1. Explain the difference between a Deployment and a StatefulSet in Kubernetes. When would you use each?
Deployments manage stateless applications with rolling updates and are ideal for web servers, while StatefulSets maintain stable network identities and persistent storage for stateful applications like databases. Use StatefulSets when your pods require unique identities, ordered startup/shutdown, or persistent volumes tied to specific instances.
2. Walk me through how you would debug a pod that is stuck in a CrashLoopBackOff state.
First, I would check pod logs using 'kubectl logs <pod-name>' and '--previous' flag for previous crashed container logs, then describe the pod with 'kubectl describe pod' to see events and resource limits, and finally inspect the application configuration and resource requests/limits. Common causes include insufficient CPU/memory, failing liveness probes, or misconfigured container commands.
3. How do you implement resource requests and limits in Kubernetes? What happens if a pod exceeds its limits?
Resource requests define the minimum guaranteed CPU/memory, while limits cap maximum usage; you specify both in the pod spec under 'resources.requests' and 'resources.limits'. If a pod exceeds CPU limits, it gets throttled; if it exceeds memory limits, it gets OOMKilled and evicted.
4. Describe how Kubernetes scheduling works. What is a taint and toleration, and when would you use them?
The Kubernetes scheduler assigns pods to nodes based on resource availability and affinity rules; taints prevent pods from being scheduled on specific nodes unless tolerated, and tolerations allow pods to tolerate those taints. Use taints for dedicated hardware (GPU nodes, high-memory nodes) or to repel non-critical workloads.
5. A service in your cluster is receiving traffic but pods behind it are not responding. How would you troubleshoot this?
I would verify the service selector matches pod labels with 'kubectl get pods --show-labels', check endpoint creation using 'kubectl get endpoints', test pod connectivity with 'kubectl exec', ensure NetworkPolicies are not blocking traffic, and verify the service port mapping. Common issues include mismatched labels, missing service ports, or network policies.
6. Explain persistent volumes and persistent volume claims. How would you provision storage for a stateful application?
A PersistentVolume is cluster-level storage; a PersistentVolumeClaim requests storage from a PV; the PVC binds to an available PV matching its size and access mode. For stateful applications, you create a StorageClass for dynamic provisioning, define PVCs in a StatefulSet, and Kubernetes automatically creates and manages volumes per pod instance.
7. How do you manage configuration and secrets in Kubernetes? What are the security implications of each approach?
ConfigMaps store non-sensitive configuration as key-value pairs; Secrets store sensitive data like credentials and are base64-encoded by default but not encrypted at rest unless explicitly configured. For security, use encrypted Secrets, mount them as volumes instead of environment variables, and implement RBAC to limit access; avoid storing passwords in ConfigMaps.
8. You need to perform a rolling update on a Deployment. Explain the strategy and how you would ensure zero-downtime.
A rolling update gradually replaces old pods with new ones controlled by 'maxSurge' and 'maxUnavailable' parameters; to ensure zero-downtime, set 'maxUnavailable: 0' to keep all pods available, implement health checks (readiness and liveness probes), and ensure the new version is backward compatible. Kubernetes will only mark pods as ready after passing readiness probes before routing traffic.
9. What are init containers and sidecar containers? Describe a practical use case for each.
Init containers run before application containers to perform setup tasks like downloading configs or waiting for dependencies; sidecars run alongside application containers to add cross-cutting concerns. Use init containers to prepare data volumes or wait for service availability, and sidecars for logging aggregation (Filebeat), service mesh proxies (Envoy), or monitoring agents.
10. How does the Kubernetes API server enforce policies? Describe the difference between RBAC and NetworkPolicy.
The API server enforces policies through admission controllers; RBAC controls which users/service accounts can perform actions on resources (who can do what), while NetworkPolicy controls network traffic between pods at the network layer (which pods can talk to each other). RBAC is identity-based; NetworkPolicy is network-based and requires a CNI plugin that supports it.
11. A cluster node is running out of disk space and you're seeing 'DiskPressure' node conditions. How would you respond?
I would first check kubelet logs and 'df -h' to identify the cause, then evict pods using 'kubectl drain <node>' with '--ignore-daemonsets --delete-emptydir-data' flags to reclaim space, remove old container images and logs, and monitor node conditions with 'kubectl get nodes' to verify recovery. Long-term, I'd implement resource quotas and monitor disk usage.
12. Design a scalable architecture for a microservices application with 5 services that need to communicate securely. What K8s objects would you use?
I would use Deployments for each service with appropriate resource limits, Services (ClusterIP by default) for internal communication, Ingress for external access, NetworkPolicy to restrict traffic between services, and Secrets for service-to-service authentication credentials. I'd implement a service mesh (like Istio) for advanced traffic management, mTLS, and observability if required by the company.


