K8S Config
44 cards — 🟢 7 easy | 🟡 16 medium | 🔴 6 hard
🟢 Easy (7)
1. True or False? storing data in a Secret component makes it automatically secured
Show answer
False. Some known security mechanisms like "encryption" aren't enabled by default.
Gotcha: K8s Secrets are base64-encoded, not encrypted at rest by default. Enable EncryptionConfiguration for etcd encryption.
Remember: "Base64 is a disguise, not a safe" — anyone with etcd access can decode without encryption at rest.
See also: External secret managers (Vault, AWS Secrets Manager) provide true encryption and rotation.
2. What is the problem with the following Secret file:
Show answer
Password isn't encrypted.
You should run something like this: `echo -n 'mySecretPassword' | base64` and paste the result into the file instead of using plain text.
Remember: `echo -n` is critical — without `-n`, a trailing newline gets base64-encoded, causing auth failures.
Gotcha: `echo -n 'myPassword' | base64` vs `echo 'myPassword' | base64` produce different results. The newline matters!
Example: Compare: `echo -n 'pass' | base64` → `cGFzcw==` vs `echo 'pass' | base64` → `cGFzcwo=` (extra newline).
3. True or False? Memory is a compressible resource, meaning that when a container reaches the memory limit, it will keep running
Show answer
False. CPU is a compressible resource while memory is a non-compressible resource: once a container reaches the memory limit, it will be terminated.
Remember: CPU is compressible (throttled when over-limit), memory is NOT (OOMKilled). This distinction is critical.
Under the hood: Kernel CFS scheduler throttles CPU. OOM killer terminates memory hogs. Different enforcement mechanisms.
Gotcha: Over-provision memory to be safe (OOM=crash). CPU can be slightly under-provisioned (just slower).
4. True or False? Resource limits are applied at the Pod level, meaning that if the limit is 2gb RAM and there are two containers in a Pod, each gets 1gb RAM
Show answer
False. It's per container and not per Pod.
Remember: K8s true/false questions test edge cases and defaults. Verify with `kubectl explain`
Gotcha: Use `kubectl explain`
5. What is a ConfigMap in Kubernetes?
Show answer
A ConfigMap is an object to store non-sensitive configuration data as key-value pairs. Pods can consume ConfigMaps as environment variables or config files. This decouples configuration from container images.
Example: `kubectl create configmap app-cfg --from-file=config.yaml --from-literal=LOG_LEVEL=debug`
Gotcha: ConfigMap updates don't auto-restart pods. Use Reloader or hash annotations for rolling updates.
Remember: ConfigMaps decouple config from images — same image, different config per environment.
6. What is a "ConfigMap"?
Show answer
An object used to store non-sensitive configuration data.
Example: `kubectl create configmap app-cfg --from-file=config.yaml --from-literal=LOG_LEVEL=debug`
Gotcha: ConfigMap updates don't auto-restart pods. Use Reloader or hash annotations for rolling updates.
Remember: ConfigMaps decouple config from images — same image, different config per environment.
7. What is a Kubernetes Secret and how does it store sensitive data?
Show answer
An object for storing sensitive data like passwords or tokens.
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
Example: `kubectl create secret generic ssh-key --from-file=ssh-privatekey=~/.ssh/id_rsa`
🟡 Medium (16)
1. What is Resource Quota?
Show answer
Resource quota provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that namespace.
Example: `kubectl create quota my-quota --hard=pods=10,requests.cpu=4,requests.memory=8Gi -n dev` limits namespace resources.
Remember: Quotas are per-namespace. Think "Quota = Namespace Budget" — each team gets a spending limit.
2. What is a Secret in Kubernetes?
Show answer
A Secret is like a ConfigMap but for sensitive data (passwords, tokens, keys). Secrets store base64-encoded data and are intended to be kept confidential (with optional encryption at rest enabled via configuration). Pods use Secrets via environment variables or mounted files, similar to ConfigMaps, but with stricter access controls.
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
3. Explain Kubernetes Secrets
Show answer
Secrets let you store and manage sensitive information (passwords, ssh keys, etc.)
Example: `kubectl create secret generic db-creds --from-literal=user=admin --from-literal=pass=s3cret`
Remember: Secrets are like ConfigMaps wearing sunglasses — same structure, base64-encoded, slightly more restricted access.
Gotcha: Secrets stored unencrypted in etcd by default. Enable encryption at rest for production clusters.
4. What is a Kubernetes ConfigMap and how is it used?
Show answer
Separate configuration from pods.
It's good for cases where you might need to change configuration at some point but you don't want to restart the application or rebuild the image, so you create a ConfigMap and connect it to a pod, but externally to the pod.
Overall it's good for:
* Sharing the same configuration between different pods
* Storing configuration external to the pod
Example: `kubectl create configmap app-cfg --from-file=config.yaml --from-literal=LOG_LEVEL=debug`
Gotcha: ConfigMap updates don't auto-restart pods. Use Reloader or hash annotations for rolling updates.
5. Run a pod called "yay2" with the image "python". Make sure it has resources request of 64Mi memory and 250m CPU and the limits are 128Mi memory and 500m CPU
Show answer
`kubectl run yay2 --image=python --dry-run=client -o yaml > pod.yaml`
`vi pod.yaml`
```yaml
spec:
  containers:
  - image: python
    imagePullPolicy: Always
    name: yay2
    resources:
      limits:
        cpu: 500m
        memory: 128Mi
      requests:
        cpu: 250m
        memory: 64Mi
```
`kubectl apply -f pod.yaml`
Remember: Use `kubectl explain`
6. What happens when pods are using too much memory? (more than their limit)
Show answer
They become candidates for termination.
Under the hood: K8s eviction manager monitors memory pressure. Evicts BestEffort→Burstable→Guaranteed.
Remember: "No limits? First to go." Pods without resource requests get BestEffort QoS — evicted first.
See also: Check node conditions: `kubectl describe node` — look for MemoryPressure.
7. Run a pod called "yay" with the image "python" and resources request of 64Mi memory and 250m CPU
Show answer
`kubectl run yay --image=python --dry-run=client -o yaml > pod.yaml`
`vi pod.yaml`
```yaml
spec:
  containers:
  - image: python
    imagePullPolicy: Always
    name: yay
    resources:
      requests:
        cpu: 250m
        memory: 64Mi
```
`kubectl apply -f pod.yaml`
Remember: Use `kubectl explain`
8. What QoS classes are there?
Show answer
* Guaranteed
* Burstable
* BestEffort
Remember: QoS eviction order: BestEffort first, Burstable second, Guaranteed last. Mnemonic: "BBG."
Under the hood: Guaranteed=requests==limits for ALL containers. Burstable=at least one request. BestEffort=zero.
Gotcha: Miss one container's limits and the pod drops from Guaranteed to Burstable.
9. How to create a Secret from a key and value?
Show answer
`kubectl create secret generic some-secret --from-literal=password='donttellmypassword'`
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
Example: `kubectl create secret generic ssh-key --from-file=ssh-privatekey=~/.ssh/id_rsa`
10. Explain the concept of PodDisruptionBudget in Kubernetes.
Show answer
* PodDisruptionBudget: PodDisruptionBudget is a resource in Kubernetes that defines policies for pod disruptions during voluntary disruptions (e.g., rolling updates).
* It limits the number of concurrently disrupted pods and ensures that a minimum number of replicas are available during disruptions.
* Helps prevent service disruption and ensures stability during maintenance activities.
* PodDisruptionBudgets are useful for controlling the impact of disruptions, reducing the risk of service degradation during planned maintenance or updates.
* They provide a balance between maintaining high availability and executing necessary maintenance tasks.
11. How to create a Resource Quota?
Show answer
`kubectl create quota some-quota --hard=cpu=2,pods=2`
Example: `kubectl create quota my-quota --hard=pods=10,requests.cpu=4,requests.memory=8Gi -n dev` limits namespace resources.
Remember: Quotas are per-namespace. Think "Quota = Namespace Budget" — each team gets a spending limit.
Gotcha: If a ResourceQuota exists but pod specs omit requests/limits, pods are rejected. Pair with LimitRange for defaults.
12. How to use ConfigMaps?
Show answer
1. Create it (from key&value, a file or an env file)
2. Attach it. Mount a configmap as a volume
Remember: `--dry-run=client -o yaml` generates templates. Pipe to a file and customize.
Gotcha: `create` = imperative (fails if exists). `apply` = declarative (creates or updates). Production = `apply`.
13. Explain why one would specify resource limits in regards to Pods
Show answer
* You know how much RAM and/or CPU your app should be consuming and anything above that is not valid
* You would like to make sure that everyone can run their apps in the cluster and resources are not being solely used by one type of application
Remember: Use `kubectl explain`
14. What type: Opaque in a secret file means? What other types are there?
Show answer
Opaque is the default type used for key-value pairs.
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
Example: `kubectl create secret generic ssh-key --from-file=ssh-privatekey=~/.ssh/id_rsa`
15. How to create a Secret from a file?
Show answer
`kubectl create secret generic some-secret --from-file=/some/file.txt`
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
Example: `kubectl create secret generic ssh-key --from-file=ssh-privatekey=~/.ssh/id_rsa`
16. Explain how ConfigMap and Secret updates are handled in Kubernetes.
Show answer
* ConfigMap and Secret Updates: Changes to ConfigMaps or Secrets trigger updates in associated pods automatically.
* Pods referencing ConfigMaps or Secrets receive notifications about updates.
* Containers in the pod can watch for changes and adapt their configurations dynamically.
* ConfigMap and Secret updates are dynamically propagated to pods using them.
* Containers within pods can watch for changes and reconfigure themselves accordingly, ensuring that any modifications to configuration data are seamlessly applied.
Example: `kubectl create secret generic db-creds --from-literal=user=admin --from-literal=pass=s3cret`
Remember: Secrets are like ConfigMaps wearing sunglasses — same structure, base64-encoded, slightly more restricted access.
🔴 Hard (6)
1. How do you prevent high memory usage in your Kubernetes cluster and possibly issues like memory leak and OOM?
Show answer
Apply requests and limits, especially on third party applications (where the uncertainty is even bigger)
Example: Set in pod spec: `resources: {limits: {memory: 512Mi}, requests: {memory: 256Mi}}`.
Remember: "Requests = minimum guaranteed, Limits = maximum allowed." Think "Request a seat, Limit the legroom."
Gotcha: CPU is throttled; memory is OOMKilled. Over-limit CPU just slows down; over-limit memory kills the container.
2. How are secrets managed in Kubernetes, and what are best practices for securing them?
Show answer
* Secrets Management in Kubernetes: Kubernetes stores secrets as base64-encoded data.
* Secrets are accessed by mounting them into pods as volumes or using them as environment variables.
* Best practices include using RBAC to control access, avoiding storing sensitive information in image layers, and rotating secrets regularly.
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
3. How to commit secrets to Git and in general how to use encrypted secrets?
Show answer
One possible process would be as follows:
1. You create a Kubernetes secret (but don't commit it)
2. You encrypt it using some 3rd party project (e.g. kubeseal)
3. You apply the sealed/encrypted secret
4. You commit the sealed secret to Git
5. You deploy an application that requires the secret and it can be automatically decrypted by using for example a Bitnami Sealed secrets controller
Remember: `kubectl create secret generic` supports `--from-literal`, `--from-file`, `--from-env-file`.
Gotcha: Special chars need shell quoting. Use single quotes: `--from-literal=pass='p@ss!'`.
4. What is a ConfigMap, and how is it used in Kubernetes?
Show answer
**ConfigMap:**
* Kubernetes resource that stores configuration data in key-value pairs.
* Decouples configuration from application code.
* Can be used to store configuration files, command-line arguments, environment variables, etc.
* ConfigMaps allow for the separation of configuration from application logic, making it easier to manage and update configurations without modifying the application code.
Applications can reference ConfigMaps, and changes to the ConfigMap are automatically reflected in the pods that reference it.
Example: `kubectl create configmap app-cfg --from-file=config.yaml --from-literal=LOG_LEVEL=debug`
Gotcha: ConfigMap updates don't auto-restart pods. Use Reloader or hash annotations for rolling updates.
5. True or False? Sensitive data, like credentials, should be stored in a ConfigMap
Show answer
False. Use a Secret.
Remember: Sensitive data → Secrets, not ConfigMaps. ConfigMaps are plain text, visible to namespace users.
Gotcha: Even Secrets are only base64-encoded by default. Enable encryption at rest + RBAC.
See also: External Secrets Operator syncs from Vault/AWS into K8s Secrets automatically.
6. Explain how Kubernetes secrets are managed and secured.
Show answer
* Kubernetes Secrets: Secrets in Kubernetes store sensitive information like passwords, API keys, or certificates.
* They are stored in etcd, the distributed key-value store, and are base64-encoded.
* Access to secrets is controlled through RBAC (Role-Based Access Control) to ensure secure handling.
* Kubernetes Secrets provide a secure way to manage sensitive information required by applications.
* They are accessible only to authorized entities, and the use of RBAC ensures that only authorized users or processes can access and manipulate secrets.