search

Interview questions (EASY)

Of course. Here are the answers to the 50 CI/CD interview questions, tailored for a candidate with about 3 years of experience.

hashtag
## General CI/CD Concepts

1. What is CI/CD and why is it important?

CI/CD stands for Continuous Integration and Continuous Delivery/Deployment. It's a practice that automates the software build, test, and release process. It's important because it allows development teams to deliver code changes more frequently and reliably, reducing risk and improving velocity.

2. Explain the difference between Continuous Integration, Continuous Delivery, and Continuous Deployment.

  • Continuous Integration (CI): Developers merge their code into a central repository frequently. Each merge triggers an automated build and test. The goal is to catch integration bugs early.

  • Continuous Delivery (CDelivery): This is the next step after CI. Every code change that passes the automated tests is automatically packaged and released to a staging environment. The release to production is a manual, one-click step.

  • Continuous Deployment (CDeployment): This goes one step further than Continuous Delivery. Every change that passes all stages of the pipeline is automatically deployed to production without any human intervention.

3. What are the main benefits of implementing a CI/CD pipeline?

The main benefits are Faster Release Cycles (delivering value to users quicker), Improved Reliability (fewer bugs make it to production due to automated testing), Lower Risk (deploying smaller changes is less risky than large, infrequent releases), and Increased Developer Productivity (devs can focus on coding instead of manual deployment tasks).

4. What is "Pipeline as Code" and why is it a best practice?

Pipeline as Code is the practice of defining your CI/CD pipeline in a version-controlled text file (like a Jenkinsfile or .gitlab-ci.yml) that lives in the same repository as your application code. It's a best practice because it makes your pipeline reproducible, versioned, and reviewable through pull requests, just like any other code.

5. Can you describe the typical stages of a CI/CD pipeline you have worked with?

A typical pipeline includes a Source stage (triggers on a git push), a Build stage (compiles code or builds a Docker image), a Test stage (runs unit, integration, and static analysis tests), a Package stage (pushes the artifact to a registry), and a Deploy stage (deploys to Staging and then Production).

6. What does it mean to "shift left" in a DevOps context?

Shifting left means moving testing, security, and quality checks earlier in the development lifecycle (i.e., to the "left" on a timeline). Instead of waiting for a final QA phase, we run automated security scans and quality checks in the CI stage, providing faster feedback to developers.

7. How do you handle failures in a pipeline? What's a common strategy?

The pipeline should be configured to "fail fast." As soon as a stage fails (e.g., a unit test breaks), the pipeline stops and sends an immediate notification to the developer or team (via Slack, email, etc.). A common strategy is to require a fix before any new code can be merged, preventing the main branch from remaining in a broken state.

hashtag
## Version Control (Git)

### 8. What is a webhook and how is it used to trigger a pipeline?

A webhook is an automated HTTP callback. In CI/CD, a Git platform like GitHub is configured to send a webhook to a CI server like Jenkins whenever a specific event occurs, such as a git push. This payload tells the CI server to clone the repository and start the pipeline.

### 9. Explain the difference between git merge and git rebase.

  • git merge creates a new merge commit in the history, combining two branches. It preserves the exact history of the feature branch.

  • git rebase rewrites the commit history by re-applying commits from your feature branch on top of the target branch. This creates a linear history, which is cleaner but alters the original commit data. It's best used on private feature branches before merging.

10. What is a popular Git branching strategy you have used?

A common and simple strategy is GitHub Flow. You have a main branch which is always deployable. All new work is done on a descriptive feature branch created from main. When work is complete, a pull request is opened to merge it back into main, which then triggers a deployment.

### 11. What is the purpose of a .gitignore file?

The .gitignore file specifies files and directories that Git should intentionally ignore. This is used to prevent committing files like build artifacts, log files, dependencies (node_modules), and environment-specific files (.env).

2. What's the difference between git pull and git fetch?

  • git fetch downloads the latest changes from the remote repository but does not integrate them into your local working branch. It lets you see what others have done.

  • git pull is essentially a git fetch followed by a git merge. It downloads the changes and immediately tries to merge them into your current branch.

13. How would you revert a commit that has already been pushed to a remote repository?

You would use git revert <commit-hash>. This command creates a new commit that undoes the changes from the specified commit. This is the safe way to undo changes on a shared, public branch because it doesn't rewrite history.

hashtag
## CI/CD Orchestrators (Jenkins, GitLab CI, GitHub Actions)

14. What is a Jenkinsfile? What's the difference between a Declarative and a Scripted pipeline?

A Jenkinsfile is the text file that defines a Jenkins pipeline.

  • Declarative Pipeline is a newer, more structured syntax. It's easier to read and write, with a pre-defined structure of pipeline, agent, stages, and steps.

  • Scripted Pipeline is older and uses a more flexible, imperative Groovy-based syntax. It offers more power but can be more complex to maintain.

15. What is the role of a Jenkins agent (or GitLab Runner)? Why use them?

An agent or runner is a worker machine that executes the jobs defined in the pipeline. We use them to distribute the build load, run builds in parallel, and create clean, isolated environments for each job without bogging down the main CI/CD server.

16. How do you manage secrets in your CI/CD pipeline?

Secrets should never be hardcoded. They are managed using the CI tool's built-in secrets management, such as Jenkins Credentials, GitLab CI/CD variables (masked), or GitHub Actions secrets. For more advanced needs, we can integrate with an external vault like HashiCorp Vault or AWS Secrets Manager.

17. What is a multi-branch pipeline and why is it useful?

A multi-branch pipeline in Jenkins automatically discovers branches in your Git repository and creates a pipeline for each one that contains a Jenkinsfile. This is useful because it allows every feature branch to be automatically built and tested without manual job configuration.

18. In GitHub Actions, what is the difference between a workflow, a job, and a step?

  • Workflow: The highest-level concept. It's the entire automated process, defined in a YAML file.

  • Job: A set of steps that execute on the same runner. A workflow can have one or more jobs that run in parallel or sequentially.

  • Step: An individual task within a job. It can be a shell command or a pre-built Action.

19. How can you optimize the performance of your CI pipelines?

You can optimize by using Docker layer caching, running jobs in parallel, using lighter base images, and storing dependencies in a cache to avoid downloading them on every run.

20. Have you ever had to troubleshoot a failing pipeline? Can you give an example?

"Yes, a common issue is a test failure that only happens in the CI environment. I'd start by checking the logs for the failed step. If that's not enough, I would try to replicate the CI environment locally using Docker. In one instance, a test failed because the CI agent's database version was slightly different from our local ones. We fixed it by specifying the exact database version in our Docker-based test setup."

hashtag
## Containerization (Docker)

21. What is a Dockerfile? Can you describe its basic structure?

A Dockerfile is a text file with instructions for building a Docker image. It typically starts with a FROM instruction to specify a base image, followed by COPY or ADD to add files, RUN to execute commands (like installing packages), EXPOSE to document a port, and finally a CMD or ENTRYPOINT to specify the command to run when a container starts.

22. What is the difference between the COPY and ADD instructions in a Dockerfile?

Both copy files into the image. However, ADD has some extra features: it can automatically extract tar files and can fetch files from a URL. The best practice is to always use COPY unless you specifically need ADD's extra functionality, as COPY is more explicit.

23. Explain the difference between CMD and ENTRYPOINT.

  • ENTRYPOINT configures the primary executable for the container. It's not easily overridden.

  • CMD provides the default arguments for the ENTRYPOINT. These arguments are easily overridden when starting the container.

  • A common pattern is to use ENTRYPOINT for the command (e.g., python) and CMD for the argument (e.g., app.py).

24. What are Docker layers? How does layer caching help in building images faster?

Each instruction in a Dockerfile creates a read-only layer. When you rebuild an image, Docker caches the layers. If an instruction hasn't changed, Docker reuses the layer from the cache instead of re-running it. This is why you should order your Dockerfile instructions from least to most frequently changing to maximize cache usage.

25. How can you create a smaller, more secure Docker image?

By using multi-stage builds. You use one stage with a larger build environment to compile your code and run tests. Then, you COPY only the compiled application artifact into a final, smaller base image (like alpine or distroless) for production. This removes all the build tools and dependencies, reducing size and attack surface.

26. What is docker-compose and what is it typically used for?

docker-compose is a tool for defining and running multi-container Docker applications. It uses a YAML file (docker-compose.yml) to configure the application's services, networks, and volumes. It's primarily used for setting up local development and testing environments.

27. What's the difference between a Docker image and a Docker container?

  • An image is a read-only template that contains the application and its environment. It's like a class or a blueprint.

  • A container is a runnable instance of an image. It's like an object or an instance of a class. You can run multiple containers from the same image.

hashtag
## Artifact & Package Management

28. Why do we need an artifact repository like JFrog Artifactory or Sonatype Nexus?

We need an artifact repository to store, version, and manage the binary outputs (artifacts) of our build process. It acts as a single source of truth for our deployable units, caches external dependencies for faster and more reliable builds, and helps manage access control and security scanning of artifacts.

29. What kind of artifacts have you managed in a repository?

I've managed Docker images in Amazon ECR, Java .jar files in Nexus, and npm packages in JFrog Artifactory.

30. How do you version your artifacts? What is semantic versioning?

Artifact versions should be unique and traceable. A common practice is to tag them with the Git commit hash or a build number. Semantic Versioning (SemVer) is a popular standard that uses a MAJOR.MINOR.PATCH format (e.g., 1.2.5). MAJOR versions indicate breaking changes, MINOR versions add functionality in a backward-compatible way, and PATCH versions are for backward-compatible bug fixes.

hashtag
## Configuration Management & Infrastructure as Code (IaC)

31. What is Ansible and what is it used for in a CI/CD context?

Ansible is a configuration management tool used to automate application deployment, software provisioning, and system configuration. In a CI/CD context, it's often used in the deploy stage to configure servers and push out the new version of an application.

32. What is an Ansible playbook? What is a role?

  • A playbook is a YAML file that defines a set of tasks to be executed on a remote server.

  • A role is a standardized, reusable way to organize playbooks and related files (templates, handlers) to facilitate sharing and reuse.

33. Why is Ansible considered agentless?

Ansible is agentless because it doesn't require any special software (an agent) to be installed on the managed nodes. It communicates over standard protocols like SSH for Linux and WinRM for Windows.

34. What is Terraform? How is it different from Ansible?

Terraform is an Infrastructure as Code (IaC) tool used for provisioning infrastructure (servers, databases, networks).

  • The main difference is Terraform provisions infrastructure (the house), while Ansible configures what's inside it (the furniture).

  • Terraform uses a declarative approach (you define the desired state), while Ansible is more procedural (you define the steps to get there).

35. What is the purpose of the Terraform state file?

The Terraform state file (terraform.tfstate) is a JSON file that keeps track of the resources Terraform manages. It maps your configuration to the real-world resources, tracks metadata, and is crucial for planning and applying future changes.

36. What does the terraform plan command do?

terraform plan creates an execution plan. It compares the desired state in your configuration files with the current state of the infrastructure (read from the state file) and shows you exactly what changes will be made (created, updated, or destroyed) if you run terraform apply.

37. What does the term "idempotency" mean?

Idempotency means that running an operation multiple times will have the same result as running it once. Tools like Ansible are designed to be idempotent; if you run a playbook to ensure a package is installed, it will install it the first time and do nothing on subsequent runs if it's already there.

hashtag
## Container Orchestration (Kubernetes)

38. What is a Kubernetes Pod? Is it the smallest deployable unit?

Yes, a Pod is the smallest and simplest deployable unit in Kubernetes. It's a wrapper around one or more containers, sharing the same storage, network resources, and a specification for how to run the containers.

39. What is the difference between a Deployment and a Service in Kubernetes?

  • A Deployment manages the lifecycle of Pods. It ensures that a specified number of replica Pods are running and handles updates using strategies like rolling updates.

  • A Service provides a stable network endpoint (a single IP address and DNS name) to access a group of Pods. It acts as a load balancer, directing traffic to the Pods managed by a Deployment.

40. How does Kubernetes handle a rolling update?

During a rolling update, the Kubernetes Deployment incrementally replaces old Pods with new ones. It ensures that a certain number of Pods are always available, avoiding downtime. It will create a new Pod, wait for it to be ready, and then terminate an old one, repeating this process until all Pods are updated.

41. What is kubectl? Name a few commands you use frequently.

kubectl is the command-line tool for interacting with a Kubernetes cluster. Common commands I use are:

  • kubectl get pods (to list pods)

  • kubectl describe pod <pod-name> (to get detailed info for troubleshooting)

  • kubectl logs <pod-name> (to view container logs)

  • kubectl apply -f <filename.yaml> (to create or update a resource)

42. What is a Helm chart and why is it useful?

Helm is a package manager for Kubernetes. A Helm chart is a collection of files that describe a related set of Kubernetes resources. It's useful because it allows you to package, version, share, and manage complex applications as a single, configurable unit, making deployments much simpler.

43. What is the purpose of a ConfigMap and a Secret in Kubernetes?

Both are used to decouple configuration from container images.

  • A ConfigMap is used to store non-confidential configuration data as key-value pairs (e.g., application URLs, environment settings).

  • A Secret is used specifically for sensitive data like passwords, API keys, or TLS certificates. The data is stored in base64 encoding.

44. Explain the role of the Kubelet.

The Kubelet is an agent that runs on every node in the Kubernetes cluster. Its primary job is to ensure that the containers described in PodSpecs are running and healthy on its node. It doesn't manage containers it wasn't created to manage.

hashtag
## Monitoring & Observability

45. What's the difference between monitoring and observability?

  • Monitoring is about watching for pre-defined problems. You collect metrics for known failure modes (like CPU usage) and get alerted when a threshold is crossed. It tells you that something is wrong.

  • Observability is about having enough data to understand and debug novel problems you've never seen before. It allows you to ask arbitrary questions about your system to figure out why something is wrong.

46. What are the three pillars of observability?

The three pillars are Metrics (numerical, time-series data like request count or CPU usage), Logs (timestamped, unstructured text records of events), and Traces (which show the lifecycle of a request as it travels through a distributed system).

47. What is Prometheus? How does it collect metrics from applications?

Prometheus is an open-source monitoring and alerting toolkit. It collects metrics using a pull-based model. It periodically scrapes HTTP endpoints (called /metrics) exposed by applications, which contain metrics in a simple text-based format.

48. What is Grafana used for?

Grafana is an open-source visualization and analytics tool. It's commonly used to create interactive dashboards and graphs by querying data sources like Prometheus, Elasticsearch, or Loki. It turns raw metrics and logs into meaningful visualizations.

49. In your pipeline, how would you verify that a deployment was successful?

A simple verification is to check the exit status of the deployment command. A more robust method is to add a "smoke test" stage after deployment. This stage would run a quick check, like sending an HTTP request to the application's health check endpoint and verifying it returns a 200 OK status.

50. What is a health check or liveness probe in Kubernetes?

A liveness probe is a check that the Kubelet performs periodically to determine if a container is still running. If the probe fails (e.g., an HTTP endpoint stops responding), the Kubelet will kill the container and restart it, helping the application to self-heal.

Of course! Here are the answers to the second set of 50 questions.

hashtag
## CI/CD Principles & Strategy

hashtag
1. What is a build artifact? Can you provide a few examples?

A build artifact is the output of a build process—the file or set of files that are ready to be tested and deployed. Examples include a Docker image, a Java .jar or .war file, a compiled C++ executable, or a zipped folder of static HTML/CSS/JS files.

2. Explain the difference between Blue/Green and Canary deployment strategies.

  • Blue/Green Deployment: You have two identical production environments: Blue (the current version) and Green (the new version). All traffic is switched from Blue to Green at once. This allows for an instant rollback by simply switching traffic back to Blue. The main drawback is the cost of maintaining two full environments.

  • Canary Deployment: You release the new version to a small subset of users (the "canaries"). You monitor for errors and performance issues. If it's stable, you gradually roll it out to more users. This is lower risk but a more complex and slower process.

3. What are DORA metrics and why are they important?

DORA (DevOps Research and Assessment) metrics are four key indicators used to measure the performance of a software development team. They are:

  1. Deployment Frequency: How often you deploy to production.

  2. Lead Time for Changes: How long it takes from commit to production.

  3. Mean Time to Recovery (MTTR): How long it takes to restore service after an incident.

  4. Change Failure Rate: The percentage of deployments that cause a failure in production.

    They are important because they provide a balanced view of both team velocity and operational stability.

4. What does it mean for a process to be idempotent? Why is this important for automation scripts?

Idempotency means that an operation can be applied multiple times without changing the result beyond the initial application. This is crucial for automation because it makes scripts safe to re-run. If a deployment script fails halfway, you can simply run it again, and it will only complete the unfinished tasks without breaking what's already done.

5. What is rollback? What factors would you consider when deciding to perform a rollback?

A rollback is the process of reverting a system to its previous state after a failed deployment. I would consider the severity of the issue (is it a minor UI bug or a critical outage?), the impact on users, and the time to fix. If the Mean Time to Recovery (MTTR) is lower by rolling back than by rolling forward with a hotfix, then a rollback is the right choice.

6. How do you ensure the quality of code being merged into the main branch?

Code quality is ensured through a combination of automated checks and manual reviews. This includes a CI pipeline that runs unit tests, static code analysis (linting), and security scans on every commit. Additionally, a mandatory peer review process (via Pull/Merge Requests) ensures another developer has approved the changes.

7. What is the "blast radius" and how do deployment strategies like Canary help manage it?

The blast radius is the potential impact a failure can have on your users and system. A Canary deployment significantly reduces the blast radius by exposing a new, potentially buggy version of the software to only a small percentage of users. If a failure occurs, only those few users are affected, not the entire user base.

hashtag
## Version Control & Git

8. What is the purpose of the git stash command?

git stash temporarily shelves (or stashes) your uncommitted changes, leaving you with a clean working directory. This is useful when you need to quickly switch branches to work on something else, but you're not ready to commit your current work. You can later re-apply the stashed changes with git stash pop.

9. How would you resolve a merge conflict?

  1. Git will mark the conflicting files.

  2. Open the marked file(s) in a text editor.

  3. Look for the conflict markers (<<<<<<<, =======, >>>>>>>).

  4. Manually edit the file to keep the desired changes and remove the conflict markers.

  5. Use git add <filename> to stage the newly resolved file.

  6. Finally, run git commit to complete the merge.

10. What is a Pull Request (PR) or Merge Request (MR)?

A Pull Request (on GitHub/Bitbucket) or Merge Request (on GitLab) is a way to propose and collaborate on changes to a repository. It's a formal request to merge code from one branch (a feature branch) into another (like main). It allows for code review, discussion, and automated CI checks before the changes are integrated.

11. What does the git cherry-pick command do?

git cherry-pick <commit-hash> is used to apply a specific commit from one branch onto another branch. It's useful when you only need to bring over one or two specific commits from a feature branch instead of merging the entire branch.

12. What does it mean to be in a "detached HEAD" state in Git?

A detached HEAD state means that your HEAD (the pointer to your current location) is pointing directly to a specific commit, not to a branch. This can happen if you git checkout <commit-hash>. You can look around and make experimental commits, but they won't belong to any branch and can be lost once you switch back to a branch.

13. Why is it a bad idea to use git push --force on a shared branch?

Using git push --force overwrites the history of the remote branch with your local history. If other team members have pulled the branch and based their work on it, a force push will invalidate their work and create major conflicts. It should only be used on your own private feature branches, and even then, with extreme caution.

hashtag
## CI/CD Tools & Pipelines (Jenkins, GitLab CI, etc.)

14. How can you pass data or artifacts from one stage to another in a CI/CD pipeline?

Most CI/CD tools provide a mechanism for this. In Jenkins, you can use the stash and unstash steps to pass files between stages. In GitLab CI and GitHub Actions, you can define artifacts in one job that can be downloaded and used by a subsequent job.

15. What is a shared library in Jenkins?

A shared library allows you to define reusable Groovy code and pipeline logic that can be shared across multiple Jenkins pipelines. This helps reduce code duplication and allows you to centralize and version-control common pipeline tasks.

16. How would you trigger a pipeline manually with custom parameters?

Most CI/CD tools have a "Run Pipeline" or "Trigger Pipeline" UI button. When defining the pipeline-as-code (e.g., in a Jenkinsfile), you can define parameters (like string, boolean, or choice parameters). These will appear as a form in the UI, allowing you to input custom values for a manual run.

17. What is the purpose of the post section in a Declarative Jenkinsfile?

The post section defines one or more actions that will be run at the end of a pipeline or stage run. It's useful for cleanup tasks, sending notifications, or running different logic depending on the pipeline's status (always, success, failure, etc.).

18. In GitLab CI, what is the purpose of the .gitlab-ci.yml file?

The .gitlab-ci.yml file is the core of GitLab CI/CD. It's a YAML file in the root of your repository where you define the structure of your pipeline: the stages, the jobs to run, and the conditions under which they should run.

19. What's the difference between a script block and a sh step in a Jenkinsfile?

A sh step is a specific function in a Jenkinsfile used to execute a shell command. A script block is a construct used within a Declarative pipeline to allow for a block of more complex, scripted pipeline logic (like if/else conditions, loops, or variable definitions).

20. Why might a pipeline run on a self-hosted runner instead of a cloud-provided one?

You might use a self-hosted runner to access resources in a private network (like a database behind a firewall), to use custom hardware (like a GPU), or to comply with security policies that don't allow code to be run on third-party infrastructure. It can also be more cost-effective for high-volume builds.

hashtag
## Containers & Docker

21. What is a Docker volume and why is it used?

A Docker volume is a mechanism for persisting data generated by and used by Docker containers. Volumes are managed by Docker and exist on the host machine, outside the container's writable layer. This ensures that the data is not lost when the container is stopped or removed.

22. What is the purpose of the .dockerignore file?

The .dockerignore file works just like .gitignore. It lists files and directories that should be excluded from the Docker build context. This is used to prevent sensitive files from being copied into the image and to speed up builds by ignoring large files or directories like .git or node_modules.

23. How do Docker containers communicate with each other?

Containers can communicate by being attached to the same Docker network. By default, containers on the same user-defined bridge network can reach each other by using their container name as a DNS hostname.

24. What's the difference between docker exec and docker attach?

  • docker exec is used to run a new command inside an already running container. It's great for debugging.

  • docker attach connects your terminal's standard input, output, and error streams to the main running process inside a container.

25. How do you see the logs of a running container?

You use the docker logs <container-name-or-id> command. You can also use the -f flag (docker logs -f ...) to follow the log output in real-time.

26. What is the difference between a private and a public Docker registry?

A public registry, like Docker Hub, allows anyone to pull images. A private registry, like Amazon ECR or a self-hosted one, requires authentication and is used to store an organization's proprietary container images securely.

27. Explain the EXPOSE instruction in a Dockerfile. Does it actually publish the port?

The EXPOSE instruction serves as documentation. It informs Docker that the container listens on the specified network ports at runtime. It does not actually publish the port. To make the port accessible from the host, you must use the -p or -P flag in the docker run command.

hashtag
## IaC & Configuration Management

28. What is the difference between Push and Pull based configuration management? Which model does Ansible use?

  • Push Model: A central server initiates changes and pushes them out to the managed nodes. Ansible uses this model.

  • Pull Model: The managed nodes periodically check in with a central server to see if their configuration is up-to-date and pull any changes. Puppet and Chef use this model.

29. What is a Terraform provider?

A provider is a plugin that allows Terraform to interact with a specific API. This could be a cloud platform like AWS, a SaaS provider like Cloudflare, or an on-premise technology like vSphere. Each provider adds a set of resources and data sources that Terraform can manage.

30. What does the terraform init command do?

terraform init is the first command you run in a new Terraform project. It initializes the working directory by downloading the required provider plugins and setting up the backend for state file storage.

31. In Ansible, what is an inventory file?

An inventory is a file (usually in INI or YAML format) that defines the list of hosts (managed nodes) that Ansible will manage. It can also organize hosts into groups and set variables specific to those hosts or groups.

32. What is a template in Ansible? How is it useful?

A template in Ansible is a file containing variables that can be dynamically replaced with actual values when a playbook is run. It uses the Jinja2 templating engine. This is useful for creating configuration files that are customized for each specific host.

33. Why is it important to keep your Terraform state file secure?

The state file is a record of your infrastructure and can contain sensitive data in plain text, such as database passwords or private keys. It's crucial to store it in a secure, encrypted, and access-controlled remote backend (like an AWS S3 bucket).

34. What is packer and how might it be used with Terraform?

Packer is a tool by HashiCorp used to create identical machine images (like AMIs for AWS or VMDKs for VMware) from a single source configuration. You would use Packer to build a custom, pre-configured "golden image" and then use Terraform to provision servers using that image. This speeds up server launch times.

hashtag
## Kubernetes & Orchestration

35. What is a Namespace in Kubernetes used for?

A Namespace is a way to create a virtual cluster inside a physical Kubernetes cluster. It's used to isolate resources for different teams, environments (e.g., dev, staging), or projects, helping with organization and access control.

36. What is an Ingress and what problem does it solve?

An Ingress is a Kubernetes object that manages external access to services within the cluster, typically HTTP(S). It acts as an API gateway or reverse proxy, allowing you to define routing rules to direct external traffic to different services based on the hostname or URL path.

37. How would you scale a Deployment in Kubernetes?

You can scale a Deployment using the kubectl scale command, for example: kubectl scale deployment my-app --replicas=5. Alternatively, you can edit the replicas field in the Deployment's YAML manifest and re-apply it with kubectl apply.

38. What is the role of etcd in a Kubernetes cluster?

etcd is the primary datastore for a Kubernetes cluster. It's a consistent and highly-available key-value store that holds all cluster data, including the configuration, state, and metadata of all resources. It is the single source of truth for the cluster.

39. What is the difference between a livenessProbe, a readinessProbe, and a startupProbe?

  • Liveness Probe: Asks "Is the application alive?" If it fails, Kubernetes restarts the container.

  • Readiness Probe: Asks "Is the application ready to accept traffic?" If it fails, Kubernetes removes the Pod from the Service's endpoints, so it doesn't receive new requests.

  • Startup Probe: Used for slow-starting containers. It disables the liveness and readiness probes until it succeeds, preventing the container from being killed prematurely.

40. What is a DaemonSet? Give an example of a use case.

A DaemonSet ensures that all (or some) nodes in a cluster run a copy of a Pod. A common use case is for deploying cluster-wide agents like a log collector (Fluentd), a monitoring agent (Prometheus Node Exporter), or a network plugin.

41. How can you limit the CPU and memory resources a Pod can consume?

You can set resource requests and limits in the Pod's specification.

  • Requests: The amount of resources Kubernetes guarantees for the container.

  • Limits: The maximum amount of resources the container is allowed to use. If it exceeds the memory limit, it will be terminated.

hashtag
## Security in DevOps (DevSecOps)

42. What is DevSecOps?

DevSecOps is a cultural shift that integrates security practices into the DevOps process. The goal is to automate and embed security at every stage of the software lifecycle, from design to deployment, rather than treating it as an afterthought.

43. Where in the CI/CD pipeline would you add a security scan for container images?

A container image scan should be added after the image is built but before it is pushed to the registry. This ensures that you catch vulnerabilities before the artifact is stored. It's also a good practice to periodically re-scan images that are already in the registry.

44. What is the difference between SAST and DAST?

  • SAST (Static Application Security Testing): A "white-box" testing method that scans the application's source code or binaries for vulnerabilities without running the code.

  • DAST (Dynamic Application Security Testing): A "black-box" testing method that tests the running application from the outside, looking for vulnerabilities by sending malicious requests.

45. Why is it important to use specific versions for base images in a Dockerfile (e.g., python:3.9.1) instead of latest?

Using the latest tag leads to unpredictable builds, as the latest tag can be updated at any time with a new version, potentially introducing breaking changes or vulnerabilities. Pinning to a specific version ensures that your builds are deterministic and reproducible.

46. What is the principle of least privilege and how does it apply to CI/CD?

The principle of least privilege states that a user or service should only be granted the minimum permissions necessary to perform its job. In CI/CD, this means the pipeline's service account should only have permissions to, for example, push to a specific container registry or deploy to a specific Kubernetes namespace, and nothing more.

hashtag
## Monitoring & Cloud

47. What is an SLI (Service Level Indicator) and an SLO (Service Level Objective)?

  • An SLI is a quantitative measurement of some aspect of your service, like request latency, error rate, or system uptime.

  • An SLO is the target value or range for that SLI over a period of time. For example, an SLO could be "99.9% of homepage requests will be served in under 200ms."

48. What is distributed tracing?

Distributed tracing is a method used to profile and monitor applications, especially those built using a microservices architecture. It tracks a single request as it flows through all the different services it interacts with, providing a complete picture of the request's journey and helping to pinpoint performance bottlenecks.

49. How does using a cloud platform (like AWS, GCP, Azure) affect your CI/CD setup?

Cloud platforms profoundly affect CI/CD by offering managed services that simplify the process. Instead of building your own Jenkins server, you can use AWS CodePipeline or GCP Cloud Build. You can store artifacts in ECR or GCR and deploy to managed Kubernetes services like EKS or GKE. This reduces the operational overhead of managing the CI/CD infrastructure itself.

50. What is a service mesh (like Istio or Linkerd) and what are some of its benefits?

A service mesh is a dedicated infrastructure layer for managing service-to-service communication in a microservices architecture. It provides features like traffic management (e.g., intelligent routing), security (e.g., automatic mutual TLS encryption), and observability (e.g., detailed metrics and traces) without requiring any changes to the application code itself.

PreviousEnd to End CI/CD pipelineNextInterview questions (Medium)

Last updated