Linux Foundation Certified Cloud Native Platform Engineering Associate CNPA Exam Practice Test

Page: 1 / 14
Total 85 questions
Question 1

During a CI/CD pipeline review, the team discusses methods to prevent insecure code from being introduced into production. Which practice is most effective for this purpose?



Answer : A

The most effective way to prevent insecure code from reaching production is to integrate security gates directly into the CI/CD pipeline. Option A is correct because security gates involve automated scanning of dependencies, SBOM generation, code analysis, and policy enforcement during build and test phases. This ensures that vulnerabilities or policy violations are caught early in the development lifecycle.

Option B (load balancing) improves availability but is unrelated to code security. Option C (A/B testing) validates functionality, not security. Option D (caching strategies) affects performance, not code safety.

By embedding automated checks into CI/CD pipelines, teams adopt a shift-left security approach, ensuring compliance and minimizing risks of supply chain attacks. This practice directly supports platform engineering goals of combining security with speed and reducing developer friction through automation.


--- CNCF Supply Chain Security Whitepaper

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 2

A platform team wants to let developers provision cloud services like S3 buckets and databases using Kubernetes-native APIs, without exposing cloud-specific details. Which tool is best suited for this?



Answer : B

Crossplane is the CNCF project designed to extend Kubernetes with the ability to provision and manage cloud resources via Kubernetes-native APIs. Option B is correct because Crossplane lets developers use familiar Kubernetes manifests to request resources like S3 buckets, databases, or VPCs while abstracting provider-specific implementation details. Platform teams can define compositions and abstractions, providing developers with golden paths that include organizational guardrails.

Option A (Cluster API) is focused on provisioning Kubernetes clusters themselves, not cloud services. Option C (Helm) manages Kubernetes application deployments but does not provision external infrastructure. Option D (OpenTofu) is a Terraform fork that provides IaC but is not Kubernetes-native.

By leveraging Crossplane, platform teams achieve infrastructure as data and full GitOps integration, empowering developers to provision services declaratively while ensuring governance and compliance.


--- CNCF Crossplane Project Documentation

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 3

What is the primary purpose of Kubernetes runtime security?



Answer : B

The main purpose of Kubernetes runtime security is to protect workloads during execution. Option B is correct because runtime security focuses on monitoring active Pods, containers, and processes to detect and prevent malicious activity such as privilege escalation, anomalous network connections, or unauthorized file access.

Option A (etcd encryption) addresses data at rest, not runtime. Option C (image scanning) occurs pre-deployment, not during execution. Option D (API access control) is enforced through RBAC and IAM, not runtime security.

Runtime security solutions (e.g., Falco, Cilium, or Kyverno) continuously observe system calls, network traffic, and workload behaviors to enforce policies and detect threats in real time. This ensures compliance, strengthens defenses in zero-trust environments, and provides critical protection for cloud native workloads in production.


--- CNCF Security TAG Guidance

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 4

What is the primary goal of platform engineering?



Answer : D

The primary goal of platform engineering is to create reusable, scalable platforms that improve both developer productivity and developer experience. Option D is correct because platform engineering treats the platform as a product, providing self-service capabilities, abstractions, and golden paths that reduce cognitive load for developers while embedding organizational guardrails.

Option A is too narrow---platform engineering is not limited to infrastructure automation but extends to developer usability, observability, and governance. Option B is incorrect because limiting access contradicts the principle of empowering developers through self-service. Option C is misleading; platform engineering complements DevOps practices but does not replace them.

By enabling developers to consume infrastructure and platform services through self-service APIs and portals, platform teams accelerate delivery cycles while maintaining compliance and security. This approach results in improved efficiency, reduced toil, and better alignment between business and engineering outcomes.


--- CNCF Platforms Whitepaper

--- CNCF Platform Engineering Maturity Model

--- Cloud Native Platform Engineering Study Guide

Question 5

Which IaC approach ensures Kubernetes infrastructure maintains its desired state automatically?



Answer : A

The declarative approach to Infrastructure as Code (IaC) is the foundation of Kubernetes and GitOps practices. Option A is correct because declarative IaC defines the desired state of the infrastructure (e.g., Kubernetes YAML manifests) and relies on controllers or reconciliation loops to ensure the actual state matches the declared one. This allows for automation, consistency, and drift correction without manual intervention.

Option B (imperative) requires explicit step-by-step instructions, which are not automatically enforced after execution. Option C (hybrid) can combine both methods but does not guarantee reconciliation. Option D (manual) is error-prone and eliminates the benefits of IaC entirely.

Declarative IaC reduces cognitive load, improves reproducibility, and ensures compliance through automated drift detection and reconciliation, which are essential in platform engineering for multi-cluster and multi-team environments.


--- CNCF GitOps Principles

--- Kubernetes Declarative Model

--- Cloud Native Platform Engineering Study Guide

Question 6

In a scenario where an Internal Developer Platform (IDP) is being used to enable developers to self-service provision products and capabilities such as Namespace-as-a-Service, which answer best describes who is responsible for resolving application-related incidents?



Answer : C

Platform engineering clearly separates responsibilities between platform teams and application teams. Option C is correct because platform teams manage the platform and infrastructure layer, ensuring stability, compliance, and availability, while application teams own their applications, including troubleshooting application-specific issues.

Option A (creating a single merged team) introduces inefficiency and removes specialization. Option B incorrectly suggests application teams should also solve infrastructure issues, which conflicts with platform-as-a-product principles. Option D places all responsibilities on platform teams, which creates bottlenecks and undermines application team ownership.

By splitting responsibilities, IDPs empower developers with self-service provisioning while maintaining clear boundaries. This ensures both agility and accountability: platform teams focus on enabling and securing the platform, while application teams take ownership of their code and services.


--- CNCF Platforms Whitepaper

--- Team Topologies (Platform as a Product Model)

--- Cloud Native Platform Engineering Study Guide

Question 7

In a GitOps setup, which of the following correctly describes the interaction between components when using a pull-based approach?



Answer : A

GitOps uses a pull-based approach, where controllers inside the cluster continuously reconcile the desired state stored in Git with the actual cluster state. Option A is correct because GitOps sync agents (e.g., Argo CD, Flux) poll or watch Git repositories for changes and automatically apply updates to the cluster.

Option B reverses the model---clusters do not send updates to Git; Git is the source of truth. Option C is partially misleading: webhooks can trigger faster syncs but reconciliation is still pull-based. Option D misrepresents GitOps---Git never pushes directly to clusters.

This pull-based approach ensures greater security (clusters pull changes rather than exposing themselves to pushes), consistency (Git as source of truth), and continuous reconciliation (drift correction).


--- CNCF GitOps Principles

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Page:    1 / 14   
Total 85 questions