CNPA Sample Questions Answers

To achieve repeatability and consistency, CI pipelines must produce immutable artifacts that are uniquely identifiable and reproducible. Option D is correct because immutable artifacts (such as container images tagged with digests or versioned binaries) ensure that the same build artifact can be promoted across environments (dev, staging, production) without modification. This eliminates discrepancies caused by rebuilding code in different environments.

Option A (notifications) improves feedback but does not guarantee consistency. Option B (dynamic scaling) optimizes resource usage but does not address build reproducibility. Option C (dashboards) aid in visibility but are not critical to ensuring consistent outputs.

Immutable artifacts are essential for compliance, traceability, and reliability. They ensure that what has been tested is exactly what gets deployed, which is central to continuous delivery and GitOps practices.

The most effective way to prevent insecure code from reaching production is to integrate security gates directly into the CI/CD pipeline. Option A is correct because security gates involve automated scanning of dependencies, SBOM generation, code analysis, and policy enforcement during build and test phases. This ensures that vulnerabilities or policy violations are caught early in the development lifecycle.

Option B (load balancing) improves availability but is unrelated to code security. Option C (A/B testing) validates functionality, not security. Option D (caching strategies) affects performance, not code safety.

By embedding automated checks into CI/CD pipelines, teams adopt a shift-left security approach, ensuring compliance and minimizing risks of supply chain attacks. This practice directly supports platform engineering goals of combining security with speed and reducing developer friction through automation.

An extensible architecture with modular components is crucial for modern platform engineering. Option C is correct because modularity allows new capabilities (e.g., self-service delivery, observability, or security features) to be added or replaced without disrupting the whole system. This approach promotes agility, scalability, and maintainability.

Option A (monolithic architecture) restricts flexibility and slows innovation. Option B (centralized API gateways) may help integration but still creates bottlenecks if every addition requires specialist intervention. Option D (static architecture) locks the platform into rigid patterns, preventing adaptation to evolving needs.

Extensible, modular design is a hallmark of cloud native platforms. It enables composability, where services (like service mesh, logging, monitoring, or provisioning APIs) can be plugged in as needed. This architecture supports golden paths and self-service abstractions, reducing developer friction while keeping governance intact.

The Kubernetes reconciliation loop ensures that the actual state of a resource matches the desired state defined in its manifest. If the replica count of a Deployment is changed from 3 to 5, option B is correct: Kubernetes will automatically create two new Pods to satisfy the new desired replica count.

Option A is incorrect because Deployments are not deleted; they are updated in place. Option C contradicts Kubernetes’ declarative model—no manual intervention is required. Option D is wrong because Kubernetes does not restart existing Pods unless necessary; it simply adds additional Pods.

This reconciliation process is core to Kubernetes’ declarative infrastructure approach, where desired states are continuously monitored and enforced. It reduces human toil and ensures consistency, making it fundamental for platform engineering practices like GitOps.

An API-driven service catalog provides a centralized and standardized interface where developers can discover and provision platform services. Option A is correct because it simplifies service discovery, allowing teams to connect to databases, messaging systems, and other infrastructure without needing in-depth platform knowledge. This improves productivity and developer experience by reducing cognitive load and ensuring consistent, governed access.

Option B is the opposite of the benefit—catalogs accelerate provisioning. Option C is incorrect because catalogs do not bypass security; they enforce guardrails and compliance. Option D is also incorrect because service catalogs abstract away provisioning details rather than forcing developers to manage them.

By providing golden paths and API-driven self-service, service catalogs ensure developers focus on building applications while platform teams maintain consistency and compliance.

The primary goal of platform engineering is to create reusable, scalable platforms that improve both developer productivity and developer experience. Option D is correct because platform engineering treats the platform as a product, providing self-service capabilities, abstractions, and golden paths that reduce cognitive load for developers while embedding organizational guardrails.

Option A is too narrow—platform engineering is not limited to infrastructure automation but extends to developer usability, observability, and governance. Option B is incorrect because limiting access contradicts the principle of empowering developers through self-service. Option C is misleading; platform engineering complements DevOps practices but does not replace them.

By enabling developers to consume infrastructure and platform services through self-service APIs and portals, platform teams accelerate delivery cycles while maintaining compliance and security. This approach results in improved efficiency, reduced toil, and better alignment between business and engineering outcomes.

Prometheus is the de facto standard for collecting and monitoring metrics in Kubernetes and other cloud native environments. Option D is correct because Prometheus is a CNCF graduated project designed for multi-dimensional data collection, time-series storage, and powerful querying using PromQL. It integrates seamlessly with Kubernetes, automatically discovering targets such as Pods and Services through service discovery.

Option A (Grafana) is widely used for visualization but relies on Prometheus or other data sources to collect metrics. Option B (ELK Stack) is better suited for log aggregation rather than real-time metrics. Option C (OpenTelemetry) provides standardized instrumentation but is focused on generating and exporting metrics, logs, and traces rather than storage, querying, and alerting.

Prometheus plays a central role in platform observability strategies, often paired with Alertmanager for notifications and Grafana for dashboards. Together, they enable proactive monitoring, SLO/SLI measurement, and incident detection, making Prometheus indispensable in cloud native platform engineering.

The defining capability of an IDP is enabling self-service so developers can independently access infrastructure and platform resources. Option D is correct because self-service resource provisioning APIs allow developers to provision resources such as namespaces, databases, or environments without relying on manual intervention from the platform team. These APIs embed governance, compliance, and organizational guardrails while giving autonomy to development teams.

Option A (manual deployment services) defeats the purpose of self-service. Option B (knowledge centers) improve documentation but do not provide automation. Option C (logging/monitoring interfaces) are observability tools, not resource provisioning mechanisms.

Self-service APIs empower developers, reduce cognitive load, and minimize bottlenecks. They also align with the platform engineering principle of “treating the platform as a product,” where developers are customers, and the platform offers curated golden paths to simplify consumption of infrastructure and services.

The primary role of an Internal Developer Platform (IDP) is to reduce cognitive load for developers by abstracting away infrastructure complexity and providing simple, self-service interfaces. Option B is correct because platforms deliver curated golden paths, service catalogs, and APIs that allow developers to focus on application logic instead of learning every underlying infrastructure tool.

Option A is incorrect—platforms are specifically designed to reduce mental overhead. Option C contradicts the platform engineering principle of shifting complexity away from developers. Option D also misrepresents the intent of platforms, which aim to unify and simplify rather than complicate.

By lowering cognitive load, platforms improve productivity, enable faster onboarding, and reduce the likelihood of errors. This aligns with the “platform as a product” model, where developers are treated as customers and the platform is designed to optimize their experience.

The biggest driver for customizing CI pipeline configurations across application types is technical differences between programming languages, frameworks, and artifact formats. Option B is correct because applications written in Java, Python, Go, or Node.js require different build tools (e.g., Maven, pip, go build, npm), testing frameworks, and packaging mechanisms. These differences must be reflected in the CI pipeline to ensure successful builds, tests, and artifact generation.

Option A (priority-based pipelines) is more of an organizational practice, not a technical necessity. Option C (team sizes and expertise) may influence usability but does not drive pipeline configuration. Option D (visual distinction) relates to dashboards and observability, not pipeline functionality.

Platform engineers often provide pipeline templates or abstractions that encapsulate these differences while standardizing security and compliance checks. This balances customization with consistency, enabling developers to use pipelines suited to their technology stack without fragmenting governance.

Resource allocation varies between environments to balance cost, performance, and reliability. Option D is correct because development environments usually require fewer resources and are optimized for speed and cost efficiency, while production environments require stricter limits to ensure stability, scalability, and resilience under real user traffic.

Option A (identical settings) may simplify management but wastes resources and fails to account for different needs. Option B (maximizing usage in all environments) increases costs unnecessarily. Option C (strict parity) may be used in testing scenarios but is impractical as a universal rule.

By tailoring resource limits per environment, platforms ensure cost efficiency in dev/staging and robust performance in production. This practice is central to cloud native engineering, as it allows teams to innovate quickly while maintaining governance and operational excellence in production.

Self-service capabilities are a cornerstone of platform engineering, enabling developers to move quickly while reducing dependency on platform teams. Option C is correct because an automated resource provisioning system allows developers to spin up sandbox or test environments on demand, supporting experimentation and rapid iteration. This aligns with the principle of treating platforms as products, focusing on developer experience and productivity.

Option A (manual request process) creates bottlenecks and is the opposite of self-service. Option B (documentation) is helpful but does not enable automation or self-service. Option D (centralized monitoring) improves observability but is not a self-service capability by itself.

By implementing automated provisioning, developers gain autonomy while platform teams maintain governance through abstractions, golden paths, and policy enforcement. This fosters agility, consistency, and scalability, improving both developer experience and organizational efficiency.

The key benefit of automated builds in a CI pipeline is ensuring consistent and reproducible builds. Option C is correct because automation eliminates the variability introduced by manual processes, guaranteeing that each build follows the same steps, uses the same dependencies, and produces artifacts that are predictable and testable.

Option A (minimizing server costs) may be a side effect but is not the primary advantage. Option B (eliminates coding errors) is inaccurate—automated builds do not prevent developers from writing faulty code; instead, they surface errors earlier. Option D (reduces code redundancy) relates more to code design than CI pipelines.

Automated builds are fundamental to DevOps and platform engineering because they establish reliability in the software supply chain, integrate seamlessly with automated testing, and enable continuous delivery. This practice ensures that code changes are validated quickly, improving developer productivity and reducing integration risks.

The best way for platform teams to support data scientists is by enabling easy access to specialized AI/ML workflows, tools, and compute resources. Option C is correct because it empowers data scientists to experiment, train, and deploy models without worrying about the complexities of infrastructure setup. This aligns with platform engineering’s principle of self-service with guardrails.

Option A (integrating into standard CI/CD) may help, but AI/ML workflows often require specialized tools like MLflow, Kubeflow, or TensorFlow pipelines. Option B (strict quotas) ensures stability but does not improve usability or productivity. Option D (UI-driven execution only) restricts flexibility and reduces the ability of data scientists to adapt workflows to evolving needs.

By offering AI/ML-specific workflows as golden paths within an Internal Developer Platform (IDP), platform teams improve developer experience for data scientists, accelerate innovation, and ensure compliance and governance.

A key advantage of using a service mesh is its ability to secure service-to-service communication transparently, without requiring application code changes. Option A is correct because service meshes (e.g., Istio, Linkerd) provide mutual TLS (mTLS) by default, ensuring both encryption in transit and authentication between services. This establishes a zero-trust networking model inside the cluster.

Option B (scaling) is managed by Kubernetes (Horizontal Pod Autoscaler), not service mesh. Option C (logging) may be supported as an observability feature, but it is not the primary security benefit. Option D (IP allowlisting) is an outdated, less flexible mechanism compared to identity-based policies that meshes provide.

Service meshes enforce security consistently across all services, support fine-grained policies, and ensure compliance without burdening developers with complex configurations. This makes mTLS a foundational benefit in cloud native platform security.

The Kubernetes reconciliation process ensures that the actual cluster state matches the desired state defined in manifests. The Kubernetes Controller (option D) is responsible for watching the state of resources through the API Server and taking action to reconcile differences. For example, the Deployment Controller ensures that the number of Pods matches the replica count specified, while the Node Controller monitors node health.

Option A (Scheduler) is incorrect because the Scheduler’s role is to assign Pods to nodes based on constraints and availability, not ongoing reconciliation. Option B (Dashboard) is simply a UI for visualization and does not manage cluster state. Option C (API Server) exposes the Kubernetes API and serves as the communication hub, but it does not perform reconciliation logic itself.

Controllers embody the core Kubernetes design principle: continuous reconciliation between declared state and observed state. This makes them fundamental to declarative infrastructure and aligns with GitOps practices where controllers continuously enforce desired configurations from source control.

The most secure and scalable method for handling secrets in CI/CD pipelines is to use a secrets manager with encryption. Option B is correct because solutions like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets (backed by KMS) securely store, encrypt, and control access to sensitive values such as API keys, tokens, or credentials.

Option A (restricted config files) may protect secrets but lacks auditability and rotation capabilities. Option C (plain-text environment variables) exposes secrets to accidental leaks through logs or misconfigurations. Option D (base64 encoding) is insecure because base64 is an encoding, not encryption, and secrets can be trivially decoded.

Using a secrets manager ensures secure retrieval, audit trails, access policies, and secret rotation. This aligns with supply chain security and zero-trust practices, reducing risks of credential leakage in CI/CD pipelines.

The main purpose of Kubernetes runtime security is to protect workloads during execution. Option B is correct because runtime security focuses on monitoring active Pods, containers, and processes to detect and prevent malicious activity such as privilege escalation, anomalous network connections, or unauthorized file access.

Option A (etcd encryption) addresses data at rest, not runtime. Option C (image scanning) occurs pre-deployment, not during execution. Option D (API access control) is enforced through RBAC and IAM, not runtime security.

Runtime security solutions (e.g., Falco, Cilium, or Kyverno) continuously observe system calls, network traffic, and workload behaviors to enforce policies and detect threats in real time. This ensures compliance, strengthens defenses in zero-trust environments, and provides critical protection for cloud native workloads in production.

The fundamental difference between a traditional CI/CD model and a GitOps model lies in how changes are applied to the Kubernetes cluster—whether they are "pushed" to the cluster by an external system or "pulled" by an agent running inside the cluster.

CI/CD (Push Model)In a typical CI/CD pipeline for Kubernetes, the CI/CD server (like Jenkins, GitLab CI, or GitHub Actions) is granted credentials to access the cluster. When a pipeline runs, it executes commands like kubectl apply or helm upgrade to push the new application configuration and image versions directly to the Kubernetes API server.

Actor: The CI/CD pipeline is the active agent initiating the change.

Direction: Changes flow from the CI/CD system to the cluster.

Security: Requires giving cluster credentials to an external system.

In a GitOps model, a Git repository is the single source of truth for the desired state of the application. An agent or controller (like Argo CD or Flux) runs inside the Kubernetes cluster. This controller continuously monitors the Git repository.

When it detects a difference between the desired state defined in Git and the actual state of the cluster, it pulls the changes from the repository and applies them to the cluster to bring it into the desired state. This process is called reconciliation.

Actor: The in-cluster controller is the active agent initiating the change.

Direction: The cluster pulls its desired state from the Git repository.

Security: The cluster's credentials never leave its boundary. The controller only needs read-access to the Git repository.

The GitOps model is built on the principle that the desired state of infrastructure and applications must be stored in Git as the single source of truth. Option D is correct because Git provides versioning, immutability, and auditability, while reconciliation controllers (e.g., Argo CD or Flux) pull the desired state into the system continuously. This ensures that actual cluster state always matches the declared Git state.

Option A is partially correct but fails because GitOps eliminates manual push workflows—automation ensures changes are pulled and reconciled. Option B describes Kubernetes CRDs, which may be part of the system but do not embody GitOps on their own. Option C contradicts GitOps principles, which rely on pull-based reconciliation, not centralized push.

Storing desired state in Git provides full traceability, automated rollbacks, and continuous reconciliation, improving reliability and compliance. This makes GitOps a core practice for cloud native platform engineering.

In cloud native CI/CD workflows, build artifacts such as Docker/OCI images are pushed to a central container registry to ensure consistent, reproducible deployments. Option A is correct because registries serve as a single source of truth where immutable artifacts are stored, versioned, and distributed across environments. Deployment systems like Kubernetes pull images from these registries, ensuring that the same tested artifact is deployed in staging and production.

Option B is incorrect because images cannot be directly transformed back into source code. Option C partially describes benefits (version tracking) but misses the primary function of deployment consistency. Option D is misleading—registries typically don’t run automated tests; CI/CD pipelines do that before pushing the image.

By using OCI-compliant registries, organizations gain portability, interoperability, and compliance with supply chain security practices such as image signing and SBOM attestation. This ensures traceability, reliability, and secure distribution of artifacts across the platform.

The key distinction is that Helm charts are packaging and deployment tools, while Operators extend Kubernetes controllers to provide ongoing lifecycle management. Option C is correct because Operators continuously reconcile the desired and actual state of custom resources, enabling advanced behaviors like upgrades, scaling, and failover. Helm charts, by contrast, define templates and values for deploying applications but do not actively manage them after deployment.

Option A oversimplifies; Operators do more than deploy, while Helm manages deployment packaging. Option B is incorrect—Helm does not create CRDs by default; Operators often do. Option D is incorrect because Operators and Helm serve different purposes, though they may complement each other.

Operators are essential for complex workloads (e.g., databases, Kafka) that require ongoing operational knowledge codified into Kubernetes-native controllers. Helm is best suited for standard deployments and reproducibility. Together, they improve Kubernetes extensibility and automation.