Question 1

Explain the difference between taints and tolerations versus node affinity. How would you use these features to control pod scheduling in a multi-tenant cluster?

Accepted Answer

Taints, tolerations, and node affinity are all mechanisms for controlling pod scheduling, but they work in different directions and serve different purposes.

Taints and tolerations work together to repel pods from nodes. A taint is applied to a node and prevents pods from being scheduled there unless those pods have a matching toleration. Think of it as nodes saying "keep out unless you have permission."

Taints have three effects. NoSchedule prevents new pods without a toleration from being scheduled. PreferNoSchedule tries to avoid scheduling pods without a toleration but does not guara

Question 2

Explain the architecture of a Kubernetes cluster. What are the main components of the control plane and worker nodes?

Accepted Answer

A Kubernetes cluster consists of two main parts: the control plane and the worker nodes. Each serves a distinct purpose in managing and running containerized workloads.

The control plane is the brain of the cluster. It makes global decisions about scheduling, responds to cluster events, and maintains the desired state. The key components include:

The API Server, or kube-apiserver, is the front door to Kubernetes. Every command you run with kubectl goes through this component. It validates and processes REST requests, then updates the corresponding objects in etcd.

Etcd is a distribute

Question 3

Explain Terraform state locking in detail. What happens during a lock, how do you handle lock issues, and what are the risks of not using locking?

Accepted Answer

State locking prevents multiple Terraform processes from modifying the same state simultaneously. Without locking, concurrent operations can corrupt state, create duplicate resources, or cause data loss.

When you run terraform plan or terraform apply, Terraform attempts to acquire a lock on the state before reading or modifying it. If successful, Terraform holds the lock until the operation completes, then releases it.

For AWS with an S3 backend, locking uses DynamoDB. Terraform creates a lock record in the specified DynamoDB table with a unique ID. The record includes the operation, who

Question 4

What is Infrastructure as Code, and what are its main benefits compared to manual infrastructure management?

Accepted Answer

Infrastructure as Code, commonly abbreviated as IaC, is the practice of managing and provisioning infrastructure through machine-readable configuration files rather than through manual processes or interactive configuration tools.

With IaC, you define your servers, networks, databases, and other infrastructure components in code files. These files describe the desired state of your infrastructure, and specialized tools read them to create, modify, or destroy resources automatically.

The main benefits of Infrastructure as Code include:

Version control and history. Because infrastructur

Question 5

What is the difference between monitoring and observability? Why is observability important in modern distributed systems?

Accepted Answer

Monitoring and observability are related but distinct concepts. Understanding the difference helps you build systems that are easier to operate and troubleshoot.

Monitoring is the practice of collecting, aggregating, and analyzing predefined metrics to detect known problems. You decide in advance what to measure, set thresholds, and create alerts. Monitoring answers questions you already know to ask, such as is CPU usage above 80 percent or is the database responding within acceptable latency.

Observability is the ability to understand the internal state of a system by examining its exte

Question 6

What is Prometheus, and how does it collect metrics? Explain the pull-based model and its advantages.

Accepted Answer

Prometheus is an open-source monitoring and alerting system originally developed at SoundCloud. It has become the standard for metrics collection in cloud-native environments, particularly Kubernetes.

Prometheus stores all data as time series, which are streams of timestamped values identified by a metric name and a set of key-value pairs called labels. For example, a metric might be http_requests_total with labels for method, endpoint, and status code.

Prometheus uses a pull-based model to collect metrics. Instead of applications pushing data to a central server, Prometheus periodically

Question 7

You are designing the security architecture for a new cloud-native application handling sensitive customer data. Walk me through your approach, covering network security, data protection, access control, and monitoring.

Accepted Answer

Designing security for a cloud-native application requires a defense-in-depth approach where multiple layers of security controls protect sensitive data. I would approach this systematically, addressing network security, data protection, access control, and monitoring.

For network security, I would start with network segmentation. The application runs in a VPC with separate subnets for different tiers. Web servers sit in public subnets with internet access. Application servers and databases sit in private subnets with no direct internet connectivity.

Security groups and network ACLs rest

Question 8

What is DevSecOps, and what does "shift-left" security mean? How does this approach differ from traditional security practices?

Accepted Answer

DevSecOps integrates security practices into every phase of the DevOps lifecycle. Instead of treating security as a separate phase at the end of development, DevSecOps makes security a shared responsibility throughout the entire software delivery process.

The term shift-left refers to moving security activities earlier in the development timeline. If you imagine the software development lifecycle as a timeline from left to right, with coding on the left and production on the right, shifting left means addressing security concerns closer to when code is written rather than waiting until depl

Question 9

How would you implement a zero-trust security model in a cloud environment? What are the key principles and components?

Accepted Answer

Zero-trust security operates on the principle of never trust, always verify. It assumes breaches will occur and designs systems to limit blast radius and require continuous verification.

The core principles are verify explicitly, which means always authenticate and authorize based on all available data. Use least privilege access, which grants minimum permissions needed for the task. Assume breach, which minimizes blast radius and segments access.

Identity as the new perimeter is fundamental. For human identities, implement strong authentication with multi-factor authentication required

Question 10

Explain the differences between IaaS, PaaS, and SaaS. When would you choose each model for a DevOps workflow?

Accepted Answer

Cloud service models represent different levels of abstraction and managed services. Understanding each helps DevOps engineers choose the right approach for different scenarios.

Infrastructure as a Service, or IaaS, provides virtualized computing resources over the internet. You manage the operating system, middleware, runtime, and applications while the provider handles physical hardware, networking, and virtualization. Examples include AWS EC2, Azure Virtual Machines, and Google Compute Engine.

Use IaaS when you need full control over the infrastructure, have specific OS or software re

DevOps Engineer

Topics

Kubernetes

Infrastructure as Code

Monitoring & Logging

Security & Compliance

Cloud Advanced

Mock Interview

Quick Stats