CNPA Mock Exam Simulator

Free Certified Cloud Native Platform Engineering Associate practice questions with full explanations on every option. Platform engineering for cloud-native environments.

Format
multi-choice
Duration
90 min
Pass mark
75%
Study time
2–8 wks
Mocks here
2

CNPA exam domains

Free CNPA sample questions

Platform Engineering Core Fundamentals

Q1. Which of the following describes the benefit of codifying infrastructure as code (IaC)?

Reveal answer and explanations
  1. A IaC allows production changes to ship without any peer review or formal approval process in place.

    Incorrect. IaC enables peer review and approval via code review — it does not remove the need for it.

  2. B IaC makes infrastructure changes reproducible, reviewable, and version-controlled alongside code.

    Correct. IaC provides reproducibility, reviewability through pull requests, and version control of infrastructure state.

  3. C IaC removes the need for automated testing and runtime monitoring once the code is merged.

    Incorrect. IaC complements testing and monitoring; it does not replace them.

  4. D IaC eliminates the need for container runtimes in Kubernetes because manifests replace them.

    Incorrect. IaC provisions infrastructure but does not replace the container runtimes Kubernetes requires.

Platform Observability, Security, and Conformance

Q2. Which of the following best describes how mTLS secures service-to-service communication?

Reveal answer and explanations
  1. A It only encrypts traffic, leaving authentication of both parties entirely to the application layer.

    Incorrect. mTLS authenticates both endpoints; it is not purely an encryption mechanism.

  2. B It only authenticates the server to the client, similar to standard HTTPS sessions used by browsers.

    Incorrect. Server-only authentication is standard one-way TLS, not mutual TLS.

  3. C It encrypts traffic and authenticates both client and server using X.509 certificates for identity.

    Correct. Mutual TLS encrypts the channel and authenticates both sides using X.509 certificates.

  4. D It replaces network policies entirely and removes the need for them in a modern service mesh.

    Incorrect. mTLS and network policies are complementary and operate at different layers.

Continuous Delivery & Platform Engineering

Q3. Which of the following is a common pattern for promoting an application from staging to production using GitOps?

Reveal answer and explanations
  1. A Updating the production overlay or `Application` definition in Git; the GitOps agent reconciles it.

    Correct. Environment promotion in GitOps is typically done by updating the production overlay or `Application` definition in Git.

  2. B Running `kubectl edit` directly on the production cluster to update the image tag for the workload.

    Incorrect. `kubectl edit` bypasses Git and breaks the GitOps invariant.

  3. C Copying pod specifications from staging nodes to production nodes over SSH in a scheduled batch job.

    Incorrect. Copying pod specs between nodes over SSH is both non-standard and non-GitOps.

  4. D Telling the CI server to SSH into each production node and restart the workload pods one by one.

    Incorrect. SSH-based manual operations violate the GitOps reconciliation model.

Platform APIs and Provisioning Infrastructure

Q4. Which Kubernetes project manages the lifecycle of Kubernetes clusters themselves through declarative APIs and controllers?

Reveal answer and explanations
  1. A Flux

    Incorrect. Flux reconciles application state; it does not manage cluster lifecycle itself.

  2. B Cluster API

    Correct. Cluster API (CAPI) provides declarative Kubernetes APIs and controllers for lifecycle management of clusters.

  3. C Gatekeeper

    Incorrect. Gatekeeper is a policy engine, not a cluster lifecycle manager.

  4. D Argo Rollouts

    Incorrect. Argo Rollouts provides progressive delivery; it does not manage cluster lifecycle.

IDPs and Developer Experience

Q5. Which of the following best represents the aim of an internal developer portal (IDP)?

Reveal answer and explanations
  1. A Replace the CI/CD pipeline system entirely with a manually managed ticket queue for tasks

    Incorrect. Manual ticketing is the opposite of self-service that IDPs enable.

  2. B Expose raw Kubernetes API access to every individual developer with no guardrails or abstractions.

    Incorrect. Raw API exposure without guardrails is not the aim of an IDP.

  3. C Provide a unified, discoverable entry point to platform capabilities for application developers.

    Correct. An IDP provides a unified, discoverable entry point to platform capabilities and information for developers.

  4. D Centralize all developer workstation administration and laptop provisioning inside the portal itself.

    Incorrect. Workstation administration is outside the scope of internal developer portals.

Measuring your Platform

Q6. According to DORA's `State of DevOps` classifications, which metric range is MOST consistent with an `elite` performer for deployment frequency?

Reveal answer and explanations
  1. A Deployments roughly once per month during an approved change window with mandatory board approval each time.

    Incorrect. Monthly deployments with board approval match low-performer profiles, not elite.

  2. B Deployments less than one per week but more than one per two weeks on a predictable bi-weekly cadence with manual reviews.

    Incorrect. Bi-weekly is roughly medium-performer territory.

  3. C Deployments once per quarter, aligned with fiscal planning cycles and coordinated with marketing launch windows.

    Incorrect. Quarterly deploys are low-performer cadence.

  4. D Deployments on demand, multiple times per day, into production via an automated pipeline with appropriate safeguards.

    Correct. Elite performers deploy on demand, multiple times per day.

Start the full CNPA mock exam90-min timer · paid plan required

Prerequisites and background knowledge

Kubernetes production experience or KCNA. Familiarity with CI/CD, GitOps, developer portals, and cloud-native observability concepts.

Official reference: cncf.io/training/certification/cnpa.

More CNPA practice resources

Free CNPA sample questions CNPA exam tips

Where to go after CNPA

Once you pass CNPA, these certs are natural next steps on the Golden Kubestronaut path:

KCA — Kyverno Certified AssociateOTCA — OpenTelemetry Certified Associate

Frequently asked questions about CNPA

What is the passing score for CNPA?

75%.

How long is the CNPA exam?

90 minutes, multi-choice format. See the official CNCF page for the current question count.

How difficult is the CNPA exam?

Rated intermediate. Plan 2–8 weeks depending on your background.

How much does the CNPA exam cost?

Pricing changes periodically — check the official CNCF CNPA page at https://www.cncf.io/training/certification/cnpa/.

Are these CNPA mock exams free?

Sample questions on this page are free with no account. Full timed CNPA mocks require a paid plan.

How is this mock exam different from the real CNPA exam?

Original questions written against the official CNCF curriculum — not scraped dumps. Format mirrors the real exam; the real one is proctored, these are self-paced.

What is the best way to study for CNPA?

Work through the official curriculum in order of domain weight (heaviest first), then run full timed mocks until you hit 85%+ consistently.