
📦 Kubernetes / EKS Objects — Interview Q&A (3–5 Line Answers)


🔹 Deployment

Q1 — What is a Deployment in Kubernetes? A Deployment manages stateless applications and ensures that the desired number of pod replicas is always running. It manages ReplicaSets automatically and supports rolling updates and rollbacks. You can update container images and configs without downtime. Most web apps and APIs run as Deployments.

Q2 — What features does a Deployment give in real production use? It provides rolling updates, rollout history, rollback, and declarative scaling. You can control update speed using maxSurge and maxUnavailable. It integrates with HPA for autoscaling. It's the default controller for stateless workloads.
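The maxSurge / maxUnavailable bounds mentioned above follow rounding rules that are easy to get wrong (percentages for maxSurge round up, for maxUnavailable round down, and a 0/0 result is corrected by the controller). The following is an added example, not code from the original notes; it computes how many pods can exist and how many must stay available during a rollout, using the Kubernetes defaults of 25% when nothing is set.

```python
import math


def _resolve(value, replicas, round_up):
    """Resolve an int or percentage string (e.g. "25%") against the replica count.
    Kubernetes rounds maxSurge up and maxUnavailable down."""
    if isinstance(value, str) and value.endswith("%"):
        raw = replicas * int(value[:-1]) / 100
        return math.ceil(raw) if round_up else math.floor(raw)
    return int(value)


def rollout_bounds(replicas, max_surge="25%", max_unavailable="25%"):
    """Return how many pods may exist and how many must stay available during a rollout.
    The defaults are the Kubernetes defaults for a RollingUpdate Deployment."""
    surge = _resolve(max_surge, replicas, round_up=True)
    unavailable = _resolve(max_unavailable, replicas, round_up=False)
    # The API rejects an explicit 0/0, but a small percentage can round down to 0.
    # The Deployment controller then forces maxUnavailable to 1 so the rollout can progress.
    if surge == 0 and unavailable == 0:
        unavailable = 1
    return {
        "max_surge": surge,
        "max_unavailable": unavailable,
        "max_total_pods": replicas + surge,
        "min_available_pods": replicas - unavailable,
    }


if __name__ == "__main__":
    # Constructed inputs: a 10-replica Deployment with the defaults.
    print(rollout_bounds(10))
    # A zero-downtime profile: never remove an old pod before a new one is ready.
    print(rollout_bounds(10, max_surge=1, max_unavailable=0))
```

For a user-facing service the second profile (maxSurge 1, maxUnavailable 0) is the safe choice: capacity never drops below the declared replica count while the rollout runs.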


🔹 StatefulSet

Q1 — What is a StatefulSet? A StatefulSet is used for stateful applications that require stable pod identity and persistent storage. Each pod gets a fixed name and its own persistent volume. Pods are created and terminated in order. It is common for databases and clustered systems.

Q2 — What is the difference between StatefulSet and Deployment? Deployment pods are interchangeable and randomly named. StatefulSet pods have stable identity and ordered startup/shutdown. StatefulSets usually use headless Services for stable DNS. Storage is tightly bound to each pod instance.


🔹 DaemonSet

Q1 — What is a DaemonSet? A DaemonSet ensures one pod runs on every node (or on selected nodes) in the cluster. It's mainly used for node-level agents. When new nodes join, pods are automatically added. When nodes are removed, pods are cleaned up.

Q2 — Where is DaemonSet used in EKS clusters? It is used for log collectors (Fluent Bit), monitoring agents (node-exporter), and CNI plugins. These services must run on every node to function correctly. It's not used for user-facing apps.


🔹 Job

Q1 — What is a Job object? A Job runs pods until a task successfully completes. It's used for one-time or finite batch tasks. Kubernetes retries if the pod fails. Once completed, it does not restart automatically.

Q2 — When should you use a Job instead of a Deployment? Use a Job for batch processing, DB migrations, or data fixes. A Deployment is for continuously running services. Jobs are completion-based, not uptime-based.


🔹 CronJob

Q1 — What is a CronJob? A CronJob schedules Jobs at fixed times using cron format. It's used for periodic tasks like backups and cleanup jobs. It creates a new Job at each scheduled time. It depends on the controller manager to trigger runs.

Q2 — What are the key CronJob configs to know? Important fields are schedule, concurrencyPolicy, and successfulJobsHistoryLimit. concurrencyPolicy prevents overlapping runs. Without history limits, old Job objects can fill etcd.


🔹 Service

Q1 — What is a Service in Kubernetes? A Service provides a stable IP and DNS name for a group of pods. It routes traffic using label selectors. This abstracts away changing pod IPs. Internal pod-to-pod communication usually goes through Services.

Q2 — What are the Service types and when is each used? ClusterIP for internal access, NodePort for node-level exposure, LoadBalancer for external access through the cloud provider. In EKS, a LoadBalancer Service creates an AWS NLB/CLB automatically. Most internal microservices use ClusterIP.


🔹 Ingress

Q1 — What is Ingress? Ingress is an API object that manages HTTP/HTTPS routing into the cluster. It supports host- and path-based routing. It requires an Ingress Controller to work. In EKS, the AWS Load Balancer Controller is commonly used.

Q2 — Why prefer Ingress over multiple LoadBalancer Services? Ingress reduces cost and complexity by using one ALB for many services. It centralizes TLS and routing rules. It is better suited to microservice architectures.


🔹 ConfigMap

Q1 — What is a ConfigMap? A ConfigMap stores non-sensitive configuration like URLs and feature flags. It decouples config from container images. Pods can consume it as env vars or mounted files. This avoids rebuilding images for config changes.

Q2 — How do ConfigMap updates behave? Mounted ConfigMap volumes update automatically. Env var usage requires a pod restart. Many teams use checksum annotations to trigger a rollout on change.


🔹 Secret

Q1 — What is a Secret? A Secret stores sensitive data like passwords and API keys. Its data is only base64-encoded, not encrypted, unless encryption at rest is enabled. Access is controlled via RBAC. Pods consume it like ConfigMaps.

Q2 — How are Secrets secured in EKS? You can enable KMS envelope encryption for etcd. Secrets are often integrated with AWS Secrets Manager via the External Secrets operator. Avoid storing plain secrets in Git.
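To make the two points above concrete (base64 is not encryption, and inline Secret payloads do not belong in Git), here is an added example that is not part of the original notes. It decodes a Secret manifest's data to show the plaintext is one call away, and scans a list of parsed manifests for Secrets carrying inline data and ConfigMaps whose keys look like credentials. The manifests and the credential-key regex are constructed for this example; the ExternalSecret object shows the shape of the External Secrets operator pattern the notes recommend.

```python
import base64
import re

# Keys in a ConfigMap that look like credentials; constructed heuristic for this example.
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def decode_secret_data(secret):
    """Return the plaintext of a Secret's data/stringData fields.
    base64 is an encoding, not encryption: anyone who can read the object reads the value."""
    plain = {}
    for key, value in (secret.get("data") or {}).items():
        plain[key] = base64.b64decode(value).decode("utf-8")
    for key, value in (secret.get("stringData") or {}).items():
        plain[key] = value
    return plain


def find_inline_credentials(manifests):
    """Flag manifests that should not be committed to Git as-is:
    Secrets that carry their payload inline, and ConfigMaps holding credential-like keys."""
    findings = []
    for m in manifests:
        meta = m.get("metadata", {})
        ref = f'{m["kind"]}/{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        if m["kind"] == "Secret" and (m.get("data") or m.get("stringData")):
            findings.append((ref, "inline Secret payload; source it from AWS Secrets Manager via External Secrets instead"))
        elif m["kind"] == "ConfigMap":
            for key in (m.get("data") or {}):
                if CREDENTIAL_KEY.search(key):
                    findings.append((ref, f"ConfigMap key {key!r} looks like a credential; move it to a Secret"))
    return findings


# Constructed sample manifests (parsed YAML as dicts), not from any real cluster.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "payments"},
        "type": "Opaque",
        "data": {"password": base64.b64encode(b"example-not-a-real-password").decode()},
    },
    {
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "app-config", "namespace": "payments"},
        "data": {"DB_HOST": "db.payments.svc", "DB_PASSWORD": "example-leaked-value"},
    },
    {
        # An External Secrets object only references the store; nothing sensitive is inline.
        "apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
        "metadata": {"name": "db-creds", "namespace": "payments"},
        "spec": {"secretStoreRef": {"name": "aws-secrets-manager", "kind": "ClusterSecretStore"}},
    },
]


if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_MANIFESTS[0]))
    for ref, why in find_inline_credentials(SAMPLE_MANIFESTS):
        print(f"{ref}: {why}")
```

A check like this fits naturally as a pre-commit hook or CI step over the manifests directory; the ConfigMap rule catches the common mistake of "temporarily" putting a password where no RBAC restriction on Secrets applies.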


🔹 HPA

Q1 — What is HPA? The Horizontal Pod Autoscaler automatically scales pod replicas based on metrics. The default metrics are CPU and memory. It queries metrics-server. It updates the Deployment replica count dynamically.

Q2 — What must be defined for HPA to work correctly? Resource requests must be set on containers. Without requests, the utilization math fails. metrics-server must be installed and healthy.
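Why requests matter becomes obvious once the scaling formula is written out: utilization is usage divided by the request, and the HPA computes ceil(currentReplicas × currentUtilization / targetUtilization). The following is an added example, not code from the original notes; it lists containers in a Deployment that lack a CPU request and reproduces the replica calculation, including the default 10% tolerance band inside which the HPA makes no change. The Deployment manifest is constructed.

```python
import math


def containers_missing_request(deployment, resource="cpu"):
    """Names of containers in a Deployment that declare no request for `resource`.
    A utilization-based HPA needs the request as the denominator; without it the metric is undefined."""
    missing = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        requests = c.get("resources", {}).get("requests", {})
        if not requests.get(resource):
            missing.append(c["name"])
    return missing


def desired_replicas(current_replicas, avg_usage_millicores, request_millicores,
                     target_utilization_pct, min_replicas=1, max_replicas=10, tolerance=0.1):
    """Replica count the HPA control loop would choose for a CPU utilization target.
    Implements ceil(currentReplicas * currentUtilization / targetUtilization),
    skipping the change when the ratio is within the default 10% tolerance band."""
    if request_millicores <= 0:
        raise ValueError("cpu request is missing; utilization cannot be computed")
    utilization_pct = avg_usage_millicores / request_millicores * 100
    ratio = utilization_pct / target_utilization_pct
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas
    return max(min_replicas, min(max_replicas, math.ceil(current_replicas * ratio)))


# Constructed Deployment: the app container sets a request, the sidecar does not.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example/api:1.0",
         "resources": {"requests": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "log-sidecar", "image": "example/sidecar:1.0"},
    ]}}},
}


if __name__ == "__main__":
    print("containers without a cpu request:", containers_missing_request(SAMPLE_DEPLOYMENT))
    # 3 replicas averaging 400m against a 500m request (80%) with a 50% target -> scale to 5
    print(desired_replicas(3, 400, 500, 50))
```

In a real cluster the average usage comes from metrics-server, which is why the notes list a healthy metrics-server as the second prerequisite.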


🔹 kube-controller-manager (EKS managed)

Q1 — What does kube-controller-manager do? It runs the background controllers that reconcile desired versus actual state. It includes the Deployment, Node, Job, and Endpoint controllers. It continuously watches the API server and makes corrections.

Q2 — Why is it critical? Without it, objects won't self-heal or scale. Replica counts won't be maintained. The cluster stops reconciling.


🔹 kube-scheduler (EKS managed)

Q1 — What is kube-scheduler? The scheduler decides which node a pod runs on. It evaluates resources and constraints. It does not create pods — it only assigns nodes.

Q2 — What factors affect scheduling decisions? CPU/memory requests, affinity rules, taints/tolerations, and topology spread. Bad rules can make pods unschedulable.


🔹 kube-proxy

Q1 — What is kube-proxy? kube-proxy manages Service networking rules on each node. It programs iptables or IPVS rules. It enables routing from Service IPs to pods.

Q2 — What happens if kube-proxy fails? Service traffic routing breaks. Pods may run but cannot be reached via the Service IP.


Continuing — more Kubernetes + EKS objects/components, each with 2 interview questions and 3–5 line practical answers. Still interview-style, still clean, still useful for your notes.


📦 Kubernetes / EKS Objects — Interview Q&A (Set 2)


🔹 PersistentVolume (PV)

Q1 — What is a PersistentVolume (PV)? A PersistentVolume is a cluster-level storage resource that provides the actual backing storage. It can be created manually or dynamically by a StorageClass. A PV exists independently of pods. It represents real storage like EBS or EFS in EKS.

Q2 — Who usually creates the PV in EKS setups? Mostly it is created dynamically using CSI drivers and a StorageClass. When a PVC is created, Kubernetes provisions the PV automatically. Manual PVs are rare in cloud-native setups.


🔹 PersistentVolumeClaim (PVC)

Q1 — What is a PVC? A PVC is a storage request made by a pod. It specifies size, access mode, and storage class. Kubernetes binds it to a matching PV. Pods use the PVC, not the PV directly.

Q2 — What happens if a PVC cannot bind? The pod stays Pending with volume binding errors. This is usually due to a wrong storage class, size, or access mode mismatch. The Events section shows the reason.


🔹 StorageClass

Q1 — What is a StorageClass? A StorageClass defines how storage should be provisioned dynamically. It includes the provisioner type, parameters, and reclaim policy. In EKS, gp2/gp3 EBS CSI classes are common.

Q2 — Why is the reclaim policy important? It controls what happens after PVC deletion — Delete or Retain. Delete removes the cloud disk automatically. Retain keeps the disk for manual recovery.
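The binding failures listed under PVC above (wrong storage class, size, or access mode) follow directly from the matching rules between a claim and a volume. The code below is an added example, not from the original notes: it replays those checks against a set of candidate PVs and returns the reason each one was rejected, which is the same information the pod's Events show. With dynamic provisioning the StorageClass would normally create a fresh PV instead, so this is the static or pre-provisioned case. The PVC and PV objects are constructed.

```python
UNIT_BYTES = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(quantity):
    """Parse a binary-suffix storage quantity such as "20Gi" into bytes."""
    for unit, mult in UNIT_BYTES.items():
        if quantity.endswith(unit):
            return int(quantity[: -len(unit)]) * mult
    return int(quantity)


def why_pvc_cannot_bind(pvc, pvs):
    """Return [] if some PV satisfies the claim, otherwise one reason per rejected PV,
    mirroring the checks the controller applies: phase, storage class, access modes, capacity."""
    spec = pvc["spec"]
    want_class = spec.get("storageClassName", "")
    want_modes = set(spec["accessModes"])
    want_bytes = parse_quantity(spec["resources"]["requests"]["storage"])
    reasons = []
    for pv in pvs:
        name = pv["metadata"]["name"]
        pv_spec = pv["spec"]
        phase = pv.get("status", {}).get("phase", "Available")
        if phase != "Available":
            reasons.append(f"{name}: phase is {phase}, not Available")
        elif pv_spec.get("storageClassName", "") != want_class:
            reasons.append(f"{name}: storageClassName {pv_spec.get('storageClassName', '')!r} != {want_class!r}")
        elif not want_modes <= set(pv_spec["accessModes"]):
            reasons.append(f"{name}: access modes {sorted(pv_spec['accessModes'])} do not cover {sorted(want_modes)}")
        elif parse_quantity(pv_spec["capacity"]["storage"]) < want_bytes:
            reasons.append(f"{name}: capacity {pv_spec['capacity']['storage']} < requested {spec['resources']['requests']['storage']}")
        else:
            return []  # this PV can be bound to the claim
    return reasons


def _pv(name, storage_class, modes, size, phase="Available"):
    """Helper to build a constructed PV object."""
    return {"metadata": {"name": name}, "status": {"phase": phase},
            "spec": {"storageClassName": storage_class, "accessModes": modes, "capacity": {"storage": size}}}


# Constructed claim: 20Gi gp3, single-node read/write (what an EBS-backed database would ask for).
SAMPLE_PVC = {"metadata": {"name": "db-data", "namespace": "payments"},
              "spec": {"storageClassName": "gp3", "accessModes": ["ReadWriteOnce"],
                       "resources": {"requests": {"storage": "20Gi"}}}}
SAMPLE_PVS = [
    _pv("pv-bound", "gp3", ["ReadWriteOnce"], "50Gi", phase="Bound"),
    _pv("pv-gp2", "gp2", ["ReadWriteOnce"], "50Gi"),
    _pv("pv-small", "gp3", ["ReadWriteOnce"], "10Gi"),
    _pv("pv-efs", "efs-sc", ["ReadWriteMany"], "100Gi"),
]


if __name__ == "__main__":
    for reason in why_pvc_cannot_bind(SAMPLE_PVC, SAMPLE_PVS):
        print(reason)
```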


🔹 ServiceAccount

Q1 — What is a ServiceAccount? A ServiceAccount provides an identity to pods inside Kubernetes. Pods use it to talk to the API server. It is different from user authentication.

Q2 — Why is ServiceAccount important in EKS? It is used with IRSA to attach IAM roles to pods. This allows fine-grained AWS permissions per workload. It is better than giving node-wide IAM access.


🔹 IRSA (IAM Roles for Service Accounts)

Q1 — What is IRSA in EKS? IRSA lets pods assume IAM roles using Kubernetes ServiceAccounts. It uses OIDC federation between EKS and IAM. This avoids using the node IAM role for everything.

Q2 — What is required to enable IRSA? The OIDC provider must be enabled for the cluster. The ServiceAccount is annotated with the role ARN. The IAM trust policy must allow that SA subject.
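The three requirements above are linked by the OIDC token: its `sub` claim is `system:serviceaccount:<namespace>:<name>`, and the role's trust policy must pin `:sub` to exactly that value and `:aud` to `sts.amazonaws.com`. The example below is added here and is not from the original notes; it checks an annotated ServiceAccount against a trust policy document and explains the first mismatch it finds. The issuer URL, account id, and role ARN are constructed placeholders. It also handles `StringLike` patterns, which real policies sometimes use to cover several ServiceAccounts in one namespace.

```python
import fnmatch


def irsa_trust_allows(service_account, trust_policy, oidc_issuer_url):
    """Check that an IAM role trust policy lets this ServiceAccount assume the role through IRSA.

    Three things must line up: the SA annotation names the role, the Federated principal is the
    cluster's OIDC provider, and the :sub / :aud conditions pin the token to this exact SA."""
    meta = service_account["metadata"]
    namespace = meta.get("namespace", "default")
    role_arn = meta.get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if not role_arn:
        return False, "ServiceAccount lacks the eks.amazonaws.com/role-arn annotation"
    issuer = oidc_issuer_url.split("://", 1)[-1]  # condition keys omit the scheme
    expected_sub = f"system:serviceaccount:{namespace}:{meta['name']}"

    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if not stmt.get("Principal", {}).get("Federated", "").endswith(f":oidc-provider/{issuer}"):
            return False, "Federated principal is not this cluster's OIDC provider"
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub_exact, sub_like = equals.get(f"{issuer}:sub"), like.get(f"{issuer}:sub")
        if sub_exact is None and sub_like is None:
            # Without a :sub condition every ServiceAccount in the cluster could assume the role.
            return False, "trust policy has no :sub condition; role is assumable by any SA"
        exact = [sub_exact] if isinstance(sub_exact, str) else (sub_exact or [])
        patterns = [sub_like] if isinstance(sub_like, str) else (sub_like or [])
        if expected_sub not in exact and not any(fnmatch.fnmatchcase(expected_sub, p) for p in patterns):
            return False, f"{expected_sub} is not an allowed :sub"
        if equals.get(f"{issuer}:aud") != "sts.amazonaws.com":
            return False, ":aud condition must be sts.amazonaws.com"
        return True, f"{expected_sub} may assume {role_arn}"
    return False, "no Allow statement for sts:AssumeRoleWithWebIdentity"


# Constructed placeholders: an EKS OIDC issuer URL and account id, not a real cluster.
OIDC_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT = "123456789012"
ISSUER_HOST = OIDC_ISSUER.split("://", 1)[-1]
SAMPLE_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "s3-reader", "namespace": "payments",
                 "annotations": {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT}:role/payments-s3-reader"}},
}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{ISSUER_HOST}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{ISSUER_HOST}:sub": "system:serviceaccount:payments:s3-reader",
        f"{ISSUER_HOST}:aud": "sts.amazonaws.com",
    }},
}]}
# Same statement with the :sub condition dropped: any pod in the cluster could assume the role.
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    **GOOD_TRUST["Statement"][0],
    "Condition": {"StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"}},
}]}


if __name__ == "__main__":
    print(irsa_trust_allows(SAMPLE_SA, GOOD_TRUST, OIDC_ISSUER))
    print(irsa_trust_allows(SAMPLE_SA, LOOSE_TRUST, OIDC_ISSUER))
```

The "no :sub condition" case is the one to watch for in reviews: the role still works for the intended pod, so nothing fails, but every ServiceAccount in the cluster can assume it.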


🔹 NetworkPolicy

Q1 — What is NetworkPolicy? NetworkPolicy controls pod-to-pod traffic rules at the network layer. It defines allowed ingress and egress sources. It works like a pod firewall.

Q2 — Does NetworkPolicy work by default in EKS? Only if your CNI supports enforcement (like Calico or Cilium). The basic AWS VPC CNI alone doesn't enforce policies. Many people forget this.
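Even when the CNI does enforce policies, the selection semantics trip people up: a pod selected by no Ingress policy accepts everything, a `podSelector` peer on its own only matches pods in the policy's own namespace, and a policy with `ingress: []` is a default deny. The following added example (not from the original notes) evaluates whether an ingress flow between two pods is allowed under a list of NetworkPolicy objects using matchLabels only; ports, matchExpressions and ipBlock peers are left out. The namespace labels, policy and pods are constructed. It does not, and cannot, tell you whether your CNI actually enforces the result.

```python
def selector_matches(selector, labels):
    """matchLabels-only selector semantics: an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def _peer_matches(peer, policy_namespace, src, namespaces):
    """A `from` peer: podSelector alone = pods in the policy's own namespace;
    namespaceSelector alone = any pod in matching namespaces; both = both must hold."""
    pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
    if ns_sel is not None:
        if not selector_matches(ns_sel, namespaces.get(src["namespace"], {})):
            return False
        return pod_sel is None or selector_matches(pod_sel, src["labels"])
    if pod_sel is not None:
        return src["namespace"] == policy_namespace and selector_matches(pod_sel, src["labels"])
    return False  # ipBlock peers are out of scope for this example


def ingress_allowed(policies, src, dst, namespaces):
    """Decide whether traffic from pod `src` to pod `dst` is allowed by the NetworkPolicies.
    Pods selected by no Ingress policy are non-isolated and accept everything; otherwise
    the traffic needs at least one matching rule in any policy that selects the destination."""
    isolated = False
    for pol in policies:
        if pol["metadata"]["namespace"] != dst["namespace"]:
            continue
        types = pol["spec"].get("policyTypes", ["Ingress"])
        if "Ingress" not in types or not selector_matches(pol["spec"].get("podSelector"), dst["labels"]):
            continue
        isolated = True
        for rule in pol["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:  # a rule with no `from` allows all sources
                return True
            if any(_peer_matches(p, dst["namespace"], src, namespaces) for p in peers):
                return True
    return not isolated


# Constructed sample: namespace labels and one policy locking down the database pods.
NAMESPACES = {"payments": {"env": "prod"}, "dev": {"env": "dev"}}
POLICIES = [{
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "db-allow-api-only", "namespace": "payments"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}],
    },
}]
DB = {"namespace": "payments", "labels": {"app": "db"}}
API = {"namespace": "payments", "labels": {"app": "api"}}
WEB = {"namespace": "payments", "labels": {"app": "web"}}
DEV_API = {"namespace": "dev", "labels": {"app": "api"}}


if __name__ == "__main__":
    for name, src in (("api", API), ("web", WEB), ("dev/api", DEV_API)):
        print(f"{name} -> db:", ingress_allowed(POLICIES, src, DB, NAMESPACES))
    print("web -> api (no policy selects api):", ingress_allowed(POLICIES, WEB, API, NAMESPACES))
```

The last line is the point the notes make about forgetting enforcement, seen from the policy side: unless some policy selects a pod, nothing restricts it, which is why a namespace-wide default-deny policy is the usual starting point.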


🔹 PodDisruptionBudget (PDB)

Q1 — What is a PodDisruptionBudget? A PDB limits how many pods can be voluntarily evicted at once. It protects app availability during node drains and upgrades. It does not protect against crashes.

Q2 — Where is PDB practically used? During node group upgrades and cluster maintenance. Without it, too many replicas may go down together. It is critical for HA apps.


🔹 PriorityClass

Q1 — What is PriorityClass? A PriorityClass assigns scheduling priority to pods. Higher-priority pods get scheduled first. Lower-priority pods can be preempted.

Q2 — What is a real use case of PriorityClass? Give critical system pods higher priority than batch jobs. This ensures important workloads get resources first under pressure.


🔹 Taints and Tolerations

Q1 — What are taints and tolerations? Taints repel pods from nodes. Tolerations allow pods to schedule on tainted nodes. Together they control placement rules.

Q2 — What is an EKS real-world use case? Separate spot from on-demand nodes. Taint the spot nodes so only tolerant workloads land there. This protects critical apps.


🔹 Node Selector / Node Affinity

Q1 — What is nodeSelector? A simple rule to schedule a pod on nodes with specific labels. It is a hard constraint. If no node matches, the pod stays Pending.

Q2 — NodeSelector vs Node Affinity? nodeSelector is a basic exact match. Node affinity supports advanced rules and soft preferences. Affinity is more flexible.
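The taint/toleration and nodeSelector sections above describe two hard scheduling predicates. The example below is added here and is not from the original notes; it filters a constructed EKS-style node pool (untainted on-demand nodes, a tainted spot node, a tainted GPU node) the way the scheduler does for those two predicates and reports why each rejected node was rejected, which is what you would otherwise read from a Pending pod's events. Toleration matching follows the documented rules (operator Exists needs no value, an empty key with Exists tolerates everything, an empty effect tolerates all effects); PreferNoSchedule is a soft preference and is ignored.

```python
def tolerates(toleration, taint):
    """Toleration semantics: an empty effect tolerates every effect; operator Exists
    needs no value, and with an empty key it tolerates every taint."""
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Exists":
        return not toleration.get("key") or toleration["key"] == taint["key"]
    return (toleration.get("key") == taint["key"]
            and toleration.get("value", "") == taint.get("value", ""))


def feasible_nodes(pod, nodes):
    """Filter nodes the way the scheduler's nodeSelector and taint predicates do.
    Returns (feasible node names, {rejected node: reason}). PreferNoSchedule taints are
    soft preferences and do not reject a node, so they are ignored here."""
    feasible, rejected = [], {}
    selector = pod["spec"].get("nodeSelector", {})
    tolerations = pod["spec"].get("tolerations", [])
    for node in nodes:
        name = node["metadata"]["name"]
        labels = node["metadata"].get("labels", {})
        unmatched = [k for k, v in selector.items() if labels.get(k) != v]
        if unmatched:
            rejected[name] = f"nodeSelector mismatch on {unmatched}"
            continue
        blocking = [t for t in node["spec"].get("taints", [])
                    if t["effect"] in ("NoSchedule", "NoExecute")
                    and not any(tolerates(tol, t) for tol in tolerations)]
        if blocking:
            rejected[name] = "untolerated taint(s): " + ", ".join(
                f"{t['key']}={t.get('value', '')}:{t['effect']}" for t in blocking)
            continue
        feasible.append(name)
    return feasible, rejected


# Constructed EKS-style node pool: on-demand nodes untainted, spot and GPU nodes tainted.
NODES = [
    {"metadata": {"name": "ondemand-1", "labels": {"capacity": "on-demand"}}, "spec": {}},
    {"metadata": {"name": "spot-1", "labels": {"capacity": "spot"}},
     "spec": {"taints": [{"key": "capacity", "value": "spot", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "gpu-1", "labels": {"capacity": "on-demand", "accelerator": "gpu"}},
     "spec": {"taints": [{"key": "nvidia.com/gpu", "value": "present", "effect": "NoSchedule"}]}},
]
# A critical API pinned to on-demand capacity, and a batch job that tolerates spot.
CRITICAL_API = {"metadata": {"name": "api"}, "spec": {"nodeSelector": {"capacity": "on-demand"}}}
BATCH_JOB = {"metadata": {"name": "report"}, "spec": {"tolerations": [
    {"key": "capacity", "operator": "Equal", "value": "spot", "effect": "NoSchedule"}]}}


if __name__ == "__main__":
    for pod in (CRITICAL_API, BATCH_JOB):
        ok, why = feasible_nodes(pod, NODES)
        print(pod["metadata"]["name"], "->", ok, why)
```

Note that the taint alone is what keeps the batch job off the GPU node; the on-demand selector is what keeps the API off spot. Taints protect a node pool from unwanted pods, selectors/affinity pin a pod to a pool, and production setups usually need both.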


🔹 Pod Affinity / Anti-Affinity

Q1 — What is pod anti-affinity? It forces pods to avoid being scheduled together on the same node or zone. This improves availability. It is often used for replicas.

Q2 — Why can heavy anti-affinity be risky? It can make pods unschedulable in small clusters. Scheduler complexity also increases. Use topology spread when possible.


🔹 TopologySpreadConstraints

Q1 — What is topology spread? It ensures pods are evenly distributed across zones or nodes. It helps high availability. It is the modern replacement for heavy anti-affinity.

Q2 — Why is it preferred over anti-affinity now? It's more scheduler-friendly and predictable. It reduces scheduling failures. It is better for multi-AZ EKS clusters.


🔹 CoreDNS

Q1 — What is CoreDNS? CoreDNS provides DNS resolution inside the cluster. It resolves Service and pod names. It runs as a Deployment in kube-system.

Q2 — What happens if CoreDNS is down? Service discovery fails. Pods cannot resolve Service names. Many apps break silently.


🔹 Metrics Server

Q1 — What is metrics-server? metrics-server collects CPU and memory metrics from nodes and pods. It feeds HPA and kubectl top. It is lightweight.

Q2 — What breaks if metrics-server fails? HPA stops scaling. kubectl top shows no data. Autoscaling decisions fail.


Continuing — the next set covers EKS add-ons, node components, RBAC objects, and pod lifecycle features. Same format: 2 questions per object, 3–5 line practical answers, interview-ready.


📦 Kubernetes / EKS Objects — Interview Q&A (Set 3)


🔹 AWS VPC CNI (EKS Add-on)

Q1 — What is AWS VPC CNI in EKS? AWS VPC CNI is the networking plugin used by EKS to assign IPs to pods directly from the VPC subnet. Pods get real VPC IP addresses, not overlay network IPs. This allows native VPC routing and security group integration. It runs as a DaemonSet on each node.

Q2 — What is the main limitation of VPC CNI? Pod count is limited by the ENI and IP limits per instance type. Large workloads can hit IP exhaustion. Prefix delegation is used to increase pod density per node.


🔹 AWS Load Balancer Controller

Q1 — What is AWS Load Balancer Controller? It is a controller that watches Ingress and Service resources and creates an ALB/NLB in AWS automatically. It replaces the old in-tree cloud provider logic. It supports advanced routing and annotations.

Q2 — What permissions does it need? It needs IAM permissions to create and manage load balancers, target groups, and security groups. It is usually configured using IRSA with a dedicated ServiceAccount.


🔹 EBS CSI Driver

Q1 — What is the EBS CSI driver? The EBS CSI driver allows Kubernetes to provision and attach EBS volumes dynamically. It implements the CSI standard interface. It is used with a StorageClass for dynamic PV creation.

Q2 — What is one important limitation of EBS volumes in EKS? EBS volumes are AZ-specific and support ReadWriteOnce. Pods using them must run in the same AZ. They are not suitable for multi-node shared access.


🔹 EFS CSI Driver

Q1 — What is the EFS CSI driver? The EFS CSI driver integrates Amazon EFS with Kubernetes for shared storage. It supports the ReadWriteMany access mode. Multiple pods across nodes can mount the same volume.

Q2 — When do you prefer EFS over EBS? When you need shared storage across pods or AZs. It is good for shared content or ML workloads. It is not ideal for high-IO databases.


🔹 kubelet

Q1 — What is kubelet? kubelet is the node agent that runs on every worker node. It communicates with the API server and ensures containers are running as defined. It manages the pod lifecycle locally.

Q2 — What happens if kubelet stops? The node becomes NotReady. Pods may still run but are unmanaged. The scheduler won't place new pods there.


🔹 Container Runtime (containerd)

Q1 — What is the container runtime on EKS nodes? The container runtime actually runs containers on the node. Modern EKS uses containerd instead of Docker. kubelet talks to the runtime via CRI.

Q2 — Why was Docker removed as a Kubernetes runtime? The Docker shim was removed to simplify the architecture. containerd is lighter and CRI-native, with better performance and less overhead.


🔹 kube-proxy (Node Component)

Q1 — What does kube-proxy do on each node? kube-proxy programs iptables/IPVS rules for Service networking. It routes Service IP traffic to backend pods. It works at the node level.

Q2 — kube-proxy iptables vs IPVS? iptables is simpler and the default. IPVS is more scalable for very large clusters. Both implement Service load balancing.


🔹 RBAC Role

Q1 — What is a Role in RBAC? A Role defines a set of permissions within a namespace. It controls which actions can be performed on which resources. It does not grant access by itself.

Q2 — When do you use Role instead of ClusterRole? When access should be limited to a single namespace. It is good for app teams with namespace boundaries.


🔹 ClusterRole

Q1 — What is a ClusterRole? A ClusterRole defines permissions at cluster scope. It can apply to all namespaces or to cluster-wide resources. It is used for admins or controllers.

Q2 — Example ClusterRole use case? Grant read access to nodes or CRDs cluster-wide. Controllers and operators often need ClusterRoles.


🔹 RoleBinding / ClusterRoleBinding

Q1 — What is a RoleBinding? A RoleBinding attaches a Role to a user, group, or ServiceAccount in a namespace. It activates the permissions defined in the Role.

Q2 — RoleBinding vs ClusterRoleBinding? RoleBinding = namespace scope. ClusterRoleBinding = cluster-wide scope. The binding decides where permissions apply.
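The Role, ClusterRole and binding sections above are easiest to see as one resolution algorithm: the authorizer finds bindings that name the subject, follows roleRef, and tests the rules, with the binding kind deciding where the permissions apply. The code below is an added example, not from the original notes, covering all three sections; it answers "can this ServiceAccount do verb X on resource Y in namespace Z" over a constructed set of RBAC objects, and flags the grants a reviewer should question (cluster-admin bindings, cluster-wide grants to the implicit `system:serviceaccounts` or `system:authenticated` groups, and wildcard rules). Only matchLabels-free, resource-level rules are handled; resourceNames and nonResourceURLs are left out.

```python
def _covers(rule_items, wanted):
    return "*" in rule_items or wanted in rule_items


def _rule_allows(rule, verb, resource, api_group):
    return (_covers(rule.get("apiGroups", []), api_group)
            and _covers(rule.get("resources", []), resource)
            and _covers(rule.get("verbs", []), verb))


def _subject_is_sa(subject, sa_namespace, sa_name):
    """A ServiceAccount is also a member of these implicit groups, a common over-grant vector."""
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa_name and subject.get("namespace") == sa_namespace
    if subject["kind"] == "Group":
        return subject["name"] in {"system:serviceaccounts",
                                   f"system:serviceaccounts:{sa_namespace}",
                                   "system:authenticated"}
    return False


def sa_can(objects, sa_namespace, sa_name, verb, resource, namespace=None, api_group=""):
    """Resolve RBAC the way the authorizer does: find bindings naming the subject, follow
    roleRef, and test the rules. namespace=None means a cluster-scoped request."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_is_sa(s, sa_namespace, sa_name) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            bind_ns = binding["metadata"]["namespace"]
            if namespace != bind_ns:  # a RoleBinding only grants inside its own namespace
                continue
            key = (ref["kind"], bind_ns if ref["kind"] == "Role" else None, ref["name"])
        else:
            key = ("ClusterRole", None, ref["name"])
        role = roles.get(key)
        if role and any(_rule_allows(r, verb, resource, api_group) for r in role.get("rules", [])):
            return True
    return False


def risky_grants(objects):
    """Flag bindings that hand cluster-wide power to broad subjects, and wildcard rules."""
    findings = []
    for o in objects:
        name = o["metadata"]["name"]
        if o["kind"] == "ClusterRoleBinding":
            if o["roleRef"]["name"] == "cluster-admin":
                findings.append(f"ClusterRoleBinding/{name}: binds cluster-admin")
            for s in o.get("subjects", []):
                if s["kind"] == "Group" and (s["name"].startswith("system:serviceaccounts")
                                             or s["name"] == "system:authenticated"):
                    findings.append(f"ClusterRoleBinding/{name}: cluster-wide grant to group {s['name']}")
        elif o["kind"] in ("Role", "ClusterRole"):
            for r in o.get("rules", []):
                if "*" in r.get("verbs", []) and "*" in r.get("resources", []):
                    findings.append(f"{o['kind']}/{name}: wildcard verbs on wildcard resources")
    return findings


# Constructed RBAC objects: a namespaced pod reader done right, and an over-broad node viewer.
SAMPLE_RBAC = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "api-pod-reader", "namespace": "payments"},
     "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"}},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    # Over-broad: every ServiceAccount in the cluster can list nodes through this binding.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sas-node-viewer"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer", "apiGroup": "rbac.authorization.k8s.io"}},
]


if __name__ == "__main__":
    print(sa_can(SAMPLE_RBAC, "payments", "api", "get", "pods", namespace="payments"))
    print(sa_can(SAMPLE_RBAC, "payments", "api", "get", "pods", namespace="default"))
    print(sa_can(SAMPLE_RBAC, "dev", "anything", "list", "nodes"))
    print(risky_grants(SAMPLE_RBAC))
```

The group case is the one worth remembering for the "Role vs ClusterRole" question: a ClusterRoleBinding to `system:serviceaccounts` turns a harmless read-only ClusterRole into a permission that every pod in every namespace inherits.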


🔹 Init Container

Q1 — What is an init container? Init containers run before the main container starts. They must complete successfully first. They are used for setup tasks like fetching config or checking a DB.

Q2 — Why use an init container instead of a startup script? It separates setup logic from the main image. It is easier to manage and debug. It also supports different images/tools.


🔹 Liveness Probe

Q1 — What is a liveness probe? A liveness probe checks whether a container is still healthy. If the probe fails repeatedly, kubelet restarts the container. It detects deadlocks.

Q2 — What is the risk of a wrong liveness probe config? It can cause restart loops even if the app is fine. Misconfigured timeouts often break production.


🔹 Readiness Probe

Q1 — What is a readiness probe? A readiness probe checks whether the app is ready to receive traffic. If it fails, the pod is removed from Service endpoints. It does not restart the container.

Q2 — Why is a readiness probe critical in rolling updates? It prevents traffic going to not-ready pods. Without it, users hit failing pods during the rollout.


🔹 Startup Probe

Q1 — What is a startup probe? A startup probe is used for slow-starting apps. It disables liveness checks until startup succeeds. This prevents premature restarts.

Q2 — When should you add a startup probe? For apps with long initialization like a JVM or heavy cache warmup. Otherwise the liveness probe may kill them too early.


