
Free CCA Sample Questions

10 CCA questions with full explanations for every option, free to view on this page.

Installation and Configuration

Q1. When you run 'cilium connectivity test', what does it verify about the cluster?

  1. A Only DNS resolution

    Incorrect. DNS is tested but not the sole focus.

  2. B Whether all pods can reach the Kubernetes API server

    Incorrect. The connectivity test is broader than API server access.

  3. C Pod-to-pod connectivity across all supported traffic patterns (ingress, egress, L7)

    Correct. The connectivity test validates pod-to-pod traffic in multiple directions and protocols.

  4. D Kubernetes node-to-node connectivity only

    Incorrect. Node connectivity is network infrastructure; the test focuses on pod networking.

Cluster Mesh

Q2. In ClusterMesh, a service is annotated with 'io.cilium.service/global: true'. What does this enable?

  1. A The service is accessible cluster-wide with the same cluster-local IP address

    Incorrect. ClusterIP addresses are cluster-local; they can't be shared across clusters.

  2. B The service's endpoints are distributed across all connected clusters for load balancing

    Incorrect. Endpoints aren't distributed; the service stays in its origin cluster with all endpoints there.

  3. C The service is replicated to all connected clusters with the same name and namespace

    Incorrect. The service isn't replicated; it remains in its original cluster.

  4. D The service is advertised to all connected clusters; pods in remote clusters can access it using its FQDN

    Correct. Global services are advertised to all connected clusters; remote pods can resolve and access them via FQDN (e.g., 'service.namespace.svc.clustermesh.local').

Service Mesh

Q3. What is the primary architectural advantage of Cilium's sidecarless service mesh approach over traditional sidecar-based service meshes?

  1. A Reduces per-pod resource overhead by implementing networking in the kernel via eBPF instead of a sidecar container

    Correct. Cilium uses eBPF-based sidecarless service mesh to avoid the memory and CPU overhead of per-pod sidecar containers.

  2. B Eliminates the need for load balancing

    Incorrect. Load balancing is still required and performed at the kernel level.

  3. C Provides better application performance through sidecar optimization

    Incorrect. The efficiency gain comes from the sidecarless approach, not from optimizing traditional sidecars.

  4. D Automatically handles multi-cluster communication

    Incorrect. Multi-cluster support is through ClusterMesh, separate from the sidecar choice.

Service Mesh

Q4. In Cilium's Gateway API implementation, what does a ReferenceGrant resource accomplish?

  1. A It authorizes a Gateway in one namespace to reference a Service in a different namespace

    Correct. ReferenceGrant is a Gateway API resource that permits a Gateway in namespace A to reference a Service in namespace B, preventing unauthorized cross-namespace access.

  2. B It creates a temporary tunnel between namespaces for service-to-service traffic

    Incorrect. ReferenceGrant doesn't create tunnels; it authorizes API references only.

  3. C It grants permissions for cross-cluster service mesh communication via ClusterMesh

    Incorrect. ClusterMesh uses different CRDs (GlobalService, ClusterMeshService) for cross-cluster authorization.

  4. D It allows a pod to bypass mTLS when communicating with a gateway

    Incorrect. ReferenceGrant doesn't affect mTLS enforcement; it's an authorization mechanism.

Network Observability

Q5. When you enable Hubble metrics export to Prometheus, which of the following metrics are typically available?

  1. A Only flow rate and packet counts

    Incorrect. Multiple metric categories are available.

  2. B Cilium-agent daemon status metrics only

    Incorrect. Hubble exports network flow metrics, not daemon status.

  3. C Flow metrics, HTTP-specific metrics, and DNS-specific metrics based on enabled protocols

    Correct. Hubble exports protocol-agnostic and protocol-specific metrics (HTTP, DNS, gRPC, etc.) to Prometheus.

  4. D Pod CPU and memory usage

    Incorrect. Resource metrics are not Hubble's responsibility.

Installation and Configuration

Q6. You run 'cilium-dbg privileged get-identity labels k8s:app=prod'. The command fails with 'endpoint not found'. What does this indicate?

  1. A The label selector syntax is incorrect; use 'k8s.app=prod' instead

    Incorrect. The label syntax 'k8s:app=prod' is correct.

  2. B The get-identity command doesn't support label-based queries; use 'cilium identity list' instead

    Incorrect. get-identity does support label-based queries.

  3. C No pod with label 'app=prod' currently exists in the cluster

    Correct. The 'endpoint not found' error means no pod matches the specified label in the cluster at that moment.

  4. D The cilium-agent hasn't finished syncing identities from the operator

    Incorrect. Sync issues would affect all identity queries, not just this label.

Installation and Configuration

Q7. After modifying Cilium configuration through Helm values, what command allows you to view the current active configuration without redeploying?

  1. A kubectl get configmap cilium-config

    Incorrect. The ConfigMap is one representation, but 'cilium config view' is the CLI tool.

  2. B cilium status --verbose

    Incorrect. 'cilium status --verbose' reports status details, but it is not the focused command for viewing active configuration values.

  3. C cilium-agent --print-config

    Incorrect. This is not a valid cilium-agent option.

  4. D cilium config view

    Correct. 'cilium config view' displays the currently active Cilium configuration.

Cluster Mesh

Q8. A global service in ClusterMesh cluster-1 has 10 endpoints, but traffic from cluster-2 pods shows 70% packet loss. The clusters are directly connected via a dedicated network link. What is the most likely cause?

  1. A The ClusterMesh egress gateway is filtering traffic from cluster-2; check the egress rules

    Incorrect. ClusterMesh doesn't use egress gateways for inter-cluster service traffic.

  2. B The clustermesh-apiserver in cluster-1 is overloaded and dropping endpoint updates

    Correct. High packet loss to remote service endpoints typically indicates the clustermesh-apiserver isn't reliably distributing endpoint updates, causing stale or partial endpoint knowledge.

  3. C Cross-cluster service traffic is being routed through a misconfigured pod CIDR overlap that causes asymmetric routing

    Incorrect. CIDR overlap would be caught during ClusterMesh setup; setup validation prevents this.

  4. D Service affinity is set to 'local', causing cluster-2 to fail over to cluster-1's endpoints with high latency

    Incorrect. Service affinity set to 'local' would completely fail over, not cause 70% loss.

Service Mesh

Q9. When using Cilium's Gateway API implementation, what does an 'HTTPRoute' resource specifically define?

  1. A HTTP protocol version requirements

    Incorrect. HTTP version is part of routing context but not HTTPRoute's primary purpose.

  2. B Mapping of HTTP requests to backend services with path/host matching and traffic splitting

    Correct. HTTPRoute defines how HTTP requests are routed to backend services based on hostname, path, and headers.

  3. C DNS resolution rules for gateways

    Incorrect. DNS is separate from routing definitions.

  4. D SSL/TLS certificate configuration

    Incorrect. TLS is handled by TLSRoute, not HTTPRoute.

Service Mesh

Q10. A TLSRoute in Cilium's Gateway API specifies:

```yaml
passthrough: true
```

What happens to TLS termination and SNI routing?

  1. A The gateway terminates TLS and reroutes based on the decrypted SNI header

    Incorrect. Passthrough mode doesn't terminate TLS; it avoids decryption.

  2. B Passthrough mode disables all TLS validation; traffic is routed without encryption

    Incorrect. Passthrough mode preserves TLS encryption; it doesn't disable validation.

  3. C TLS is not terminated; the encrypted traffic is proxied directly to backends, with SNI-based routing preserved

    Correct. In passthrough mode, the gateway proxies encrypted TLS traffic directly to backends without terminating, preserving SNI information for backend routing decisions.

  4. D The gateway requires SNI to be decrypted, but TLS renegotiation happens at the backend

    Incorrect. Passthrough doesn't terminate; SNI remains encrypted in the TLS ClientHello.


About these questions

These questions are written against the current CCA curriculum — not scraped exam dumps. The full CCA library here has 120 questions; the broader platform covers the rest of the Golden Kubestronaut path.