Architecture

Cluster Architecture Quiz

Quiz

Question 1 of 40 (0 answered)

Question 1

What are the two main parts of a Kubernetes cluster?

Control Plane & Worker Nodes Master & Slave API Server & kubelet Nodes & Pods

✓

Correct!

A Kubernetes cluster has two main parts: the Control Plane (the ‘brain’ that makes all scheduling and management decisions) and Worker Nodes (the ‘muscle’ that runs application containers). A common mistake is naming sub-components like API Server or kubelet — those exist within these two layers, not as the layers themselves.

✗

Incorrect

Think about management vs execution layers.

Question 2

Which component is responsible for assigning pods to nodes?

kube-controller-manager kube-scheduler kubelet cloud-controller-manager

✓

Correct!

The kube-scheduler watches for newly created pods with no assigned node and selects the best node based on resource availability, affinity rules, and other constraints. A common confusion: kube-controller-manager reconciles desired state to actual state (e.g., ensuring 3 replicas exist) but doesn’t decide where to place pods — that’s strictly the scheduler’s job.

✗

Incorrect

The name gives away its primary function.

Question 3

The kubelet connects to the API server (not the reverse).

True False

✓

Correct!

Correct! The kubelet on each worker node initiates and maintains a connection to the API server using a watch mechanism. The API server does not initiate connections to kubelets.

✗

Incorrect

Correct! The kubelet on each worker node initiates and maintains a connection to the API server using a watch mechanism. The API server does not initiate connections to kubelets.

Consider which direction the persistent connection is established.

Question 4

The _____ component stores all cluster data as a distributed key-value store.

✓

Correct!

etcd is the single source of truth for all cluster state — every object (pods, services, configs, secrets) is persisted here, and nowhere else. This is why backing up etcd is critical for disaster recovery: if etcd is lost without a backup, the entire cluster state is unrecoverable.

✗

Incorrect

It’s a four-letter word and acts as the cluster’s database.

Question 5

Which namespace contains Kubernetes system components like CoreDNS and kube-proxy?

default kube-system kube-public kube-node-lease

✓

Correct!

kube-system is reserved for Kubernetes system components that must be present for the cluster to function. Keeping them in their own namespace prevents accidental modification by users. The default namespace is where resources land when no namespace is specified — it’s intentionally kept separate from system components.

✗

Incorrect

It has ‘system’ in the name.

Question 6

Which of the following are Control Plane components?

kube-api-server kubelet kube-scheduler kube-proxy etcd kube-controller-manager

✓

Correct!

kube-api-server, kube-scheduler, etcd, and kube-controller-manager run on control plane nodes. kubelet and kube-proxy run on every worker node — kubelet receives pod assignments and kube-proxy maintains service routing rules. A common mistake is placing kube-proxy in the control plane because ‘proxy’ sounds like infrastructure.

✗

Incorrect

Worker nodes run pods; control plane manages the cluster.

Question 7

Which resources are namespace-scoped (not cluster-scoped)?

Pods Nodes Services PersistentVolumes Deployments StorageClasses Secrets

✓

Correct!

Pods, Services, Deployments, and Secrets are namespace-scoped — they belong to a team or environment’s namespace. Nodes, PersistentVolumes, and StorageClasses are cluster-scoped because they represent physical infrastructure shared across all namespaces. The PV/PVC split is a classic trap: PersistentVolumeClaims are namespace-scoped, but the PersistentVolumes they bind to are cluster-scoped.

✗

Incorrect

Think about resources that belong to specific teams or projects.

Question 8

In Kubernetes pod-to-pod communication, pods use NAT (Network Address Translation) to communicate.

True False

✓

Correct!

False! Kubernetes uses direct IP connectivity without NAT. Each pod gets its own IP address and can communicate directly with any other pod using that IP, with the CNI plugin handling routing.

✗

Incorrect

False! Kubernetes uses direct IP connectivity without NAT. Each pod gets its own IP address and can communicate directly with any other pod using that IP, with the CNI plugin handling routing.

Kubernetes networking follows a flat network model.

Question 9

What happens when the kube-api-server fails in a cluster?

All pods stop immediately No new changes possible, but workloads keep running All data is lost Worker nodes shut down

✓

Correct!

When the API server fails, no new changes are possible, but existing workloads keep running. Running pods continue to operate because kubelet manages them independently, but you cannot make any cluster modifications.

✗

Incorrect

Think about the separation between control plane and data plane.

Question 10

For an etcd cluster with 3 nodes, the quorum formula (N/2) + 1 means it can tolerate _____ failure(s).

✓

Correct!

With 3 nodes, the quorum is (3/2) + 1 = 2 nodes. This means the cluster can tolerate 1 failure and still maintain quorum with 2 healthy nodes.

✗

Incorrect

With 3 nodes, the quorum is (3/2) + 1 = 2 nodes. This means the cluster can tolerate 1 failure and still maintain quorum with 2 healthy nodes.

Calculate: how many nodes remain if one fails? Is that enough for quorum?

Question 11

What is the first status a namespace enters during deletion?

Deleted Terminating Removing Finalizing

✓

Correct!

When you delete a namespace, it first enters the Terminating status. During this phase, admission controllers prevent new resource creation, all resources are deleted, finalizers are processed, and finally the namespace is removed.

✗

Incorrect

It’s similar to pod deletion status.

Question 12

Arrange these steps in the correct order when creating a Deployment:

Drag to arrange in the correct deployment creation workflow

⋮⋮ User submits deployment manifest

⋮⋮ kubectl sends to API Server

⋮⋮ API Server validates & stores in etcd

⋮⋮ Scheduler assigns Pods to Nodes

⋮⋮ Deployment Controller creates ReplicaSet

⋮⋮ kubelet starts containers

✓

Correct!

The correct workflow is: User submits → kubectl sends to API Server → API Server validates & stores in etcd → Deployment Controller creates ReplicaSet → Scheduler assigns Pods to Nodes → kubelet starts containers. The Deployment Controller must create the ReplicaSet (and the ReplicaSet Controller creates the Pod objects) before the Scheduler can act — you can’t schedule pods that don’t exist yet as API objects.

✗

Incorrect

Question 13

A pod in the ‘app’ namespace needs to connect to a service called ‘postgres’ in the ‘database’ namespace. What is the fully qualified DNS name (FQDN) it should use?

postgres postgres.database postgres.database.svc.cluster.local database.postgres

✓

Correct!

The fully qualified DNS name format is <service-name>.<namespace>.svc.cluster.local. In this case: postgres.database.svc.cluster.local. The shorter postgres.database also works for cross-namespace access, but the FQDN is preferred in production configs because it’s explicit and works regardless of DNS search domain configuration.

✗

Incorrect

Format: <service-name>.<namespace-name>.svc.cluster.local

Question 14

Namespaces provide complete security boundaries and network isolation by default.

True False

✓

Correct!

False! Namespaces are NOT security boundaries by default. They provide logical separation but not network isolation. Network policies are required for true isolation between namespaces.

✗

Incorrect

False! Namespaces are NOT security boundaries by default. They provide logical separation but not network isolation. Network policies are required for true isolation between namespaces.

Think about what additional resources you need for network isolation.

Question 15

Which of the following are valid reasons to use separate clusters instead of namespaces?

Different teams working on projects Strict security requirements Different Kubernetes versions needed Resource organization Regulatory compliance requirements

✓

Correct!

Use separate clusters for strict security requirements (namespaces share nodes and network — they are not real isolation boundaries), different Kubernetes versions (impossible within a single cluster), and regulatory compliance (may require physical infrastructure separation). Different teams and resource organization are exactly what namespaces are designed for — creating separate clusters for these would waste resources and add operational overhead.

✗

Incorrect

When do namespaces become insufficient?

Question 16

Complete this ResourceQuota to limit a namespace to 50 pods and 20Gi memory:

Fill in the missing field name

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
spec:
  _____:
    pods: "50"
    requests.memory: 20Gi

Your answer:

✓

Correct!

The hard field sets absolute maximum limits — any request that would exceed a hard limit is immediately rejected by the admission controller. There is no ‘soft’ limit in ResourceQuota; the name reflects that these limits are enforced without exception. Compare this to LimitRange, which sets per-container defaults and bounds rather than per-namespace totals.

✗

Incorrect

Question 17

Your namespace deletion is stuck in ‘Terminating’ status. What is the MOST likely cause?

Network connectivity issues Resources with finalizers Insufficient permissions etcd is full

✓

Correct!

The most common cause of stuck namespace deletion is resources with finalizers that haven’t been properly cleaned up. Other causes include unavailable API services or custom resources without proper cleanup.

✗

Incorrect

What prevents Kubernetes from completing the deletion process?

Question 18

What is the primary difference between stacked and external etcd deployment?

Stacked etcd (common default): etcd runs on the same nodes as control plane components

Simpler setup and operations
Fewer machines required
Less resilient: a node failure takes down both control plane components and etcd together

External etcd (better HA): dedicated etcd cluster separate from control plane nodes

Control plane failures don’t affect etcd data
Independent scaling of each tier
More complex to manage and more machines required

Did you get it right?

✓

Correct!

✗

Incorrect

Question 19

In a production multi-node cluster, control plane nodes should run user workloads to maximize resource utilization.

True False

✓

Correct!

False! In production, control plane nodes should NOT run user workloads. They should be dedicated to cluster management to ensure stability and isolation from worker node failures.

✗

Incorrect

False! In production, control plane nodes should NOT run user workloads. They should be dedicated to cluster management to ensure stability and isolation from worker node failures.

Think about best practices for HA and stability.

Question 20

A LimitRange is configured in the ‘dev’ namespace with a maximum container CPU of 2. A user tries to create a pod requesting 3 CPUs. What happens?

apiVersion: v1
kind: LimitRange
metadata:
  name: limits
  namespace: dev
spec:
  limits:
  - type: Container
    max:
      cpu: 2
      memory: 2Gi

What will this code output?

Pod is created successfully Pod creation is rejected Pod runs with 2 CPUs automatically Warning shown but pod created

✓

Correct!

Pod creation is rejected. When a pod requests resources exceeding the LimitRange maximum, the admission controller rejects the request before the pod is created.

✗

Incorrect

Pod creation is rejected. When a pod requests resources exceeding the LimitRange maximum, the admission controller rejects the request before the pod is created.

LimitRange is enforced at admission time.

Question 21

For high availability, you need an etcd cluster that can tolerate 2 failures. How many etcd nodes should you deploy?

3 4 5 6

✓

Correct!

You need 5 nodes. With 5 nodes, quorum is (5/2)+1 = 3. If 2 nodes fail, you still have 3 healthy nodes, which meets the quorum requirement.

✗

Incorrect

You need 5 nodes. With 5 nodes, quorum is (5/2)+1 = 3. If 2 nodes fail, you still have 3 healthy nodes, which meets the quorum requirement.

Use the formula: (N/2) + 1 for quorum. You need quorum even after 2 failures.

Question 22

Which components are REQUIRED for pod networking to function properly?

CNI Plugin CoreDNS kube-proxy Ingress Controller Network Policy Controller

✓

Correct!

CNI Plugin (provides pod IP addresses and routing) and kube-proxy (maintains iptables/ipvs rules for Service routing) are required. CoreDNS is highly recommended for service discovery but pods can technically communicate by IP without it. Ingress Controller is only needed for HTTP/HTTPS routing rules. Network Policy Controller enforces network policies but pods route traffic fine without one — policies just won’t be enforced.

✗

Incorrect

What’s needed for basic pod-to-pod and service communication?

Question 23

Arrange the communication flow when a user runs kubectl get pods:

Drag to arrange in the correct order

⋮⋮ kubectl authenticates with API Server

⋮⋮ API Server sends response to kubectl

⋮⋮ API Server queries etcd

⋮⋮ etcd returns pod data

⋮⋮ User sees pod list

✓

Correct!

The flow is: kubectl authenticates → API Server queries etcd → etcd returns data → API Server sends response → User sees results. Authentication happens first because the API server rejects any request before verifying identity. Every read operation goes through etcd via the API server — there is no in-memory cache in the standard control path, which is why API server latency scales directly with etcd performance.

✗

Incorrect

Question 24

The control plane component that handles cloud provider integration (like load balancers and storage) is called _____.

✓

Correct!

The cloud-controller-manager decouples cloud-specific logic from core Kubernetes, allowing each cloud provider to implement their own controllers without patching the core codebase. It manages cloud resources like load balancers (for Services of type LoadBalancer), storage volumes, and routes — things that differ across AWS, GCP, and Azure. It is optional in on-premises clusters that have no cloud integrations.

✗

Incorrect

It has ‘cloud’ and ‘controller’ in its name.

Question 25

When a worker node’s kubelet fails, all pods running on that node immediately stop.

True False

✓

Correct!

False! When kubelet fails, pods keep running because the container runtime continues to operate. However, the pods are no longer managed—kubelet won’t restart failed containers or report status to the control plane.

✗

Incorrect

Think about the separation between container runtime and kubelet.

Question 26

The _____ is the ‘front-end for the control plane’ that all other components and users must communicate through.

✓

Correct!

The kube-api-server is the sole entry point for all cluster operations. Every request — from kubectl, from internal controllers, from kubelets — is authenticated, authorized, and processed through the API server before being committed to etcd. No component reads from or writes to etcd directly.

✗

Incorrect

It’s the component that all other components and users interact with.

Question 27

What are the three key responsibilities of Worker Nodes?

Run pods (application containers)
Monitor pod health and report status
Provide networking for pods and communicate with control plane

Worker nodes execute workloads while the control plane makes decisions.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 28

What is the best practice for namespace usage in production?

Use the ‘default’ namespace for all workloads Create one namespace per pod Avoid using ‘default’ namespace; create dedicated namespaces Use only ‘kube-system’ for production

✓

Correct!

Using the default namespace in production is an anti-pattern: there is no access control isolation (any user can see and modify all resources), no resource quotas scoped to a team, and kubectl get pods returns all pods making operational visibility poor. Dedicated namespaces let you apply RBAC, ResourceQuotas, and LimitRanges per team or environment.

✗

Incorrect

Organization and separation are key in production.

Question 29

All cluster operations must go through the API server for authentication and authorization.

True False

✓

Correct!

True! The API server is the only entry point for all cluster operations. Every request (from kubectl, components, or controllers) must go through the API server where authentication and authorization are enforced.

✗

Incorrect

Think about the centralized control pattern.

Question 30

The component on each worker node that maintains network rules for service routing is called _____.

✓

Correct!

kube-proxy implements Kubernetes Service abstraction on each node. When you create a Service, kube-proxy watches the API server for endpoint changes and updates iptables or ipvs rules so traffic to a Service’s ClusterIP is routed to healthy pods. If kube-proxy fails on a node, new services and endpoint changes stop taking effect on that node — existing connections may persist until they break, but no new routing updates are applied.

✗

Incorrect

It has ‘proxy’ in its name and handles networking.

Question 31

What happens when kube-scheduler fails in a Kubernetes cluster?

All running pods stop immediately New pods remain in Pending state, but running pods continue normally No new cluster changes are possible, but workloads keep running Failed pods are not replaced and self-healing stops

✓

Correct!

When kube-scheduler fails, existing pods keep running unaffected — the scheduler does not manage running pods, only assigns new ones to nodes. New pods get created as API objects but remain in Pending state indefinitely because no component is available to assign them a node. Common mix-up: ‘No new changes possible’ describes kube-api-server failure; ‘self-healing stops’ describes kube-controller-manager failure. The scheduler only handles placement, not detection of failures.

✗

Incorrect

The scheduler’s only job is assigning pods to nodes — it doesn’t control what’s already running.

Question 32

A Deployment is running 3 replicas. Two pods crash, but no replacement pods are created — not even in Pending state. Which component has most likely failed?

kube-scheduler kube-controller-manager kubelet kube-proxy

✓

Correct!

The kube-controller-manager hosts the ReplicaSet controller, which detects discrepancies between desired state (3 replicas) and actual state (1 running) and creates new pod objects. If no pod objects are being created at all (not even in Pending), the controller-manager has failed. kube-scheduler failure would leave new pods stuck in Pending — the pods would at least exist as API objects. kubelet failure affects only one node and would not prevent cluster-wide pod replacement. kube-proxy only handles service routing rules.

✗

Incorrect

What component detects that fewer replicas exist than desired and creates new pod objects to compensate?

Question 33

Complete the LimitRange to set the default CPU limit applied to containers when no resource limits are specified:

Fill in the missing field name

spec:
  limits:
  - type: Container
    _____:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi

Your answer:

✓

Correct!

The default field sets the limits automatically applied to a container when none are specified. The defaultRequest field sets the requests applied when none are specified. These are commonly confused: default → limits; defaultRequest → requests. If neither is set and a ResourceQuota enforces limits, a pod without explicit limits is rejected. The max and min fields are bounds — they reject pods outside the allowed range rather than applying defaults.

✗

Incorrect

Question 34

The kube-public namespace is readable only by authenticated users.

True False

✓

Correct!

False! kube-public is intentionally readable by all users, including unauthenticated ones. Its purpose is to expose cluster information that needs to be publicly accessible — typically a ConfigMap with cluster metadata used during cluster bootstrapping. The name ‘public’ is the giveaway. This is a security consideration: never store sensitive data in kube-public. Both kube-system (system components) and kube-node-lease (heartbeat objects) require authentication.

✗

Incorrect

The name of the namespace describes its access policy.

Question 35

The _____ namespace contains Lease objects that worker nodes use to report heartbeats to the control plane.

✓

Correct!

kube-node-lease holds a Lease object for each node. The kubelet renews its node’s Lease on each heartbeat cycle. The control plane uses lease expiry to detect node health — a missed renewal triggers the node condition to change to NotReady. This dedicated namespace was introduced to reduce API server load: before Lease objects existed, kubelet heartbeats required updating the Node object directly, which caused write contention under high node counts.

✗

Incorrect

The namespace name combines ‘kube’ with the purpose: tracking node leases.

Question 36

A worker node’s container runtime (containerd) crashes. What is the IMMEDIATE impact on that node?

All existing containers stop immediately Existing containers keep running, but new containers cannot start kubelet automatically restarts containerd and resumes normal operation The node is immediately marked NotReady and all pods are evicted

✓

Correct!

Existing containers keep running because containerd uses a per-container shim process (containerd-shim) that is independent from the main containerd daemon. Running containers are owned by these shim processes, not containerd itself, so they survive a containerd crash. New containers cannot start because container creation requires the runtime daemon. The node is eventually marked NotReady as kubelet loses its ability to report status, but this is not immediate — it happens after the heartbeat timeout expires.

✗

Incorrect

Think about what actually owns the running container process vs what manages container lifecycle.

Question 37

In a highly available Kubernetes control plane with 3 API server instances, a _____ is required in front of them so that kubectl and other components use a single stable endpoint.

✓

Correct!

A load balancer sits in front of multiple API server instances in an HA control plane. Without it, clients (kubectl, kubelets, controllers) would be hardcoded to a single API server — defeating the purpose of running multiple instances. The load balancer provides one stable endpoint while distributing traffic and routing around failed instances. In cloud environments this is typically a cloud load balancer (ELB, GCP LB); on-premises setups often use HAProxy or keepalived.

✗

Incorrect

What distributes traffic across multiple servers and provides a single stable endpoint?

Question 38

A ClusterRole can only be bound at the cluster scope — it cannot grant permissions within a specific namespace.

True False

✓

Correct!

False! A ClusterRole can be bound within a namespace by pairing it with a RoleBinding (not a ClusterRoleBinding). When a RoleBinding references a ClusterRole, it grants those permissions only within the RoleBinding’s namespace. This is useful for defining standard permission templates once (e.g., a ‘pod-reader’ ClusterRole) and reusing them across namespaces without duplicating Role objects. The scope of the permission grant is determined by the Binding type: ClusterRoleBinding = cluster-wide, RoleBinding = namespace-scoped, regardless of whether the role is a Role or ClusterRole.

✗

Incorrect

The binding type — RoleBinding vs ClusterRoleBinding — determines the scope, not the role type itself.

Question 39

You configure a HorizontalPodAutoscaler (HPA) targeting CPU utilization, but pods never scale. No errors are visible in the Deployment. Which missing add-on is the most likely cause?

CoreDNS Ingress Controller Metrics Server Network Policy Controller

✓

Correct!

Metrics Server provides the resource metrics API that HPA queries to read current CPU and memory utilization. Without it, the HPA controller cannot retrieve utilization data and silently fails to scale — the HPA status shows ‘unable to get metrics’ but no Deployment error appears. CoreDNS enables service discovery but does not supply resource metrics. Ingress Controller handles HTTP routing. Network Policy Controller enforces traffic rules. Metrics Server is frequently overlooked because it is not installed by default in many Kubernetes distributions.

✗

Incorrect

HPA needs to read live CPU/memory usage — what add-on component provides that data?

Question 40

What is the fundamental difference between LimitRange and ResourceQuota?

LimitRange — per-container (or per-pod) defaults and bounds:

Sets default requests/limits injected when none are specified
Enforces min/max per individual container or pod
Does NOT limit namespace totals

ResourceQuota — namespace-wide totals:

Caps the aggregate CPU, memory, and object counts across an entire namespace
Pod creation is rejected when adding it would exceed the quota
Does NOT set per-container defaults or bounds

Key distinction: LimitRange governs individual containers; ResourceQuota governs the namespace as a whole.

Did you get it right?

✓

Correct!

✗

Incorrect

Quiz Results

Score

0/0

Accuracy

Right

Wrong

Skipped

Last updated on May 2, 2026

Introduction to K8s Control Plane