Free Practice Questions for Linux Foundation CNPA Exam

Crossplane integrates tightly with GitOps workflows by extending Kubernetes with infrastructure APIs. Option B is correct because infrastructure resources (databases, networks, S3 buckets, etc.) are defined declaratively in Git repositories. Git becomes the single source of truth, while Crossplane controllers automatically reconcile the desired state into real infrastructure across supported cloud providers.

Option A reflects imperative scripting, which contradicts GitOps principles. Option C (manual provisioning) lacks automation, governance, and repeatability. Option D involves manual application with kubectl, which bypasses GitOps reconciliation loops.

With Crossplane and GitOps, teams achieve consistent, reproducible, and auditable infrastructure provisioning at scale. This enables full alignment with cloud native platform engineering principles of declarative management, self-service, and extensibility.

Crossplane is the CNCF project designed to extend Kubernetes with the ability to provision and manage cloud resources via Kubernetes-native APIs. Option B is correct because Crossplane lets developers use familiar Kubernetes manifests to request resources like S3 buckets, databases, or VPCs while abstracting provider-specific implementation details. Platform teams can define compositions and abstractions, providing developers with golden paths that include organizational guardrails.

Option A (Cluster API) is focused on provisioning Kubernetes clusters themselves, not cloud services. Option C (Helm) manages Kubernetes application deployments but does not provision external infrastructure. Option D (OpenTofu) is a Terraform fork that provides IaC but is not Kubernetes-native.

By leveraging Crossplane, platform teams achieve infrastructure as data and full GitOps integration, empowering developers to provision services declaratively while ensuring governance and compliance.

Declarative resource management is a core principle in Kubernetes and cloud native platforms. Option C is correct because declarative systems define the desired state of resources (e.g., YAML manifests for Deployments, Services, or ConfigMaps), and controllers reconcile the actual state to match the desired state. This provides consistency, automation, and resilience, while also allowing dynamic adjustments like scaling.

Option A (imperative management) requires step-by-step commands, which are error-prone and not scalable. Option B (manual tracking) adds overhead and risk of drift. Option D (static allocation) wastes resources and does not adapt to changing workloads.

Declarative management enables GitOps workflows, automated scaling, and consistent application of policies. This approach aligns with platform engineering principles by combining automation with governance, enabling efficiency and reliability at scale.

Role-Based Access Control (RBAC) in Kubernetes is a cornerstone of cluster security, enabling fine-grained access control based on the principle of least privilege. Option D is correct because RBAC leverages Roles (or ClusterRoles) that define sets of permissions, and RoleBindings (or ClusterRoleBindings) that assign those roles to users, groups, or service accounts. This mechanism ensures that users have only the minimum required access to perform their tasks, enhancing both security and governance.

Option A is incorrect because RBAC fully supports namespace-scoped roles, allowing isolation of permissions at the namespace level in addition to cluster-wide roles. Option B is wrong because RBAC is specifically designed to restrict, not grant, unrestricted access. Option C is misleading because RBAC applies broadly across Kubernetes API resources, not just Pods—it includes ConfigMaps, Secrets, Deployments, Services, and more.

By applying RBAC correctly, platform teams can align with security best practices, ensuring that sensitive operations (e.g., managing secrets or modifying cluster configurations) are tightly controlled. RBAC is also central to compliance frameworks, as it provides auditability of who has access to what resources.

In GitOps workflows, the source of truth for environments is stored in Git. Promotion from staging to production is managed by merging changes into the production branch or repository. Option A is correct because once changes are merged, the GitOps operator (e.g., Argo CD, Flux) automatically detects the updated desired state in Git and reconciles it with the production environment.

Option B (creating new environments each time) is inefficient and unnecessary. Option C (manual updates) violates GitOps principles of automation and auditability. Option D (direct deployments) reverts to a push-based CI/CD model rather than GitOps’ pull-based reconciliation.

By relying on Git as the single source of truth, GitOps ensures version control, auditability, and rollback capabilities. This allows consistent, reproducible promotion between environments while reducing human error.

The declarative approach to Infrastructure as Code (IaC) is the foundation of Kubernetes and GitOps practices. Option A is correct because declarative IaC defines the desired state of the infrastructure (e.g., Kubernetes YAML manifests) and relies on controllers or reconciliation loops to ensure the actual state matches the declared one. This allows for automation, consistency, and drift correction without manual intervention.

Option B (imperative) requires explicit step-by-step instructions, which are not automatically enforced after execution. Option C (hybrid) can combine both methods but does not guarantee reconciliation. Option D (manual) is error-prone and eliminates the benefits of IaC entirely.

Declarative IaC reduces cognitive load, improves reproducibility, and ensures compliance through automated drift detection and reconciliation, which are essential in platform engineering for multi-cluster and multi-team environments.

Continuous Integration (CI) and Continuous Delivery (CD) are complementary practices. Option A is correct: CI is a prerequisite for CD. CI focuses on automating code integration by building, testing, and validating changes, ensuring code quality and early detection of defects. CD builds upon CI by automating the process of releasing validated builds into staging and production environments, making delivery repeatable and reliable.

Option B incorrectly treats them as entirely separate. Option C reverses the relationship, as CD cannot exist without CI pipelines. Option D is inaccurate because CI and CD are not interchangeable—they represent distinct stages in the software delivery lifecycle.

Together, CI/CD accelerates software delivery, reduces risk, and improves quality. In platform engineering, CI/CD pipelines are critical enablers of developer productivity and efficient operations.

Helm provides native support for managing versioned releases, allowing easy rollback in case of issues. Option A is correct because the helm rollback command reverts the deployment to a previously known stable release without requiring a redeployment from scratch. This ensures fast recovery and minimizes downtime after a faulty upgrade.

Option B (helm upgrade --force) attempts to reapply an upgrade but does not restore the previous version. Option C (helm template) only renders Kubernetes manifests from charts and does not affect running releases. Option D (helm uninstall) removes the release entirely, which is not suitable for quick recovery.

Rollback functionality is essential in platform engineering for resilience and rapid mitigation of production issues. By using helm rollback, teams align with best practices for safe, controlled release management in Kubernetes environments.

The primary reason for implementing multiple environments in cloud native platforms is to isolate the different phases of the software development lifecycle. Option A is correct because environments such as development, staging, and production enable testing and validation at each stage without impacting end users. Development environments allow rapid iteration, staging environments simulate production for integration and performance testing, and production environments serve real users.

Option B (reducing costs) may be a side effect but is not the main purpose. Option C (distributing traffic) relates more to load balancing and high availability, not environment separation. Option D is the opposite of the goal—different environments often require tailored infrastructure to meet their distinct purposes.

Isolation through multiple environments is fundamental to reducing risk, supporting continuous delivery, and ensuring stability. This practice also allows for compliance checks, automated testing, and user acceptance validation before changes reach production.