Top Kubernetes Interview Questions and Answers

In today's tech landscape, the Kubernetes container orchestration platform is widely used across various projects. With its increasing popularity and widespread adoption, Kubernetes often comes up during interviews for certain IT roles, including DevOps, SRE, system administration, development, and operations. The questions can range from very simple ones about cluster components to more advanced topics like networking within the cluster and network policies. In this article, we’ll go over the top Kubernetes interview questions and provide detailed answers.

What is Kubernetes?

Kubernetes is an open-source platform for managing containerized applications. It enables the deployment, scaling, and management of containerized workloads and services.

List the Main Components of a Kubernetes Cluster

At the core of Kubernetes lies the Control Plane, which resides on the master node. The Control Plane includes the following components:

• kube-api-server – The API server processes REST requests and serves as the "brain" of the cluster. All interactions, including object creation and deletion, go through the API server, which also manages communication between cluster components.
• etcd – A highly available key-value store that saves configuration data and cluster state. It can be deployed externally for improved fault tolerance. etcd is an independent project maintained by a separate team.
• kube-scheduler – The component responsible for determining which nodes will run which pods. It monitors available resources on each node to balance workload distribution.
• kube-controller-manager – Runs controllers that monitor resources and ensure the cluster matches the desired state by making necessary changes.
• kube-proxy – A network service that acts as a load balancer. It distributes network traffic between pods and runs on every node in the cluster.

What is a Pod in Kubernetes?

A Pod is the smallest deployable unit in Kubernetes and serves as an abstraction for running containers. A pod usually contains one or more containers, its own IP address, and data storage. Kubernetes doesn’t interact directly with containers, but rather through pods.

What is the difference between Deployment and StatefulSet?

Both Deployment and StatefulSet are Kubernetes objects for managing applications, but they serve different purposes.

Deployment:

• Used for managing stateless applications (e.g., web servers).
• Supports rolling updates for zero-downtime deployments.
• Pods are ephemeral with non-persistent names and IPs.
• No state persistence: when a pod is deleted, its data is lost.

StatefulSet:

• Designed for stateful applications (e.g., databases).
• Pods have stable, unique names and identifiers that persist across restarts.
• Supports Persistent Volumes to retain data between restarts.
• Pods are created and terminated in a specific order, one at a time.

In conclusion, data persistence is the main difference between a Deployment and a StatefulSet. Use Deployment if the application does not require state to be preserved. However, if the application needs to retain its state, then a StatefulSet is the appropriate choice.

What is a Service in Kubernetes, and What are the Types?

A Service in Kubernetes defines how to access a set of pods. It provides a stable IP and DNS name, allowing internal or external communication with pods.

Types of Services:

1. ClusterIP – The default type. Exposes the service on an internal IP, accessible only within the cluster.
2. NodePort – Exposes the service on a specific port across all nodes. Allows external access via NodeIP:NodePort.
3. LoadBalancer – Provisions an external load balancer (mainly in cloud environments) and assigns a public IP for external traffic distribution.
4. ExternalName – Maps the service name to an external hostname or IP address using a DNS CNAME record. Works purely at the DNS level.

What is Ingress in Kubernetes?

Ingress is a Kubernetes object that defines rules for routing external HTTP/HTTPS traffic to internal services within the cluster. It enables fine-grained control over how traffic is handled and directed.

What is an Ingress Controller?

An Ingress Controller is a component that implements the Ingress rules. It typically consists of:

• A reverse proxy (e.g., Nginx, HAProxy)
• A controller that interacts with the Kubernetes API server to apply Ingress configuration and routing rules.

The controller watches for changes to Ingress objects and configures the reverse proxy accordingly to handle incoming traffic.

How to Store Sensitive Data (Secrets), Including Logins, Passwords, Tokens, and Keys?

Kubernetes provides the Secret object for storing sensitive information. There are six types of secrets:

1. Opaque – A general-purpose secret type used to store any data.
2. Service Account Token – Used to work with service accounts by generating a JWT token. Typically, the token is automatically created when a service account object is created.
3. Basic Auth – Stores login and password in Base64-encoded format.
4. SSH Auth – Used for SSH authentication. The secret contains a pre-generated private key.
5. TLS Certificates – Involves using certificates and their private keys, provided in the manifest's tls.crt and tls.key fields (Base64-encoded). 
6. Bootstrap Token – A special token type used to add new nodes to the Kubernetes cluster safely.

Secrets are usually injected into containers via volumeMount or secretKeyRef.

You can also use external secret management tools like HashiCorp Vault.

What Are Labels and Selectors, and What Are They Used For?

• Labels are key-value metadata that can be attached to any Kubernetes object. They help to identify attributes of objects that are not directly related to the running services but can provide useful information to users — for example, the purpose of a deployed application or the environment in which it will run. In other words, labels are intended to distinguish between different instances of objects.
• Selectors are used to filter or query objects based on their labels. A selector is a request to fetch objects that match specific label criteria.

What Are Probes in Kubernetes, What Types Exist, and What Are They Used For?

Probes in Kubernetes check the health and readiness of applications. There are three types:

1. Liveness Probe: Checks whether a pod is running correctly. If the check fails, the pod is restarted automatically.
2. Readiness Probe: Checks whether a pod is ready to receive network traffic. If it fails, the pod is excluded from load balancing, though it continues running.
3. Startup Probe: Used for apps that take a long time to start. This probe checks the app's initial startup before liveness and readiness checks are activated.

What Is Pod Disruption Budget (PDB) and What Is It Used For?

Pod Disruption Budget is a Kubernetes feature used to ensure a minimum number of pods are available during voluntary disruptions (e.g., node maintenance or upgrades).

Example: If you have an application with 3 replicas that can tolerate the loss of 1 pod, then the PDB should specify that no more than 1 pod can be unavailable at any time. This prevents disruptions that would make the application non-functional.

How to Control Resource Usage in Containers?

Use requests and limits in your pod definitions:

• Requests define the minimum amount of CPU and memory required for a pod to be scheduled. If the cluster doesn't have enough resources, the pod won't be scheduled.
• Limits define the maximum amount of CPU and memory a pod can consume. The pod will be throttled or terminated if it exceeds these limits.

You can learn more about Kubernetes requests and limits in our article.

How to Expose an Application Running in Kubernetes to the External Network?

To provide external access to an application, you can use:

• Ingress Controller – A preferred method for managing HTTP/HTTPS access. It routes traffic to services based on defined rules.
• NodePort – Opens a specific port on all nodes for external access.
• LoadBalancer – Provisions an external IP through a cloud load balancer.

What Is the CNI Interface?

CNI (Container Network Interface) is a Kubernetes specification maintained by the Cloud Native Computing Foundation. It defines how network interfaces are managed in Linux containers. CNI is responsible for connecting pods to the network.

CNI features are implemented through plugins, with popular ones including:

• Calico
• Weave
• Flannel
• Cilium

What Is CRI?

CRI (Container Runtime Interface) is the primary communication interface between the kubelet component in a Kubernetes cluster and the container runtime environment. Using CRI, Kubernetes interacts with the container engine responsible for creating and managing containers (Kubernetes itself does not create containers directly). 

Popular container runtimes that implement CRI include containerd and CRI-O.

What Is a Persistent Volume (PV)?

A Persistent Volume (PV) is a Kubernetes object used to store data persistently across pod lifecycles. Volumes in Kubernetes are implemented via plugins, and the platform supports the following types:

• Container Storage Interface (CSI)
• Fibre Channel (FC)
• hostPath
• iSCSI
• Local Storage
• Network File System (NFS)

What Is a Persistent Volume Claim (PVC)?

A Persistent Volume Claim (PVC) is a user request for storage resources. It allows users to claim a portion of a Persistent Volume based on parameters such as requested size and access mode. PVCs enable dynamic provisioning of storage in Kubernetes, meaning the cluster can automatically create a volume that matches the claim.

How to Assign Access Rights in a Kubernetes Cluster?

Kubernetes manages access control using RBAC (Role-Based Access Control). RBAC allows administrators to define who can do what within the cluster using the following entities:

• Role – Defines a set of permissions within a specific namespace.
• RoleBinding – Assigns a Role to a user or group within a namespace.
• ClusterRole – Grants permissions across the entire cluster (not limited to a single namespace).
• ClusterRoleBinding – Binds a ClusterRole to users or groups across all namespaces.
• ServiceAccount – An identity used by Kubernetes workloads (pods) to interact with the API.

Conclusion

In this article, we covered a list of common interview questions that candidates might encounter when applying for IT roles involving Kubernetes. These questions span a range of foundational and advanced topics, including architecture, security, networking, and storage in Kubernetes.