
CCA — Service Mesh

16% of the CCA exam. Sample questions below; the full library has 17 questions tagged to this domain.

Sample questions on Service Mesh

Service Mesh

Q1. In a Cilium service mesh deployment, if you want to enable encryption in transit using WireGuard, what protocol does WireGuard protect?

  1. A Only pod-to-pod traffic within a cluster

    Incorrect. WireGuard can protect inter-node traffic and optionally pod traffic.

  2. B Only Layer 7 application protocols like HTTP

    Incorrect. WireGuard operates at Layer 3, not Layer 7.

  3. C All IP-level traffic between nodes and optionally between pods

    Correct. WireGuard encrypts all IP-level traffic (Layer 3 and above) between configured endpoints.

  4. D Only inter-node traffic for cluster mesh

    Incorrect. WireGuard is not limited to ClusterMesh.


Q2. What is a key use case for using Cilium's service mesh with Envoy in addition to eBPF-based routing?

  1. A To enable encryption, which eBPF-based routing does not support

    Incorrect. Encryption is supported at multiple levels independently.

  2. B To replace eBPF-based routing entirely

    Incorrect. Envoy augments, not replaces, eBPF routing.

  3. C To avoid the need for a Kubernetes CNI plugin

    Incorrect. CNI is a separate concern from service mesh implementation.

  4. D To handle complex L7 policies and traffic management that eBPF-based routing alone cannot provide

    Correct. Envoy enables advanced L7 traffic management, complex routing, and observability features beyond eBPF's capabilities.


Q3. A CiliumGateway and HTTPRoute are deployed. The HTTPRoute has a backendRef to a Service with no endpoints. What is the expected behavior?

  1. A The gateway routes traffic to the service name; Kubernetes will eventually add endpoints

    Incorrect. Gateway API requires actual endpoints for traffic forwarding.

  2. B The route is immediately rejected with a validation error

    Incorrect. Validation errors occur only for structural issues (e.g., invalid route syntax), not runtime endpoint availability.

  3. C Traffic is routed with HTTP 503 responses until endpoints are available

    Correct. Cilium's Envoy-based gateway returns HTTP 503 Service Unavailable when backends lack endpoints, allowing for graceful handling.

  4. D The HTTPRoute remains stuck in a Pending state until endpoints are created

    Incorrect. Pending state is not the correct behavior for missing endpoints.


Q4. You enable WireGuard transparent encryption in Cilium's service mesh. What is the encryption scope?

  1. A All inter-pod traffic (same-node and cross-node) is encrypted via WireGuard tunnels

    Incorrect. Same-node traffic is not encrypted; only cross-node tunnels use WireGuard.

  2. B Only traffic between pods on different nodes is encrypted; same-node traffic is unencrypted

    Correct. WireGuard transparent encryption in Cilium encrypts only cross-node tunnel traffic; same-node traffic is unencrypted as it's already protected by kernel isolation.

  3. C WireGuard encrypts only service-to-backend traffic, not pod-to-service traffic

    Incorrect. WireGuard encrypts the tunnel between nodes, not selectively per traffic pattern.

  4. D Only traffic matching CiliumNetworkPolicy rules is encrypted

    Incorrect. WireGuard encryption is independent of policy rules; it applies globally to cross-node traffic.


Q5. What is the primary architectural advantage of Cilium's sidecarless service mesh approach over traditional sidecar-based service meshes?

  1. A Reduces per-pod resource overhead by implementing networking in the kernel via eBPF instead of a sidecar container

    Correct. Cilium uses eBPF-based sidecarless service mesh to avoid the memory and CPU overhead of per-pod sidecar containers.

  2. B Eliminates the need for load balancing

    Incorrect. Load balancing is still required and performed at the kernel level.

  3. C Provides better application performance through sidecar optimization

    Incorrect. The efficiency gain comes from the sidecarless approach, not from optimizing traditional sidecars.

  4. D Automatically handles multi-cluster communication

    Incorrect. Multi-cluster support is through ClusterMesh, separate from the sidecar choice.


How this domain is tested

Service Mesh accounts for 16% of the CCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 17-question domain bank will close those gaps.