Get Linux Foundation CNPA Exam Practice Questions - Real and Updated

Answer : B

The most efficient and scalable strategy is to use a declarative approach with Infrastructure as Code (IaC). Option B is correct because declarative definitions specify the desired state (e.g., resource requests, limits, autoscaling policies) in code, allowing Kubernetes controllers and autoscalers to reconcile and enforce them dynamically. This ensures that applications can scale efficiently based on actual demand.

Option A (fixed allocation) is inefficient, leading to wasted resources during low usage or insufficient capacity during high demand. Option C (manual provisioning) introduces delays, risk of error, and operational overhead. Option D (imperative scripting) is not sustainable for large-scale or dynamic workloads, as it requires constant manual intervention.

Declarative IaC aligns with GitOps workflows, enabling automated, version-controlled scaling decisions. Combined with Kubernetes' Horizontal Pod Autoscaler (HPA) and Cluster Autoscaler, this approach allows platforms to balance cost efficiency with application reliability.

--- CNCF GitOps Principles

--- Kubernetes Autoscaling Documentation

--- Cloud Native Platform Engineering Study Guide

Answer : A

Proper documentation is critical for fostering collaboration through APIs. Option A is correct because well-documented APIs ensure that all teams---platform engineers, developers, and operations---understand how to consume and integrate services effectively. Clear documentation reduces friction, accelerates adoption, and minimizes support overhead.

Option B (no versioning) is poor practice, as versioning ensures backward compatibility and safe upgrades. Option C (tight coupling) restricts collaboration and creates silos, which goes against platform engineering principles. Option D (complex design) reduces usability and increases cognitive load, the opposite of platform goals.

APIs serve as the contracts between teams and systems. In platform engineering, well-documented, versioned, and abstracted APIs provide a consistent and predictable way to interact with platform services, improving collaboration and developer experience.

--- CNCF Platforms Whitepaper

--- Team Topologies Guidance

--- Cloud Native Platform Engineering Study Guide

Answer : A

Logs are detailed, timestamped records of discrete events that occur within a system. They provide granular insight into what has happened, making them crucial for debugging, auditing, and incident investigations. Option A is correct because logs capture both normal and error events, often containing contextual information such as error codes, user IDs, or request payloads.

Option B (alerts) are secondary outputs generated from telemetry signals like logs or metrics and are not raw data themselves. Option C (traces) represent the flow of requests across distributed systems, showing relationships and latency between services but not arbitrary events. Option D (metrics) are numeric aggregates sampled over intervals (e.g., CPU usage, latency), not discrete, timestamped events.

Observability guidance in cloud native systems emphasizes the 'three pillars' of telemetry: logs, metrics, and traces. Logs are indispensable for root cause analysis and compliance because they preserve historical event context.

--- CNCF Observability Whitepaper

--- OpenTelemetry Documentation (aligned with CNCF)

--- Cloud Native Platform Engineering Study Guide

Answer : B

The secure and efficient way to handle secrets in a GitOps workflow is to use a dedicated secrets management tool (e.g., HashiCorp Vault, Sealed Secrets, or External Secrets Operator) and store only references or encrypted placeholders in the Git repository. Option B is correct because Git should remain the source of truth for configuration, but sensitive values should be abstracted or encrypted to maintain security.

Option A (environment variables) can supplement secret management but lacks versioning and auditability when used alone. Option C (encrypting secrets in Git) can work with tools like Mozilla SOPS, but it still requires external key management, making Option B a more complete and secure approach. Option D (plain text secrets) is highly insecure and should never be used.

By integrating secrets managers into GitOps workflows, teams achieve both security and automation, ensuring secrets are delivered securely during reconciliation without exposing sensitive data in Git.

--- CNCF GitOps Principles

--- CNCF Supply Chain Security Whitepaper

--- Cloud Native Platform Engineering Study Guide

Answer : C

Compliance with regulations like GDPR and PCI DSS requires fine-grained control, auditing, and data protection. Option C is correct because deploying a policy engine like Open Policy Agent (OPA) enables dynamic enforcement of policies, real-time data masking, and comprehensive audit logging. This ensures sensitive data is protected while providing traceability and compliance reporting.

Option A is insufficient, as default IAM policies without Kubernetes-level governance do not provide the granularity required for compliance. Option B (Kubernetes Secrets) adds encryption but lacks auditability and runtime enforcement. Option D (RBAC and network policies) improves security posture but does not provide comprehensive compliance coverage or data privacy features like masking and logging.

OPA and similar tools integrate with Kubernetes admission control to enforce compliance policies consistently, providing the flexibility and auditability needed in regulated industries.

--- CNCF Security TAG Best Practices

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide