← CCA hub

CCA — Network Observability

10% of the CCA exam. Sample questions below; the full library has 15 questions tagged to this domain.

Sample questions on Network Observability

Network Observability

Q1. When you enable Hubble metrics export to Prometheus, which of the following metrics are typically available?

Reveal answer and explanations
  1. A Only flow rate and packet counts

    Incorrect. Multiple metric categories are available.

  2. B Cilium-agent daemon status metrics only

    Incorrect. Hubble exports network flow metrics, not daemon status.

  3. C Flow metrics, HTTP-specific metrics, and DNS-specific metrics based on enabled protocols

    Correct. Hubble exports protocol-agnostic and protocol-specific metrics (HTTP, DNS, gRPC, etc.) to Prometheus.

  4. D Pod CPU and memory usage

    Incorrect. Resource metrics are not Hubble's responsibility.

Network Observability

Q2. In a Cilium cluster, where is Hubble observability data stored and how is it accessed?

Reveal answer and explanations
  1. A In a central database; accessed only through Hubble UI

    Incorrect. Data is distributed and accessed through gRPC.

  2. B In memory on each cilium-agent; aggregated and exposed via Hubble Relay's gRPC API

    Correct. Flow events are collected per-node in cilium-agent memory and exposed via Hubble Relay for query.

  3. C In Prometheus only; Hubble Relay is optional

    Incorrect. Hubble Relay is essential for centralized access to distributed flow data.

  4. D In etcd; queried through Kubernetes API

    Incorrect. Observability data is not stored in etcd.

Network Observability

Q3. Hubble records a flow with source label 'k8s:app=frontend' and destination label 'reserved:world'. What does this flow represent?

Reveal answer and explanations
  1. A Traffic from a frontend pod to the host network stack

    Incorrect. Host traffic uses 'reserved:host', not 'reserved:world'.

  2. B Egress traffic from a frontend pod to an external IP address outside the cluster

    Correct. 'reserved:world' is the identity for non-Cilium-managed external entities; this flow represents egress to external IPs.

  3. C Traffic from a pod in the frontend deployment to another pod in the cluster

    Incorrect. Intra-cluster traffic would have both source and destination with k8s labels.

  4. D Ingress from the cluster's external load balancer to the frontend

    Incorrect. Ingress from external load balancers is still recorded with 'reserved:world' as source.

Network Observability

Q4. How does enabling DNS visibility in Hubble enhance network observability compared to standard flow logs?

Reveal answer and explanations
  1. A It shows DNS queries and responses, mapping domain names to IP resolutions within the cluster

    Correct. DNS visibility shows DNS queries/responses, providing context for which services are being resolved.

  2. B It encrypts DNS traffic

    Incorrect. Visibility is about observability, not encryption.

  3. C It increases the size of flow logs

    Incorrect. Visibility enhancement doesn't necessarily increase log size.

  4. D It replaces the need for separate DNS monitoring tools

    Incorrect. It's a component of observability, not a complete replacement for all monitoring.

Network Observability

Q5. You query Hubble for flows using '--to-label k8s:io.kubernetes.pod.namespace=payment'. What is the limitation of this query?

Reveal answer and explanations
  1. A The query returns flows matching any pod in the payment namespace, not the specific label selector

    Incorrect. The label is specific, not a namespace-based filter; it matches the specific label on pods.

  2. B The query is correct and will show flows to pods in the payment namespace

    Incorrect. The query is valid, but the limitation is that it only shows destination-matching flows.

  3. C The query only shows flows where the destination pod has the label; source labels are ignored

    Correct. Hubble '--to-label' filters destination labels only; source labels matching the same label aren't included unless explicitly queried with '--from-label'.

  4. D Label selectors in Hubble don't support namespace prefixes; the query will fail

    Incorrect. Namespace label syntax is valid in Hubble queries.

Drill Network Observability with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

Network Observability accounts for 10% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 15-question domain bank will close those gaps.