Control Plane

Control Plane Components Quiz

Quiz

Question 1 of 41 (0 answered)

Question 1

Which component is the ONLY one that directly interacts with etcd?

kube-scheduler kube-api-server kube-controller-manager kubelet

✓

Correct!

The kube-api-server is the only component that directly interacts with etcd. All other components communicate through the API server to read or modify cluster state.

✗

Incorrect

The kube-api-server is the only component that directly interacts with etcd. All other components communicate through the API server to read or modify cluster state.

Think about which component serves as the central hub for all communication.

Question 2

What happens when the kube-api-server fails? Select all that apply.

Existing workloads continue running Networking continues to function kubectl commands fail New pods can still be scheduled Controllers can still reconcile state

✓

Correct!

When the API server fails, the data plane (existing workloads and networking) continues to function, but the control plane operations cease. No new changes are possible, kubectl fails, and controllers cannot reconcile because they cannot communicate without the API server.

✗

Incorrect

Consider the difference between control plane and data plane operations.

Question 3

The kube-scheduler both makes scheduling decisions AND executes the actual pod placement on nodes.

True False

✓

Correct!

False. The kube-scheduler only makes scheduling DECISIONS by assigning pods to nodes (updating the nodeName field). The actual pod PLACEMENT and execution is done by the kubelet on the assigned node.

✗

Incorrect

False. The kube-scheduler only makes scheduling DECISIONS by assigning pods to nodes (updating the nodeName field). The actual pod PLACEMENT and execution is done by the kubelet on the assigned node.

Think about the division of responsibilities between control plane and worker nodes.

Question 4

The scheduling process has two main phases: the filtering phase removes unsuitable nodes, and the _______ phase ranks the remaining nodes.

✓

Correct!

The scheduling process consists of two phases: 1) Filtering (predicate) phase that eliminates unsuitable nodes, and 2) Scoring (priority) phase that ranks the remaining nodes to select the best match.

✗

Incorrect

After filtering, nodes need to be ranked somehow.

Question 5

Given an etcd cluster configuration, what is the minimum number of nodes needed for quorum if you want to tolerate 2 node failures?

# etcd cluster configuration
# Goal: Tolerate 2 failures
# Formula: Quorum = (N/2) + 1
# Quorum must be > 50% of total nodes

# If 2 nodes can fail, how many total nodes needed?

What will this code output?

3 nodes 4 nodes 5 nodes 6 nodes

✓

Correct!

To tolerate 2 failures, you need 5 nodes. With 5 nodes, quorum requires 3 nodes ((5/2)+1=3). If 2 nodes fail, you still have 3 nodes available to maintain quorum. With only 4 nodes, losing 2 would leave you with 2 nodes, which is not enough for quorum (need 3).

✗

Incorrect

Calculate backwards: if 2 fail, how many remain must still meet (N/2)+1?

Question 6

What is the reconciliation loop in Kubernetes?

Reconciliation Loop is the continuous process where controllers compare the desired state (from resource specs in etcd) with the actual state (current reality) and take corrective action when they differ.

Key characteristics:

Runs approximately every 30 seconds
Event-driven but also periodic
Ensures self-healing and state enforcement
Foundation of Kubernetes’ declarative model

Did you get it right?

✓

Correct!

✗

Incorrect

Question 7

Arrange the API server request processing pipeline in the correct order:

Drag to arrange in the correct order from first to last

⋮⋮ Authentication

⋮⋮ Authorization

⋮⋮ Validation

⋮⋮ Admission Controllers

⋮⋮ Persistence to etcd

✓

Correct!

The correct pipeline is: 1) Authentication (Who are you?), 2) Authorization (What can you do?), 3) Admission Control (Should we allow this?), 4) Validation (Is this valid?), 5) Persistence to etcd. Each step must pass before proceeding to the next.

✗

Incorrect

Question 8

Complete the kubectl command to taint a node so that no pods will schedule on it:

Fill in the missing taint effect

kubectl taint nodes node1 maintenance=true:_____

Your answer:

✓

Correct!

The NoSchedule effect prevents new pods from being scheduled on the node unless they have a matching toleration. Other effects include NoExecute (evicts existing pods) and PreferNoSchedule (soft version). Syntax: kubectl taint nodes <node-name> <key>=<value>:<effect>

✗

Incorrect

Question 9

In a 3-node etcd cluster, what happens if 2 nodes fail?

The cluster continues to operate normally The cluster becomes read-only The cluster immediately crashes The remaining node can still process writes

✓

Correct!

With 2 out of 3 nodes failed, the cluster loses quorum (needs 2, has only 1). The cluster becomes read-only — existing workloads continue running, but no changes can be made. Quorum must be restored to resume write operations.

✗

Incorrect

Think about the quorum formula: (N/2) + 1

Question 10

Which controllers are part of the kube-controller-manager? Select all that apply.

Node Controller Endpoints Controller Ingress Controller Deployment Controller Service Mesh Controller StatefulSet Controller

✓

Correct!

The kube-controller-manager includes Node Controller, Endpoints Controller, Deployment Controller, and StatefulSet Controller (among others). Ingress Controller and Service Mesh Controller are typically separate components deployed in the cluster, not part of the core controller manager.

✗

Incorrect

Consider which controllers are fundamental to Kubernetes vs. add-ons.

Question 11

When the kube-controller-manager fails, Kubernetes can no longer perform self-healing operations like replacing failed pods.

True False

✓

Correct!

True. The kube-controller-manager runs the reconciliation loops that enable self-healing. When it fails, controllers cannot detect and correct state discrepancies, so failed pods won’t be replaced, scaling won’t work, and rolling updates will stop.

✗

Incorrect

Think about what component enforces desired state.

Question 12

The kube-scheduler watches for pods where the _______ field is null, indicating they need to be assigned to a node.

✓

Correct!

The kube-scheduler watches for pods with nodeName=null (unscheduled pods). After selecting an appropriate node through filtering and scoring, the scheduler updates the pod’s nodeName field via the API server, which triggers the kubelet on that node to start the pod.

✗

Incorrect

What field identifies which node a pod should run on?

Question 13

A Deployment specifies replicas: 5 but only 3 pods are currently running. What action will the Deployment Controller take?

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 5

# Current state: 3 pods running

What will this code output?

Delete 2 pods to match the lower number Create/update ReplicaSet to ensure 5 pods exist Wait for manual intervention Scale down to 3 to match current state

✓

Correct!

The Deployment Controller detects the discrepancy (desired=5, actual=3) and takes action by creating or updating the ReplicaSet. The ReplicaSet Controller then creates the 2 missing pods. This is the reconciliation loop in action—continuously working to match actual state to desired state.

✗

Incorrect

Think about how reconciliation loops work.

Question 14

What is the Raft consensus algorithm’s role in etcd?

Raft Consensus Algorithm ensures consistency across the distributed etcd cluster.

How it works:

Elects a leader among etcd nodes
Leader handles all write operations
Writes must be acknowledged by quorum (majority)
Guarantees strong consistency
Automatically handles leader failures

Why it matters: Prevents split-brain scenarios and ensures all nodes agree on the cluster state even during network partitions or node failures.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 15

Arrange the complete flow of pod creation in the correct order:

Order these steps from when a user creates a pod to when it’s running

⋮⋮ API server authenticates & validates

⋮⋮ kubelet starts container

⋮⋮ kubectl creates pod request

⋮⋮ Controller verifies desired state

⋮⋮ Pod stored in etcd (nodeName=null)

⋮⋮ Scheduler detects and assigns node

✓

Correct!

The complete flow: 1) User sends create request, 2) API server processes it (auth, authz, validation), 3) Pod saved to etcd without node assignment, 4) Scheduler watches, selects node, and binds pod, 5) kubelet on assigned node pulls image and starts container, 6) Controller monitors to ensure state is maintained.

✗

Incorrect

Question 16

Complete the etcdctl command to create a backup snapshot:

Fill in the missing subcommand

ETCDCTL_API=3 etcdctl _____ save snapshot.db

Your answer:

✓

Correct!

The correct command is etcdctl snapshot save. The snapshot subcommand creates a point-in-time backup of the etcd database. This is critical for disaster recovery since etcd stores all cluster state.

✗

Incorrect

Question 17

Which phase of the scheduling process eliminates nodes that lack sufficient CPU resources?

Scoring phase (Priority phase) Filtering phase (Predicate phase) Binding phase Selection phase

✓

Correct!

The Filtering phase (also called Predicate phase) eliminates unsuitable nodes based on hard constraints like insufficient resources, taints without tolerations, node selector mismatches, etc. The Scoring phase comes after and ranks the remaining nodes.

✗

Incorrect

Think about whether resource requirements are hard constraints or preferences.

Question 18

What data is stored in etcd? Select all that apply.

Pod specifications and status Container logs Secrets and ConfigMaps Deployment definitions Prometheus metrics Service definitions

✓

Correct!

etcd stores all Kubernetes resource definitions and their current state: pods, deployments, services, secrets, configmaps, etc. It does NOT store container logs (stored on nodes) or metrics (stored in monitoring systems like Prometheus). etcd is for cluster state, not operational data.

✗

Incorrect

Consider what represents cluster state vs. runtime operational data.

Question 19

The cloud-controller-manager is required for all Kubernetes clusters to function properly.

True False

✓

Correct!

False. The cloud-controller-manager is optional and only needed for clusters running on cloud providers (AWS, GCP, Azure). It manages cloud-specific resources like load balancers, volumes, and routes. On-premises or bare-metal clusters don’t use it.

✗

Incorrect

Think about whether all Kubernetes clusters run in the cloud.

Question 20

All control plane components communicate through the _______, which serves as the central hub for the cluster.

✓

Correct!

All control plane components communicate through the kube-api-server, which acts as the central hub. No component directly communicates with another—everything goes through the API server. This design simplifies security, consistency, and monitoring.

✗

Incorrect

What component is described as the ‘front door’ of Kubernetes?

Question 21

What will happen if you try to run kubectl commands when the kube-api-server is down but the kube-scheduler and kube-controller-manager are running?

# Control plane status:
# kube-api-server: DOWN ❌
# kube-scheduler: UP ✅
# kube-controller-manager: UP ✅
# etcd: UP ✅

$ kubectl get pods

What will this code output?

Commands work normally since other components are up Commands fail—cannot connect to API server Commands work but data might be stale Commands are queued until API server returns

✓

Correct!

kubectl commands will fail because kubectl communicates exclusively with the kube-api-server. Even though scheduler, controller-manager, and etcd are running, without the API server there is no way to access the cluster. The API server is the only entry point for all external communication.

✗

Incorrect

How does kubectl communicate with the cluster?

Question 22

What are Node Affinity and Pod Affinity/Anti-Affinity?

Node Affinity — places pods on nodes matching labels; not topology-aware

required...: hard constraint; pod stays Pending if no node matches
preferred...: soft preference; scheduler tries but won’t block scheduling

Pod Affinity / Anti-Affinity — topology-aware placement relative to other pods

topologyKey defines scope (e.g., hostname for node-level, zone for zone-level)
Affinity: co-locate pods near matching pods (e.g., same zone for low latency)
Anti-Affinity: spread pods away from matching pods (e.g., across nodes for HA)

Did you get it right?

✓

Correct!

✗

Incorrect

Question 23

Why does Kubernetes recommend odd numbers (3, 5, 7) rather than even numbers for etcd cluster size?

Odd numbers provide better performance Even numbers cannot form a quorum Odd numbers are more cost-effective with same fault tolerance as the next even number Even numbers create split-brain risk since equal partitions can both claim leadership

✓

Correct!

Odd numbers are recommended because they provide the same fault tolerance as the next even number. For example, both 3 and 4 nodes can tolerate 1 failure (need quorum of 2 and 3 respectively). Since you get no additional fault tolerance with 4 nodes vs 3, the 4th node is wasted. Even numbers do NOT create split-brain risk—Raft’s quorum requirement blocks writes on both sides of an equal partition, preventing conflicting writes. The reason to prefer odd numbers is purely cost efficiency.

✗

Incorrect

Compare the fault tolerance of 3 vs 4 nodes, or 5 vs 6 nodes.

Question 24

When the kube-scheduler fails, which statements are true? Select all that apply.

Existing pods continue running normally New pods get stuck in Pending state Running pods will be terminated Services and networking continue to work Controllers stop reconciling

✓

Correct!

When the scheduler fails: existing pods continue running, networking works, and services function normally. However, new pods cannot be assigned to nodes and remain in Pending state. Controllers continue to work (they don’t depend on scheduler), but the pods they create won’t be scheduled.

✗

Incorrect

Think about what the scheduler does vs. what keeps pods running.

Question 25

The API server provides a ‘watch’ mechanism that allows components to subscribe to real-time updates when resources change, rather than constantly polling.

True False

✓

Correct!

True. The kube-api-server provides a watch mechanism that allows components (scheduler, controllers, kubelet) to subscribe to resource changes. When a resource is created, modified, or deleted, watchers are immediately notified. This event-driven architecture is more efficient than polling.

✗

Incorrect

Think about how components stay in sync without overwhelming the API server.

Question 26

A Kubernetes Service of type LoadBalancer is created on an AWS cluster. Which component provisions the corresponding AWS load balancer?

kube-controller-manager via its Service Account Controller cloud-controller-manager via its Service Controller kube-api-server by calling the AWS API directly kube-scheduler via cloud affinity rules

✓

Correct!

The cloud-controller-manager’s Service Controller provisions and manages cloud-specific load balancers (like AWS ELB/NLB, GCP Load Balancer, Azure Load Balancer) for Services of type LoadBalancer. The kube-controller-manager handles cloud-agnostic resources; cloud-specific integrations are handled by cloud-controller-manager to keep provider logic out of the core Kubernetes codebase.

✗

Incorrect

Which component handles cloud provider-specific operations?

Question 27

Given this nodeSelector configuration, which node label must exist for the pod to be scheduled?

apiVersion: v1
kind: Pod
metadata:
  name: web-pod
spec:
  nodeSelector:
    disktype: ssd
    zone: us-east-1a
  containers:
  - name: nginx
    image: nginx

What will this code output?

Only disktype: ssd Only zone: us-east-1a Both disktype: ssd AND zone: us-east-1a Either disktype: ssd OR zone: us-east-1a

✓

Correct!

nodeSelector requires ALL specified labels to match. A node must have both disktype=ssd AND zone=us-east-1a labels for this pod to be scheduled on it. If any label is missing or has a different value, the node is filtered out during the scheduling filtering phase.

✗

Incorrect

Does nodeSelector use AND logic or OR logic?

Question 28

Order these etcd cluster sizes from LEAST to MOST fault-tolerant:

Arrange by number of node failures each can tolerate

⋮⋮ 5 nodes

⋮⋮ 1 node

⋮⋮ 7 nodes

⋮⋮ 3 nodes

✓

Correct!

Fault tolerance increases with cluster size: 1-node clusters cannot tolerate any failures, 3-node clusters tolerate 1 failure, 5-node clusters tolerate 2 failures, and 7-node clusters tolerate 3 failures. The pattern follows: tolerated failures = (N-1)/2.

✗

Incorrect

Question 29

What is the difference between Admission Controllers (mutating vs validating)?

Mutating Admission Controllers — modify requests before persistence; run FIRST

Inject sidecars, set defaults, add labels
Can change the resource definition

Validating Admission Controllers — validate without modifying; run AFTER mutating

Enforce policies, check quotas, apply custom rules
Can only accept or reject

Pipeline: Request → Mutating → Validating → Validation → etcd

Example: Mutating injects Istio sidecar; Validating blocks pod if namespace quota exceeded.

Did you get it right?

✓

Correct!

✗

Incorrect

Question 30

A new pod passes its readiness probe and joins a Deployment’s ReplicaSet. Which component updates the Endpoints object so the Service begins routing traffic to it?

kube-scheduler, which tracks pod placement across nodes kubelet, which reports the pod’s Ready status to the API server Endpoints Controller, which populates Endpoints objects when pod readiness changes Node Controller, which monitors pod health on the node

✓

Correct!

The Endpoints Controller watches for pods whose readiness changes and updates the corresponding Endpoints objects accordingly. Services route traffic to pods by reading these Endpoints objects, so the Endpoints Controller is the bridge between pod lifecycle and Service-level traffic routing. kubelet reports Ready status upstream, but the Endpoints Controller is what acts on that signal to update routing.

✗

Incorrect

Think about how a Service discovers which pods are ready to receive traffic.

Question 31

Complete the pod tolerations configuration to allow scheduling on a node with a specific taint:

Fill in the missing toleration field

spec:
  tolerations:
  - key: "key"
    operator: "Equal"
    value: "value"
    _____: "NoSchedule"

Your answer:

✓

Correct!

The effect field in tolerations specifies which taint effect this toleration applies to (NoSchedule, NoExecute, or PreferNoSchedule). The toleration must match the taint’s key, value, and effect for the pod to be scheduled on the tainted node.

✗

Incorrect

Question 32

If etcd experiences total data loss, the cluster can recover by having the controllers and API server rebuild the state from memory.

True False

✓

Correct!

False. etcd is the single source of truth — there is no other persistent storage of cluster state. If etcd experiences total data loss without backups, the cluster is unrecoverable and must be rebuilt from scratch. This highlights the critical importance of regular etcd backups.

✗

Incorrect

Where is cluster state persisted?

Question 33

Which of the following are responsibilities of the cloud-controller-manager? Select all that apply.

Update node addresses from cloud provider Manage TLS certificates for ingress controllers Create and manage cloud load balancers Configure cluster autoscaling policies Remove failed nodes from the cluster Manage persistent cloud volumes

✓

Correct!

The cloud-controller-manager handles cloud-specific operations: updating node addresses, creating load balancers for LoadBalancer-type services, removing failed nodes, and managing cloud volumes (attach/detach). TLS certificate management is handled by separate tools like cert-manager, not cloud-controller-manager. Cluster autoscaling is handled by Cluster Autoscaler, a separate component that runs independently.

✗

Incorrect

Focus on responsibilities that are specific to cloud infrastructure integration.

Question 34

Complete the etcdctl command to restore a cluster from a snapshot backup: ETCDCTL_API=3 etcdctl snapshot _____ snapshot.db

✓

Correct!

The etcdctl snapshot restore command restores an etcd database from a backup file. While snapshot save creates the backup, snapshot restore is the recovery operation — after restoring, etcd must be restarted pointing to the new data directory. Together, save and restore form the critical backup/recovery workflow that protects against total cluster data loss.

✗

Incorrect

Think about the opposite of ‘save’.

Question 35

A developer creates a new namespace dev-team. Without any additional configuration, which component ensures a default service account is automatically available in that namespace?

kube-api-server, which creates default resources when persisting a new namespace Service Account Controller in kube-controller-manager kubelet, which provisions the service account when the first pod is scheduled Namespace Controller, which manages all child resources within a namespace

✓

Correct!

The Service Account Controller (part of kube-controller-manager) watches for new namespaces and automatically creates a default service account in each one. This is reconciliation loop behavior — the controller continuously ensures every namespace has a default SA. The API server handles validation and storage but does not create child resources; the Namespace Controller manages namespace lifecycle (cleanup on deletion), not resource provisioning within namespaces.

✗

Incorrect

Which component runs reconciliation loops to maintain desired state?

Question 36

Which sub-controller of the cloud-controller-manager configures network routes in cloud infrastructure so that pods on different nodes can communicate directly using their pod IPs?

Service Controller Node Controller Route Controller Volume Controller

✓

Correct!

The Route Controller sets up routes in the cloud provider’s network so pod IPs are reachable across nodes — without these routes, pods on different nodes cannot communicate. This is distinct from the Service Controller (which creates cloud load balancers for LoadBalancer-type Services) and the Volume Controller (which handles persistent disk attach/detach). The Route Controller is the networking plumbing that makes the pod network function on cloud providers.

✗

Incorrect

Think about which controller manages network paths between nodes.

Question 37

A pod is running on a node that matched its requiredDuringSchedulingIgnoredDuringExecution node affinity rule. If the node’s matching label is later removed, the pod will be evicted.

True False

✓

Correct!

False. The IgnoredDuringExecution suffix means the affinity rule is enforced only at scheduling time — once a pod is running, label changes on the node do NOT trigger eviction. The required part gates whether the pod can be initially scheduled, but confers no ongoing enforcement. If you need eviction when conditions change, you would use taints/tolerations with NoExecute effect instead, which do apply to running pods.

✗

Incorrect

Focus on the second half of the field name: ‘IgnoredDuringExecution’.

Question 38

A high-priority pod cannot be scheduled because no node has sufficient CPU. The scheduler finds one node where evicting two lower-priority pods would free enough resources. What does the scheduler do?

Keeps the high-priority pod in Pending state until capacity is organically freed Evicts the lower-priority pods and schedules the high-priority pod on that node Reduces the resource requests of lower-priority pods to make room Migrates the lower-priority pods to other nodes, then schedules the high-priority pod

✓

Correct!

Pod preemption: when a higher-priority pod cannot be scheduled, the scheduler can evict (delete) lower-priority pods to free resources. The evicted pods may reschedule elsewhere if capacity allows, but there is no guarantee — the scheduler does not first find a destination for them. This is why Priority Classes matter in production: a misconfigured high-priority workload can forcibly displace running pods across the cluster.

✗

Incorrect

Kubernetes has a mechanism specifically for this scenario called ‘preemption’.

Question 39

Given the etcd cluster status below, what state is the cluster in?

# 5-node etcd cluster status:
# Node1: UP   ✅
# Node2: DOWN ❌
# Node3: DOWN ❌
# Node4: DOWN ❌
# Node5: UP   ✅

# Quorum formula: (N/2) + 1
# For 5 nodes: quorum = 3
# Nodes currently available: 2

What will this code output?

Fully operational — 2 out of 5 nodes is sufficient for a 5-node cluster Read-only — quorum is lost, writes are blocked but existing data is preserved Crashed — all data is lost and the cluster must be rebuilt from scratch Degraded but writable — the leader node handles writes alone

✓

Correct!

With only 2 of 5 nodes available (below the required quorum of 3), the cluster loses quorum and becomes read-only. Raft intentionally blocks all writes rather than risk split-brain inconsistency — this is correct, safe behavior, not a crash. Existing data is fully preserved; unlike total data loss, quorum loss is recoverable by bringing nodes back online. The cluster resumes write operations automatically once quorum (≥3 nodes) is restored.

✗

Incorrect

Quorum requires (N/2)+1 nodes. Count how many are available versus required.

Question 40

During the binding phase of pod scheduling, the kube-scheduler writes the pod’s nodeName field directly to etcd.

True False

✓

Correct!

False. The kube-scheduler never communicates directly with etcd. During binding, the scheduler sends a Binding API request to the kube-api-server, which then updates etcd. This enforces the invariant that only the API server has direct etcd access — bypassing it would skip authentication, authorization, and admission control. Every control plane component (scheduler, controller-manager) exclusively uses the API server as its gateway to read and write cluster state.

✗

Incorrect

Which is the only component allowed to talk to etcd directly?

Question 41

Both kube-controller-manager and cloud-controller-manager contain a component called ‘Node Controller’. What distinguishes their specific responsibilities?

kube-controller-manager’s Node Controller handles cloud node deletion; cloud-controller-manager’s Node Controller marks nodes as NotReady kube-controller-manager’s Node Controller monitors node health and marks nodes as NotReady; cloud-controller-manager’s Node Controller checks whether nodes still exist in the cloud provider kube-controller-manager’s Node Controller applies to bare-metal only; cloud-controller-manager’s Node Controller applies to cloud clusters only They perform identical functions — the cloud-controller-manager’s version overrides the kube-controller-manager’s when running on a cloud provider

✓

Correct!

They share a name but have different scopes. The kube-controller-manager’s Node Controller is cloud-agnostic: it monitors node heartbeats, updates node conditions, and marks nodes NotReady when they stop responding. The cloud-controller-manager’s Node Controller is cloud-aware: it queries the cloud provider’s API to confirm whether a VM instance still exists — if the cloud deleted the VM, it removes the Kubernetes Node object. Both run in parallel on cloud clusters, each handling their own responsibility.

✗

Incorrect

One tracks Kubernetes health signals; the other queries the cloud provider’s API.

Quiz Results

Score

0/0

Accuracy

Right

Wrong

Skipped

Last updated on April 21, 2026

Architecture Worker Nodes