← CNPA hub

CNPA — Platform APIs and Provisioning Infrastructure

12% of the CNPA exam. Sample questions below; the full library has 14 questions tagged to this domain.

Sample questions on Platform APIs and Provisioning Infrastructure

Platform APIs and Provisioning Infrastructure

Q1. Which statement best contrasts Crossplane with Terraform in Kubernetes-native infrastructure provisioning?

Reveal answer and explanations
  1. A Crossplane and Terraform both rely on the exact same HCL configuration language for defining infrastructure.

    Incorrect. Crossplane uses Kubernetes YAML composite resources, not HCL.

  2. B Terraform continuously reconciles desired state without any state file; Crossplane requires a state file to work.

    Incorrect. Terraform is state-based and does not continuously reconcile without external automation.

  3. C Crossplane provisions and reconciles via Kubernetes controllers; Terraform is CLI-invoked and state-based.

    Correct. Crossplane uses Kubernetes controllers to continuously reconcile infrastructure, while Terraform is typically CLI- and state-file-based.

  4. D Crossplane cannot provision cloud resources at all, only in-cluster Kubernetes objects within the same cluster.

    Incorrect. Crossplane provisions cloud resources across many providers.

Platform APIs and Provisioning Infrastructure

Q2. Which statement best contrasts `kubebuilder` with `Kopf` as operator frameworks?

Reveal answer and explanations
  1. A Kubebuilder and Kopf are identical tools published under different names by CNCF; either runs on any supported language.

    Incorrect. They are distinct projects with different language and runtime models.

  2. B Kubebuilder uses Go and controller-runtime; Kopf uses Python and a decorator-style handler model for event-driven logic.

    Correct. Kubebuilder targets Go with controller-runtime; Kopf is a Python operator framework with decorator-driven handlers.

  3. C Kubebuilder only supports in-tree controllers bundled with kube-controller-manager; Kopf only supports out-of-tree operators.

    Incorrect. Kubebuilder is for out-of-tree operators.

  4. D Kubebuilder is a CLI for scaffolding Rego policies; Kopf is a CLI for scaffolding service mesh sidecar configurations.

    Incorrect. Neither is a CLI for Rego or sidecars.

Platform APIs and Provisioning Infrastructure

Q3. A platform team exposes a self-service `Database` CRD to developers. Which statement about this approach is most accurate?

Reveal answer and explanations
  1. A Developers must write Rego policies in the `Database` CRD in order to provision a new database instance.

    Incorrect. Rego is not required for creating custom resources; it may be used separately for policy.

  2. B CRDs cannot be used to represent off-cluster infrastructure such as a cloud-managed relational database.

    Incorrect. CRDs can absolutely represent off-cluster infrastructure when paired with an operator or Crossplane.

  3. C Developers can request databases using Kubernetes-native APIs while the platform team owns the backend.

    Correct. Custom resources provide a Kubernetes-native self-service interface, while the platform team controls the underlying implementation.

  4. D The CRD approach removes the need for RBAC and policy controls because the CRD itself is the guardrail.

    Incorrect. RBAC and policy controls are still essential — in fact more so when exposing self-service APIs.

Platform APIs and Provisioning Infrastructure

Q4. A platform team uses OpenAPI v3 validation on a CRD but notices that invalid `spec` values sometimes reach their controller. Which gap is MOST likely?

Reveal answer and explanations
  1. A The CRD is installed in the `kube-system` namespace, which bypasses all OpenAPI validation for legacy compatibility reasons.

    Incorrect. `kube-system` does not bypass validation.

  2. B OpenAPI v3 on CRDs is disabled by default in all modern Kubernetes releases and never applies to new CRDs today.

    Incorrect. OpenAPI v3 validation on CRDs is enabled and widely used.

  3. C The CRD sets `x-kubernetes-preserve-unknown-fields: true` on the field path, letting invalid structures bypass validation.

    Correct. `x-kubernetes-preserve-unknown-fields` disables pruning and validation on that path, letting arbitrary fields pass.

  4. D Controllers always receive objects before validation runs, so some invalid objects reach them regardless of configuration.

    Incorrect. Validation runs before controllers observe objects.

Platform APIs and Provisioning Infrastructure

Q5. Which statement best describes the Kubernetes reconciliation loop?

Reveal answer and explanations
  1. A Controllers watch resources, compare desired state with actual state, and act to converge them continuously.

    Correct. Controllers continuously watch resources, compare desired to actual state, and act to reconcile drift.

  2. B The API server applies changes once during admission and controllers never run after the write is persisted.

    Incorrect. Controllers reconcile continuously; admission is only the gating step of a resource write.

  3. C Kubelet on each node polls etcd directly to modify cluster-wide desired state for the workloads it runs.

    Incorrect. Kubelet operates at the node level and does not poll etcd to mutate cluster-wide desired state.

  4. D The scheduler alone performs all reconciliation between desired state and actual state of the whole cluster.

    Incorrect. The scheduler handles pod placement but is only one of many controllers that participate in reconciliation.

Drill Platform APIs and Provisioning Infrastructure with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

Platform APIs and Provisioning Infrastructure accounts for 12% of the CNPA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 14-question domain bank will close those gaps.