Free Cilium Certified Associate practice questions with full explanations on every option. eBPF networking, observability, and security for Kubernetes.
Q1. In a Cilium cluster, if you observe that the cilium-operator pod is unavailable for an extended period, which of the following will be directly impacted?
A. New nodes don't get IPAM pool allocations
Correct. The operator is responsible for allocating IP pools to nodes; without it, new nodes cannot be onboarded with IP allocations.
B. All eBPF programs on every node will be removed
Incorrect. eBPF programs are loaded by cilium-agent and persist independently.
C. DNS resolution will fail cluster-wide
Incorrect. DNS is handled by the individual cilium-agents, not the operator.
D. Existing pod-to-pod connectivity will immediately stop functioning
Incorrect. The cilium-agent maintains datapath functionality independent of the operator.
Network Policy
Q2. You write a CiliumNetworkPolicy with an egress rule that uses `toServices` and selects the cluster `kube-dns` Service. A teammate asks how the rule is enforced at packet time, given that the Service is a virtual ClusterIP. What is the most accurate description?
A. Cilium expands `toServices` at policy-installation time into the matching backend pod identities, and enforcement happens against those backend identities
Correct. `toServices` is resolved to the current set of backend endpoints, and Cilium enforces the rule against the identities of those backend pods.
B. Cilium installs a static iptables rule that whitelists the Service ClusterIP itself, bypassing identity resolution
Incorrect. Cilium does not delegate enforcement to iptables for `toServices`; the lookup happens through identity-aware eBPF maps.
C. Cilium forwards the policy to the kube-apiserver, which mints an admission webhook that rejects pods talking to the Service
Incorrect. Admission webhooks gate API server requests, not pod-level packet enforcement, and Cilium does not install one for policy enforcement.
D. Cilium creates a temporary CiliumIdentity for the Service ClusterIP and uses that identity for L4 matching at runtime
Incorrect. Cilium identities are assigned to endpoints (pods) based on labels; a Service ClusterIP does not receive its own runtime identity in this flow.
Service Mesh
Q3. In Cilium's service mesh, what does a CiliumEnvoyConfig (or CiliumClusterwideEnvoyConfig) resource configure for traffic management?
A. It replaces CiliumNetworkPolicy as the primary mechanism for enforcing L3/L4 and L7 network security
Incorrect. Network security enforcement remains the role of CiliumNetworkPolicy; CiliumEnvoyConfig supplies Envoy traffic-management configuration, a separate concern from policy enforcement.
B. Envoy listener, cluster, and route config for behaviors such as connection pooling, outlier detection, and load-balancing policy
Correct. CiliumEnvoyConfig injects raw Envoy resources (listeners, clusters, routes), letting operators configure connection pooling, outlier detection, and load-balancing behavior for traffic to services.
C. It defines how traffic is routed to individual pods by their IP address
Incorrect. Pod-level IP routing is handled by the eBPF datapath and IPAM, not by Envoy configuration resources.
D. It configures DNS-based service discovery for the cluster
Incorrect. Service discovery is handled by Kubernetes and CoreDNS, separate from Envoy traffic-management configuration.
Network Observability
Q4. A node runs workloads generating very high flow volume and you want to bound the per-node memory and CPU overhead of Hubble flow observability. Which approach actually reduces that overhead?
A. Lower the per-node Hubble flow ring buffer via `hubble.eventBufferCapacity` and enable monitor aggregation (`monitor-aggregation: medium`/`maximum`) to coalesce datapath events
Correct. Hubble stores flows in a bounded per-node in-memory ring buffer sized by `hubble.eventBufferCapacity`, so shrinking that buffer plus enabling monitor aggregation (which coalesces repeated datapath notifications) is the supported way to cap per-node observability overhead.
B. Set `hubble-flow-sample-rate: 100` in the cilium-config ConfigMap to keep 1 in 100 flows
Incorrect. There is no `hubble-flow-sample-rate` cilium-config key; Hubble does not implement 1-in-N flow sampling, so this knob does not exist.
C. Pass `--flow-sample-rate=100` to the Hubble Relay deployment so it samples aggregated flows
Incorrect. Hubble Relay only aggregates the per-node servers' flows and exposes no `--flow-sample-rate` sampling flag, so it cannot be configured this way.
D. Configure a `monitoring-sampling-ratio` setting on the per-node Hubble server so it deterministically keeps only 1 in every 100 observed flow records and silently discards the remaining flows before they ever reach the buffer
Incorrect. The per-node Hubble server has no `monitoring-sampling-ratio` option; flow retention is controlled by ring-buffer capacity and monitor aggregation, not a sampling ratio.
Installation and Configuration
Q5. You're upgrading Cilium between two minor releases. Which command performs a rolling upgrade while maintaining network policies?
Correct. `helm upgrade` is the standard method to upgrade Cilium while preserving configuration and policies.
D. `kubectl set image daemonset/cilium -n kube-system cilium=cilium:<target>`
Incorrect. Manual image updates bypass Helm state management and can cause inconsistencies.
Cluster Mesh
Q6. In ClusterMesh, a service is annotated with `service.cilium.io/global: "true"`. What does this enable?
A. The service is accessible cluster-wide with the same cluster-local IP
Incorrect. ClusterIP addresses are cluster-local; they can't be shared across clusters.
B. The service's endpoints are distributed across all connected clusters for load balancing
Incorrect. Endpoints aren't distributed; the service stays in its origin cluster with all endpoints there.
C. The service is replicated to all connected clusters with the same name and namespace
Incorrect. The service isn't replicated; it remains in its original cluster.
D. Advertised cluster-wide; reached via the local Service (same name+namespace)
Correct. The annotation marks a service as global; each connected cluster defines a Service with the same name and namespace, and Cilium stitches their endpoints together so workloads use their cluster-local Service to reach remote backends.
eBPF
Q7. When Cilium enables kube-proxy replacement, which eBPF hook is primarily used to translate ClusterIP service traffic on a pod's outbound socket?
A. The TC ingress hook on every host interface, so packets are inspected after they leave the pod
Incorrect. TC ingress is used elsewhere; the socket-level rewrite avoids the cost of building and re-parsing the packet for service translation.
B. The XDP hook on each host NIC, so packets are mangled at the lowest possible kernel layer for every connection
Incorrect. XDP runs on the NIC and cannot directly access pod-local socket structures, so it is not the primary kube-proxy-replacement hook.
C. The cgroup/sock socket-level hook, so the destination address is rewritten at `connect()` time before the packet is built
Correct. Cilium attaches at the cgroup BPF socket layer; the service IP is replaced with a backend address at connect time, so the packet leaves the pod already destined for the backend.
D. An LSM hook in the security subsystem, so policy decisions are aligned with SELinux and AppArmor
Incorrect. LSM hooks are for security policy decisions, not for service load-balancing rewrites in Cilium.
BGP and External Networking
Q8. What does the BGP graceful restart capability provide when a cilium-agent restarts on a node that peers with external routers?
A. It deletes all advertised prefixes immediately so external routers re-converge before the agent comes back
Incorrect. Immediate withdrawal causes traffic blackholing during the restart; graceful restart exists specifically to avoid that.
B. It signals peers to retain previously-learned routes for a configured stale time, so traffic continues to flow while the agent reconnects
Correct. Peers mark routes from the restarting speaker as stale but keep forwarding using them until the speaker resumes and re-announces or the stale timer expires.
C. It promotes a sibling cilium-agent on another node to take over the peering session for the duration of the restart
Incorrect. Cilium BGP runs on the same node as the agent; there is no sibling-failover for the local peering session in this mechanism.
D. It rewrites the AS-path on existing routes to insert a sentinel ASN, so peers know the routes are stale
Incorrect. Graceful restart relies on a capability negotiation and stale-timer, not on AS-path mutation.
90 minutes, multi-choice format. See the official CNCF page for the current question count.
How difficult is the CCA exam?
Rated intermediate. Plan 2–8 weeks depending on your background.
How much does the CCA exam cost?
Pricing changes periodically — check the official CNCF CCA page at https://www.cncf.io/training/certification/cca/.
Are these CCA mock exams free?
Sample questions on this page are free with no account. Full timed CCA mocks require a paid plan.
How is this mock exam different from the real CCA exam?
Original questions written against the official CNCF curriculum — not scraped dumps. Format mirrors the real exam; the real one is proctored, these are self-paced.
What is the best way to study for CCA?
Work through the official curriculum in order of domain weight (heaviest first), then run full timed mocks until you hit 85%+ consistently.