CCA — Architecture

20% of the CCA exam. Sample questions below; the full library has 23 questions tagged to this domain.

Sample questions on Architecture

Architecture

Q1. In Cilium, what is the relationship between the datapath and eBPF programs loaded by cilium-agent?

  1. A The datapath defines traffic flow; eBPF programs are alternative implementations when datapath is not available

    Incorrect. eBPF programs are not fallback implementations; they are the primary mechanism.

  2. B They are independent layers; datapath handles L3/L4 and eBPF handles only L7

    Incorrect. eBPF programs handle policy enforcement, routing, load balancing, and observability across all layers.

  3. C The datapath is a userspace routing table; eBPF programs optimize specific flows

    Incorrect. Cilium's datapath is entirely kernel-based through eBPF, not a userspace routing table.

  4. D eBPF programs ARE the datapath implementation, loaded at kernel ingress/egress hooks to process all network traffic

    Correct. In Cilium, eBPF programs implement the entire datapath, attached to kernel hooks to process all traffic efficiently.

Q2. A Cilium cluster uses Geneve encapsulation with MTU 1500. What is the typical IP packet payload size loss compared to native routing due to Geneve headers?

  1. A 20-24 bytes (outer IP header + UDP header)

    Incorrect. This doesn't account for Geneve and its metadata layers, underestimating actual overhead.

  2. B 14 bytes (Geneve header + Cilium metadata)

    Incorrect. Cilium metadata is optional; the primary overhead comes from IP/UDP/Geneve encapsulation layers.

  3. C 8 bytes (Geneve fixed header only)

    Incorrect. Geneve adds more than just the fixed header; UDP and outer IP headers increase the overhead significantly.

  4. D 50-54 bytes (Geneve + UDP + outer IP headers)

    Correct. Geneve (8B) + UDP (8B) + outer IPv4 (20B) + potential options adds ~50-54 bytes of overhead, reducing usable payload from 1500 to ~1450.

Q3. What is the primary function of Hubble Relay in a Cilium deployment?

  1. A Provides the gRPC endpoint for Hubble CLI to query flow events from multiple nodes

    Correct. Hubble Relay aggregates flow events from all cilium-agents and provides a central gRPC API for querying observability data.

  2. B Enforces network policies based on flow visibility

    Incorrect. Policy enforcement happens at the cilium-agent level using eBPF programs.

  3. C Acts as a proxy for DNS resolution within the cluster

    Incorrect. DNS handling is part of Cilium's core networking, not Hubble Relay's responsibility.

  4. D Encrypts all traffic between nodes using WireGuard

    Incorrect. Encryption is a separate feature, not related to Hubble's function.

Q4. You deploy Cilium with the operator in HA mode (3 replicas). Which component does NOT require the operator to function?

  1. A CiliumClusterwideNetworkPolicy reconciliation and status reporting

    Incorrect. CiliumClusterwideNetworkPolicy is an operator responsibility for cluster-wide propagation.

  2. B Hubble Relay aggregation of per-node flow events

    Incorrect. Hubble Relay is an operator-managed aggregation service for flow collection.

  3. C IP prefix delegation and reclaiming on nodes

    Incorrect. IP prefix delegation management is an operator function for IPAM coordination.

  4. D Cilium agents performing pod IP allocation and policy enforcement

    Correct. Cilium agents run independently on each node and enforce policies even without the operator; the operator handles cluster-wide coordination, not core datapath functionality.

Q5. What distinguishes Cilium's cilium-proxy component from traditional sidecar proxies in the context of service mesh?

  1. A cilium-proxy cannot be disabled, while traditional sidecars are optional

    Incorrect. Cilium's proxy functionality is optional and can be disabled depending on cluster needs.

  2. B cilium-proxy runs as a DaemonSet while traditional sidecars run as containers in each pod

    Incorrect. Both Cilium components and sidecars can run as DaemonSets or per-pod deployments.

  3. C cilium-proxy is eBPF-based and runs in the kernel, avoiding per-pod container overhead

    Correct. Cilium implements L7 proxy functionality via eBPF in kernel space, avoiding the resource overhead of per-pod sidecar containers.

  4. D cilium-proxy only handles L3/L4 while traditional sidecars handle all layers

    Incorrect. Cilium's eBPF proxy handles L7 protocol parsing, the same as traditional sidecars.

How this domain is tested

Architecture accounts for 20% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 23-question domain bank will close those gaps.