Which approach is effective for scalable Kubernetes infrastructure provisioning?
The most effective approach for scalable Kubernetes infrastructure provisioning is Crossplane compositions. Option D is correct because compositions let platform teams define custom CRDs (Composite Resources) that abstract infrastructure details while embedding organizational policies and guardrails. Developers then consume these abstractions through simple Kubernetes-native APIs, enabling self-service at scale.
Option A (Helm with values.yaml) is useful for application deployment but not for scalable infrastructure provisioning across multiple clouds. Option B (imperative scripts) lacks scalability, repeatability, and governance. Option C (static YAML with kubectl apply) is manual and not suited for dynamic, multi-team environments.
Crossplane compositions allow platform teams to curate golden paths while giving developers autonomy. This reduces complexity, ensures compliance, and supports multi-cloud provisioning, all key aspects of platform engineering.
References: CNCF Crossplane Project Documentation; CNCF Platforms Whitepaper; Cloud Native Platform Engineering Study Guide
If you update a Deployment's replica count from 3 to 5, how does the reconciliation loop respond?
The Kubernetes reconciliation loop ensures that the actual state of a resource matches the desired state defined in its manifest. If the replica count of a Deployment is changed from 3 to 5, option B is correct: Kubernetes will automatically create two new Pods to satisfy the new desired replica count.
Option A is incorrect because Deployments are not deleted; they are updated in place. Option C contradicts Kubernetes' declarative model: no manual intervention is required. Option D is wrong because Kubernetes does not restart existing Pods unless necessary; it simply adds additional Pods.
This reconciliation process is core to Kubernetes' declarative infrastructure approach, where desired states are continuously monitored and enforced. It reduces human toil and ensures consistency, making it fundamental for platform engineering practices like GitOps.
References: CNCF Kubernetes Documentation; CNCF GitOps Principles; Cloud Native Platform Engineering Study Guide
Which of the following would be considered an advantage of using abstract APIs when offering cloud service provisioning and management as platform services?
Abstract APIs are an essential component of platform engineering, providing a simplified interface for developers to consume infrastructure and cloud services without deep knowledge of provider-specific details. Option B is correct because abstractions allow platform teams to curate services with built-in guardrails, ensuring compliance, security, and operational standards are enforced automatically. Developers get the benefit of self-service and flexibility while the platform team ensures governance.
Option A would slow down the process, defeating the purpose of abstraction. Option C removes guardrails, which risks security and compliance violations. Option D allows uncontrolled deployments, which can create chaos and undermine platform governance.
Abstract APIs strike the balance between developer experience and organizational control. They provide golden paths and opinionated defaults while maintaining the flexibility needed for developer productivity. This approach ensures efficient service provisioning at scale with reduced cognitive load on developers.
References: CNCF Platforms Whitepaper; CNCF Platform Engineering Maturity Model; Cloud Native Platform Engineering Study Guide
In the context of platform engineering and the effective delivery of platform software, which of the following statements describes the role of CI/CD pipelines in relation to Software Bill of Materials (SBOM) and security scanning?
Modern platform engineering requires security and compliance to be integral parts of the delivery process, not afterthoughts. CI/CD pipelines are the foundation for delivering platform software rapidly and reliably, and integrating SBOM generation and automated vulnerability scanning directly within pipelines ensures that risks are identified early in the lifecycle.
Option B is correct because it reflects recommended practices from cloud native platform engineering standards: SBOMs provide a transparent inventory of all software components, including dependencies, which is crucial for vulnerability management, license compliance, and supply chain security. By automating these steps in CI/CD, teams can maintain both velocity and security without manual overhead.
Option A downplays the relevance of SBOMs for platform software, which is inaccurate because platform components (like Kubernetes operators, ingress controllers, or logging agents) are equally susceptible to vulnerabilities. Option C dismisses automation in favor of periodic audits, which contradicts the shift-left security principle. Option D misunderstands CI/CD's purpose: security must be integrated, not separated.
References: CNCF Supply Chain Security Whitepaper; CNCF Platforms Whitepaper; Cloud Native Platform Engineering Study Guide
A company is implementing a service mesh for secure service-to-service communication in their cloud native environment. What is the primary benefit of using mutual TLS (mTLS) within this context?
Mutual TLS (mTLS) is a core feature of service meshes, such as Istio or Linkerd, that enhances security in cloud native environments by ensuring that both communicating services authenticate each other and that the communication channel is encrypted. Option A is correct because mTLS delivers two critical benefits: authentication (verifying the identity of both client and server services) and encryption (protecting data in transit from interception or tampering).
Option B is incorrect because mTLS does not bypass security; it enforces it. Option C is partly true in that service meshes often support observability and logging, but that is not the primary purpose of mTLS. Option D relates to scaling, which is outside the scope of mTLS.
In platform engineering, mTLS is a fundamental security mechanism that provides zero-trust networking between microservices, ensuring secure communication without requiring application-level changes. It strengthens compliance with security and data protection requirements, which are crucial in regulated industries.
References: CNCF Service Mesh Whitepaper; CNCF Platforms Whitepaper; Cloud Native Platform Engineering Study Guide