← CCA hub

CCA — eBPF

10% of the CCA exam. Sample questions below; the full library has 9 questions tagged to this domain.

Sample questions on eBPF

eBPF

Q1. Cilium's kube-proxy replacement uses eBPF to intercept ClusterIP traffic at XDP. Why is XDP preferred over TC for kube-proxy replacement?

Reveal answer and explanations
  1. A XDP supports DNAT; TC doesn't

    Incorrect. Both XDP and TC can perform DNAT.

  2. B TC requires userspace proxies; XDP operates entirely in kernel eBPF

    Incorrect. TC (qdisc classifier) also operates in kernel eBPF; userspace proxies aren't required.

  3. C XDP is earlier in the packet processing pipeline, reducing overhead and latency

    Correct. XDP runs at the NIC driver level before the kernel network stack; kube-proxy replacement at XDP reduces overhead significantly compared to TC (after the stack).

  4. D XDP is required for service affinity; TC can't implement service affinity

    Incorrect. Service affinity is implementable at TC level; XDP isn't strictly required.

eBPF

Q2. You're optimizing a Cilium policy lookup using a BPF hash map. With 1 million policies, how does eBPF policy evaluation compare to iptables rule traversal?

Reveal answer and explanations
  1. A Both use O(n) evaluation; no advantage to eBPF over iptables

    Incorrect. eBPF with hash maps is O(1); iptables is O(n).

  2. B eBPF hash maps provide O(1) lookup, while iptables requires O(n) rule traversal per packet

    Correct. eBPF hash map lookups are O(1), while iptables sequentially traverses rules, resulting in O(n) evaluation time that degrades with rule count.

  3. C Both use O(1) hashing; performance is equivalent

    Incorrect. iptables doesn't use hashing; it sequentially evaluates rules, making performance O(n).

  4. D eBPF provides O(log n) binary search, while iptables uses O(1) hashing

    Incorrect. eBPF uses hash maps (O(1)), not binary search (O(log n)).

eBPF

Q3. A Cilium eBPF program reads a packet header using 'load_byte()'. The load fails with 'invalid access to packet data'. What is the most likely cause?

Reveal answer and explanations
  1. A The offset being read exceeds the packet's length; packet boundary checks failed

    Correct. eBPF packet reads must be bounds-checked against packet_end; reads exceeding packet length are rejected by the verifier.

  2. B The packet buffer was freed before the load operation

    Incorrect. Packet buffers remain valid during eBPF hook execution.

  3. C The eBPF program lacks CAP_NET_ADMIN capability

    Incorrect. Capability restrictions don't apply to eBPF packet reads; permissions are enforced at load time.

  4. D The packet is fragmented; eBPF can't read fragmented packets directly

    Incorrect. eBPF can read fragmented packets if bounds checks pass.

eBPF

Q4. A Cilium eBPF program performs a tail call to another program using 'bpf_tail_call()'. What happens to the caller program's stack after the tail call?

Reveal answer and explanations
  1. A Tail calls don't affect the stack; they execute in separate kernel contexts

    Incorrect. Tail calls operate within the same kernel context but with stack replacement.

  2. B The caller's stack frame is preserved; the callee shares the same 512-byte stack space

    Incorrect. Tail calls deallocate the caller's stack; they don't preserve the frame.

  3. C The caller's stack is deallocated; the callee gets a fresh 512-byte stack

    Correct. Tail calls deallocate the caller's stack and give the callee program its own fresh 512-byte stack space, enabling unbounded program chaining.

  4. D The caller and callee share a common 1024-byte stack pool to reduce overhead

    Incorrect. Stack space is fixed at 512 bytes per program; there's no 1024-byte pool.

eBPF

Q5. A Cilium BPF map is configured as LRU (Least Recently Used) type. When the map is full, what happens to the least recently used entry?

Reveal answer and explanations
  1. A The least recently used entry is automatically evicted to make space for the new entry

    Correct. LRU maps automatically evict the least recently used entry when full, enabling bounded map size without explicit cleanup.

  2. B New entries are rejected until map space is freed by userspace

    Incorrect. LRU maps automatically evict; new entries aren't rejected.

  3. C The kernel blocks the inserting eBPF program until userspace deletes entries

    Incorrect. LRU doesn't block programs; eviction is automatic and synchronous.

  4. D LRU entries are persisted to disk and reloaded on demand

    Incorrect. BPF maps are kernel memory; they don't persist to disk.

Drill eBPF with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

eBPF accounts for 10% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 9-question domain bank will close those gaps.