
Kubernetes interview questions

Kubernetes interview questions covering architecture, workload management, networking, storage, security, and operational best practices.

12 questions
3 easy, 7 medium, 2 hard

1. Explain the architecture of a Kubernetes cluster.

medium
How to approach this: A cluster has a control plane (API server, etcd, scheduler, controller manager) and worker nodes (kubelet, kube-proxy, container runtime). The API server is the front door for all operations. etcd stores all cluster state. The scheduler assigns pods to nodes. The kubelet on each node ensures pods are running. All communication goes through the API server.

2. What is the difference between a Deployment, a StatefulSet, and a DaemonSet?

medium
How to approach this: Deployment: manages stateless pods with rolling updates and rollback. StatefulSet: manages stateful pods with stable network identities, persistent storage, and ordered deployment/scaling. DaemonSet: ensures one pod runs on every (or selected) node, used for logging agents and monitoring. Choose based on whether your workload is stateless, stateful, or per-node.

3. How does Kubernetes networking work? How do pods communicate?

hard
How to approach this: Every pod gets its own IP address. Pods on the same node communicate via a virtual bridge. Pods across nodes communicate via a CNI plugin (Calico, Cilium, Flannel) that creates an overlay network. Services provide stable IPs and DNS names for a set of pods. Ingress controllers handle external HTTP traffic routing to services.

4. What are liveness, readiness, and startup probes?

medium
How to approach this: Liveness probe: checks if the container is still running. If it fails, Kubernetes restarts the container. Readiness probe: checks if the container is ready to receive traffic. If it fails, the pod is removed from the Service endpoints. Startup probe: checks if the application has started (liveness and readiness checks are disabled during startup). Use all three for robust health checking.

5. How would you handle persistent storage in Kubernetes?

medium
How to approach this: Use PersistentVolumes (PV) and PersistentVolumeClaims (PVC). PVs represent actual storage (EBS, NFS, local disk). PVCs are requests for storage by pods. StorageClasses enable dynamic provisioning (create PVs on demand). For databases, use StatefulSets with PVCs. Set reclaimPolicy to Retain for important data. Consider CSI drivers for cloud-specific storage integration.

6. Explain how rolling updates work in Kubernetes deployments.

medium
How to approach this: A rolling update gradually replaces old pods with new ones. You configure maxSurge (how many extra pods during update) and maxUnavailable (how many pods can be down). Kubernetes creates new pods, waits for readiness, then terminates old pods. If the new version fails readiness checks, the rollout stalls. Use kubectl rollout undo to revert to the previous version.

7. What is a Kubernetes Service, and what are the different types?

easy
How to approach this: A Service provides a stable network endpoint for a set of pods selected by labels. Types: ClusterIP (internal-only, default), NodePort (exposes on each node's IP at a static port), LoadBalancer (provisions a cloud load balancer), ExternalName (CNAME alias to an external service). Use ClusterIP for internal services, LoadBalancer/Ingress for external access.

8. How do you manage secrets in Kubernetes?

medium
How to approach this: Kubernetes Secrets store sensitive data (passwords, tokens) as base64-encoded values in etcd. They are NOT encrypted by default. Best practices: enable encryption at rest for etcd, use external secrets managers (Vault, AWS Secrets Manager) with operators like External Secrets, limit RBAC access to Secrets, and avoid exposing secrets as environment variables (prefer volume mounts for auditability).

9. What is a Helm chart, and why is it useful?

easy
How to approach this: Helm is a package manager for Kubernetes. A chart is a collection of YAML templates that define a complete application deployment. Values files allow customization without editing templates. Benefits: reusable packaging, versioned releases, easy rollback, dependency management, and consistent deployments across environments. Alternatives: Kustomize (template-free patching), Jsonnet, CDK8s.

10. How would you troubleshoot a pod stuck in CrashLoopBackOff?

medium
How to approach this: Steps: Run kubectl describe pod and check the events for OOMKilled, image pull errors, and mount failures. Run kubectl logs with the --previous flag to see application logs from the previous crash. Check resource limits (is the container OOMKilled?). Verify environment variables and config maps. Check if the health probe is too aggressive. If the container exits immediately, try overriding the command to sleep and exec in to debug.

11. Explain Kubernetes RBAC and how you would set it up.

hard
How to approach this: RBAC (Role-Based Access Control) uses Roles (namespace-scoped permissions), ClusterRoles (cluster-wide permissions), RoleBindings, and ClusterRoleBindings to control who can do what. Create Roles with least-privilege (only the verbs and resources needed). Bind them to ServiceAccounts for applications, Groups for teams, and Users for individuals. Audit regularly with kubectl auth can-i.

12. What is the difference between a ConfigMap and a Secret?

easy
How to approach this: ConfigMaps store non-sensitive configuration (feature flags, connection strings without passwords, config files). Secrets store sensitive data (passwords, TLS certificates, API keys). Both can be mounted as files or exposed as environment variables. Secrets are base64-encoded (not encrypted by default) and have slightly different access controls. Never put sensitive data in ConfigMaps.
