CGOA — Related Practices

16% of the CGOA exam. Sample questions below; the full library has 20 questions tagged to this domain.

Sample questions on Related Practices

Related Practices

Q1. How does Infrastructure as Code differ from GitOps in scope?

  1. A. IaC and GitOps are identical; they manage the same scope

    Incorrect. While they overlap, GitOps is broader and includes post-provisioning lifecycle management.

  2. B. GitOps manages infrastructure; IaC manages applications, which also requires specialized tooling and infrastructure setup

    Incorrect. This is backwards; IaC is infrastructure, GitOps is application deployment and reconciliation.

  3. C. IaC codes infrastructure provisioning (networks, VMs, clusters); GitOps uses IaC results and adds continuous deployment and reconciliation to manage application state

    Correct. IaC is a foundational practice (infrastructure provisioning); GitOps builds on that to add deployment and continuous reconciliation of applications.

  4. D. IaC is only for cloud providers while GitOps is for Kubernetes

    Incorrect. Both can be used with various platforms; Kubernetes is a common target for GitOps, but GitOps isn't limited to it.

Q2. How does sealed-secrets in Kubernetes relate to the CaC + GitOps principle of 'everything in Git'?

  1. A. Sealed-secrets is incompatible with GitOps workflows

    Incorrect. Sealed-secrets is a GitOps pattern.

  2. B. Sealed-secrets replaces the need for version control

    Incorrect. Git remains the state store.

  3. C. Sealed-secrets violates GitOps because secrets should not be in Git

    Incorrect. Sealed-secrets enables GitOps for secrets.

  4. D. Sealed-secrets requires a separate secrets management system outside Git

    Incorrect. Sealed-secrets keeps secrets in Git (encrypted).

  5. E. Sealed-secrets allows secrets to be encrypted at rest in Git; only the cluster key can decrypt them

    Correct. Sealed-secrets encrypts secrets before Git storage; the cluster holds the decryption key and decrypts at runtime.

Q3. A team implements GitOps for deployment but performs security scanning only after deployment in the cluster. Why is this less effective than performing scanning in the CI stage?

  1. A. Pre-deployment scanning eliminates all security risks, which also requires specialized tooling and infrastructure setup

    Incorrect. No scanning eliminates all risks; the goal is preventing known vulnerabilities from reaching production.

  2. B. GitOps requires scanning before deployment by definition

    Incorrect. While it's a best practice, GitOps itself doesn't mandate it; the principle is about deployment, not security scanning timing.

  3. C. Post-deployment scanning is more expensive

    Incorrect. Cost differences aren't the primary issue; timing and prevention are.

  4. D. Post-deployment scanning discovers vulnerabilities too late; they've already reached production, whereas CI scanning prevents vulnerable artifacts from entering the state store

    Correct. By the time post-deployment scanning finds issues, they're already live; CI scanning prevents problems from being committed.

Q4. What is the relationship between OPA/Kyverno policy enforcement and GitOps reconciliation?

  1. A. They are unrelated; policies are enforced only at the API level

    Incorrect. Policies integrate with GitOps.

  2. B. Policy checks at commit time and reconciliation time

    Correct. Policy-as-code can be enforced at multiple points: pre-commit webhooks validate Git, and admission controllers validate at apply-time.

  3. C. GitOps does not support policy enforcement

    Incorrect. GitOps supports policies through controllers.

  4. D. Policy enforcement should happen only in CI, not in GitOps

    Incorrect. Multiple enforcement points provide defense in depth.

  5. E. OPA/Kyverno can only enforce policies, not prevent deployments

    Incorrect. Policies can prevent deployments.

Q5. How does DevSecOps' emphasis on automated security testing integrate with GitOps?

  1. A. GitOps handles security; DevSecOps is unrelated

    Incorrect. GitOps is about deployment strategy, not security policy; DevSecOps provides the security guardrails.

  2. B. Security scanning must happen after deployment in GitOps

    Incorrect. This is backwards; pre-deployment scanning (shift-left) is more effective than post-deployment.

  3. C. DevSecOps replaces the need for GitOps

    Incorrect. DevSecOps and GitOps are complementary, not competitive.

  4. D. CI scanning produces secure artifacts for GitOps deployment

    Correct. DevSecOps automates security upstream in CI; GitOps then safely deploys only the artifacts that passed security gates.

How this domain is tested

Related Practices accounts for 16% of the CGOA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 20-question domain bank will close those gaps.