The Kubernetes Questions That Exposed My Container Orchestration Blind Spots
Six years managing Kubernetes clusters taught me that interviews aren't about memorizing kubectl commands—they're about proving you can architect resilient, scalable container platforms. Here are the questions that separate YAML copiers from true cluster architects.
My first Kubernetes admin interview was humbling. When they asked "How would you handle a pod that's stuck in Pending state?", I immediately started listing resource constraints. The senior engineer stopped me: "That's one possibility, but what's your systematic approach? How do you gather information? What's your troubleshooting methodology?"
That question taught me that Kubernetes administration isn't just about knowing YAML syntax—it's about understanding distributed systems, networking, security, and operational excellence. The best K8s admins don't just deploy workloads; they architect platforms that scale, heal, and protect themselves.
After managing Kubernetes clusters at scale and conducting dozens of admin interviews, I've compiled the questions that truly matter in 2026. These aren't just technical trivia—they're insights into how you approach reliability, security, and operational complexity in container orchestration.
Kubernetes Admin Core Competencies
- Cluster Architecture: Can you design and maintain highly available clusters?
- Workload Management: Do you understand pods, services, and deployment strategies?
- Networking & Security: Can you implement network policies and RBAC?
- Storage & Persistence: Do you handle stateful applications effectively?
- Pro tip: Always discuss scalability, security, and observability implications
Kubernetes Architecture & Pods (Questions 1-8)
1. Explain the Kubernetes control plane components and their roles.
Tests understanding of K8s architecture and cluster operations
Answer:
API Server (kube-apiserver): Central management point, validates and processes REST operations
etcd: Distributed key-value store, holds cluster state and configuration data
Controller Manager: Runs controller processes (node, replication, endpoints controllers)
Scheduler (kube-scheduler): Assigns pods to nodes based on resource requirements and constraints
Cloud Controller Manager: Interfaces with cloud provider APIs for load balancers, storage, etc.
2. What happens when you create a pod? Describe the lifecycle.
Tests understanding of pod creation process and lifecycle management
Answer:
- Pod manifest submitted to API server
- API server validates and stores in etcd
- Scheduler watches for unscheduled pods, selects node
- Kubelet on target node pulls container images
- Container runtime creates containers
- Pod phases: Pending → Running → Succeeded/Failed
# Monitor pod lifecycle
kubectl get pods -w
kubectl describe pod <pod-name>
3. How do you troubleshoot a pod stuck in Pending state?
Answer:
- Check pod events:
kubectl describe pod <name> - Verify node resources:
kubectl top nodes - Check node taints and pod tolerations
- Verify resource requests vs node capacity
- Check for node selectors or affinity rules
- Examine persistent volume availability
4. Write a pod spec with resource limits, health checks, and security context.
Answer:
apiVersion: v1
kind: Pod
metadata:
name: secure-app
labels:
app: secure-app
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
containers:
- name: app
image: nginx:1.21-alpine
ports:
- containerPort: 8080
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
volumeMounts:
- name: tmp-volume
mountPath: /tmp
volumes:
- name: tmp-volume
emptyDir: {{}}5-8. Additional Architecture Questions:
- 5. Explain the difference between DaemonSet, ReplicaSet, and Deployment
- 6. How do you handle init containers and sidecar patterns?
- 7. What are admission controllers and give examples?
- 8. How do you backup and restore etcd cluster?
Networking & Services (Questions 9-16)
9. Explain Kubernetes networking model and CNI.
Answer:
Networking Requirements:
- All pods can communicate without NAT
- Nodes can communicate with all pods
- Pod sees same IP that others see it as
CNI (Container Network Interface): Standard for configuring network interfaces in containers
Popular CNI plugins: Calico, Flannel, Weave, Cilium, AWS VPC CNI
10. Create a Service and Ingress for exposing an application.
Answer:
# Service
apiVersion: v1
kind: Service
metadata:
name: web-service
spec:
selector:
app: web-app
ports:
- port: 80
targetPort: 8080
protocol: TCP
type: ClusterIP
---
# Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- example.com
secretName: web-tls
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-service
port:
number: 8011. Implement NetworkPolicies for micro-segmentation.
Answer:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all-ingress
namespace: production
spec:
podSelector: {{}}
policyTypes:
- Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-frontend-to-backend
namespace: production
spec:
podSelector:
matchLabels:
tier: backend
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
tier: frontend
ports:
- protocol: TCP
port: 8080Best Practice: Default deny-all, then selectively allow required traffic
12. How do you troubleshoot DNS resolution issues in pods?
Answer:
- Check CoreDNS pods:
kubectl get pods -n kube-system -l k8s-app=kube-dns - Test DNS resolution from pod:
nslookup kubernetes.default - Check pod's DNS configuration:
cat /etc/resolv.conf - Verify service endpoints:
kubectl get endpoints - Check CoreDNS ConfigMap and logs
13-16. Additional Networking Questions:
- 13. Explain Service types: ClusterIP, NodePort, LoadBalancer, ExternalName
- 14. How do you implement service mesh (Istio, Linkerd) for traffic management?
- 15. What's the difference between kube-proxy modes (iptables, ipvs, userspace)?
- 16. How do you handle cross-cluster networking and multi-cluster setups?
Storage & Persistent Volumes (Questions 17-22)
17. Explain the difference between Volumes, PVs, and PVCs.
Answer:
Volume: Directory accessible to containers in a pod, tied to pod lifecycle
PersistentVolume (PV): Cluster resource representing storage, independent of pod lifecycle
PersistentVolumeClaim (PVC): Request for storage by a user, binds to available PV
StorageClass: Defines different types of storage with provisioning policies
18. Create a StatefulSet with persistent storage for a database.
Answer:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
spec:
serviceName: postgres
replicas: 3
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
containers:
- name: postgres
image: postgres:13
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: password
ports:
- containerPort: 5432
volumeMounts:
- name: postgres-storage
mountPath: /var/lib/postgresql/data
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"
volumeClaimTemplates:
- metadata:
name: postgres-storage
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: "fast-ssd"
resources:
requests:
storage: 10Gi19. How do you backup and restore persistent data?
Answer:
Strategies:
- Volume snapshots using CSI snapshot controller
- Application-consistent backups (Velero, Stash)
- Database-specific backup tools (pg_dump, mysqldump)
- Cross-region replication for disaster recovery
# Create volume snapshot
kubectl create -f volume-snapshot.yaml
# Restore from snapshot
kubectl create -f restore-pvc.yaml
20-22. Additional Storage Questions:
- 20. How do you handle dynamic provisioning vs static provisioning?
- 21. Explain storage classes and their parameters for different cloud providers
- 22. How do you migrate data between different storage backends?
RBAC & Security (Questions 23-28)
23. Design RBAC for a multi-tenant Kubernetes cluster.
Answer:
# Namespace for tenant apiVersion: v1 kind: Namespace metadata: name: tenant-a --- # ServiceAccount for tenant apiVersion: v1 kind: ServiceAccount metadata: name: tenant-a-user namespace: tenant-a --- # Role with limited permissions apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: tenant-a name: tenant-role rules: - apiGroups: [""] resources: ["pods", "services", "configmaps"] verbs: ["get", "list", "create", "update", "delete"] - apiGroups: ["apps"] resources: ["deployments", "replicasets"] verbs: ["get", "list", "create", "update", "delete"] --- # RoleBinding to link user and role apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tenant-a-binding namespace: tenant-a subjects: - kind: ServiceAccount name: tenant-a-user namespace: tenant-a roleRef: kind: Role name: tenant-role apiGroup: rbac.authorization.k8s.io
24. Implement Pod Security Standards (PSS) and Security Contexts.
Answer:
# Pod Security Standard at namespace level
apiVersion: v1
kind: Namespace
metadata:
name: secure-namespace
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted
---
# Secure Pod with security context
apiVersion: v1
kind: Pod
metadata:
name: secure-pod
namespace: secure-namespace
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containers:
- name: secure-container
image: nginx:1.21-alpine
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE25. How do you secure the Kubernetes API server?
Answer:
- Enable TLS encryption for all communication
- Use strong authentication (certificates, OIDC, webhooks)
- Implement RBAC with principle of least privilege
- Enable audit logging for compliance
- Use admission controllers (ValidatingAdmissionWebhook)
- Regular security scanning and updates
- Network policies to restrict API server access
26-28. Additional Security Questions:
- 26. How do you implement image scanning and admission control?
- 27. Explain how to rotate certificates and manage PKI in Kubernetes
- 28. How do you implement secrets management with external systems (Vault, AWS Secrets Manager)?
Monitoring & Troubleshooting (Questions 29-30)
29. Set up comprehensive monitoring for a Kubernetes cluster.
Answer:
Monitoring Stack:
- Prometheus for metrics collection
- Grafana for visualization
- Alertmanager for notifications
- Jaeger/Zipkin for distributed tracing
- ELK/EFK stack for log aggregation
# Key monitoring queries kubectl top nodes kubectl top pods --all-namespaces kubectl get events --sort-by=.lastTimestamp kubectl logs -f deployment/app-name kubectl describe pod <pod-name> # Resource utilization kubectl describe node <node-name> kubectl get resourcequota --all-namespaces
30. Troubleshoot a complete cluster outage scenario.
Answer:
Systematic Approach:
- Assess Impact: What services are affected?
- Check Control Plane: API server, etcd, scheduler health
- Verify Node Status: Node readiness, resource availability
- Network Connectivity: CNI health, DNS resolution
- Storage Issues: PV availability, CSI driver status
- Review Logs: System logs, audit logs, application logs
- Recovery Plan: Restore from backup, recreate resources
# Emergency troubleshooting commands
kubectl get componentstatuses
kubectl cluster-info
kubectl get nodes -o wide
systemctl status kubelet
journalctl -u kubelet -f
Master Kubernetes Administration
Stuck on YAML syntax or can't remember kubectl commands? LastRound AI provides real-time Kubernetes guidance during your interviews.
- ✓ Pod, Service, and Deployment YAML examples
- ✓ RBAC and NetworkPolicy configurations
- ✓ Troubleshooting commands and methodologies
- ✓ Security best practices and implementation
Kubernetes Administration Success Tips
The Five Pillars of K8s Administration
Use this framework to demonstrate Kubernetes expertise:
- Architecture: Deep understanding of control plane and worker node components
- Security: RBAC, Pod Security Standards, network policies, secrets management
- Networking: CNI, Services, Ingress, DNS, and troubleshooting connectivity
- Storage: Persistent volumes, storage classes, backup strategies
- Operations: Monitoring, logging, troubleshooting, and disaster recovery
What Separates Expert K8s Administrators
✓ Expert Administrators Show:
- • Security-first approach to cluster design
- • Systematic troubleshooting methodology
- • Understanding of distributed systems concepts
- • Proactive monitoring and alerting strategies
- • Knowledge of scalability and performance optimization
- • Experience with GitOps and infrastructure as code
❌ Common Mistakes:
- • Running containers as root without justification
- • Ignoring resource limits and requests
- • Poor RBAC implementation (too permissive)
- • Inadequate backup and disaster recovery planning
- • Neglecting network security and segmentation
- • Manual configuration instead of GitOps
The best Kubernetes administrators I've worked with understand that container orchestration is just the foundation. They focus on building secure, reliable, and scalable platforms while maintaining operational excellence. Master the fundamentals, but more importantly, understand how they combine to create resilient distributed systems.