kubernetes interview questions

Here are 100 Kubernetes interview questions and answers, covering fundamental concepts, architecture, core objects, networking, storage, security, and real-world troubleshooting scenarios.

Kubernetes Fundamentals

1. What is Kubernetes?
An open-source container orchestration platform that automates deployment, scaling, and management of containerized applications. Originally developed by Google, now maintained by CNCF.

2. What problems does Kubernetes solve?
It automates manual container operations: scheduling containers across hosts, self-healing (restarting failed containers), scaling, service discovery, load balancing, storage orchestration, and declarative configuration.

3. Explain the difference between Docker and Kubernetes.
Docker is a container runtime and packaging tool. Kubernetes is a container orchestration platform that manages and schedules Docker (or other) containers across a cluster, handling networking, scaling, and resilience.

4. What are the main components of a Kubernetes cluster?
Control plane components: API server, etcd, scheduler, controller manager. Node components: kubelet, kube-proxy, container runtime.

5. What is a Pod?
The smallest deployable unit in Kubernetes—a group of one or more containers that share network namespace, storage, and lifecycle. Containers in a Pod are always co-located and co-scheduled.

6. What is a Node?
A worker machine (physical or virtual) that runs Pods. Each node runs kubelet, kube-proxy, and a container runtime.

7. What is the Kubernetes control plane?
The set of components that manage the cluster: API server (front-end), etcd (backing store), scheduler (places pods on nodes), controller manager (runs controllers).

8. What is etcd?
A distributed key-value store used by Kubernetes to persist all cluster data, including configuration, state, and metadata.

9. What is the API server?
The front-end to the Kubernetes control plane, exposing the Kubernetes API. All cluster interactions (kubectl, internal components) go through it.

10. What is a Namespace?
A virtual cluster inside a Kubernetes cluster used to divide resources and scope object names. Useful for multi-tenancy and separating environments.

Architecture & Components

11. What is the role of the kubelet?
An agent that runs on each node. It receives PodSpecs from the API server and ensures containers are running and healthy.

12. What does kube-proxy do?
Maintains network rules on nodes, enabling network communication to Pods from inside or outside the cluster. Implements part of the Service concept.

13. What is the scheduler?
Watches for newly created Pods with no assigned node, and selects a node for them to run on based on resource availability, constraints, and policies.

14. What is the controller manager?
Runs controller processes like the node controller, replication controller, endpoints controller, and service account & token controllers. Each controller watches the state and moves towards the desired state.

15. What is a container runtime in Kubernetes?
The software responsible for running containers. Kubernetes supports runtimes via the Container Runtime Interface (CRI), e.g., containerd, CRI-O, and Docker Engine (only through the deprecated dockershim adapter).

16. What is the role of etcd in high availability?
In production, etcd runs as a cluster of odd-numbered nodes (≥3) using the Raft consensus algorithm to ensure fault tolerance and data consistency.

17. How does the control plane communicate with node components?
The kubelet on each node connects to the API server over TLS and opens a watch for the Pods assigned to it; the API server delivers changes (for example new PodSpecs) to the node through that watch rather than by polling.

18. What is the Kubernetes API?
A RESTful HTTP API that allows users, external tools, and internal components to query and manipulate Kubernetes objects.

19. What is a Kubernetes object?
A persistent entity in the Kubernetes system that represents the desired state of the cluster. Examples: Pod, Service, Deployment, Namespace.

20. What is declarative configuration?
Specifying the desired state of the world via YAML/JSON manifests. Kubernetes continuously works to make the actual state match the desired state.

Core Objects: Pods & Workloads

21. How do you create a Pod?
Usually via a workload resource like Deployment, but directly: kubectl run pod-name --image=image or by applying a YAML manifest with kind: Pod.

22. What is a ReplicaSet?
Ensures a specified number of identical Pod replicas are running at all times. Usually managed indirectly by a Deployment.

23. What is a Deployment?
Provides declarative updates for Pods and ReplicaSets. Supports rolling updates, rollback, scaling, and pausing. The most common way to run stateless apps.

24. What is a StatefulSet?
Manages stateful applications with stable unique network identifiers, persistent storage, and ordered, graceful deployment and scaling. Used for databases like MySQL, Cassandra.

25. What is a DaemonSet?
Ensures a copy of a Pod runs on all (or a subset of) nodes in the cluster. Use cases: log collectors, monitoring agents, storage daemons.

26. What is a Job?
Creates one or more Pods to perform a task to completion. A Job tracks successful completions and retries.

27. What is a CronJob?
A Job that runs on a recurring schedule, similar to Linux cron.

28. How do you scale a Deployment?
kubectl scale deployment/name --replicas=N. Or by editing the deployment YAML. Kubernetes creates or terminates Pods accordingly.

29. What is a rolling update?
A Deployment strategy that gradually replaces old Pods with new ones, ensuring availability during updates. Controlled by maxSurge and maxUnavailable.

30. What is a rollout undo?
kubectl rollout undo deployment/name to revert to the previous revision of a Deployment.

31. What is a liveness probe?
A health check that determines if a container is still running. If failed, the kubelet kills the container and restarts it.

32. What is a readiness probe?
A health check that determines if a container is ready to serve traffic. If failed, the Pod’s IP is removed from Service endpoints.

33. What is a startup probe?
Used for containers with slow startup. If configured, liveness and readiness checks are delayed until the startup probe succeeds.
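A container spec that uses all three probes together, added here as an example (it is not from the original page); the /healthz and /ready paths, port 8080, the image and the timings are assumptions:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: api
spec:
  containers:
    - name: api
      image: registry.example.com/api:1.4.2   # assumed image
      ports:
        - containerPort: 8080
      # Runs first. Liveness and readiness are not evaluated until it
      # succeeds, so a slow start (JVM warm-up, schema migration) is not
      # killed by the liveness probe. Allows up to 30 * 5s = 150s.
      startupProbe:
        httpGet:
          path: /healthz
          port: 8080
        periodSeconds: 5
        failureThreshold: 30
      # Failure => kubelet restarts the container. Keep it cheap and local;
      # checking downstream dependencies here means one DB outage restarts
      # every Pod in the Deployment.
      livenessProbe:
        httpGet:
          path: /healthz
          port: 8080
        periodSeconds: 10
        failureThreshold: 3
      # Failure => Pod IP is removed from Service endpoints, the container
      # keeps running. This one may check dependencies, so traffic drains
      # until they recover and comes back automatically.
      readinessProbe:
        httpGet:
          path: /ready
          port: 8080
        periodSeconds: 5
        failureThreshold: 2
```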

34. How can you define resource requests and limits?
In the container spec:

```yaml
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "256Mi"
```

35. What is the difference between requests and limits?
Requests are what the container is guaranteed to get; the scheduler uses it to place Pods. Limits cap the maximum resource usage; exceeding CPU results in throttling, exceeding memory leads to OOM kill.

Labels, Selectors & Annotations

36. What are labels?
Key/value pairs attached to objects like Pods, Services, etc., used for organization and selection. For example, app: frontend.

37. What are label selectors?
Used to filter a set of objects based on labels. Equality-based: environment = production. Set-based: environment in (staging, production).

38. What are annotations?
Similar to labels but for non-identifying metadata: build timestamps, git branch, contact info. Not used for grouping/selection.

39. How do you find Pods matching a label?
kubectl get pods -l app=frontend

40. Can you update labels on a running Pod?
Yes, using kubectl label pod name newlabel=value (add --overwrite to change an existing value). Be careful: labels drive selection, so changing one can silently remove the Pod from a Service's endpoints or from the ReplicaSet that manages it.

Services & Networking

41. What is a Kubernetes Service?
An abstraction that defines a logical set of Pods and a policy to access them (usually via stable IP and DNS name). Services enable service discovery.

42. What are the different types of Services?
ClusterIP (default, internal only), NodePort (exposes on a static port on each node), LoadBalancer (provisions an external load balancer), ExternalName (maps to external DNS).

43. What is a ClusterIP Service?
Exposes the Service on a cluster-internal IP. Only reachable within the cluster. Used for internal communication.

44. What is a NodePort Service?
Exposes the Service on the same port of each selected node, accessible from outside with <NodeIP>:<NodePort>. Underneath creates a ClusterIP.

45. What is a LoadBalancer Service?
Standard way to expose a Service externally using a cloud provider’s load balancer. Creates a NodePort and ClusterIP as underlying infrastructure.

46. What is an Ingress?
An API object that manages external HTTP/S access to Services inside a cluster, providing features like host-based routing, SSL termination, and path-based routing. Requires an Ingress controller.

47. What is an Ingress Controller?
A pod that fulfills the Ingress rules, e.g., NGINX Ingress Controller, Traefik, HAProxy. It watches for Ingress resources and configures the actual load balancer.

48. How does DNS work inside Kubernetes?
Kube-dns or CoreDNS runs as a Service. Pods can resolve other Services by their name (e.g., my-svc.my-namespace.svc.cluster.local). Pods get DNS configured via /etc/resolv.conf.

49. What is a NetworkPolicy?
A resource that controls traffic flow between Pods and/or network endpoints. It defines ingress and egress rules. The network plugin must support it (e.g., Calico, Cilium).

50. What is a CNI plugin?
Container Network Interface: a standard for how network plugins interface with container runtimes. Kubernetes uses CNI plugins like Flannel, Calico, Weave for pod networking.

51. How do you troubleshoot network connectivity issues in Kubernetes?
Check Service endpoints (kubectl get endpoints), verify network policies, test from inside the cluster using a debug container (kubectl run -it --rm debug --image=busybox -- sh), and inspect kube-proxy logs.

52. What is a headless service?
A Service with clusterIP: None. It does not allocate a cluster IP; DNS returns Pod IPs directly. Useful for StatefulSets and client-side load balancing.

53. What is the purpose of the externalTrafficPolicy in a Service?
Controls routing of external traffic to node-local or cluster-wide endpoints. Setting to Local preserves source IP but may cause load imbalance.

54. How does a Service select Pods?
By using label selectors in the Service spec. The endpoints controller maintains the list of healthy Pod IPs.

55. What is a Gateway API?
A newer Kubernetes native API for managing service networking, more expressive and role-oriented than Ingress. It’s intended to replace Ingress in the long term.

Storage

56. What is a Volume in Kubernetes?
A directory accessible to containers in a Pod. Its lifetime depends on the volume type; some live as long as the Pod, others persist beyond Pod lifecycle.

57. What is a PersistentVolume (PV)?
A piece of storage in the cluster provisioned by an administrator or dynamically via StorageClass. It has a lifecycle independent of any Pod.

58. What is a PersistentVolumeClaim (PVC)?
A request for storage by a user. It can specify size, access modes, and StorageClass. Once bound to a PV, it can be mounted in a Pod.

59. What is a StorageClass?
Defines different “classes” of storage (e.g., fast SSD, slow HDD) and enables dynamic provisioning of PVs.

60. What are the access modes for PVs?
ReadWriteOnce (RWO – single node), ReadOnlyMany (ROX – many nodes read-only), ReadWriteMany (RWX – many nodes read-write), ReadWriteOncePod (single pod only, newer).

61. What is a CSI driver?
Container Storage Interface: a standard for exposing arbitrary block and file storage systems to containerized workloads. Kubernetes uses CSI to support third-party storage.

62. How do you mount a ConfigMap as a volume?
Define a volume referencing the ConfigMap, then mount it in the container. The file content becomes the ConfigMap’s data keys.

63. What is an emptyDir volume?
A temporary directory that is initially empty and tied to a Pod’s lifecycle. Data survives container restarts but not Pod deletion. Good for scratch space.

64. What is a hostPath volume?
Mounts a file or directory from the host node’s filesystem into a Pod. Use with caution; it ties the Pod to that specific node.

65. How do you use a PV with ReadWriteMany in a real deployment?
You need a storage backend that supports that access mode (e.g., NFS, GlusterFS, CephFS). It’s essential for multiple pods sharing the same data.

Configuration & Secrets

66. What is a ConfigMap?
An object for storing non-sensitive configuration data as key-value pairs. Can be consumed via environment variables, command-line arguments, or as files in a volume.

67. What is a Secret?
Similar to ConfigMap but designed for sensitive data (passwords, tokens, keys). Data is base64-encoded in the manifest; at rest encryption is recommended.

68. How do you create a Secret from literal values?
kubectl create secret generic my-secret --from-literal=password=secret123

69. How do you mount a Secret as environment variables?
In the container spec, use env: with valueFrom.secretKeyRef.

70. Are Secrets truly secure?
By default, they are only base64-encoded and stored in etcd without encryption. You must enable encryption at rest, restrict access via RBAC, and consider using external secret management (Vault, Sealed Secrets).
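The three pieces of questions 68 to 70 put together, added here as an example (not from the original page): a Secret written in plain text via stringData, a Pod consuming one key through secretKeyRef, and the kube-apiserver EncryptionConfiguration that turns on encryption at rest. The names, namespace, image and the key placeholder are assumptions.

```yaml
# 1. The Secret (constructed values). stringData lets you write plain text;
#    the API server base64-encodes it into .data on admission.
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
  namespace: shop
type: Opaque
stringData:
  password: "example-only-change-me"
---
# 2. A Pod that consumes one key as an environment variable (Q69).
apiVersion: v1
kind: Pod
metadata:
  name: shop-api
  namespace: shop
spec:
  automountServiceAccountToken: false   # no API token unless the app needs it
  containers:
    - name: api
      image: registry.example.com/shop-api:2.1   # assumed image
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
---
# 3. kube-apiserver EncryptionConfiguration (Q70), passed to the API server
#    with --encryption-provider-config=<path>. Providers are tried in order
#    for reads; the first is used for writes, so new and rewritten Secrets
#    are encrypted while existing plaintext ones still load via identity.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <BASE64_32_BYTE_KEY_PLACEHOLDER>
      - identity: {}
```

After enabling the configuration, `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` rewrites every existing Secret so it is stored encrypted; until then, old Secrets remain plaintext in etcd.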

71. What is a SealedSecret?
A Kubernetes CRD (from Bitnami) that encrypts a Secret into a SealedSecret which is safe to store in Git. Only the cluster controller can decrypt it.

72. How do you update a ConfigMap and make it available to a running pod?
ConfigMaps mounted as files are updated automatically (depending on symlink mechanism, may take some time). Env vars are not updated; requires pod restart.

73. What is the difference between ConfigMap and environment-specific configuration?
ConfigMaps store configuration, but typically you’d have separate ConfigMaps per environment or use tools like Helm/Kustomize to manage variations.

Security

74. What is RBAC?
Role-Based Access Control: a method of regulating access to Kubernetes API resources based on roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects.

75. What is a ServiceAccount?
A Kubernetes identity used by Pods to authenticate to the API server. Bound to roles to grant permissions within the namespace.

76. What is a ClusterRole vs a Role?
Role is namespaced; ClusterRole is cluster-wide (can also be used for non-namespaced resources). Bindings decide scope.

77. How do you restrict a container from running as root?
Using securityContext in the Pod/container spec: runAsNonRoot: true, and/or by setting runAsUser to a non-zero UID. Also enforce it cluster-wide with the Pod Security Standards.

78. What is a PodSecurityPolicy (PSP)?
Deprecated. Replaced by Pod Security Admission (PSA) and the Pod Security Standards, which enforce a security profile at the namespace level instead of through per-policy objects.

79. What is Pod Security Admission (PSA)?
A built-in controller that enforces Pod Security Standards (privileged, baseline, restricted) at the namespace level via labels.
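A namespace enforcing the restricted standard and a Pod that passes it, covering questions 77 to 79, added here as an example (not from the original page). The namespace name, image, UID and the enforce-version value are assumptions.

```yaml
# 1. Namespace under PSA (Q79). enforce rejects non-compliant Pods;
#    warn/audit only report. Pinning enforce-version keeps a cluster
#    upgrade from silently changing which Pods are admitted.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.29   # assumed; use your minor version
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# 2. A Pod that satisfies "restricted" (Q77, Q78). Dropping any field
#    marked "required" makes the API server reject it in this namespace.
apiVersion: v1
kind: Pod
metadata:
  name: shop-api
  namespace: shop
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true        # required: kubelet refuses to start a UID-0 container
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # required: RuntimeDefault or Localhost
  containers:
    - name: api
      image: registry.example.com/shop-api:2.1   # assumed image
      ports:
        - containerPort: 8080   # unprivileged port, so no extra capability needed
      securityContext:
        allowPrivilegeEscalation: false   # required: setuid binaries cannot gain privilege
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]       # required: only NET_BIND_SERVICE may be added back
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}            # writable scratch; hostPath is forbidden even by baseline
```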

80. What is a NetworkPolicy?
(See question 49.) It acts as a firewall for Pods: ingress and egress rules define which traffic is allowed.

81. How do you secure the Kubernetes API server?
Use TLS, enable RBAC, enable authentication (OIDC, client certs), restrict etcd access, enable audit logging, and limit network exposure.

82. What is the principle of least privilege in Kubernetes?
Grant only the minimum necessary permissions for a user, Pod, or component to do its job, using RBAC.
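A least-privilege grant for a log-shipping agent, covering questions 74 to 76 and 82, added here as an example (not from the original page). The namespace, names, ConfigMap name and image are assumptions.

```yaml
# Dedicated identity for the workload (Q75); never reuse "default".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-shipper
  namespace: shop
automountServiceAccountToken: false   # Pods that need the API opt in below
---
# Namespaced Role (Q76): only needed verbs/resources; no "*", no secrets, one named ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: log-shipper
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["log-shipper-config"]   # resourceNames works with get, not list
    verbs: ["get"]
---
# RoleBinding keeps the grant inside "shop"; binding a ClusterRole here
# would still be limited to this namespace (Q76).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-shipper
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: log-shipper
    namespace: shop
roleRef:
  kind: Role
  name: log-shipper
  apiGroup: rbac.authorization.k8s.io
---
# The workload: mounts the token only because it actually calls the API.
apiVersion: v1
kind: Pod
metadata:
  name: log-shipper
  namespace: shop
spec:
  serviceAccountName: log-shipper
  automountServiceAccountToken: true
  containers:
    - name: shipper
      image: registry.example.com/log-shipper:0.9   # assumed image
```

Verify the boundary with `kubectl auth can-i list secrets --as=system:serviceaccount:shop:log-shipper -n shop`, which should answer no.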

83. How do you use TLS between services?
Implement a service mesh like Istio/Linkerd, or use cert-manager to issue certificates and mount them in Pods.

84. What is imagePullSecrets?
A reference to a secret containing credentials for a private container registry. Configured on the Pod or ServiceAccount to pull images.

85. How do you scan container images for vulnerabilities?
Using tools like Trivy, Clair, or integrated image scanners in CI/CD pipelines. Also enforce with admission controllers like Kyverno or OPA Gatekeeper.

Scheduling & Advanced Features

86. What are taints and tolerations?
Taints are applied to nodes to repel pods that don’t tolerate them. Tolerations are applied to pods to allow them to be scheduled onto nodes with matching taints.

87. What is node affinity?
A set of rules used by the scheduler to determine which node a Pod can be placed on, based on labels on nodes.

88. What is pod affinity/anti-affinity?
Rules that influence which node a Pod can be placed on based on the labels of other Pods already running on that node.

89. How do you dedicate a node to a specific workload?
By tainting the node and adding corresponding tolerations to the workload, plus possibly node affinity.
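The procedure from questions 86 to 89 carried through, added here as an example (not from the original page): taint and label the node, then give the workload a matching toleration and a required node affinity. The node name, labels and image are assumptions.

```yaml
# Node side (run once; assumed node name):
#   kubectl taint nodes gpu-node-1 workload=gpu:NoSchedule
#   kubectl label nodes gpu-node-1 workload=gpu
# The taint keeps everything else off the node; the label lets this
# workload ask for it. A toleration alone only permits scheduling there,
# it does not pull the Pod onto the node, hence the affinity rule too.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trainer
spec:
  replicas: 2
  selector:
    matchLabels:
      app: trainer
  template:
    metadata:
      labels:
        app: trainer
    spec:
      tolerations:
        - key: workload
          operator: Equal
          value: gpu
          effect: NoSchedule
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: workload
                    operator: In
                    values: ["gpu"]
        # Prefer spreading replicas across nodes so one node failure
        # does not take both replicas down.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: trainer
                topologyKey: kubernetes.io/hostname
      containers:
        - name: trainer
          image: registry.example.com/trainer:3.0   # assumed image
```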

90. What is a Horizontal Pod Autoscaler (HPA)?
Automatically scales the number of Pods in a Deployment or ReplicaSet based on observed CPU utilization or custom metrics.

91. What is a Vertical Pod Autoscaler (VPA)?
Adjusts the CPU and memory requests/limits of containers based on usage. Can also evict Pods to apply new values.

92. What is a Custom Resource Definition (CRD)?
Allows you to extend the Kubernetes API with your own resource types. Operators use CRDs to manage applications.

93. What is an Operator?
A method of packaging, deploying, and managing a Kubernetes application using custom resources and custom controllers. Operators encode human operational knowledge in software so routine tasks are handled automatically.

94. What is Helm?
A package manager for Kubernetes. Bundles Kubernetes manifests into charts, supporting templating, versioning, release management, and rollbacks.

95. What is a Helm chart?
A collection of files describing a related set of Kubernetes resources. Contains Chart.yaml, templates/, and values.yaml.

96. How do you upgrade a Helm release?
helm upgrade release-name chart --values values.yaml. Helm applies only the delta between the new chart and the previous deployment.

Monitoring, Logging & Troubleshooting

97. What are the main Kubernetes monitoring tools?
Prometheus (metrics collection), Grafana (visualization), Elasticsearch/Fluentd/Kibana (EFK) for logging, Jaeger for tracing, and Kubernetes Dashboard.

98. How do you debug a Pod stuck in “Pending” state?
kubectl describe pod to see events. Common causes: insufficient resources, no matching node selector/affinity, or volume mounting issues.

99. How do you debug a Pod stuck in “CrashLoopBackOff”?
kubectl logs pod-name (and previous instance with --previous). Check liveness/readiness probes, missing dependencies, resource limits.

100. How do you check resource utilization of Pods and nodes?
kubectl top pods and kubectl top nodes (requires metrics-server). For detailed views, use Prometheus/Grafana dashboards.
