CCA (Cilium Certified Associate) Practice Exam - 80 Questions

Exam Overview

The CCA (Cilium Certified Associate) certification validates foundational knowledge of Cilium and eBPF-based Kubernetes networking.

Domain Weights

Architecture (Questions 1-16)

Question 1

What step must an eBPF program go through before it can run in the Linux kernel?

A. Compilation B. Verification C. Linking D. Serialization

Question 2

On what basis does Cilium assign a security Identity to each workload?

A. Pod IP address B. Pod name C. Security-relevant labels of the Pod D. Node where the Pod runs

Question 3

Which of the following is NOT a primary role of the Cilium Agent?

A. Compiling and loading eBPF programs B. Endpoint management C. IPAM allocation management D. CRD validation

Question 4

What is a correct role of the Cilium Operator?

A. Loading eBPF programs on each node B. Cluster-wide IPAM management and CRD management C. Collecting Hubble metrics D. Managing Envoy proxies

Question 5

What is the purpose of BPF maps in eBPF?

A. Sharing data between eBPF programs or between kernel and user space B. Buffers for storing network packets C. Storing eBPF program source code D. Loading kernel modules

Question 6

What characterizes the veth datapath mode in Cilium?

A. Uses veth pairs between Pod and host network namespaces B. Forwards packets directly via XDP C. Only uses VXLAN tunnels D. Operates based on iptables

Question 7

Which is NOT a valid execution context for eBPF programs?

A. XDP (eXpress Data Path) B. tc (traffic control) C. Socket operations D. User space process

Question 8

Which is NOT an advantage of Cilium's Identity-based security model?

A. Unaffected by IP address changes B. Intuitive label-based policy enforcement C. BPF map size is always smaller than IP-based approaches D. Policies automatically apply when Pods scale

Question 9

When does an Endpoint in Cilium undergo regeneration?

A. When a network policy changes B. When node CPU usage is high C. When Hubble restarts D. When DNS cache expires

Question 10

Which BPF map type does Cilium use for CIDR-based policy matching?

A. Hash Map B. LPM Trie C. Array Map D. Ring Buffer

Question 11

Why is there a limit on the maximum number of instructions an eBPF program can execute?

A. Memory conservation B. To guarantee program termination C. Network bandwidth limitation D. CPU core limitation

Question 12

Why is the Cilium Agent deployed as a DaemonSet on each node?

A. For high availability B. Because it needs to manage the network datapath on each node C. For centralized logging D. For storage management

Question 13

What is the primary benefit of using XDP (eXpress Data Path) in Cilium?

A. L7 protocol analysis B. Ultra-fast packet processing at the network driver level C. Automatic TLS termination D. Multi-cluster communication

Question 14

What characterizes the Kubernetes Host Scope IPAM mode in Cilium?

A. Uses AWS ENIs to allocate IPs B. Allocates IPs from the PodCIDR assigned to each node C. Integrates with external IPAM services D. Supports IPv6 only

Question 15

What state store does the Cilium Agent use?

A. Redis B. Local etcd or CRDs (Kubernetes Custom Resources) C. PostgreSQL D. Consul

Question 16

What is the purpose of eBPF tail calls?

A. Invoking system calls from eBPF programs B. Transferring execution from one eBPF program to another C. Calling user space applications D. Triggering kernel panics

Networking (Questions 17-36)

Question 17

Which is NOT a routing mode supported by Cilium?

A. VXLAN tunneling B. Geneve tunneling C. Direct Routing (native routing) D. MPLS routing

Question 18

What does Cilium do when operating as a CNI (Container Network Interface) plugin?

A. Sets up network interfaces and allocates IPs when Pods are created B. Builds container images C. Kubernetes scheduling D. Mounts storage volumes

Question 19

How is Pod-to-Pod traffic forwarded in Cilium's Direct Routing mode?

A. Encapsulated with VXLAN headers B. Forwarded directly using the node's routing table C. NAT is always applied D. Forwarded through user space proxies

Question 20

What is the core implementation approach for Cilium's kube-proxy replacement feature?

A. Creating iptables rules B. Creating ipvs rules C. eBPF-based service load balancing D. Deploying HAProxy

Question 21

What problem does Maglev consistent hashing solve in Cilium service load balancing?

A. DNS resolution speed B. Maintaining existing connections when backends change C. TLS certificate management D. Pod scheduling optimization

Question 22

What is the advantage of DSR (Direct Server Return) mode?

A. Response packets go directly to the client without passing through the original load-balancing node B. All traffic is encrypted C. L7 protocol analysis is possible D. Multi-cluster communication support

Question 23

What is the primary purpose of Cilium's BGP Control Plane feature?

A. DNS resolution inside Pods B. Advertising Pod CIDRs and service IPs to BGP peers C. Container image registry management D. etcd cluster management

Question 24

What is the approximate overhead added by VXLAN tunneling mode?

A. 8 bytes B. 50 bytes C. 100 bytes D. 200 bytes

Question 25

At which hook point does eBPF acceleration for NodePort services operate in Cilium?

A. Application Layer B. XDP or tc C. syslog D. Netfilter

Question 26

What is the advantage of socket-level load balancing in Cilium?

A. L7 protocol analysis is possible B. Packets connect directly to the backend without traversing the network stack C. Automatic TLS termination D. DNS caching

Question 27

Why is Geneve tunneling preferred over VXLAN in Cilium?

A. Less overhead B. Supports extensible TLV (Type-Length-Value) option fields C. Faster encryption D. Supports only IPv4

Question 28

What does Cilium's Host Firewall feature protect?

A. Pod-to-Pod communication only B. Traffic to and from the host network namespace C. External DNS requests D. etcd data

Question 29

What configuration is needed to enable IPv4/IPv6 dual stack in Cilium?

A. enable-ipv4: true and enable-ipv6: true B. dual-stack: enabled C. ip-version: both D. network-mode: dual

Question 30

What Linux kernel feature does Cilium's Bandwidth Manager use?

A. cgroups B. EDT (Earliest Departure Time) based rate limiting C. tc-filter D. iptables rate limiting

Question 31

What is the purpose of WireGuard integration in Cilium?

A. L7 traffic analysis B. Transparent encryption of inter-node traffic C. DNS query acceleration D. Log collection

Question 32

Which Cilium IPAM mode uses ENIs (Elastic Network Interfaces) in cloud environments?

A. Kubernetes Host Scope B. Cluster Scope C. AWS ENI mode D. CRD-backed

Question 33

What is the purpose of BIG TCP in Cilium?

A. Limiting TCP connections B. Improving throughput via GRO/GSO for large packet processing C. Expanding TCP port range D. Adjusting TCP timeouts

Question 34

How does Cilium implement session affinity for services?

A. iptables rules B. Storing client IP to backend mappings in BPF maps C. DNS round-robin D. Delegating to external load balancer

Question 35

Which statement about IP Masquerading in Cilium is correct?

A. Always applies SNAT to all traffic B. Applies SNAT with node IP for traffic from Pods to destinations outside the cluster C. Applies only to inbound traffic D. Works only with IPv6

Question 36

What is the LB-IPAM feature for LoadBalancer type services in Cilium?

A. Automatic cloud load balancer provisioning B. Cilium directly allocates IPs from a LoadBalancer IP pool C. DNS-based load balancing D. Ingress controller deployment

Network Policy (Questions 37-52)

Question 37

What is a correct difference between CiliumNetworkPolicy and Kubernetes NetworkPolicy?

A. CiliumNetworkPolicy supports L7 policies B. Kubernetes NetworkPolicy provides more features C. CiliumNetworkPolicy only supports cluster scope D. They have exactly the same features

Question 38

Where are L3/L4 network policies enforced in Cilium?

A. Envoy proxy B. eBPF programs (kernel level) C. iptables D. User space firewall

Question 39

How do FQDN-based network policies work in Cilium?

A. Periodically querying external DNS servers B. Cilium DNS proxy intercepts DNS responses to learn IP mappings and apply policies C. Referencing /etc/hosts files D. Implemented as a CoreDNS plugin

Question 40

What traffic does the following CiliumNetworkPolicy allow?

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-frontend
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: '8080'
              protocol: TCP

A. Traffic from backend to frontend on port 8080 B. TCP traffic from frontend to backend on port 8080 C. Traffic from all Pods to backend D. All outbound traffic from backend

Question 41

What is the purpose of CiliumClusterwideNetworkPolicy?

A. A policy that applies only to a specific namespace B. A network policy that applies across the entire cluster C. A policy applied to external clusters D. A DNS-only policy

Question 42

Which proxy is used when Cilium applies L7 network policies?

A. Nginx B. HAProxy C. Envoy D. Traefik

Question 43

When is default deny behavior activated in Cilium network policies?

A. Automatically when Cilium is installed B. When at least one policy selecting a specific endpoint is applied C. Only when explicitly configured by an administrator D. By namespace labels

Question 44

Which protocol is NOT supported in Cilium L7 policies?

A. HTTP B. gRPC C. Kafka D. MQTT

Question 45

What is the purpose of Policy Audit Mode in Cilium?

A. Block and log policy-violating traffic B. Monitor policy-violating traffic without blocking it C. Automatically generate policies D. Optimize policy performance

Question 46

What is the purpose of CIDR-based egress rules in Cilium network policies?

A. Controlling Pod-to-Pod communication within the cluster B. Controlling egress traffic to specific external IP ranges C. Controlling DNS resolution D. Configuring Ingress controllers

Question 47

What does toEntities: world mean in Cilium?

A. All Pods in the same cluster B. All endpoints outside the cluster C. All endpoints not managed by Cilium D. DNS servers

Question 48

Given the following Cilium L7 policy example:

rules:
  http:
    - method: GET
      path: '/api/v1/users'

What traffic does this rule allow?

A. All HTTP traffic B. Only GET requests to the /api/v1/users path C. All HTTP methods to the /api/v1/users path D. Only POST requests

Question 49

Where is Identity stored in Cilium's Identity-based policies?

A. Pod environment variables B. BPF maps and KVStore (CRD or etcd) C. ConfigMap D. Secret

Question 50

How do you write policies that cross namespace boundaries in Cilium?

A. Directly specifying namespace names B. Using namespaceSelector to match namespace labels C. Always using CiliumClusterwideNetworkPolicy D. Adding iptables rules

Question 51

What is the purpose of the toServices field in Cilium policies?

A. Defining egress policies targeting Kubernetes services B. Configuring service mesh C. Configuring service discovery D. Service monitoring

Question 52

What is the priority of deny rules in Cilium policies?

A. Always lower than allow rules B. Always higher than allow rules (deny takes precedence) C. By creation time D. By namespace alphabetical order

Service Mesh (Questions 53-64)

Question 53

What is the core principle of Cilium service mesh's sidecar-less architecture?

A. Injecting a sidecar container into each Pod B. One Envoy proxy per node with eBPF-based traffic redirection C. Integration with Istio sidecars D. Modifying application code

Question 54

What is the role of mTLS (Mutual TLS) in Cilium service mesh?

A. DNS encryption B. Mutual authentication and encryption of service-to-service communication C. Log encryption D. Storage encryption

Question 55

Which is NOT an advantage of Cilium's sidecar-less service mesh?

A. Improved resource efficiency B. Reduced latency C. Independent Envoy configuration per Pod D. Reduced operational complexity

Question 56

What is the purpose of the CiliumEnvoyConfig CRD?

A. Cilium Agent configuration B. Defining L7 traffic management rules for the Envoy proxy C. Hubble configuration D. BGP peer configuration

Question 57

What is included in Cilium service mesh's L7 traffic management capabilities?

A. Header-based routing B. GPU scheduling C. Storage provisioning D. Node autoscaling

Question 58

What resource does Cilium use to provide Ingress controller functionality?

A. CiliumIngressController CRD B. Standard Kubernetes Ingress resources and CiliumEnvoyConfig C. Nginx ConfigMap D. Istio Gateway

Question 59

What does Gateway API support mean in Cilium service mesh?

A. Uses only proprietary APIs B. Natively supports Kubernetes Gateway API resources (Gateway, HTTPRoute, etc.) C. AWS API Gateway integration D. Automatic REST API generation

Question 60

How are L4-level service mesh features (such as mTLS) implemented in Cilium?

A. Always through the Envoy proxy B. Directly in eBPF (without a proxy) C. Via iptables rules D. Via sidecar containers

Question 61

What does a SPIFFE ID represent in Cilium's SPIFFE integration?

A. Pod IP address B. Cryptographic identifier of a workload C. Node hostname D. Namespace name

Question 62

How do you implement canary deployments in Cilium service mesh?

A. Adjusting Kubernetes Deployment replica count B. Setting weights on backendRefs in HTTPRoute C. DNS round-robin D. Manually changing Pod IPs

Question 63

Under what conditions is traffic redirected to Envoy in Cilium?

A. All traffic is always redirected B. Only traffic with L7 network policies applied C. Only TCP traffic D. Only UDP traffic

Question 64

How do you configure retry policies in Cilium service mesh?

A. Implement in Pod application code B. Via CiliumEnvoyConfig or HTTPRoute retry settings C. Kubernetes livenessProbe D. sysctl parameters

Observability (Questions 65-72)

Question 65

Which component in Hubble's architecture collects flow data on each node?

A. Hubble Relay B. Hubble UI C. Hubble embedded in the Cilium Agent D. Prometheus

Question 66

What is the role of Hubble Relay?

A. Collecting flows from a single node B. Aggregating Hubble data from multiple nodes for cluster-wide observability C. DNS relay D. Load balancing

Question 67

Which L7 protocol is NOT observable through Hubble?

A. HTTP B. DNS C. Kafka D. SMTP

Question 68

What is the command to view flows for a specific namespace in Hubble CLI?

A. hubble observe --namespace default B. hubble get flows --ns default C. hubble watch default D. hubble logs --namespace default

Question 69

What functionality does Hubble UI provide?

A. Service dependency topology map visualization B. Kubernetes resource YAML editing C. Container log viewer D. CI/CD pipeline management

Question 70

What information can be collected through Hubble's Prometheus metrics integration?

A. Flow counts, policy drop counts, HTTP request latency B. CPU usage C. Disk I/O D. Memory usage

Question 71

What is the command to view packets dropped by policies in Hubble?

A. hubble observe --verdict DROPPED B. hubble dropped-packets C. hubble observe --type drop D. hubble policy-violations

Question 72

What is the primary use of the Hubble gRPC API?

A. Pod scheduling B. Programmatic querying and streaming of flow data C. Kubernetes API server access D. Image registry management

Cluster Mesh and External Workloads (Questions 73-80)

Question 73

What is the core architectural component of Cilium ClusterMesh?

A. Centralized control plane B. Each cluster's etcd and clustermesh-apiserver C. Single shared etcd D. Consul

Question 74

What is a Global Service in ClusterMesh?

A. A service using the same IP across all clusters B. A service that distributes traffic across backends in multiple clusters under the same service name C. A service exposed to the external internet D. A DNS-only service

Question 75

How do you set service affinity to prefer the local cluster in ClusterMesh?

A. Add the io.cilium/service-affinity: "local" annotation to the service B. Change affinity-mode in ClusterMesh configuration C. Adjust DNS TTL D. Set BGP priority

Question 76

Why are cross-cluster network policies possible in ClusterMesh?

A. Only IP address-based policies are used B. Identities are synchronized across clusters enabling Identity-based policy enforcement C. A central firewall is used D. VPN tunnels are used

Question 77

What is the purpose of KVStoreMesh?

A. KVStore backup B. A caching layer to reduce KVStore load in large ClusterMesh environments C. KVStore encryption D. KVStore monitoring

Question 78

What does the Cilium External Workloads feature enable?

A. Installing Cilium Agent on external VMs or bare-metal servers to apply Kubernetes cluster network policies B. Managing external DNS servers C. Automatic cloud instance provisioning D. VPN server deployment

Question 79

Which is NOT a required prerequisite for setting up ClusterMesh?

A. Unique cluster ID for each cluster B. Non-overlapping Pod CIDRs between clusters C. All clusters must be on the same cloud provider D. Network connectivity between clusters

Question 80

What is the purpose of the CiliumBGPPeeringPolicy resource in Cilium BGP Control Plane (BGPCP)?

A. Running a BGP daemon inside Pods B. Declaratively defining BGP peering sessions and routes to advertise on nodes C. Automatic external BGP router deployment D. BGP traffic encryption

Summary

Domain Review

Study Tips

1. Understand eBPF fundamentals: Verifier, BPF maps, program types (XDP, tc, socket) -- these concepts appear throughout the exam.
2. Master the Identity-based security model: Understand the label-based Identity allocation and policy enforcement mechanism that differentiates Cilium.
3. Hands-on practice: Use CLI tools like cilium status, cilium endpoint list, and hubble observe hands-on.
4. Reference official documentation: The Concepts section of the Cilium official documentation aligns most closely with the exam scope.