's encryption backends.
95. What is a Kubernetes Operator?
Answer: An Operator is a method of packaging, deploying, and managing applications using custom controllers to extend Kubernetes functionalities for a specific application's lifecycle (e.g., backup, upgrades, scaling).
96. How do you monitor a Kubernetes cluster?
Answer:
Use Prometheus + Grafana for metrics
Use tools like kube-state-metrics, node-exporter
Enable API server audit logging, logs via Fluentd/Loki
97. What is the use of PodSecurityPolicy (PSP) and its replacement?
Answer:
PSPs were used to enforce security contexts for pods (e.g., runAsNonRoot).
PSP is deprecated and replaced by Pod Security Admission and policy engines like OPA Gatekeeper or Kyverno.
98. What are Resource Requests and Limits?
Answer:
Request: Minimum guaranteed CPU/memory for a pod
Limit: Maximum CPU/memory a pod can use
Helps in scheduling and OOM protection.
99. How do you expose metrics from an application in Kubernetes?
Answer:
Expose metrics on /metrics endpoint
Annotate pod with Prometheus scrape config
Use Prometheus Operator or ServiceMonitor CRDs
100. What is the difference between Recreate and RollingUpdate deployment strategies?
Answer:
Recreate: Deletes all old pods before starting new ones (downtime).
RollingUpdate: Replaces pods incrementally with zero downtime.


