Calico Certified Operator: AWS Expert Questions & Answers

Section 1

Which one of the following is NOT an AWS networking concept?

AWS Region

Virtual Private Cloud

Elastic Network Interface

Cloud NAT


Which of the following are network configuration options for the Calico CNI in BYOC clusters?

Select all that apply:

VLAN based segmentation

VXLAN encapsulation

IP-IP encapsulation

CrossSubnet mode


Why does AWS-CNI networking make use of source based routing on the nodes?

To provide more available IP addresses

To allow the utilisation of all ENIs attached to the node

To secure the node’s compute resources

To ensure all pods use the same ENI


Which of the following are true when using the CrossSubnet mode in Calico CNI on BYOC clusters?

Select all that apply:

It is recommended that for best performance, you turn off the src/dest check

No overlay networking is needed when pods communicate with each other in the same VPC subnet

CrossSubnet mode works only when the encapsulation mode is VXLAN


Which of the following are advantages of using EKS?

Select all that apply:

Less expensive

Managed control plane

Integrated with other AWS services (IAM, ECR, ELB)

Built-in support for Calico


Which of the following are NOT true about an Availability Zone (AZ) in AWS?

Select all that apply:

AZs provide fault isolation within a region

Elastic IP Addresses can be used in conjunction with AZs

AZs provide load balancing

You need an overlay network when you use AZs


Which command allows the user to examine the contents of a routing table called “5” on an AWS-CNI networked node?

ip route show table 5

route examine 5

ip address 5

aws table 5 show


Which of the following are true when you use Calico CNI on EKS?

Select all that apply:

Pod IPs are assigned as secondary IPs on ENIs

Pod to pod traffic going across VPC subnets is encapsulated with VXLAN or IP-IP

Pod IP addresses are not necessarily from the VPC address pool

You can use Calico for policy only or for networking and policy

Connections to IP addresses outside the cluster need to be source NATed


Which of the following is NOT true about a VPC in AWS?

It is a virtual network in a region that allows you to define a network similar to a datacenter network

A VPC has its own security rules, subnets and routes

A VPC spans all availability zones in a region

You cannot assign subnets per AZ in a VPC


Which one of the following is NOT true about an ENI?

You can attach multiple ENIs to an instance

You cannot move ENIs between instances in a VPC

One or more security groups can be assigned to an ENI

One or more IPv6 addresses can be assigned to an ENI


Section 2

Which of the following are true for cluster security groups in EKS?

Select all that apply:

They automatically block inter-VPC traffic

They allow traffic from the control plane to node groups

They are assigned to ENIs created for nodes in the cluster


Which of the following are true about Ingress?

Select all that apply:

It provides Layer 2 to Layer 7 load balancing

It is a proxy for external communication for HTTP/HTTPS based services

It is implemented by defining an ingress resource and an ingress controller


Which of the following are true when using Calico Policy with the AWS CNI?

Select all that apply:

Calico Policy requires the Calico CNI in AWS

Calico Policy can be installed on top of the AWS CNI

Calico Policy enforcement is disabled when using security groups for pods


Which of the following are true for security groups assigned to pods?

Select all that apply:

You can associate security groups to pods in both EKS and BYOC

Security groups are assigned to pods in EKS using pod or service account labels

Security groups are implemented using a webhook and a controller for managing ENIs

They are limited to the number of branch ENIs available in the EC2 instance


Which of the following are true when security groups in EKS are assigned to pods?

Select all that apply:

This option is supported on all EKS clusters

Policy options are limited to security group rules

Source NAT for traffic leaving nodes is disabled


What is an AWS EKS Cluster Service Role?

It is a role that allows you to manage cluster wide network policy

It is a role that allows an EKS created Kubernetes cluster to access other AWS services

It is a role that manages access control for pods in your EKS cluster


Which of the following are true when using BYOC clusters on AWS?

Select all that apply:

You can use prebuilt clusters and customize them to your needs

They are extremely flexible and can be built to be portable across multiple cloud environments

They provide better control of costs

Several tools are available to help you with BYOC clusters

AWS helps you manage your BYOC cluster once it's created


Which of the following are recommended ways to encrypt data in transit in AWS Kubernetes clusters?

Select all that apply:

IPsec gateways

Calico CNI with WireGuard encryption

AWS App Mesh


Load balancers in EKS-based clusters typically operate as follows:

Select all that apply:

Services are exposed by an independent proxy to the external load balancer

Creating a supported external load balancer

Creating NodePort or Cluster IP based services that are configured to receive traffic from the external load balancer


Which of the following are true about security groups in AWS?

Select all that apply:

Security groups are only available in EKS based clusters

Security groups do not have pod-level visibility in BYOC clusters

Security groups can be assigned to pods in EKS



Section 3

What are some of the widely used tools to create self managed clusters in AWS?

Select all that apply:






Which of the following combinations are suitable for deploying workloads in EKS?

Select all that apply:

Calico CNI with Calico eBPF

AWS CNI with Calico eBPF

Calico CNI with Standard Linux networking


Which of the following are true about K3s?

Select all that apply:

It is a tool to deploy Kubernetes clusters

It is a lightweight binary that implements the Kubernetes API

It uses SQLite as the default Kubernetes datastore


Which of the following steps are needed in order to enable Calico eBPF on AWS?

Select all that apply:

Enable eBPF mode on EKS

Create a cluster with an AMI that supports eBPF

Configure Calico to talk to the Kubernetes API server

Create an EKS cluster with Bottlerocket as the Linux distribution


Which of the following are true about Kubespray?

Select all that apply:

It needs eksctl to create clusters in AWS

It uses Ansible to install Kubernetes

It is very flexible and helps you build production grade clusters

It is more complex to use than kOps


Which of the following are recommended options to use Calico networking on an AWS BYOC cluster?

Select all that apply:

Use kOps with Calico CNI to create the cluster on AWS

Use Kubespray to create the cluster on AWS and set the kube_network_plugin option to calico

Set up an AWS cluster and configure security groups


Which of the following are features of kOps?

Select all that apply:

On AWS, it leverages EKS to deploy clusters

It deploys production grade, highly available clusters

All Calico features are supported

It supports idempotency


Which of the following are true about Calico’s native service handling?

Select all that apply:

It uses kube-proxy for its operation

It is recommended for high performance and latency sensitive applications

It consumes significantly less CPU when you have a large number of services in a cluster and churn services


Which of the following are true when you use Calico eBPF on AWS with NLB?

Select all that apply:

Kube-proxy preserves the source IP

You need to set externalTrafficPolicy to local to preserve source IP

Calico’s native service handling load balances the traffic arriving at the nodeport to the backend pods

The backend pods see the client source IP


Which of the following are true about Kubeadm?

Select all that apply:

It is very flexible and supports many environments

It is very useful to build a minimal viable Kubernetes cluster

Calico is a supported option



Section 4

Which of the following are advantages of Calico's Istio service mesh integration?

Select all that apply:

It supports AWS security group policies

It supports Kubernetes and Calico Policy

It supports identity based authentication using mTLS

It supports application layer policy


Which of the following is NOT true about Online Boutique, the microservices demo application?

All of the microservices use gRPC to communicate with each other

The frontend service is exposed to the Internet

All 11 microservices are implemented in Golang

The application works in cloud environments other than GCP


When you use Calico for networking in a kOps cluster, which of the following is NOT a configuration option?






Which of the following are important considerations when you use kOps on AWS?

Select all that apply:

AWS IAM configuration

Cluster State Storage



After you deploy an ALB in your cluster, which command is used to get the ingress URL for the service?

aws ec2 describe-subnets

aws ec2 get ingress

kubectl describe ingress


Which of the following are options to set up DNS for kOps clusters in AWS?

Select all that apply:

You do need DNS for creating a kOps cluster in AWS

Use a Domain/subdomain hosted via AWS

Set up Route53 for a domain/subdomain purchased at another registrar


Which of the following is false about Cluster State Storage in a kOps cluster?

It is used to store cluster configuration state

You can use an S3 bucket for Cluster State Storage

The S3 bucket for Cluster State Storage cannot be shared by multiple clusters

You should enable versioning and encryption on the S3 bucket


Which of the following are true about Calico Policy for Istio?

Select all that apply:

Calico ALP supports policy with HTTP methods for both ingress and egress traffic

The application layer policy can be defined as both NetworkPolicy and GlobalNetworkPolicy

Prefix match and exact match are both supported for URL paths


Which of the following are true for Calico application layer policy enforced via Istio?

Select all that apply:

You need to define Layer 7 and Layer 3/4 policies separately

You can enable or disable ALP enforcement independently for each namespace

You can use URL paths and HTTP methods in Calico Policy


Which of the following are required to enable application layer policy with Calico and Istio?

Select all that apply:

You need to add configuration to Envoy to enable Calico Policy

The Policy Sync API needs to be enabled in Felix, cluster-wide

You need to configure Istio to query Calico for application policy decisions

You need to modify the Istio sidecar injector to add the Calico component as a sidecar


