CNPA Linux Foundation Certified Cloud Native Platform Engineering Associate Free Practice Exam Questions (2025 Updated)

In cloud native CI/CD workflows, build artifacts such as Docker/OCI images are pushed to a central container registry to ensure consistent, reproducible deployments. Option A is correct because registries serve as a single source of truth where immutable artifacts are stored, versioned, and distributed across environments. Deployment systems like Kubernetes pull images from these registries, ensuring that the same tested artifact is deployed in staging and production.

Option B is incorrect because images cannot be directly transformed back into source code. Option C partially describes benefits (version tracking) but misses the primary function of deployment consistency. Option D is misleading—registries typically don’t run automated tests; CI/CD pipelines do that before pushing the image.

By using OCI-compliant registries, organizations gain portability, interoperability, and compliance with supply chain security practices such as image signing and SBOM attestation. This ensures traceability, reliability, and secure distribution of artifacts across the platform.

OpenTelemetry is a CNCF project providing standardized APIs and SDKs for collecting observability data. Among its supported telemetry signals are metrics, logs, and traces. Option C is correct because traces are a core OpenTelemetry signal type that captures the journey of requests across distributed systems, making them vital for detecting latency, dependencies, and bottlenecks.

Option A (user interface), Option B (networking), and Option D (databases) represent system components or domains, not observability signals. While OpenTelemetry can instrument applications in these areas, it expresses data through its standard telemetry signals.

By supporting consistent collection of logs, metrics, and traces, OpenTelemetry enables observability pipelines to integrate seamlessly with different backends while avoiding vendor lock-in. Traces specifically provide visibility into distributed microservices, which is critical in cloud native environments.

A CI/CD pipeline is the platform component that enables automated provisioning of sandbox environments with both infrastructure and application code. Option A is correct because modern pipelines integrate Infrastructure as Code (IaC) with application deployment, enabling “one-click” or self-service provisioning of complete environments. This capability is central to platform engineering because it empowers developers to spin up temporary or permanent sandbox environments quickly for testing, experimentation, or demos.

Option B (service mesh) focuses on secure, observable service-to-service communication but does not provision environments. Option C (service bus) is used for asynchronous communication between services, not environment provisioning. Option D (observability pipeline) deals with collecting telemetry data, not provisioning.

By leveraging CI/CD pipelines integrated with GitOps and IaC tools (such as Terraform, Crossplane, or Kubernetes manifests), platform teams ensure consistency, compliance, and automation. Developers benefit from reduced friction, faster feedback cycles, and a better overall developer experience.

Continuous Integration (CI) and Continuous Delivery (CD) are complementary practices. Option A is correct: CI is a prerequisite for CD. CI focuses on automating code integration by building, testing, and validating changes, ensuring code quality and early detection of defects. CD builds upon CI by automating the process of releasing validated builds into staging and production environments, making delivery repeatable and reliable.

Option B incorrectly treats them as entirely separate. Option C reverses the relationship, as CD cannot exist without CI pipelines. Option D is inaccurate because CI and CD are not interchangeable—they represent distinct stages in the software delivery lifecycle.

Together, CI/CD accelerates software delivery, reduces risk, and improves quality. In platform engineering, CI/CD pipelines are critical enablers of developer productivity and efficient operations.

A golden path in platform engineering refers to a curated, opinionated workflow that makes the easiest way the right way for developers. Option C is correct because a templated workflow for deploying a microservice with integrated testing and monitoring embodies the golden path concept. It provides developers with a pre-validated, secure, and efficient approach that reduces cognitive load and accelerates delivery.

Option A (documentation) provides information but lacks automation and enforced best practices. Option B (monitoring dashboards) improves observability but does not guide developers in delivery workflows. Option D (API service catalog) is useful but more about service discovery than curated workflows.

Golden paths improve adoption by embedding guardrails, automation, and organizational standards directly into workflows, making compliance seamless. They ensure consistency while allowing developers to focus on innovation rather than platform complexity.

The most secure and scalable method for handling secrets in CI/CD pipelines is to use a secrets manager with encryption. Option B is correct because solutions like HashiCorp Vault, AWS Secrets Manager, or Kubernetes Secrets (backed by KMS) securely store, encrypt, and control access to sensitive values such as API keys, tokens, or credentials.

Option A (restricted config files) may protect secrets but lacks auditability and rotation capabilities. Option C (plain-text environment variables) exposes secrets to accidental leaks through logs or misconfigurations. Option D (base64 encoding) is insecure because base64 is an encoding, not encryption, and secrets can be trivially decoded.

Using a secrets manager ensures secure retrieval, audit trails, access policies, and secret rotation. This aligns with supply chain security and zero-trust practices, reducing risks of credential leakage in CI/CD pipelines.

Self-service capabilities are a cornerstone of platform engineering, enabling developers to move quickly while reducing dependency on platform teams. Option C is correct because an automated resource provisioning system allows developers to spin up sandbox or test environments on demand, supporting experimentation and rapid iteration. This aligns with the principle of treating platforms as products, focusing on developer experience and productivity.

Option A (manual request process) creates bottlenecks and is the opposite of self-service. Option B (documentation) is helpful but does not enable automation or self-service. Option D (centralized monitoring) improves observability but is not a self-service capability by itself.

By implementing automated provisioning, developers gain autonomy while platform teams maintain governance through abstractions, golden paths, and policy enforcement. This fosters agility, consistency, and scalability, improving both developer experience and organizational efficiency.

The key distinction is that Helm charts are packaging and deployment tools, while Operators extend Kubernetes controllers to provide ongoing lifecycle management. Option C is correct because Operators continuously reconcile the desired and actual state of custom resources, enabling advanced behaviors like upgrades, scaling, and failover. Helm charts, by contrast, define templates and values for deploying applications but do not actively manage them after deployment.

Option A oversimplifies; Operators do more than deploy, while Helm manages deployment packaging. Option B is incorrect—Helm does not create CRDs by default; Operators often do. Option D is incorrect because Operators and Helm serve different purposes, though they may complement each other.

Operators are essential for complex workloads (e.g., databases, Kafka) that require ongoing operational knowledge codified into Kubernetes-native controllers. Helm is best suited for standard deployments and reproducibility. Together, they improve Kubernetes extensibility and automation.

Automated testing throughout the pipeline is a key enabler of efficient and reliable delivery. Option B is correct because incorporating unit tests, integration tests, and security scans at different pipeline stages ensures that errors are caught early, reducing the risk of faulty code reaching production. This also accelerates delivery by providing fast, consistent feedback to developers.

Option A (single environment) undermines isolation and does not reflect real-world deployment conditions. Option C (skipping packaging) prevents reproducibility and traceability of builds. Option D (manual approvals) adds delays and reintroduces human bottlenecks, which goes against DevOps and GitOps automation principles.

Automated testing, combined with immutable artifacts and GitOps-driven deployments, aligns with platform engineering’s focus on automation, reliability, and developer experience. It reduces cognitive load for teams and enforces quality consistently.

Automation in platform engineering is primarily about reducing repetitive manual work, or toil, which consumes engineering capacity and increases the risk of human error. Option A is correct because cluster autoscaling—adjusting resources to meet workload demand—is a repetitive, ongoing task that is better handled through automation. Automating this process ensures scalability, efficiency, and reliability while freeing platform teams to focus on higher-value work.

Option B may provide learning opportunities but is not a sustainable justification. Option C is subjective and inefficient, while Option D is overly broad—automation should be applied thoughtfully to tasks that bring measurable benefits.

Automating autoscaling aligns with cloud native best practices, ensuring workloads can respond elastically to demand changes while maintaining cost efficiency. This reduces manual overhead, improves resiliency, and supports the developer experience by ensuring resource availability.

Traces provide end-to-end visibility into how a request flows through multiple services in a distributed system. Option A is correct because tracing captures spans (individual service operations) and stitches them together to form a complete picture of request execution, including latency, bottlenecks, and dependencies.

Option B (logs) provide detailed event records but lack contextual linkage across services. Option C (events) are discrete system occurrences, not correlated request flows. Option D (metrics) provide aggregated numerical data like latency or throughput but cannot show request-level detail across distributed systems.

Tracing is especially critical in microservices architectures where a single request may traverse dozens of services. Tools like OpenTelemetry, Jaeger, and Zipkin are commonly used to implement distributed tracing, which is essential for debugging, performance optimization, and improving reliability.

Argo CD is a GitOps-native continuous delivery tool specifically designed for Kubernetes. Option B is correct because Argo CD continuously monitors Git repositories for desired application state and reconciles Kubernetes clusters accordingly. It is declarative, Kubernetes-native, and aligned with GitOps principles, making it a key tool in platform engineering.

Option A (TravisCI) and Option C (CircleCI) are CI/CD systems but not Kubernetes-native or GitOps-driven. Option D (Jenkins) is a widely used CI/CD tool but operates primarily in a push-based model unless extended with plugins, and is not purpose-built for GitOps.

Argo CD provides automated deployments, drift detection, rollback, and auditability—features central to GitOps workflows. It simplifies multi-cluster management, enforces compliance, and reduces manual intervention, making it a leading choice in Kubernetes-based platform engineering.

Resource allocation varies between environments to balance cost, performance, and reliability. Option D is correct because development environments usually require fewer resources and are optimized for speed and cost efficiency, while production environments require stricter limits to ensure stability, scalability, and resilience under real user traffic.

Option A (identical settings) may simplify management but wastes resources and fails to account for different needs. Option B (maximizing usage in all environments) increases costs unnecessarily. Option C (strict parity) may be used in testing scenarios but is impractical as a universal rule.

By tailoring resource limits per environment, platforms ensure cost efficiency in dev/staging and robust performance in production. This practice is central to cloud native engineering, as it allows teams to innovate quickly while maintaining governance and operational excellence in production.

Automation in DevOps practices is central to platform engineering because it enables faster, reliable, and repeatable deployments. Option D is correct: automation accelerates deployments, reduces bottlenecks, and enables continuous delivery and rapid iterations. By automating build, test, and deployment pipelines, teams can deliver new features quickly while maintaining high quality and compliance.

Option A is incorrect because automation does not reduce the need for communication—it complements collaboration by removing friction. Option B is unrealistic: some manual oversight may remain (e.g., in production approvals for sensitive workloads). Option C is not a primary benefit—while tools may be involved, the focus is on outcomes, not tool dependency.

By embedding automation, teams reduce toil, enforce consistency, and free developers to focus on value creation rather than repetitive tasks. This results in shorter lead times, higher deployment frequency, and overall improved developer experience, which aligns with DORA metrics.

The primary purpose of multiple environments in software delivery pipelines is to isolate changes and test them before they reach production. Option A is correct because development, staging, and production environments provide controlled phases where teams can validate functionality, integration, performance, and security without impacting end users.

Option B (team collaboration) is facilitated by source control and workflows, not environment separation. Option C (testing only in staging) is a risky practice and not recommended. Option D is a partial benefit—testing with different datasets helps—but the broader purpose is risk isolation.

By maintaining environment separation, organizations reduce the likelihood of bugs or misconfigurations reaching production. This practice aligns with DevOps and platform engineering principles, ensuring safer, more reliable continuous delivery.

Kubernetes Custom Resource Definitions (CRDs) extend the Kubernetes API by allowing platform teams to create and expose custom APIs without modifying the core Kubernetes API server code. Option C is correct because this extensibility enables teams to define new abstractions (e.g., Database, Application, or Environment resources) tailored to organizational needs, which developers can consume through a self-service model.

Option A is incorrect because scaling and failover are handled by controllers or operators, not CRDs themselves. Option B is wrong because RBAC is still required for access control over custom resources. Option D is misleading because multi-cloud support depends on how CRDs and their controllers are implemented, not a built-in CRD feature.

By leveraging CRDs, platform teams can standardize workflows, hide complexity, and implement guardrails, all while presenting developers with simplified abstractions. This is central to platform engineering, as it empowers developers with self-service APIs while maintaining operational control.

Mutual TLS (mTLS) is the core mechanism for securing service-to-service communication in cloud native environments. Option B is correct because mTLS provides encryption in transit and mutual authentication, ensuring both the client and server verify each other’s identity. This prevents unauthorized access, man-in-the-middle attacks, and data leakage.

Option A (API Gateway) manages ingress traffic from external clients but does not secure internal service-to-service communication. Option C (Service Mesh) is a broader infrastructure layer (e.g., Istio, Linkerd) that implements mTLS, but mTLS itself is the mechanism that enforces secure communications. Option D (Load Balancer) distributes traffic but does not handle encryption or authentication.

mTLS is foundational to zero-trust networking inside Kubernetes clusters. Service meshes typically provide automated certificate management and policy enforcement, ensuring seamless adoption of mTLS without requiring developers to modify application code.

The most efficient and scalable strategy is to use a declarative approach with Infrastructure as Code (IaC). Option B is correct because declarative definitions specify the desired state (e.g., resource requests, limits, autoscaling policies) in code, allowing Kubernetes controllers and autoscalers to reconcile and enforce them dynamically. This ensures that applications can scale efficiently based on actual demand.

Option A (fixed allocation) is inefficient, leading to wasted resources during low usage or insufficient capacity during high demand. Option C (manual provisioning) introduces delays, risk of error, and operational overhead. Option D (imperative scripting) is not sustainable for large-scale or dynamic workloads, as it requires constant manual intervention.

Declarative IaC aligns with GitOps workflows, enabling automated, version-controlled scaling decisions. Combined with Kubernetes’ Horizontal Pod Autoscaler (HPA) and Cluster Autoscaler, this approach allows platforms to balance cost efficiency with application reliability.

Declarative resource management is a core principle in Kubernetes and cloud native platforms. Option C is correct because declarative systems define the desired state of resources (e.g., YAML manifests for Deployments, Services, or ConfigMaps), and controllers reconcile the actual state to match the desired state. This provides consistency, automation, and resilience, while also allowing dynamic adjustments like scaling.

Option A (imperative management) requires step-by-step commands, which are error-prone and not scalable. Option B (manual tracking) adds overhead and risk of drift. Option D (static allocation) wastes resources and does not adapt to changing workloads.

Declarative management enables GitOps workflows, automated scaling, and consistent application of policies. This approach aligns with platform engineering principles by combining automation with governance, enabling efficiency and reliability at scale.