Module Quiz
Complete this quiz after finishing all concept and practice pages.
Current Module Questions
Question 1: What a Container Is
Name the seven commonly used Linux namespace types and what each isolates.
Answer: mnt (mount points), pid (process IDs), net (network stack), uts (hostname/domain), ipc (System V / POSIX IPC), user (UID/GID mappings and capabilities), cgroup (view of its own cgroup tree).
Question 2: cgroups vs Namespaces
Are cgroups a security feature?
Answer: No. Cgroups limit and account for resource usage. Isolation is provided by namespaces, capabilities, and seccomp. Cgroups prevent a noisy neighbor, not a malicious one.
Question 3: OCI Image Anatomy
Given image: nginx@sha256:abc..., what three pieces of data will the runtime pull from a registry, and what does each contain?
Answer: The image manifest (JSON listing layers and config by digest), the config blob (JSON with entrypoint, env, labels, and the ordered list of layer diff IDs), and the layer blobs (gzipped tarballs that are stacked via overlayfs).
Question 4: Where Is the Line
You are told "Kubernetes 1.24 removed Docker." What actually changed, and what still works?
Answer: The kubelet's dockershim translator was removed. Nodes now speak CRI directly to containerd or CRI-O. Images built with docker build still work because they are OCI-compatible. docker is no longer typically installed on nodes; use crictl to inspect containers at the runtime level.
Question 5: YAML Reading -- Deployment
Given:
apiVersion: apps/v1
kind: Deployment
metadata: { name: web }
spec:
  replicas: 3
  selector: { matchLabels: { app: web } }
  template:
    metadata: { labels: { app: web } }
    spec:
      containers:
        - name: app
          image: nginx:1.27
          resources:
            requests: { cpu: "250m", memory: "256Mi" }
            limits: { cpu: "500m", memory: "256Mi" }
What is the QoS class of each Pod, and why?
Answer: Burstable. For Guaranteed, every container must have requests == limits for both CPU and memory. Here CPU has 250m vs 500m, so it is Burstable. Memory happens to match but that alone is not sufficient.
Question 6: Reconciliation Loop
State the three steps of a controller's reconciliation loop, and give a one-sentence example for the ReplicaSet controller.
Answer: Observe -> diff -> act. The ReplicaSet controller observes current Pods matching its selector, computes whether the live count differs from spec.replicas, and creates or deletes one or more Pods to close the gap.
Question 7: Pod Network Model
Explain why a client should target a Service, not a Pod IP, even though Pods have routable IPs on the cluster network.
Answer: Pod IPs are ephemeral -- they change on every Pod restart. The Service provides a stable virtual IP and DNS name whose endpoints are kept up to date by the EndpointSlice controller and programmed into kernel rules by kube-proxy.
Question 8: Service Has No Endpoints
A ClusterIP Service called payments exists but clients get connection refused. kubectl get endpointslices -l kubernetes.io/service-name=payments shows no addresses. Name three possible causes.
Answer: (1) No Pod matches the Service's label selector. (2) Pods match the selector but none are Ready -- readiness probe failing or container still starting. (3) The Pods are in a different namespace than the Service (Service selectors are namespace-scoped).
Question 9: YAML Reading -- Service
Given:
apiVersion: v1
kind: Service
metadata: { name: web }
spec:
  selector: { app: web }
  ports:
    - { name: http, port: 80, targetPort: 8080 }
Which port does the container listen on, which port do clients dial, and what does DNS resolve?
Answer: The container listens on 8080 (targetPort). Clients dial 80 (port) on the Service's ClusterIP. DNS web.<ns>.svc.cluster.local resolves to the ClusterIP. kube-proxy DNATs ClusterIP:80 to PodIP:8080.
Question 10: Ingress Prerequisites
You apply an Ingress resource to a cluster. Five minutes later it has no status.loadBalancer. Name the most likely cause and the fix.
Answer: No Ingress controller is installed (or none matches the ingressClassName). The Ingress type is built in but requires an external controller Deployment (NGINX, Traefik, cloud ALB, etc.) to reconcile resources into real routing rules.
Question 11: ConfigMaps vs Secrets
A teammate says "we should stop using Secrets because they're not really encrypted." Give a more precise answer.
Answer: By default, Secret data is base64-encoded in etcd, not encrypted, which is weaker than the word "secret" suggests. It is encrypted at rest only if the cluster was started with EncryptionConfiguration. However, Secrets still matter because they carry different RBAC conventions, are redacted in many tools, and integrate with CSI Secret Store drivers for external KMS. Putting credentials in a ConfigMap instead is strictly worse.
Question 12: StatefulSet Identity
Why does a StatefulSet need a headless Service, and what breaks if you give it a normal ClusterIP Service instead?
Answer: The StatefulSet relies on the Service for per-Pod DNS (db-0.db.<ns>.svc.cluster.local). A headless Service (clusterIP: None) is what causes DNS to return direct Pod IPs and per-ordinal A records. A normal ClusterIP Service would return the virtual IP for the short name, so clients could not target specific replicas -- and per-Pod DNS records would not be populated.
Question 13: Resources and the Scheduler
A Pod with requests: { cpu: 4, memory: 8Gi } stays Pending. kubectl describe shows "0/3 nodes available: 3 Insufficient cpu." What does this actually mean, and list two fixes.
Answer: The sum of existing CPU requests on every candidate node plus this Pod's 4 CPU request exceeds the node's allocatable CPU. It is about requests fitting, not actual utilization. Fixes: (1) lower the Pod's CPU request if it's over-specified, (2) scale the cluster (add a node or a larger instance type), (3) evict lower-priority workloads via PriorityClasses.
Question 14: Troubleshooting Scenario
You run kubectl get pods and see:
NAME             READY   STATUS             RESTARTS   AGE
orders-7d8-abc   0/1     CrashLoopBackOff   7          12m
Write the exact next four kubectl commands you will run, in order, and what each will tell you.
Answer:
1. kubectl describe pod orders-7d8-abc -- shows events and Last State including exit code (e.g. OOMKilled = 137, normal crash = the process exit code) and the container spec.
2. kubectl logs orders-7d8-abc --previous --tail=200 -- shows the output of the previous container instance, since the current one has not yet produced logs or is restarting.
3. kubectl get events --sort-by=.lastTimestamp | grep orders-7d8-abc -- recent events possibly from controllers or the kubelet (image pull failures, volume failures).
4. kubectl get deploy orders -o yaml -- inspect resources, probes, and env to see whether configuration is the cause.
Question 15: Security Baseline
Name four fields that should be set in a securityContext to run a workload at the "restricted" Pod Security Standard.
Answer: runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities.drop: ["ALL"], seccompProfile.type: RuntimeDefault (typically also readOnlyRootFilesystem: true). Privileged mode and host namespaces must not be set.
Interleaved Review Questions
Prior Module Question 1 (S9M2 IaC)
Why does infrastructure-as-code prefer declarative configuration over imperative scripts?
Answer: Declarative configuration describes desired state, which can be diffed against actual state, versioned, reviewed, and reconverged. Imperative scripts encode a sequence that assumes a starting state and is hard to safely rerun.
Prior Module Question 2 (S9M1 Cloud)
What is the difference between a cloud L4 load balancer and a cloud L7 load balancer?
Answer: L4 routes TCP/UDP connections by IP and port without understanding the payload. L7 terminates HTTP(S), reads paths, hostnames, and headers, and can route, rewrite, and apply policy at the application layer.
Prior Module Question 3 (S5M3 Concurrency)
What is the difference between a namespace and a process in Linux?
Answer: A process is an instance of a running program with its own address space. A namespace is a per-process view of a global kernel resource (mount table, pid table, network stack, etc.). Multiple processes can share a namespace; one process belongs to one namespace of each type.
Prior Module Question 4 (S5 Systems)
What does overlayfs do?
Answer: It presents the union of multiple directories as one filesystem, with lower directories read-only and an upper directory receiving writes. Containers use it to share read-only image layers while each container accumulates its writes in an isolated upper layer.
Prior Module Question 5 (Git / CI Track)
Why is it good practice to pin image references by digest instead of tag in production manifests?
Answer: Tags like :latest or :1.27 are mutable; a later push to the registry changes what those tags resolve to. Digests (@sha256:…) are content-addressed and immutable, so a Deployment pinned by digest deploys exactly the bytes that were reviewed.
Self-Assessment and Remediation
Mastery Level (90-100% correct):
- Ready to advance with confidence.
Proficient Level (75-89% correct):
- Re-read the concept pages whose questions you missed and redo two katas from practice/04.
Developing Level (60-74% correct):
- Rework the practice pages, especially Workshop 02 (control plane trace) and Clinic 03 (Services and storage).
Insufficient Level (<60% correct):
- Return to Cluster 1 and rebuild the kernel-primitives and reconciliation-loop mental model before advancing.