During a CI/CD pipeline review, the team discusses methods to prevent insecure code from being introduced into production. Which practice is most effective for this purpose?
Correct Answer: A
The most effective way to prevent insecure code from reaching production is to integrate security gates directly into the CI/CD pipeline. Option A is correct because security gates involve automated scanning of dependencies, SBOM generation, code analysis, and policy enforcement during build and test phases. This ensures that vulnerabilities or policy violations are caught early in the development lifecycle. Option B (load balancing) improves availability but is unrelated to code security. Option C (A/B testing) validates functionality, not security. Option D (caching strategies) affects performance, not code safety. By embedding automated checks into CI/CD pipelines, teams adopt a shift-left security approach, ensuring compliance and minimizing risks of supply chain attacks. This practice directly supports platform engineering goals of combining security with speed and reducing developer friction through automation.
References: CNCF Supply Chain Security Whitepaper; CNCF Platforms Whitepaper; Cloud Native Platform Engineering Study Guide
Question 22
In a Continuous Integration (CI) pipeline, what is a key benefit of using automated builds?
Correct Answer: C
The key benefit of automated builds in a CI pipeline is ensuring consistent and reproducible builds. Option C is correct because automation eliminates the variability introduced by manual processes, guaranteeing that each build follows the same steps, uses the same dependencies, and produces artifacts that are predictable and testable. Option A (minimizing server costs) may be a side effect but is not the primary advantage. Option B (eliminates coding errors) is inaccurate: automated builds do not prevent developers from writing faulty code; instead, they surface errors earlier. Option D (reduces code redundancy) relates more to code design than CI pipelines. Automated builds are fundamental to DevOps and platform engineering because they establish reliability in the software supply chain, integrate seamlessly with automated testing, and enable continuous delivery. This practice ensures that code changes are validated quickly, improving developer productivity and reducing integration risks.
References: CNCF Platforms Whitepaper; Continuous Delivery Foundation Best Practices; Cloud Native Platform Engineering Study Guide
Question 23
If you update a Deployment's replica count from 3 to 5, how does the reconciliation loop respond?
Correct Answer: B
The Kubernetes reconciliation loop ensures that the actual state of a resource matches the desired state defined in its manifest. If the replica count of a Deployment is changed from 3 to 5, option B is correct: Kubernetes will automatically create two new Pods to satisfy the new desired replica count. Option A is incorrect because Deployments are not deleted; they are updated in place. Option C contradicts Kubernetes' declarative model: no manual intervention is required. Option D is wrong because Kubernetes does not restart existing Pods unless necessary; it simply adds additional Pods. This reconciliation process is core to Kubernetes' declarative infrastructure approach, where desired states are continuously monitored and enforced. It reduces human toil and ensures consistency, making it fundamental for platform engineering practices like GitOps.
References: CNCF Kubernetes Documentation; CNCF GitOps Principles; Cloud Native Platform Engineering Study Guide
Question 24
A developer is tasked with securing a Kubernetes cluster and needs to implement Role-Based Access Control (RBAC) to manage user permissions. Which of the following statements about RBAC in Kubernetes is correct?
Correct Answer: D
Role-Based Access Control (RBAC) in Kubernetes is a cornerstone of cluster security, enabling fine-grained access control based on the principle of least privilege. Option D is correct because RBAC leverages Roles (or ClusterRoles) that define sets of permissions, and RoleBindings (or ClusterRoleBindings) that assign those roles to users, groups, or service accounts. This mechanism ensures that users have only the minimum required access to perform their tasks, enhancing both security and governance. Option A is incorrect because RBAC fully supports namespace-scoped roles, allowing isolation of permissions at the namespace level in addition to cluster-wide roles. Option B is wrong because RBAC is specifically designed to restrict access, not to grant unrestricted access. Option C is misleading because RBAC applies broadly across Kubernetes API resources, not just Pods; it includes ConfigMaps, Secrets, Deployments, Services, and more. By applying RBAC correctly, platform teams can align with security best practices, ensuring that sensitive operations (e.g., managing secrets or modifying cluster configurations) are tightly controlled. RBAC is also central to compliance frameworks, as it provides auditability of who has access to what resources.
References: CNCF Kubernetes Security Best Practices; Kubernetes RBAC Documentation (aligned with CNCF platform engineering security guidance); Cloud Native Platform Engineering Study Guide
Question 25
In a GitOps workflow using Crossplane, how is infrastructure provisioned across multiple clusters?
Correct Answer: B
Crossplane integrates tightly with GitOps workflows by extending Kubernetes with infrastructure APIs. Option B is correct because infrastructure resources (databases, networks, S3 buckets, etc.) are defined declaratively in Git repositories. Git becomes the single source of truth, while Crossplane controllers automatically reconcile the desired state into real infrastructure across supported cloud providers. Option A reflects imperative scripting, which contradicts GitOps principles. Option C (manual provisioning) lacks automation, governance, and repeatability. Option D involves manual application with kubectl, which bypasses GitOps reconciliation loops. With Crossplane and GitOps, teams achieve consistent, reproducible, and auditable infrastructure provisioning at scale. This enables full alignment with cloud native platform engineering principles of declarative management, self-service, and extensibility.
References: CNCF Crossplane Documentation; CNCF GitOps Principles; Cloud Native Platform Engineering Study Guide