Platform engineering for cloud-native environments. Free practice questions sampled from our full 120-question bank, with detailed explanations for every option.
Format: multi-choice
Duration: 90 min
Pass mark: 75%
Study time: 2–8 wks
Mocks here: 2
What the CNPA exam tests
The Certified Cloud Native Platform Engineering Associate exam is structured around 6 weighted domains. Each domain link below opens a focused practice page with sample questions from that area.
One representative question per domain, drawn from the 120-question pool. Each question is followed by the correct option and an explanation for every distractor.
Platform Engineering Core Fundamentals
Q1. Which of the following describes the benefit of codifying infrastructure as code (IaC)?
A. IaC allows production changes to ship without any peer review or formal approval process in place.
Incorrect. IaC enables peer review and approval via code review — it does not remove the need for it.
B. IaC makes infrastructure changes reproducible, reviewable, and version-controlled alongside code.
Correct. IaC provides reproducibility, reviewability through pull requests, and version control of infrastructure state.
C. IaC removes the need for automated testing and runtime monitoring once the code is merged.
Incorrect. IaC complements testing and monitoring; it does not replace them.
D. IaC eliminates the need for container runtimes in Kubernetes because manifests replace them.
Incorrect. IaC provisions infrastructure but does not replace the container runtimes Kubernetes requires.
Platform Observability, Security, and Conformance
Q2. Which of the following best describes how mTLS secures service-to-service communication?
A. It only encrypts traffic, leaving authentication of both parties entirely to the application layer.
Incorrect. mTLS authenticates both endpoints; it is not purely an encryption mechanism.
B. It only authenticates the server to the client, similar to standard HTTPS sessions used by browsers.
Incorrect. Server-only authentication is standard one-way TLS, not mutual TLS.
C. It encrypts traffic and authenticates both client and server using X.509 certificates for identity.
Correct. Mutual TLS encrypts the channel and authenticates both sides using X.509 certificates.
D. It replaces network policies entirely and removes the need for them in a modern service mesh.
Incorrect. mTLS and network policies are complementary and operate at different layers.
Continuous Delivery & Platform Engineering
Q3. Which of the following is a common pattern for promoting an application from staging to production using GitOps?
A. Updating the production overlay or `Application` definition in Git; the GitOps agent reconciles it.
Correct. Environment promotion in GitOps is typically done by updating the production overlay or `Application` definition in Git.
B. Running `kubectl edit` directly on the production cluster to update the image tag for the workload.
Incorrect. `kubectl edit` bypasses Git and breaks the GitOps invariant.
C. Copying pod specifications from staging nodes to production nodes over SSH in a scheduled batch job.
Incorrect. Copying pod specs between nodes over SSH is both non-standard and non-GitOps.
D. Telling the CI server to SSH into each production node and restart the workload pods one by one.
Incorrect. SSH-based manual operations violate the GitOps reconciliation model.
Platform APIs and Provisioning Infrastructure
Q4. Which Kubernetes project manages the lifecycle of Kubernetes clusters themselves through declarative APIs and controllers?
A. Flux
Incorrect. Flux reconciles application state; it does not manage cluster lifecycle itself.
B. Cluster API
Correct. Cluster API (CAPI) provides declarative Kubernetes APIs and controllers for lifecycle management of clusters.
C. Gatekeeper
Incorrect. Gatekeeper is a policy engine, not a cluster lifecycle manager.
D. Argo Rollouts
Incorrect. Argo Rollouts provides progressive delivery; it does not manage cluster lifecycle.
IDPs and Developer Experience
Q5. Which of the following best represents the aim of an internal developer portal (IDP)?
A. Replace the CI/CD pipeline system entirely with a manually managed ticket queue for every change.
Incorrect. Manual ticketing is the opposite of self-service that IDPs enable.
B. Expose raw Kubernetes API access to every individual developer with no guardrails or abstractions.
Incorrect. Raw API exposure without guardrails is not the aim of an IDP.
C. Provide a unified, discoverable entry point to platform capabilities for application developers.
Correct. An IDP provides a unified, discoverable entry point to platform capabilities and information for developers.
D. Centralize all developer workstation administration and laptop provisioning inside the portal itself.
Incorrect. Workstation administration is outside the scope of internal developer portals.
Measuring your Platform
Q6. According to DORA's `State of DevOps` classifications, which metric range is MOST consistent with an `elite` performer for deployment frequency?
A. Deployments roughly once per month during an approved change window with mandatory board approval each time.
Incorrect. Monthly deployments with board approval match low-performer profiles, not elite.
B. Deployments less than one per week but more than one per two weeks on a predictable bi-weekly cadence with manual reviews.
Incorrect. Bi-weekly is roughly medium-performer territory.
C. Deployments once per quarter, aligned with fiscal planning cycles and coordinated with marketing launch windows.
Incorrect. Quarterly deploys are low-performer cadence.
D. Deployments on demand, multiple times per day, into production via an automated pipeline with appropriate safeguards.
Correct. Elite performers deploy on demand, multiple times per day.
Roughly 2–8 weeks of focused study, but it depends heavily on what you already know. Engineers with hands-on production Kubernetes (or Cilium / Argo / OTel / etc. for project-specific certs) can compress this to a week or two of mocks; people coming in cold should expect the upper end. The exam is multi-choice and recall-heavy — practice exams matter more than reading documentation cover to cover. Aim for 85%+ on full timed mocks before booking the real exam.
Why this practice library
This library was built by a Platform Engineer chasing Golden Kubestronaut who got frustrated by the lack of decent practice material for the associate-tier CNCF exams. Question banks track curriculum updates from CNCF and Linux Foundation.