Kubernetes Interview Questions & Answers (Professional – 6 Years Experience)
Source: Dev.to
1. Kubernetes Architecture
Q1. What happens when you run kubectl apply -f deployment.yaml?
Answer:
When you run kubectl apply, the request goes to the kube‑apiserver.
- The API server validates the YAML, checks authentication and authorization, and stores the desired state in etcd.
- Controllers notice the new desired state and create a ReplicaSet.
- The scheduler decides on which node the pods should run.
- The kubelet on that node pulls the image and starts the container.
Q2. What is etcd and why is it critical?
Answer:
- etcd is a distributed key‑value store that holds the entire cluster state.
- If etcd is down or corrupted, Kubernetes cannot function correctly.
- Therefore, backups, encryption, and HA etcd setups are essential in production.
2. Workloads & Controllers
Q3. Difference between Deployment, StatefulSet, and DaemonSet?
Answer:
| Resource | Use‑case |
|---|---|
| Deployment | Stateless apps (e.g., web services) |
| StatefulSet | Stateful apps (e.g., databases, Kafka) – provides stable network IDs and persistent storage |
| DaemonSet | One pod per node – typically for logging, monitoring, or security agents |
Q4. When would you use a Job or CronJob?
Answer:
- Job – one‑time tasks such as database migrations.
- CronJob – scheduled recurring tasks like backups or cleanup jobs.
3. Networking (Very Important)
Q5. How does traffic reach a pod from the internet?
Answer:
Typical flow:
Internet → Load Balancer → Ingress → Service → Pod- Ingress handles routing rules.
- Service load‑balances traffic to the appropriate pods.
- The Pod finally serves the request.
Q6. Difference between Service types?
Answer:
| Type | Exposure |
|---|---|
| ClusterIP | Internal only (default) |
| NodePort | Exposes the service on each node’s IP + port |
| LoadBalancer | Provisions a cloud load balancer (production‑grade) |
Q7. What is a NetworkPolicy?
Answer:
A NetworkPolicy defines which pods can talk to which pods.
- By default, traffic is unrestricted.
- In production we usually restrict traffic (zero‑trust) for security.
4. Configuration & Secrets
Q8. How do you manage secrets in production?
Answer:
Avoid storing secrets directly in Kubernetes when possible. Common integrations:
- AWS Secrets Manager
- AWS SSM Parameter Store
- HashiCorp Vault
Secrets are injected at runtime via external‑secrets, CSI drivers, or similar mechanisms.
Q9. Are Kubernetes secrets encrypted?
Answer:
- By default, secrets are only base64‑encoded, not encrypted.
- In production we enable encryption at rest and restrict access with RBAC.
5. Storage & Stateful Apps
Q10. Explain PV, PVC, and StorageClass.
Answer:
| Component | Description |
|---|---|
| PV (PersistentVolume) | The actual storage resource provisioned by the cluster. |
| PVC (PersistentVolumeClaim) | A request for storage made by a pod/developer. |
| StorageClass | Defines how storage is dynamically provisioned (e.g., type, reclaim policy). |
Developers work with PVCs; the infrastructure layer creates and manages PVs based on the StorageClass.
Q11. Would you run databases in Kubernetes?
Answer:
Yes, but with care. For production databases ensure:
- Deploy via StatefulSets
- Use persistent storage (proper PVs)
- Implement a reliable backup strategy
- Apply anti‑affinity rules to spread replicas
Often a managed database service may be a better choice.
6. Resource Management & Scaling
Q12. Difference between requests and limits?
Answer:
- Requests – Resources guaranteed to the container (used for scheduling).
- Limits – Maximum resources a container may consume.
If a pod exceeds its memory limit, it is OOMKilled regardless of node memory availability.
Q13. How does HPA work?
Answer:
The Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on metrics such as CPU, memory, or custom metrics (e.g., from Prometheus).
Q14. Why is my pod restarting even though the node has memory?
Answer:
Because the pod exceeded its memory limit, not the node’s total memory. Limits are enforced per container.
7. Security (Senior‑Level)
Q15. How do you secure a Kubernetes cluster?
Answer:
- Enforce RBAC with least‑privilege principles.
- Run containers as non‑root users.
- Apply Pod Security Standards (or PSPs).
- Use NetworkPolicies to restrict traffic.
- Scan container images for vulnerabilities.
- Deploy admission controllers (e.g., OPA/Gatekeeper) for policy enforcement.
Q16. What is RBAC?
Answer:
Role‑Based Access Control (RBAC) governs who can do what in the cluster using Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings.
Q17. How do you prevent privileged containers?
Answer:
- Use Pod Security Standards (or the older PodSecurityPolicy) to disallow privileged escalation.
- Enforce OPA/Gatekeeper policies that block privileged security contexts.
8. Helm
Q18. Why do we use Helm?
Answer:
Helm packages Kubernetes applications as charts, providing:
- Versioned releases
- Templating for reusable manifests
- Environment‑specific configuration via values files
Q19. How do you manage multiple environments with Helm?
Answer:
Maintain separate values files:
values-dev.yamlvalues-stage.yamlvalues-prod.yaml
Override values per environment when installing/upgrading the chart.
9. GitOps & Argo CD
Q20. What is GitOps?
Answer:
GitOps treats Git as the single source of truth for the desired cluster state. The cluster continuously reconciles its live state with the Git repository.
Q21. What does Argo CD do?
Answer:
Argo CD:
- Continuously compares the desired state in Git with the live cluster.
- Syncs changes, detects drift, and can rollback automatically.
Q22. What is the App‑of‑Apps pattern?
Answer:
A parent Argo CD application manages multiple child applications, enabling clean management of large, multi‑service environments.
10. Troubleshooting & Operations
Q23. Pod is in CrashLoopBackOff. What do you do?
Answer:
kubectl logs <pod>– inspect container logs.kubectl describe pod <pod>– view events and status details.- Check recent config or secret changes.
- Test the container image locally if needed.
Q24. Production is down. First steps?
Answer:
- Review alerts and monitoring dashboards.
- Check pod and node statuses (
kubectl get pods,kubectl get nodes). - Identify recent deployments or configuration changes.
- Roll back problematic changes if necessary.
- Communicate status and ETA to stakeholders.
11. Cloud Kubernetes (EKS example)
Q25. What is IRSA in EKS?
Answer:
IAM Roles for Service Accounts (IRSA) lets pods assume AWS IAM roles securely, eliminating the need to embed static AWS credentials in containers.
Q26. Difference between node groups and Fargate?
Answer:
| Feature | Node Groups | Fargate |
|---|---|---|
| Control | You manage EC2 instances (size, AMI, etc.) | Fully managed, serverless pods |
| Cost | Pay for EC2 instances (potentially lower) | Higher per‑pod cost, but no infra management |
| Use‑case | Workloads needing custom OS, GPU, etc. | Simple workloads, bursty jobs, or when you want zero‑ops |
12. Design & Architecture
Q27. How …
(Continue with the remaining questions as needed.)
Would you design Kubernetes for multiple teams?
Answer
- Separate namespaces
- RBAC per team
- Resource quotas
- Network policies
- GitOps per environment
Q28. Single cluster or multiple clusters?
Answer
- Small teams → Single cluster
- Large org / compliance → Multiple clusters
Depends on risk, cost, and isolation needs.
Final Interview Tip (Very Important)
Interviewers listen for:
- Clear thinking
- Production experience
- Trade‑offs
- Security mindset