← CNPA hub

Free CNPA Sample Questions

10 CNPA questions with full explanations for every option, free to view on this page.

Platform APIs and Provisioning Infrastructure

Q1. A platform team exposes a self-service `Database` CRD to developers. Which statement about this approach is most accurate?

Reveal answer and explanations
  1. A Developers must write Rego policies in the `Database` CRD in order to provision a new database instance.

    Incorrect. Rego is not required for creating custom resources; it may be used separately for policy.

  2. B CRDs cannot be used to represent off-cluster infrastructure such as a cloud-managed relational database.

    Incorrect. CRDs can absolutely represent off-cluster infrastructure when paired with an operator or Crossplane.

  3. C Developers can request databases using Kubernetes-native APIs while the platform team owns the backend.

    Correct. Custom resources provide a Kubernetes-native self-service interface, while the platform team controls the underlying implementation.

  4. D The CRD approach removes the need for RBAC and policy controls because the CRD itself is the guardrail.

    Incorrect. RBAC and policy controls are still essential — in fact more so when exposing self-service APIs.

Platform APIs and Provisioning Infrastructure

Q2. A platform team uses OpenAPI v3 validation on a CRD but notices that invalid `spec` values sometimes reach their controller. Which gap is MOST likely?

Reveal answer and explanations
  1. A The CRD is installed in the `kube-system` namespace, which bypasses all OpenAPI validation for legacy compatibility reasons.

    Incorrect. `kube-system` does not bypass validation.

  2. B OpenAPI v3 on CRDs is disabled by default in all modern Kubernetes releases and never applies to new CRDs today.

    Incorrect. OpenAPI v3 validation on CRDs is enabled and widely used.

  3. C The CRD sets `x-kubernetes-preserve-unknown-fields: true` on the field path, letting invalid structures bypass validation.

    Correct. `x-kubernetes-preserve-unknown-fields` disables pruning and validation on that path, letting arbitrary fields pass.

  4. D Controllers always receive objects before validation runs, so some invalid objects reach them regardless of configuration.

    Incorrect. Validation runs before controllers observe objects.

Platform APIs and Provisioning Infrastructure

Q3. Which statement best contrasts Crossplane with Terraform in Kubernetes-native infrastructure provisioning?

Reveal answer and explanations
  1. A Crossplane and Terraform both rely on the exact same HCL configuration language for defining infrastructure.

    Incorrect. Crossplane uses Kubernetes YAML composite resources, not HCL.

  2. B Terraform continuously reconciles desired state without any state file; Crossplane requires a state file to work.

    Incorrect. Terraform is state-based and does not continuously reconcile without external automation.

  3. C Crossplane provisions and reconciles via Kubernetes controllers; Terraform is CLI-invoked and state-based.

    Correct. Crossplane uses Kubernetes controllers to continuously reconcile infrastructure, while Terraform is typically CLI- and state-file-based.

  4. D Crossplane cannot provision cloud resources at all, only in-cluster Kubernetes objects within the same cluster.

    Incorrect. Crossplane provisions cloud resources across many providers.

Platform APIs and Provisioning Infrastructure

Q4. Which statement best contrasts `kubebuilder` with `Kopf` as operator frameworks?

Reveal answer and explanations
  1. A Kubebuilder and Kopf are identical tools published under different names by CNCF; either runs on any supported language.

    Incorrect. They are distinct projects with different language and runtime models.

  2. B Kubebuilder uses Go and controller-runtime; Kopf uses Python and a decorator-style handler model for event-driven logic.

    Correct. Kubebuilder targets Go with controller-runtime; Kopf is a Python operator framework with decorator-driven handlers.

  3. C Kubebuilder only supports in-tree controllers bundled with kube-controller-manager; Kopf only supports out-of-tree operators.

    Incorrect. Kubebuilder is for out-of-tree operators.

  4. D Kubebuilder is a CLI for scaffolding Rego policies; Kopf is a CLI for scaffolding service mesh sidecar configurations.

    Incorrect. Neither is a CLI for Rego or sidecars.

IDPs and Developer Experience

Q5. Which CNCF project is commonly used as the foundation for building an internal developer portal with a software catalog?

Reveal answer and explanations
  1. A Kyverno

    Incorrect. Kyverno is a policy engine, not a developer portal.

  2. B Istio

    Incorrect. Istio is a service mesh, not a portal or catalog.

  3. C Backstage

    Correct. Backstage is a CNCF project for building internal developer portals centered on a software catalog.

  4. D OpenTelemetry

    Incorrect. OpenTelemetry is an observability framework, not a developer portal.

IDPs and Developer Experience

Q6. A Backstage software template scaffolds a new service by creating a GitHub repository and registering it in the catalog. Which file MUST exist in the generated repository so Backstage automatically shows the component in the catalog?

Reveal answer and explanations
  1. A `cncf-catalog.yml`

    Incorrect. No file named `cncf-catalog.yml` is required by Backstage.

  2. B `backstage.json`

    Incorrect. `backstage.json` is not the required catalog entity file.

  3. C `.backstage/registry.toml`

    Incorrect. `.backstage/registry.toml` is not a recognized Backstage path.

  4. D `catalog-info.yaml`

    Correct. `catalog-info.yaml` is the canonical Backstage catalog entity file that makes a repo discoverable.

IDPs and Developer Experience

Q7. Which of the following best describes a `golden path` in a developer portal?

Reveal answer and explanations
  1. A A templated, opinionated workflow for a common use case that embeds organizational best practices.

    Correct. A golden path is a templated, opinionated workflow that bakes in best practices and supported defaults.

  2. B A fully unsupported experimental pipeline that application teams can opt in to at their own risk only.

    Incorrect. Golden paths are supported, not experimental, and are opinionated to guide users.

  3. C A directory of every underlying cloud API presented raw without any opinionated wrappers or defaults.

    Incorrect. Raw cloud APIs are exactly what golden paths abstract away.

  4. D An internal marketplace for developers to purchase third-party SaaS products using a company credit card.

    Incorrect. A SaaS marketplace is a different concept from a developer golden path.

IDPs and Developer Experience

Q8. A platform team compares Backstage, Port, and Cortex. Which statement is MOST accurate?

Reveal answer and explanations
  1. A Backstage is a CNCF open-source framework, while Port and Cortex are commercial SaaS products with managed developer-portal offerings.

    Correct. Backstage is a CNCF open-source project; Port and Cortex are commercial SaaS developer-portal products.

  2. B Backstage, Port, and Cortex are all open-source projects hosted within the CNCF Sandbox as of every recent TOC vote.

    Incorrect. Port and Cortex are not CNCF projects.

  3. C Backstage, Port, and Cortex are all closed-source commercial products built on the same underlying Apache Helm framework.

    Incorrect. Backstage is open source; they are not all closed source and are not built on the same framework.

  4. D Backstage is the only one of the three that supports software catalogs; the others focus solely on incident response workflows.

    Incorrect. Port and Cortex also implement software catalogs, not just incident response.

Continuous Delivery & Platform Engineering

Q9. Which statement best captures the difference between pull-based and push-based CD?

Reveal answer and explanations
  1. A Pull-based CD relies on webhook-driven SSH; push-based CD periodically polls the Git repository for changes.

    Incorrect. Webhook-driven SSH is neither a defining feature of pull-based nor push-based CD.

  2. B Pull-based CD has an agent inside the cluster reconciling from Git; push-based CD uses an external system.

    Correct. Pull-based CD uses an in-cluster agent reconciling from Git, while push-based CD uses an external system applying changes to the cluster.

  3. C Pull-based CD applies manifests from the CI server; push-based CD applies manifests from inside the cluster.

    Incorrect. The description reverses the models; pull-based applies from inside the cluster, not from CI.

  4. D There is no meaningful operational difference between the two delivery models in modern Kubernetes setups.

    Incorrect. The two models differ meaningfully in trust boundaries, credentials, and drift handling.

Continuous Delivery & Platform Engineering

Q10. A blameless postmortem identifies that a broken pipeline merged to main because the team's required CI check was not marked as required on the protected branch. Which remediation is MOST aligned with blameless principles?

Reveal answer and explanations
  1. A Formally reprimand the engineer who pushed the failing commit and require them to attend additional training this quarter.

    Incorrect. Individual punishment contradicts blameless principles.

  2. B Add the missing required check to branch protection via code review, and document the gap in the team's runbook.

    Correct. Fixing the systemic control (branch protection) and documenting the gap is the blameless remediation.

  3. C Remove branch protection entirely so that future incidents do not depend on branch-protection configuration at all.

    Incorrect. Removing controls entirely is worse, not better.

  4. D Rotate the on-call pager away from the team for six months to penalize poor process hygiene during the incident.

    Incorrect. Pager rotation as punishment is a classic blame-oriented response.

Take the full timed CNPA mock90 minutes · 60 questions · free with account

About these questions

These questions are written against the current CNPA curriculum — not scraped exam dumps. The full CNPA library here has 120 questions; the broader platform covers the rest of the Golden Kubestronaut path.