




























































































This exam evaluates comprehensive cloud-native development skills including Kubernetes application delivery, microservices design, container build strategies, CI/CD pipelines, GitOps, service mesh concepts, and cloud-native security. Candidates solve hands-on scenarios involving troubleshooting distributed systems, designing scalable APIs, implementing observability stacks, and applying best practices in container lifecycle management. Includes case-study-driven architecture questions and practical code-review assessments.

Question 1. Which principle of the Twelve‑Factor App ensures that code is never locked to a specific deployment environment?
A) Config
B) Dependencies
C) Build, release, run
D) Disposability
Answer: B
Explanation: The “Dependencies” factor requires declaring all external libraries explicitly, preventing hidden ties to a particular environment.

Question 2. In a microservices architecture, which pattern is most appropriate for reducing latency when a client must call multiple services to assemble a response?
A) Circuit Breaker
B) API Gateway aggregation
C) Sidecar proxy
D) Bulkhead
Answer: B
Explanation: API Gateway aggregation composes calls to several services into a single request, minimizing round‑trip latency.

Question 3. When choosing between client‑side and server‑side service discovery, which statement is true?
A) Client‑side discovery eliminates the need for a load balancer.
B) Server‑side discovery provides DNS‑style resolution for pods.
C) Client‑side discovery requires each service to embed the discovery logic.
D) Server‑side discovery cannot be used with Kubernetes.
Answer: C
Explanation: In client‑side discovery, the client library queries a registry (e.g., Consul) and selects an instance, embedding discovery logic.

Question 4. Which of the following best describes a “cold start” in Function‑as‑a‑Service (FaaS) platforms?
A) The function exceeds its memory limit.
B) The runtime container must be initialized before executing the request.
C) The function receives an unhandled exception.
D) The function is throttled due to concurrency limits.
Answer: B
Explanation: A cold start occurs when the platform must spin up a new execution environment before handling the first invocation.

Question 5. In Docker, which instruction creates a new build stage that can be referenced later to copy artifacts?
A) FROM
B) RUN
C) COPY
D) LABEL
Answer: A

A) Deployment
B) ReplicaSet
C) StatefulSet
D) CronJob
Answer: C
Explanation: StatefulSets provide stable pod names, ordered startup, and persistent volume claims, ideal for stateful databases.

Question 9. Which Service type exposes an application inside the cluster only, without allocating an external IP?
A) LoadBalancer
B) NodePort
C) ClusterIP
D) ExternalName
Answer: C
Explanation: ClusterIP creates an internal virtual IP accessible only within the cluster.

Question 10. In Kubernetes networking, what does a NetworkPolicy with policyTypes: [Ingress] control?
A) Outbound traffic from pods
B) Inbound traffic to pods
C) DNS resolution for services
D) Pod-to-pod traffic on the same node
Answer: B
Explanation: An Ingress‑only NetworkPolicy restricts which sources may send traffic to selected pods.

Question 11. Which of the following is NOT a typical use case for a sidecar container?
A) Log forwarding
B) Service mesh proxy
C) Primary business logic processing
D) Credential rotation
Answer: C
Explanation: The sidecar pattern is for auxiliary tasks; the main application logic runs in the primary container.

Question 12. Which CI tool natively integrates with Google Cloud Build to trigger builds on commits to a Cloud Source Repository?
A) Jenkins
B) CircleCI
C) Cloud Build
D) Travis CI
Answer: C
Explanation: Cloud Build can be configured to watch Cloud Source Repositories and start builds automatically.

C) delta()
D) irate()
Answer: B
Explanation: rate(metric[5m]) returns per‑second average rate of increase for a counter over the specified window.

Question 16. In OpenTelemetry, which component is responsible for sending collected trace data to a backend like Jaeger?
A) Collector
B) Exporter
C) Instrumentation library
D) Span processor
Answer: B
Explanation: Exporters serialize and forward telemetry data to tracing back‑ends.

Question 17. Which Kubernetes probe is executed before a container is considered “started” and therefore ready to receive traffic?
A) Liveness probe
B) Readiness probe
C) Startup probe
D) Health probe
Answer: C
Explanation: The startup probe disables other probes until it succeeds, allowing containers with long initialization.

Question 18. Which IAM role in GKE grants a service account permission to pull images from Artifact Registry?
A) roles/container.developer
B) roles/artifactregistry.reader
C) roles/compute.instanceAdminV
D) roles/iam.serviceAccountUser
Answer: B
Explanation: roles/artifactregistry.reader permits read‑only access to repositories for image pulls.

Question 19. Which security mechanism provides mutual authentication between services in a service mesh?
A) OAuth
B) JWT
C) mTLS
D) API keys
Answer: C
Explanation: Mutual TLS (mTLS) establishes bidirectional certificate verification, ensuring both client and server authenticate each other.

Question 20. In a supply‑chain security context, what does SBOM stand for?

Answer: B
Explanation: Ingress resources define HTTP(S) routing rules, allowing path‑based traffic distribution to multiple services.

Question 23. Which of the following is a primary benefit of using a multi‑stage Docker build?
A) Reducing runtime memory consumption
B) Eliminating the need for a base image
C) Removing build‑time dependencies from the final image
D) Enabling automatic scaling of containers
Answer: C
Explanation: Multi‑stage builds allow copying only the compiled artifact into the final stage, leaving behind build tools and libraries.

Question 24. In a Kubernetes Deployment, what does the strategy.type: RollingUpdate field control?
A) How many replicas are created at startup
B) The order in which pods are terminated during scale‑down
C) The process of gradually replacing old pods with new ones
D) Whether the Deployment uses a Service account
Answer: C
Explanation: RollingUpdate defines the max surge and max unavailable pods to achieve a smooth transition.

Question 25. Which of the following is an example of a “stateless” design principle for cloud‑native services?
A) Storing session data in a local file system
B) Caching user preferences in memory without replication
C) Using an external Redis cluster for session storage
D) Maintaining a per‑instance counter in process memory
Answer: C
Explanation: Offloading state to an external, shared store (Redis) ensures any instance can handle a request, achieving statelessness.

Question 26. Which Cloud‑Native pattern helps prevent cascading failures by limiting the number of concurrent calls to a downstream service?
A) Retry
B) Circuit Breaker
C) Bulkhead
D) Rate Limiter
Answer: C
Explanation: Bulkhead isolates resources (e.g., thread pools) so failure in one component does not exhaust resources for others.

Question 27. In GKE Autopilot, which of the following responsibilities is still managed by the user?
A) Node pool provisioning

Answer: A
Explanation: The sidecar.istio.io/inject: "true" annotation tells the Istio webhook to inject the Envoy sidecar.

Question 30. Which of the following is the most appropriate way to store database credentials for a containerized application in GKE?
A) Hard‑code them in the Dockerfile
B) Pass them as command‑line arguments
C) Store them in a ConfigMap
D) Store them in a Secret and mount as a volume
Answer: D
Explanation: Secrets provide base64‑encoded data and can be mounted as files or exposed as env vars, keeping credentials out of plain text.

Question 31. Which of the following CI/CD practices helps ensure that only validated images are promoted to production?
A) Manual approval after each build
B) Image signing with Notary and verification in the deployment pipeline
C) Using latest tag for all environments
D) Deploying directly from the developer’s workstation
Answer: B
Explanation: Image signing creates a cryptographic guarantee of provenance; verification blocks unsigned or tampered images from reaching prod.

Question 32. Which Prometheus metric type is best suited for representing a gauge of current active connections?
A) Counter
B) Gauge
C) Histogram
D) Summary
Answer: B
Explanation: Gauges can go up and down, making them ideal for tracking instantaneous values like active connections.

Question 33. Which of the following is a primary advantage of using gRPC over traditional REST for inter‑service communication?
A) Human‑readable JSON payloads
B) Built‑in caching mechanisms
C) Binary protocol with contract‑first interfaces and lower latency
D) Automatic API documentation generation
Answer: C
Explanation: gRPC uses Protocol Buffers (binary) and generates stubs from .proto files, offering efficient, low‑latency communication.

Question 34. In a Kubernetes cluster, which component watches for changes in desired state and creates/deletes pods accordingly?
A) kubelet
B) kube-proxy

Explanation: Fluentd has a native Google Cloud Logging plugin and is the default log collector in GKE.

Question 37. Which Kubernetes resource is used to store non‑confidential configuration data that can be consumed as environment variables or volume files?
A) Secret
B) ConfigMap
C) PersistentVolume
D) Service
Answer: B
Explanation: ConfigMaps hold key‑value pairs for configuration and can be injected into pods via env vars or mounted volumes.

Question 38. Which of the following is a recommended practice for reducing the attack surface of container images?
A) Use the latest ubuntu base image for every service
B) Run containers as root user
C) Remove unnecessary packages and use minimal base images like distroless or alpine
D) Include debugging tools in production images
Answer: C
Explanation: Minimal images reduce the number of binaries that could be exploited and shrink the overall attack surface.

Question 39. Which of the following Kubernetes objects can be used to schedule a periodic job that runs every day at midnight?
A) Deployment
B) CronJob
C) StatefulSet
D) Job
Answer: B
Explanation: CronJob defines a schedule using Cron syntax and creates Jobs at the specified times.

Question 40. In the context of IaC, what does “idempotent” mean?
A) The operation can be performed only once.
B) Applying the same configuration multiple times yields the same result without side effects.
C) The code automatically scales resources.
D) Resources are destroyed after each apply.
Answer: B
Explanation: Idempotent operations ensure that repeated applications do not change the system beyond the intended state.

Question 41. Which of the following best explains the purpose of a “Readiness probe” in Kubernetes?
A) Detects if a container has crashed and needs to be restarted
B) Determines whether a pod should receive traffic from Services
C) Checks if the node has sufficient resources to run a pod
D) Validates the container image signature before launch

Question 44. Which of the following tools can generate a Software Bill of Materials (SBOM) for a container image?
A) kubectl
B) trivy
C) helm
D) terraform
Answer: B
Explanation: Trivy can scan images and output an SBOM listing all included packages and versions.

Question 45. Which of the following is a key characteristic of “disposability” in cloud‑native applications?
A) Applications must retain state across restarts.
B) Processes should start quickly and shut down gracefully.
C) Services must never be terminated once started.
D) Containers should never be deleted.
Answer: B
Explanation: Disposability emphasizes fast startup and graceful termination to enable rapid scaling and resilience.

Question 46. Which Kubernetes object can be used to expose a Service outside the cluster without allocating a cloud load balancer?
A) NodePort
B) ClusterIP
C) ExternalName
D) Ingress with a NodePort backend
Answer: D
Explanation: An Ingress can be configured with a NodePort service backend, allowing external traffic via the node’s IP and port without a cloud LB.

Question 47. Which of the following statements about “immutable infrastructure” is true?
A) Servers are patched in place after deployment.
B) Changes are applied by updating the existing instances.
C) New instances are provisioned with the desired state, and old ones are terminated.
D) Configuration files are edited directly on running VMs.
Answer: C
Explanation: Immutable infrastructure avoids in‑place changes; updates are performed by replacing resources with new versions.

Question 48. Which of the following is NOT a typical responsibility of a CI pipeline?
A) Static code analysis
B) Deploying to production without approval
C) Running unit tests
D) Building Docker images
Answer: B
Explanation: Deploying to production without approval is a CD or release‑management activity, not a core CI function.