CNPA — Platform Observability, Security, and Conformance

20% of the CNPA exam. Sample questions below; the full library has 24 questions tagged to this domain.

Sample questions on Platform Observability, Security, and Conformance

Platform Observability, Security, and Conformance

Q1. Which of the following correctly describes Kubernetes admission control?

A. A fixed set of kernel-level policies applied by the container runtime on the node for each container.

    Incorrect. Kernel-level policies (seccomp, AppArmor and similar Linux mechanisms) are a different enforcement layer, not admission control.

B. A scheduled CronJob that periodically scans cluster nodes for common security misconfigurations.

    Incorrect. Node scanners are separate security tools, not admission controllers.

C. A passive monitoring tool that reports resource policy violations without ever blocking the request.

    Incorrect. Admission controllers can and often do block non-compliant resources rather than merely report them.

D. A stage in the API request lifecycle where validating or mutating webhooks can enforce policy.

    Correct. Admission controllers, including validating and mutating webhooks, run during API request handling to enforce policy.

Q2. A Kyverno policy uses `generate` to create a default `NetworkPolicy` in every new namespace. A platform engineer observes that newly created namespaces have the `NetworkPolicy` but long-existing ones do not. Which setting most directly addresses this?

A. Move the policy from `ClusterPolicy` to namespaced `Policy` so that every namespace gets it retroactively.

    Incorrect. Switching to a namespaced `Policy` does not retroactively target existing namespaces cluster-wide.

B. Enable `validationFailureAction: Enforce` because generate rules only run when validation is strictly enforced.

    Incorrect. Enforcement is about validation, not about generate rule coverage of existing objects.

C. Enable `synchronize: true` and the `background` scan so Kyverno can backfill existing namespaces that predate the policy.

    Correct. Enabling background scanning with synchronize lets Kyverno reconcile existing namespaces, applying the generate rule retroactively.

D. Recreate every existing namespace in the cluster because generate rules can never apply to already-existing objects.

    Incorrect. Recreating every namespace is unnecessary; background mode handles this.

Q3. Which mechanism in Kubernetes is most appropriate for enforcing pod security standards such as `restricted` at namespace scope?

A. A `PodDisruptionBudget` applied to the namespace to coordinate evictions during voluntary disruption.

    Incorrect. `PodDisruptionBudget` controls eviction during voluntary disruptions, not pod security.

B. Pod Security Admission labels set on the namespace object to enforce a chosen standard policy.

    Correct. Pod Security Admission is the built-in mechanism, configured via namespace labels, for enforcing pod security standards.

C. A `NetworkPolicy` applied cluster-wide to restrict which pods may communicate with each other.

    Incorrect. `NetworkPolicy` controls network traffic, not pod security standards.

D. A `LimitRange` applied to the namespace to set default CPU and memory requests and limits.

    Incorrect. `LimitRange` sets default resource requests and limits, not pod security.

Q4. A namespace is labeled `pod-security.kubernetes.io/enforce=restricted`. A user applies a pod with `securityContext.runAsNonRoot: false` and an image defaulting to `USER 0`. What does the API server do?

A. It rejects the pod at admission because `restricted` forbids running as root and requires `runAsNonRoot: true`.

    Correct. The `restricted` profile forbids running as root; the pod is rejected at admission.

B. It accepts the pod and PSA emits a warning event visible only in the kube-system namespace for auditing.

    Incorrect. `enforce` mode blocks rather than warns; it is `warn` mode that emits warnings.

C. It accepts the pod but kubelet refuses to start the container because PSA is enforced by the runtime, not the API.

    Incorrect. PSA is a validating admission plugin enforced in the API server, not at the kubelet.

D. It mutates the pod spec to set `runAsNonRoot: true` automatically and then admits the modified resource.

    Incorrect. PSA does not mutate; it only validates.

Q5. Which of the following best describes the purpose of signing container images with Cosign?

A. To encrypt image layers so that only explicitly authorized pullers can read their file contents.

    Incorrect. Cosign provides signatures, not content encryption of image layers.

B. To compress image layers and speed up pulls from a distant registry to the cluster node.

    Incorrect. Image compression is a registry/storage concern unrelated to signing.

C. To replace mutable container image tags with immutable SHA digests automatically on every push.

    Incorrect. Digests are an image addressing feature and are independent of signing.

D. To attach verifiable signatures so consumers can confirm image provenance and integrity.

    Correct. Cosign attaches signatures so that consumers can verify who built an image and that it has not been tampered with.

How this domain is tested

Platform Observability, Security, and Conformance accounts for 20% of the CNPA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 24-question domain bank will close those gaps.