Linux Foundation CNPA Exam Questions Instant Access

Question 1

For a cloud native platform handling sensitive customer data, which approach ensures compliance with data privacy regulations like GDPR and PCI DSS within a Kubernetes environment?

ARelying on default cloud provider IAM policies with minimal Kubernetes customizations.

BUtilizing standard Kubernetes Secrets with encrypted storage and manual access reviews.

CDeploying a policy engine like Open Policy Agent (OPA) with real-time data masking and audit logging.

DImplementing Kubernetes Role-based access control (RBAC) with basic network policies and periodic manual audits.

Answer : C

Compliance with regulations like GDPR and PCI DSS requires fine-grained control, auditing, and data protection. Option C is correct because deploying a policy engine like Open Policy Agent (OPA) enables dynamic enforcement of policies, real-time data masking, and comprehensive audit logging. This ensures sensitive data is protected while providing traceability and compliance reporting.

Option A is insufficient, as default IAM policies without Kubernetes-level governance do not provide the granularity required for compliance. Option B (Kubernetes Secrets) adds encryption but lacks auditability and runtime enforcement. Option D (RBAC and network policies) improves security posture but does not provide comprehensive compliance coverage or data privacy features like masking and logging.

OPA and similar tools integrate with Kubernetes admission control to enforce compliance policies consistently, providing the flexibility and auditability needed in regulated industries.

--- CNCF Security TAG Best Practices

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 2

In the context of platform engineering and the effective delivery of platform software, which of the following statements describes the role of CI/CD pipelines in relation to Software Bill of Materials (SBOM) and security scanning?

ASBOM generation and security scanning are particularly valuable for application software. While platform software may have different security considerations, these practices are highly beneficial within CI/CD pipelines for applications.

BCI/CD pipelines should integrate SBOM generation and security scanning as automated steps within the build and test phases to ensure early detection of vulnerabilities and maintain a clear inventory of components.

CCI/CD pipelines are designed to accelerate the delivery of platform software, and adding SBOM generation and security scanning would slow down the process, so these activities are better suited for periodic audits conducted outside of the pipeline.

DCI/CD pipelines are primarily for automating deployments; SBOM generation and security scanning are separate, manual processes performed after deployment.

Answer : B

Modern platform engineering requires security and compliance to be integral parts of the delivery process, not afterthoughts. CI/CD pipelines are the foundation for delivering platform software rapidly and reliably, and integrating SBOM generation and automated vulnerability scanning directly within pipelines ensures that risks are identified early in the lifecycle.

Option B is correct because it reflects recommended practices from cloud native platform engineering standards: SBOMs provide a transparent inventory of all software components, including dependencies, which is crucial for vulnerability management, license compliance, and supply chain security. By automating these steps in CI/CD, teams can maintain both velocity and security without manual overhead.

Option A downplays the relevance of SBOMs for platform software, which is inaccurate because platform components (like Kubernetes operators, ingress controllers, or logging agents) are equally susceptible to vulnerabilities. Option C dismisses automation in favor of periodic audits, which contradicts the shift-left security principle. Option D misunderstands CI/CD's purpose: security must be integrated, not separated.

--- CNCF Supply Chain Security Whitepaper

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 3

In the context of observability, which telemetry signal is primarily used to record events that occur within a system and are timestamped?

ALogs

BAlerts

CTraces

DMetrics

Answer : A

Logs are detailed, timestamped records of discrete events that occur within a system. They provide granular insight into what has happened, making them crucial for debugging, auditing, and incident investigations. Option A is correct because logs capture both normal and error events, often containing contextual information such as error codes, user IDs, or request payloads.

Option B (alerts) are secondary outputs generated from telemetry signals like logs or metrics and are not raw data themselves. Option C (traces) represent the flow of requests across distributed systems, showing relationships and latency between services but not arbitrary events. Option D (metrics) are numeric aggregates sampled over intervals (e.g., CPU usage, latency), not discrete, timestamped events.

Observability guidance in cloud native systems emphasizes the 'three pillars' of telemetry: logs, metrics, and traces. Logs are indispensable for root cause analysis and compliance because they preserve historical event context.

--- CNCF Observability Whitepaper

--- OpenTelemetry Documentation (aligned with CNCF)

--- Cloud Native Platform Engineering Study Guide

Question 4

A team wants to deploy a new feature to production for internal users only and be able to instantly disable it if problems occur, without redeploying code. Which strategy is most suitable?

AUse a blue/green deployment to direct internal users to one version and switch as needed.

BUse feature flags to release the feature to selected users and control its availability through settings.

CUse a canary deployment to gradually expose the feature to a small group of random users.

DDeploy the feature to all users and prepare to roll it back manually if an issue is detected.

Answer : B

Feature flags are the most effective way to control feature exposure to specific users, such as internal testers, while enabling fast rollback without redeployment. Option B is correct because feature flags allow teams to decouple deployment from release, giving precise runtime control over feature availability. This means that once the code is deployed, the team can toggle the feature on or off for different cohorts (e.g., internal users) dynamically.

Option A (blue/green deployment) controls traffic between two environments but does not provide user-level granularity. Option C (canary deployments) gradually expose changes but focus on random subsets of users rather than targeted groups such as internal employees. Option D requires redeployment or rollback, which introduces risk and slows down incident response.

Feature flags are widely recognized in platform engineering as a core continuous delivery practice that improves safety, accelerates experimentation, and enhances resilience by enabling immediate mitigation of issues.

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

--- Continuous Delivery Foundation Guidance

Question 5

Which approach is an effective method for securing secrets in CI/CD pipelines?

AStoring secrets in configuration files with restricted access.

BStoring secrets and encrypting them in a secrets manager.

CStoring secrets as plain-text environment variables managed through config files.

DEncoding secrets in the source code using base64.

Answer : B

The most secure and scalable method for handling secrets in CI/CD pipelines is to use a secrets manager with encryption. Option B is correct because solutions like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets (backed by KMS) securely store, encrypt, and control access to sensitive values such as API keys, tokens, or credentials.

Option A (restricted config files) may protect secrets but lacks auditability and rotation capabilities. Option C (plain-text environment variables) exposes secrets to accidental leaks through logs or misconfigurations. Option D (base64 encoding) is insecure because base64 is an encoding, not encryption, and secrets can be trivially decoded.

Using a secrets manager ensures secure retrieval, audit trails, access policies, and secret rotation. This aligns with supply chain security and zero-trust practices, reducing risks of credential leakage in CI/CD pipelines.

--- CNCF Security TAG Best Practices

--- CNCF Platforms Whitepaper

--- Cloud Native Platform Engineering Study Guide

Question 6

Which of the following would be considered an advantage of using abstract APIs when offering cloud service provisioning and management as platform services?

AAbstractions enforce explicit platform team approval before any cloud resource is deployed.

BAbstractions curate cloud services with built-in guardrails for development teams.

CAbstractions allow customization of cloud services and resources without guardrails.

DDevelopment teams can arbitrarily deploy cloud services via abstractions.

Answer : B

Abstract APIs are an essential component of platform engineering, providing a simplified interface for developers to consume infrastructure and cloud services without deep knowledge of provider-specific details. Option B is correct because abstractions allow platform teams to curate services with built-in guardrails, ensuring compliance, security, and operational standards are enforced automatically. Developers get the benefit of self-service and flexibility while the platform team ensures governance.

Option A would slow down the process, defeating the purpose of abstraction. Option C removes guardrails, which risks security and compliance violations. Option D allows uncontrolled deployments, which can create chaos and undermine platform governance.

Abstract APIs strike the balance between developer experience and organizational control. They provide golden paths and opinionated defaults while maintaining the flexibility needed for developer productivity. This approach ensures efficient service provisioning at scale with reduced cognitive load on developers.

--- CNCF Platforms Whitepaper

--- CNCF Platform Engineering Maturity Model

--- Cloud Native Platform Engineering Study Guide

Question 7

In a GitOps workflow, what is a secure and efficient method for managing secrets within a Git repository?

AUse environment variables to manage secrets outside the repository.

BUse a secrets management tool and store references in the repository.

CEncrypt secrets and store them directly in the repository.

DStore secrets in plain text within the repository.

Answer : B

The secure and efficient way to handle secrets in a GitOps workflow is to use a dedicated secrets management tool (e.g., HashiCorp Vault, Sealed Secrets, or External Secrets Operator) and store only references or encrypted placeholders in the Git repository. Option B is correct because Git should remain the source of truth for configuration, but sensitive values should be abstracted or encrypted to maintain security.

Option A (environment variables) can supplement secret management but lacks versioning and auditability when used alone. Option C (encrypting secrets in Git) can work with tools like Mozilla SOPS, but it still requires external key management, making Option B a more complete and secure approach. Option D (plain text secrets) is highly insecure and should never be used.

By integrating secrets managers into GitOps workflows, teams achieve both security and automation, ensuring secrets are delivered securely during reconciliation without exposing sensitive data in Git.

--- CNCF GitOps Principles

--- CNCF Supply Chain Security Whitepaper

--- Cloud Native Platform Engineering Study Guide

Linux Foundation Certified Cloud Native Platform Engineering Associate CNPA Exam Questions