Linux Foundation Certified Cloud Native Platform Engineering Associate CNPA Exam Questions

Answer : B

Mutual TLS (mTLS) is the core mechanism for securing service-to-service communication in cloud native environments. Option B is correct because mTLS provides encryption in transit and mutual authentication, ensuring both the client and server verify each other's identity. This prevents unauthorized access, man-in-the-middle attacks, and data leakage.

Option A (API Gateway) manages ingress traffic from external clients but does not secure internal service-to-service communication. Option C (Service Mesh) is a broader infrastructure layer (e.g., Istio, Linkerd) that implements mTLS, but mTLS itself is the mechanism that enforces secure communications. Option D (Load Balancer) distributes traffic but does not handle encryption or authentication.

mTLS is foundational to zero-trust networking inside Kubernetes clusters. Service meshes typically provide automated certificate management and policy enforcement, ensuring seamless adoption of mTLS without requiring developers to modify application code.

--- CNCF Service Mesh Whitepaper

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Answer : C

The HEART framework was developed by Google to measure user experience using both qualitative and quantitative indicators. Option C is correct because HEART stands for Happiness, Engagement, Adoption, Retention, and Task success. In platform engineering, this framework is applied to measure developer experience with internal developer portals (IDPs) and other platform components.

Option A and D misrepresent the acronym by replacing its original user-experience focus with infrastructure-oriented metrics. Option B substitutes Reliability for Retention, which is incorrect.

By applying HEART, platform teams can measure satisfaction (Happiness), frequency of use (Engagement), onboarding success (Adoption), long-term value (Retention), and ability to complete tasks effectively (Task success). This helps teams identify pain points, iterate on golden paths, and improve the usability of their platform.

--- CNCF Platforms Whitepaper

--- Google HEART Framework for UX Measurement

--- Cloud Native Platform Engineering Study Guide

Answer : A

The declarative approach to Infrastructure as Code (IaC) is the foundation of Kubernetes and GitOps practices. Option A is correct because declarative IaC defines the desired state of the infrastructure (e.g., Kubernetes YAML manifests) and relies on controllers or reconciliation loops to ensure the actual state matches the declared one. This allows for automation, consistency, and drift correction without manual intervention.

Option B (imperative) requires explicit step-by-step instructions, which are not automatically enforced after execution. Option C (hybrid) can combine both methods but does not guarantee reconciliation. Option D (manual) is error-prone and eliminates the benefits of IaC entirely.

Declarative IaC reduces cognitive load, improves reproducibility, and ensures compliance through automated drift detection and reconciliation, which are essential in platform engineering for multi-cluster and multi-team environments.

--- CNCF GitOps Principles

--- Kubernetes Declarative Model

--- Cloud Native Platform Engineering Study Guide

Answer : B

One of the primary objectives of internal developer platforms (IDPs) is to improve developer experience by reducing cognitive load. Complex Kubernetes configurations often overwhelm developers who simply want to consume services and deploy code without worrying about infrastructure intricacies.

Option B is correct because implementing a self-service web portal (or developer portal) abstracts away Kubernetes complexities, providing developers with easy access to platform services through standardized workflows, templates, and golden paths. This aligns with platform engineering principles: empowering developers with self-service capabilities while maintaining governance, security, and compliance.

Option A increases burden unnecessarily and negatively impacts productivity. Option C limits access to services, reducing flexibility and developer autonomy, which goes against the core goal of IDPs. Option D, while helpful for education, does not remove complexity---it only shifts the responsibility back to the developer. By leveraging portals, APIs, and automation, platform teams allow developers to focus on building business value instead of managing infrastructure details.

--- CNCF Platforms Whitepaper

--- Team Topologies and Platform Engineering Practices

--- Cloud Native Platform Engineering Study Guide

Answer : C

The best way for platform teams to support data scientists is by enabling easy access to specialized AI/ML workflows, tools, and compute resources. Option C is correct because it empowers data scientists to experiment, train, and deploy models without worrying about the complexities of infrastructure setup. This aligns with platform engineering's principle of self-service with guardrails.

Option A (integrating into standard CI/CD) may help, but AI/ML workflows often require specialized tools like MLflow, Kubeflow, or TensorFlow pipelines. Option B (strict quotas) ensures stability but does not improve usability or productivity. Option D (UI-driven execution only) restricts flexibility and reduces the ability of data scientists to adapt workflows to evolving needs.

By offering AI/ML-specific workflows as golden paths within an Internal Developer Platform (IDP), platform teams improve developer experience for data scientists, accelerate innovation, and ensure compliance and governance.

--- CNCF Platforms Whitepaper

--- CNCF Platform Engineering Maturity Model

--- Cloud Native Platform Engineering Study Guide

Answer : D

The Kubernetes Controller is responsible for continuously reconciling the desired state with the actual state of resources, including custom resources. Option D is correct because controllers watch resources (via the API Server), detect deviations, and take corrective actions to match the desired state defined in manifests. For example, a Deployment controller ensures that the number of Pods matches the replica count, while custom controllers manage CRDs.

Option A (Scheduler) assigns Pods to nodes but does not reconcile state. Option B (Etcd) is the key-value store holding cluster state but does not enforce it. Option C (API Server) exposes the Kubernetes API and validates requests but does not enforce reconciliation.

Controllers embody Kubernetes' declarative management principle and are essential for operators, CRDs, and GitOps workflows that rely on automated state enforcement.

--- CNCF Kubernetes Documentation

--- CNCF GitOps Principles

--- Cloud Native Platform Engineering Study Guide

Answer : A

The most effective way to prevent insecure code from reaching production is to integrate security gates directly into the CI/CD pipeline. Option A is correct because security gates involve automated scanning of dependencies, SBOM generation, code analysis, and policy enforcement during build and test phases. This ensures that vulnerabilities or policy violations are caught early in the development lifecycle.

Option B (load balancing) improves availability but is unrelated to code security. Option C (A/B testing) validates functionality, not security. Option D (caching strategies) affects performance, not code safety.

By embedding automated checks into CI/CD pipelines, teams adopt a shift-left security approach, ensuring compliance and minimizing risks of supply chain attacks. This practice directly supports platform engineering goals of combining security with speed and reducing developer friction through automation.

--- CNCF Supply Chain Security Whitepaper

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide