← CCA hub

CCA — Installation and Configuration

10% of the CCA exam. Sample questions below; the full library has 19 questions tagged to this domain.

Sample questions on Installation and Configuration

Installation and Configuration

Q1. You run 'cilium connectivity test' and one of the test pods is in CrashLoopBackOff state. The logs show 'BPF verification failed'. What is the likely issue?

Reveal answer and explanations
  1. A The kernel version is too old and doesn't support the eBPF programs Cilium is trying to load

    Correct. BPF verification failures typically indicate kernel incompatibility or missing eBPF support features in the running kernel version.

  2. B The connectivity test requires a specific kernel capability (CAP_SYS_ADMIN) that wasn't granted

    Incorrect. Capability issues would cause permission errors, not BPF verification failures.

  3. C The test pod's network namespace wasn't properly isolated from the host namespace

    Incorrect. Namespace isolation issues would cause network connectivity failures, not BPF verification errors.

  4. D The cilium-agent failed to attach the BPF program to the test pod's veth interface

    Incorrect. BPF program attachment errors are logged separately from verification failures.

Installation and Configuration

Q2. You want to enable Cilium's DNS policy enforcement after installation. Which Helm value must be set, and what is the prerequisite?

Reveal answer and explanations
  1. A Set 'l7Proxy=true' and 'dnsPolicyEnforcement=true'; prerequisite is running with kubeProxyReplacement

    Correct. DNS policy enforcement requires L7 proxying (l7Proxy=true) and DNS policy enforcement (dnsPolicyEnforcement=true), with kubeProxyReplacement recommended.

  2. B Set 'l7Protocols=dns'; no prerequisite, but it only works with the Cilium ingress controller

    Incorrect. DNS policies are independent of the ingress controller.

  3. C Set 'dnsPolicy=true'; prerequisite is DNS caching enabled in kube-dns

    Incorrect. DNS policy uses L7 proxying, not a simple boolean flag.

  4. D Set 'dnsSecurity=true'; prerequisite is all pods using CoreDNS (not kube-dns)

    Incorrect. CoreDNS vs kube-dns doesn't matter for DNS policy enforcement; it works with either.

Installation and Configuration

Q3. After installing Cilium, you run 'cilium endpoint list' but see no endpoints listed, even though pods are running. What should you check first?

Reveal answer and explanations
  1. A Verify that cilium-agents are running on all nodes

    Correct. If cilium-agents aren't running, endpoints won't be discovered or managed; this is the first check.

  2. B Ensure the Cilium operator is running and has synced with the API server

    Incorrect. Operator issues wouldn't prevent agent endpoint discovery and listing.

  3. C Confirm that pods have been annotated with 'cilium.io/inject=true'

    Incorrect. Pod injection annotations aren't required for Cilium to manage endpoints.

  4. D Check if the kubeconfig is correctly pointing to the cluster

    Incorrect. kubeconfig issues would prevent any cluster access, not just endpoint listing.

Installation and Configuration

Q4. You want to change the Cilium datapath tunnel type from VXLAN to Geneve after installation. Which command(s) would you use?

Reveal answer and explanations
  1. A 'cilium-dbg config set tunnel geneve' followed by agent restart

    Incorrect. cilium-dbg config changes are transient; persistent changes require ConfigMap updates.

  2. B 'cilium install --set tunnelProtocol=geneve' (requires reinstall)

    Incorrect. Tunnel protocol can be changed without a full reinstall.

  3. C Update the cilium-config ConfigMap and trigger a rolling restart of cilium-agents

    Correct. The cilium-config ConfigMap is the persistent configuration source; changing tunnelProtocol there and restarting agents applies the change cluster-wide.

  4. D 'cilium config set tunnel geneve' on each node

    Incorrect. Local cilium config command doesn't persist changes across agent restarts.

Installation and Configuration

Q5. You run 'cilium install --set kubeProxyReplacement=true --version 1.15.1'. The installation hangs during the operator initialization phase. What is the most common root cause?

Reveal answer and explanations
  1. A The cilium Helm chart version 1.15.1 doesn't support kubeProxyReplacement

    Incorrect. Cilium 1.15.1 supports kubeProxyReplacement; this isn't a version compatibility issue.

  2. B The kube-proxy DaemonSet is still running and conflicts with kubeProxyReplacement initialization

    Correct. When kube-proxy is still running, kubeProxyReplacement initialization hangs due to port conflicts; kube-proxy must be scaled down or removed first.

  3. C The kernel doesn't support the eBPF features required by kubeProxyReplacement in this version

    Incorrect. Kernel eBPF feature checks happen during agent initialization, not operator initialization.

  4. D The API server is unreachable; the operator can't communicate with the cluster

    Incorrect. Operator would fail fast with API server connectivity issues, not hang.

Drill Installation and Configuration with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

Installation and Configuration accounts for 10% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 19-question domain bank will close those gaps.