Container Orchestration and Kubernetes Operations Questions
This topic covers the design, deployment, operation, and scaling of containerized applications and Kubernetes clusters in production environments. Candidates should understand application level constructs such as pods, replica sets, deployments and controllers; rolling updates and canary and blue green deployment strategies; horizontal pod autoscaling and cluster autoscaling; resource requests and limits; scheduling, node and pod affinity and taints. It also includes service discovery, internal and external load balancing, ingress and traffic management, service mesh patterns, persistent storage including persistent volumes and storage classes, and storage provisioning. Candidates should demonstrate knowledge of container networking models, network policies, security and role based access control, secrets management, and observability including logging, metrics and distributed tracing for both cluster and application health. Operational responsibilities include cluster provisioning and upgrades, control plane and etcd considerations, high availability and multi zone topologies, multi cluster strategies, backup and disaster recovery, capacity planning, cost and reliability trade offs, managed versus self managed Kubernetes services, continuous integration and continuous deployment integration, operational runbooks, incident response, and debugging and troubleshooting approaches at production scale. Senior level candidates should be able to articulate cluster architecture and design trade offs, extensibility and automation strategies, maintenance and upgrade strategies, and long term operational governance.
MediumTechnical
55 practiced
Design a secrets management approach for Kubernetes that supports automated rotation, least-privilege access, auditability, and secure injection into pods. Compare options such as Kubernetes Secrets with KMS encryption, HashiCorp Vault, Bitnami SealedSecrets, and ExternalSecrets operator. Outline a rotation plan for database credentials that minimizes downtime and automatic propagation to workloads.
Sample Answer
**Approach summary (DevOps perspective)** I’d use a centralized secret store that supports dynamic credentials, RBAC, audit logs, and a Kubernetes-native sync mechanism. For many orgs a HashiCorp Vault (HA, with auto-unseal via cloud KMS) plus ExternalSecrets operator on clusters provides the best tradeoff: Vault issues/rotates creds, KMS protects master keys, ExternalSecrets syncs into pods securely when needed.**Comparison**- Kubernetes Secrets + KMS encryption: simple, low ops, but static secrets, limited audit/rotation, cluster-scoped access increases blast radius.- HashiCorp Vault: dynamic secrets, leases, fine-grained policies, audit logs, auto-rotation — higher operational complexity.- Bitnami SealedSecrets: GitOps-friendly encrypted manifests; good for immutable secrets in repo but not for dynamic/rotating DB creds.- ExternalSecrets operator: integrates external stores (Vault, AWS Secrets Manager) with Kubernetes, enabling injection without storing plaintext in git.**Rotation plan for DB credentials (minimize downtime)**1. Use Vault to generate short‑lived DB credentials (leases) or rotate master password via provider API.2. For lease-based creds: apps request new credentials on startup and refresh before expiry; ExternalSecrets mounts them as projected volumes or environment variables via CSI/Secrets Store so refresh can be propagated.3. For master rotation: perform rolling rotate — create new user, grant privileges, update Vault secret, wait for replication, update consumer secrets, revoke old user after grace period.4. Automate with pipeline (CI/CD job or Vault rotation policy) and health checks; monitor authentication errors and audit logs to rollback.**Best practices**- Use least-privilege Vault policies and Kubernetes service accounts with OIDC.- Inject via CSI Secrets Store to avoid Kubernetes Secrets where possible.- Enforce audit logging, secret TTLs, alert on failed rotations.
MediumTechnical
55 practiced
You're running multiple HPA-controlled applications across namespaces and observe undesirable node flapping and overscaling. Propose a cluster autoscaling strategy that coordinates HPA with Cluster Autoscaler, respects namespace resource-quotas, and reduces thrashing. Discuss node pool structure, buffer capacity, scale-down delays, pod priorities/eviction, and configuration choices to stabilize scaling behavior.
Sample Answer
**Situation & goal**You need to stop node flapping/overscaling from multiple HPAs by making Cluster Autoscaler (CA) and HPAs play together predictably, while enforcing namespace quotas and minimizing thrash.**Strategy summary**- Create node-pools by workload SLA: stable (system/critical), general-purpose (steady traffic), burst/ephemeral (HPA-driven). Use size-based homogeneous node groups to help CA bin-packing.- Reserve buffer capacity: keep a small warm pool by setting a non-zero min-size on burst pools (e.g., 1–2 nodes) or use a “buffer” node group sized to expected peak QPS. This reduces churn when HPAs spike briefly.- CA config tweaks: - Set --scale-down-delay-after-add to e.g., 10m to avoid removing nodes CA just added for bursts. - Increase --scale-down-unneeded-time to e.g., 10m so nodes aren’t reclaimed immediately after transient load. - Use expander strategy that minimizes pod moves (most-pods or priority). - Tune --max-node-provision-time per cloud provider to avoid premature scale decisions.- HPA & pod settings: - Ensure HPAs scale on stable metrics (CPU + custom/multi-metric) and set stabilizationWindowSeconds to smooth rapid scale-ups/downs. - Require accurate resource requests/limits and enforce via LimitRanges; HPAs that act on requests produce predictable scheduling. - Use Pod PriorityClasses: mark critical pods so CA won’t evict them; put non-critical, preemptible pods in lower priority classes. - Add PodDisruptionBudgets for important services to avoid mass evictions during scale-down.- Respect namespace quotas: - Align node-pool roles with namespace resource-quota expectations; avoid a single pool serving many namespaces with tight quotas. - Use ResourceQuota and LimitRange to prevent a namespace from requesting huge resources that cause autoscaler spikes.- Eviction & preemption: - Configure kubelet eviction thresholds conservatively so CA has time to act before kubelet force-evicts. - Allow preemption for low-priority pods to make room without full node replacement.- Observability & feedback loop: - Monitor CA events, HPA events, node lifecycle metrics; create alerts for scale-churn patterns. - Run canary experiments: simulate HPA bursts to validate buffer sizing and delays.**Trade-offs**- Warm buffer increases cost but reduces latency and churn.- Longer scale-down delays may keep idle nodes longer; tune based on cost vs stability.This coordinated approach—node-pool segregation, warm capacity, CA delays, proper HPA metrics + stabilization, and pod priorities/quotas—stabilizes scaling and respects namespace resource constraints.
HardTechnical
100 practiced
Design an end-to-end distributed tracing strategy for microservices in Kubernetes. Explain how to instrument services using OpenTelemetry, propagate context across HTTP/gRPC calls, choose sampling strategies to control data volume, and operate a scalable backend (Jaeger/Tempo) with retention and query capabilities. Address privacy and sensitive-data redaction concerns in traces.
Sample Answer
**Situation & goal (one line)** Design an end-to-end distributed tracing strategy for Kubernetes microservices using OpenTelemetry, with context propagation, sampling to control volume, a scalable backend (Jaeger/Tempo), retention/query, and sensitive-data redaction.**1) Instrumentation with OpenTelemetry**- Use OpenTelemetry SDK & collectors. Add language SDKs (Java/Python/Go) as libs and auto-instrumentation agents where available.- Deploy an OpenTelemetry Collector as a Kubernetes Deployment/DaemonSet receiving OTLP over gRPC/HTTP, applying processors/exporters.- Example: service env
**2) Context propagation**- Use W3C Trace Context (traceparent) and Baggage. Ensure HTTP/gRPC clients and servers use OTel propagators.- For gRPC add interceptor that injects/extracts context; for HTTP middleware use OTel HTTP instrumentation.**3) Sampling strategy**- Implement multi-stage sampling: - SDK-level tail-based or parent-based with low initial rate (e.g., 1-5%). - Collector-level tail-based sampling for storing high-value traces: sample 100% for errors, 100% for high-latency (> latency threshold), and downsample normal requests.- Example collector processor: probabilistic + tail-based (rules for error/status/latency).**4) Scalable backend (Jaeger/Tempo)**- Use Tempo for low-cost, object-storage-backed traces or Jaeger with Cassandra/Elasticsearch for ingestion: - Ingress: OTel Collector → Kafka (buffering) → Ingest cluster (horizontal) → Storage (S3/GCS or Elasticsearch) - Run collectors as Deployment scaled by load and use HPA with CPU/queue metrics. - Use object storage retention lifecycle (S3 lifecycle rules) or time-based TTL for indices.- Provide query layer: Grafana + Tempo/Jaeger Query scaled by replicas and using caching (Redis) for frequent queries.**5) Retention & query**- Short-term hot storage (days-weeks) on fast storage for quick queries, long-term cold on object store with index support for key attributes.- Implement retention policies via storage lifecycle; expose query time ranges and adaptive UI that warns when querying cold storage.**6) Privacy & redaction**- Enforce data classification: mark PII/sensitive fields at code level. Use OTel attributes only for non-sensitive identifiers (hashed IDs).- Add collector processors to: - Remove/transform attributes using attribute processors (regex redact, replace) - Drop payloads or mask headers (Authorization, Cookie)- Example collector attribute processor config (yaml) that removes keys matching credit_card|ssn.- Apply sampling rules to avoid storing full request/response bodies. Logging of bodies disabled by default in production.**Operational notes**- Monitor collector/ingest with metrics (queue length, export latency), trace-drop rates, and cost.- Run chaos tests to ensure propagation across service restarts.- Document tracing conventions: span naming, attribute keys, error tagging, and retention policies for developers.This strategy balances fidelity, cost, scalability, and privacy while giving DevOps control over sampling, storage, and redaction.
EasyTechnical
56 practiced
Compare managed Kubernetes (GKE/EKS/AKS) versus self-managed Kubernetes in terms of operational responsibilities, control plane upgrades, etcd management, security patching, cost and vendor lock-in. Provide criteria you would use to recommend one approach for a small startup versus a large enterprise with strict compliance requirements.
Sample Answer
**High-level comparison**- **Operational responsibilities** - Managed (GKE/EKS/AKS): cloud provider handles control plane, API server HA, etcd backups (varies by provider), and basic monitoring ops. You manage worker nodes (unless using node pools or Fargate), runtime, networking, RBAC, and apps. - Self-managed: you own entire cluster lifecycle—control plane, etcd, HA, backups, scaling, upgrade orchestration, monitoring, and disaster recovery.- **Control plane upgrades** - Managed: provider offers safer, automated or one-click upgrades, tested combinations, and rollout windows. - Self-managed: you must plan, test, and execute upgrades (kubeadm/kops/kubespray), handle rollback paths.- **etcd management** - Managed: often abstracted with snapshots/restore and automated HA; specifics differ by provider. - Self-managed: design HA topology, secure TLS, tune compaction, schedule backups, and perform restores manually.- **Security patching** - Managed: provider patches control plane; you still patch nodes and container runtimes. - Self-managed: full responsibility to apply CVE fixes across control plane, etcd, nodes, and dependencies.- **Cost and vendor lock-in** - Managed: higher direct costs but lower operational labor; some API/feature differences create moderate lock-in. - Self-managed: lower cloud fees but higher engineering cost; more portability but operational burden.**Recommendation criteria**- For a small startup: - Prioritize speed to market, limited ops headcount, lower SRE maturity → choose managed (GKE/EKS/AKS) with managed node pools or serverless nodes. - Use provider-managed backups, enable auto-upgrades, enforce IaC and robust CI/CD.- For a large enterprise with strict compliance: - If compliance requires full control over data plane, custom audit controls, or specific network isolation → consider self-managed or dedicated managed offerings (e.g., GKE private clusters + Anthos, EKS with custom control plane networking). - Evaluate: regulatory requirements, internal SRE capacity, auditability, encryption/key management (bring-your-own-key), uptime SLAs, and disaster recovery RTO/RPO.Choose managed to reduce day-to-day ops; choose self-managed when compliance, customization, or control justify ongoing engineering investment.
EasyTechnical
73 practiced
You observe a Pod in CrashLoopBackOff in production. List the kubectl commands and investigative steps you would take to diagnose and resolve the issue. Cover use of kubectl describe, kubectl logs (including -p for previous logs), events, container exit codes, image and config checks, liveness/readiness probe failures, and strategies to reproduce and test fixes.
Sample Answer
**Situation & goal**You see a Pod in CrashLoopBackOff in production — diagnose root cause quickly and safely, then test a fix.**Immediate inspection (commands)**- Describe pod and get events:
- Monitor logs/events and metrics; validate fix in staging before rolling to prod.**Notes & safety**- Avoid direct prod changes without rollback plan; use canary/blue-green where possible.- Capture current state (kubectl get pod -o yaml) before changes for diagnostics and rollback.
Unlock Full Question Bank
Get access to hundreds of Container Orchestration and Kubernetes Operations interview questions and detailed answers.