[Golden Kubestronaut] CGOA Practice Exam 80 Questions - Certified GitOps Associate
Author: Youngju Kim (@fjvbn20031)
- 1. CGOA Exam Overview
- 2. Golden Kubestronaut Program
- 3. Domain Weights
- 4. Key Concepts Summary
- 5. Practice Questions (80 Questions)
- 6. Wrap-Up
1. CGOA Exam Overview
CGOA (Certified GitOps Associate) is an entry-level GitOps certification administered by CNCF.
| Item | Details |
|---|---|
| Duration | 90 minutes |
| Questions | 60 (MCQ) |
| Passing Score | 75% (45+ correct) |
| Format | Online proctored |
| Validity | 3 years |
| Cost | USD 250 |
2. Golden Kubestronaut Program
Golden Kubestronaut is the highest-tier title awarded to individuals who pass all core Kubestronaut certifications plus additional ones including CGOA and KCSA.
| Certification | Type | Passing Score |
|---|---|---|
| KCNA | Theory MCQ | 75% |
| KCSA | Theory MCQ | 75% |
| CGOA | Theory MCQ | 75% |
| CKA | Practical | 66% |
| CKAD | Practical | 66% |
| CKS | Practical | 67% |
3. Domain Weights
| Domain | Weight |
|---|---|
| GitOps Terminology | 20% |
| GitOps Principles | 30% |
| Related Tools | 30% |
| GitOps Patterns | 20% |
4. Key Concepts Summary
GitOps Principles
- Declarative: Define the desired state of the system declaratively
- Versioned and Immutable: All state stored in Git with immutability and version history
- Pulled Automatically: Approved changes are automatically applied to the system
- Continuously Reconciled: Agents continuously compare actual state to desired state and correct drift
ArgoCD Architecture
- API Server: gRPC/REST interface for Web UI, CLI, and CI/CD systems
- Repository Server: Clones Git repositories and generates manifests
- Application Controller: Monitors running application state and compares to desired state
- Redis: Manifest caching and state storage
- Dex: OIDC provider for SSO
Flux Architecture
- source-controller: Fetches artifacts from Git, Helm, and OCI repositories
- kustomize-controller: Applies Kustomize overlays and deploys resources
- helm-controller: Manages Helm chart releases
- notification-controller: Delivers events to external systems
5. Practice Questions (80 Questions)
Domain 1: GitOps Terminology (Q1-Q16)
Q1. What does "Single Source of Truth" mean in GitOps?
A) A central database accessible only to operations teams B) Declarative configurations stored in a Git repository serve as the only source of truth for the system C) The current cluster state stored in the Kubernetes API server D) The final build artifact from the CI/CD pipeline
Answer: B
Explanation: In GitOps, Single Source of Truth means the declarative configuration files stored in a Git repository. All infrastructure and application state is managed in Git, which serves as the sole reference point for the desired state the system should reach.
Q2. What term describes the difference between "Desired State" and "Actual State" in GitOps?
A) Deviation B) Drift C) Delta D) Divergence
Answer: B
Explanation: Drift is the core GitOps term that describes the difference between the Desired State defined in a Git repository and the Actual State running in the cluster.
Q3. Which statement correctly describes the declarative approach?
A) It describes the final state the system should reach B) It describes step-by-step commands to reach a state C) It manually creates each resource in order D) It configures infrastructure procedurally through scripts
Answer: A
Explanation: The declarative approach describes "what" is desired. In contrast, the imperative approach describes "how" to get there step by step. GitOps uses the declarative approach as a core principle.
Q4. Which is an example of the imperative approach?
A) Defining a Deployment with a Kubernetes YAML manifest
B) Running kubectl create deployment nginx --image=nginx
C) Defining an application package with a Helm chart
D) Managing environment-specific configs with Kustomize overlays
Answer: B
Explanation: The kubectl create command directly creates a resource, which is an imperative approach. Defining resources in YAML files and applying them with kubectl apply is declarative, and Helm and Kustomize are also declarative tools.
Q5. Which is NOT one of the four core principles of OpenGitOps?
A) Declarative B) Versioned and Immutable C) Manual Approval Required D) Continuously Reconciled
Answer: C
Explanation: The four OpenGitOps principles are (1) Declarative, (2) Versioned and Immutable, (3) Pulled Automatically, and (4) Continuously Reconciled. Manual approval can be added to workflows but is not a core principle.
Q6. What does "Reconciliation" mean in GitOps?
A) The process of merging branches in a Git repository B) The process of comparing and aligning desired state with actual state C) The process of running tests in a CI pipeline D) The process of building and pushing container images to a registry
Answer: B
Explanation: Reconciliation is the core mechanism where a GitOps agent periodically compares the desired state defined in Git with the actual state in the cluster, and if differences exist, converges the actual state toward the desired state.
Q7. When is "Drift Detection" needed?
A) When deploying a new application for the first time
B) When someone modifies a resource directly in the cluster using kubectl edit
C) When a new commit is pushed to Git
D) When the CI pipeline builds a new image
Answer: B
Explanation: Drift Detection identifies differences between the state defined in Git and the actual cluster state. A typical drift scenario occurs when someone makes direct changes to the cluster via kubectl or other tools.
Q8. What best describes the role of a Git repository in GitOps?
A) A registry that stores container images B) A declarative store for the desired state of infrastructure and applications C) A place that stores CI/CD pipeline execution logs D) A data source that collects monitoring metrics
Answer: B
Explanation: In GitOps, the Git repository serves as the Single Source of Truth, declaratively storing the desired state of infrastructure and applications.
Q9. What correctly describes the concept of a "State Store"?
A) A database that stores runtime data for applications B) A version control system that stores declarations of desired state C) A log system that stores cluster events D) A vault system that encrypts and stores secrets
Answer: B
Explanation: In GitOps, a State Store is a version control system that declaratively stores the desired state of a system. Git is the most representative State Store, providing immutable history and audit trails.
Q10. What is the role of a "Feedback Loop" in GitOps?
A) Sending code review notifications to developers B) Detecting and alerting when actual state deviates from desired state C) Reporting CI pipeline test results D) Adding automated comments to Git commits
Answer: B
Explanation: A Feedback Loop is the mechanism by which a GitOps agent observes the actual cluster state and detects differences from the desired state, alerting operators so they can respond immediately to drift.
Q11. What does "Immutable Infrastructure" mean in GitOps?
A) Infrastructure can never be changed once deployed B) When changes are needed, existing infrastructure is replaced rather than modified C) All infrastructure configurations are hardcoded D) A deployment method only possible on physical servers
Answer: B
Explanation: Immutable Infrastructure is a pattern where existing infrastructure is not modified (mutated) but rather replaced by deploying a new version. This prevents configuration drift and facilitates rollbacks.
Q12. What is the core problem GitOps aims to solve?
A) Optimizing container image build speed B) Consistency, auditability, and automation of infrastructure and application deployments C) Reducing source code compilation time D) Optimizing network bandwidth
Answer: B
Explanation: GitOps aims to integrate infrastructure and application deployments into Git-based workflows to ensure consistency, auditability, and automation.
Q13. What role does a "Software Agent" perform in GitOps?
A) Compiles code and runs tests B) Applies the state from Git repositories to the cluster and remediates drift C) Automates developer code reviews D) Builds and pushes container images
Answer: B
Explanation: GitOps Software Agents (such as ArgoCD and Flux) apply the desired state declared in Git repositories to clusters and continuously detect and remediate drift.
Q14. How does "Observability" relate to GitOps?
A) GitOps replaces monitoring tools B) It is essential for observing actual state to compare with desired state C) It only refers to log collection and metric analysis D) It is only used for measuring CI/CD pipeline performance
Answer: B
Explanation: In GitOps, Observability plays a key role in observing the actual state of a cluster and identifying differences from the desired state. It forms the basis for drift detection and automatic remediation.
Q15. Which best explains "Desired State" in GitOps terminology?
A) The state of all resources currently running in the cluster B) The target state declaratively defined in a Git repository that the system should reach C) Server configurations manually set by operations teams D) Metric values displayed on a monitoring dashboard
Answer: B
Explanation: Desired State is the target state of the system declaratively defined in a Git repository. GitOps agents continuously reconcile the cluster based on this state.
Q16. What is the relationship between "Configuration as Code" and GitOps?
A) They are completely separate concepts B) Configuration as Code is a prerequisite for GitOps, managing all configurations as code C) GitOps is a new methodology that replaces Configuration as Code D) Configuration as Code applies only to application code
Answer: B
Explanation: Configuration as Code manages infrastructure and application configurations as code (YAML, JSON, HCL, etc.) and is a prerequisite for implementing GitOps. It enables Git version control and automation.
Domain 2: GitOps Principles (Q17-Q40)
Q17. What characterizes the pull-based deployment model?
A) A CI server sends deployment commands directly to the cluster B) An agent inside the cluster pulls changes from the Git repository and applies them C) Developers deploy resources directly using kubectl D) An external script connects to servers via SSH to deploy
Answer: B
Explanation: In the pull model, an agent running inside the cluster (ArgoCD, Flux) periodically checks the Git repository and applies changes to the cluster. This eliminates the need for external cluster access, providing a security advantage.
Q18. What is the security disadvantage of the push-based deployment model?
A) Read access to the Git repository is required B) The CI/CD system must hold direct access credentials to the cluster C) Container image registry access is required D) The code review process becomes complex
Answer: B
Explanation: In the push model, CI/CD systems like Jenkins or GitHub Actions must hold credentials such as kubeconfig or ServiceAccount tokens to access the cluster directly. This widens the attack surface.
Q19. What cannot the GitOps Reconciliation Loop detect?
A) A Deployment replica count changed directly in the cluster B) A ConfigMap change newly committed to the Git repository C) Uncommitted code changes being tested on a developer's local machine D) A new Helm chart version pushed to the Git repository
Answer: C
Explanation: The Reconciliation Loop compares the state committed in the Git repository with the actual cluster state. Changes on a developer's local machine that have not been committed to Git are not a detection target.
Q20. What does "Self-Healing" mean in GitOps?
A) Servers automatically recovering from physical failures B) Automatically restoring to the desired state when actual state deviates C) Automatically fixing bugs in application code D) Automatically routing around network failures
Answer: B
Explanation: Self-Healing is the mechanism where a GitOps agent detects drift and automatically restores the cluster to the desired state defined in Git. For example, if someone manually changes replica counts, the agent detects this and reverts to the Git-defined value.
Q21. What characterizes the "Environment per Branch" Git branching pattern?
A) All environments are managed from a single branch B) Separate branches exist for each environment (dev, staging, prod) C) Only tags are used without branches D) Feature branches deploy directly to production
Answer: B
Explanation: In the Environment per Branch pattern, dedicated branches exist for each environment (main, staging, production). When changes are merged to a branch, the GitOps agent automatically deploys to the corresponding environment.
Q22. What is the recommended way to perform rollbacks in GitOps?
A) Set the previous image version directly using kubectl B) Create a new commit by reverting to a previous commit in Git C) Restore an etcd backup of the cluster D) Manually re-run the CI/CD pipeline
Answer: B
Explanation: In GitOps, the recommended way to roll back is to revert to a previous commit in Git. This preserves the change history, and the GitOps agent automatically reconciles the cluster to the previous state.
Q23. What is the advantage of using "Trunk-Based Development" with GitOps?
A) More long-running branches reduce merge conflicts B) Short-lived branches and frequent integration enable fast feedback and deployment C) Developers can commit directly to the main branch without code review D) Multiple environments can be managed with a single branch only
Answer: B
Explanation: Trunk-Based Development uses short-lived feature branches and frequent integration into main. Combined with GitOps, it enables frequent deployments and fast feedback loops.
Q24. What role does the "Pull Request (PR)" workflow play in GitOps?
A) It automatically builds container images B) It provides review, approval, and audit trails for changes C) It directly executes deployments to the cluster D) It automatically provisions test environments
Answer: B
Explanation: Pull Requests serve as a critical gate in GitOps workflows, providing code review, team approval, automated validation (CI), and audit trails for change history.
Q25. Why should repositories be separated following the Separation of Concerns principle in GitOps?
A) Due to Git repository capacity limitations B) Because application source code and deployment configurations have different change cycles and permissions C) Because Git does not handle binary files well D) To increase CI/CD pipeline speed
Answer: B
Explanation: Application source code and deployment configurations (manifests) have different change cycles, access permissions, and review processes. Separating them allows each to be managed independently and to have its own RBAC applied.
Q26. Why is "Idempotency" important in GitOps?
A) To increase deployment speed B) To guarantee that applying the same declarative state multiple times produces identical results C) To maintain consistency of Git commit messages D) To reduce container image sizes
Answer: B
Explanation: Idempotency is the property where performing the same operation multiple times produces identical results. Since the GitOps reconciliation loop repeatedly applies state, idempotency is essential to guarantee consistent results each time.
Q27. What is the difference between "Continuous Reconciliation" and "CI/CD"?
A) There is no difference; they are the same concept B) CI/CD is event-triggered, while Continuous Reconciliation continuously compares and adjusts state C) Only CI/CD provides automation D) Continuous Reconciliation only includes the build phase
Answer: B
Explanation: CI/CD is triggered by events such as commits or merges to perform build-test-deploy. Continuous Reconciliation continuously compares and adjusts desired and actual state regardless of events.
Q28. Why is an "Audit Trail" automatically provided in GitOps?
A) Because a separate audit log system was built B) Because all changes are recorded as Git commits tracking who, when, and what was changed C) Because Kubernetes events are permanently stored D) Because CI/CD pipeline logs are archived
Answer: B
Explanation: In GitOps, all infrastructure changes are made through Git commits, so commit history naturally serves as an audit trail. Committer, timestamp, change content, and PR review records are all preserved.
Q29. What is the recommended approach for applying GitOps in a multi-tenancy environment?
A) All teams share a single repository and namespace B) Separate repositories and namespaces per team, with RBAC to restrict access C) Each team operates an independent Kubernetes cluster D) Manual deployment without GitOps
Answer: B
Explanation: In multi-tenancy environments, Git repositories and namespaces are separated per team, and RBAC is applied through ArgoCD AppProjects or Flux Tenant features to ensure isolation.
Q30. What is the correct implementation of "Environment Promotion" in GitOps?
A) Copy-pasting the same YAML to all environments B) Sequentially promoting changes from dev to staging to prod through Pull Requests C) Manual deployment to each environment using kubectl D) Writing completely different manifests for each environment
Answer: B
Explanation: Environment Promotion sequentially promotes changes from dev to staging to production through Pull Request workflows. Reviews and automated tests are performed at each stage.
Q31. What is the role of "Reconciliation Timeout"?
A) Git repository access time limit B) Maximum allowed time for a sync operation to complete C) PR review wait time limit D) Image build timeout
Answer: B
Explanation: Reconciliation Timeout is the maximum time allowed for a sync operation to complete. If resources do not reach a healthy state within this time, the sync is marked as failed.
Q32. What is the relationship between "Infrastructure as Code (IaC)" and GitOps?
A) IaC is unrelated to GitOps B) IaC is the foundation of GitOps, defining infrastructure as code managed in Git C) GitOps completely replaces IaC D) IaC is only usable in cloud environments
Answer: B
Explanation: Infrastructure as Code is a methodology for defining infrastructure as code and forms the foundation of GitOps. Infrastructure defined with IaC is stored in Git, and GitOps agents automatically apply it.
Q33. What role do "Webhooks" play in a GitOps workflow?
A) They directly execute deployments to the cluster B) They immediately notify agents of Git repository changes to trigger faster synchronization C) They build container images D) They run security scans
Answer: B
Explanation: Webhooks send immediate notifications to GitOps agents (ArgoCD, Flux) when changes occur in a Git repository, enabling faster sync without waiting for the polling interval.
Q34. What does "Convergence" mean in GitOps?
A) Merging multiple Git branches into one B) The actual state converging to match the desired state C) Multiple microservices integrating into a monolith D) Distributed systems concentrating into a single data center
Answer: B
Explanation: Convergence means that through the GitOps agent's reconciliation, the cluster's actual state gradually converges and ultimately matches the desired state defined in Git.
Q35. Why is the pull model more secure than the push model?
A) Because the pull model is faster B) Because cluster credentials do not need to be exposed to external CI/CD systems C) Because the pull model uses encryption D) Because the push model does not use Git
Answer: B
Explanation: In the pull model, an agent inside the cluster reads from Git and applies changes, so cluster credentials (kubeconfig, tokens) do not need to be shared with external systems (Jenkins, GitHub Actions, etc.). This reduces the attack surface.
Q36. What is the key difference between "Declarative Configuration" and "Procedural Configuration"?
A) They use different programming languages B) Declarative defines the final state; Procedural defines the steps to reach it C) Declarative is always faster D) Procedural is always safer
Answer: B
Explanation: Declarative Configuration defines "what state the system should be in," while Procedural Configuration defines "what steps should be executed." GitOps uses the declarative approach.
Q37. How is "Observability" connected to Reconciliation in GitOps?
A) They are unrelated B) Observability provides the foundation data for Reconciliation by determining actual state C) Observability replaces Reconciliation D) Both are only used for log analysis
Answer: B
Explanation: Observability provides the capability to determine the actual state of a cluster. GitOps agents use this information to detect differences from the desired state and perform Reconciliation.
Q38. What does "Eventual Consistency" mean in GitOps?
A) All changes are applied immediately B) Over time, the cluster state will ultimately match the state defined in Git C) Database transaction consistency D) A state with no network latency
Answer: B
Explanation: In GitOps, Eventual Consistency means that after changes are committed to Git, they may not be applied immediately, but through the reconciliation loop, the cluster will ultimately reach the desired state.
Q39. Which is NOT an appropriate method for implementing "Separation of Environments" in GitOps?
A) Separate Git repositories per environment B) Separate branches per environment C) Separate directories per environment (Kustomize overlays) D) Storing all environment secrets in plaintext in a single file
Answer: D
Explanation: Storing all environment secrets in plaintext in a single file is extremely risky from a security perspective and violates GitOps environment separation principles. Environment separation is implemented at the repository, branch, or directory level.
Q40. What is the correct behavior of "Automated Drift Remediation"?
A) Only sends an email to the administrator when drift occurs B) Automatically restores the cluster to the state defined in Git when drift is detected C) Completely recreates the cluster when drift occurs D) Updates the Git repository to match the cluster state when drift occurs
Answer: B
Explanation: Automated Drift Remediation is the capability where a GitOps agent automatically restores the cluster to the desired state defined in Git when drift is detected. Since Git is always the source of truth, aligning the cluster to Git is the correct direction.
Domain 3: Related Tools (Q41-Q64)
Q41. What is the primary role of the ArgoCD Application Controller?
A) Clones Git repositories and generates manifests B) Monitors running application state and compares it to the desired state C) Handles user authentication D) Provides the web UI
Answer: B
Explanation: The Application Controller is the core component of ArgoCD that continuously monitors the state of running applications in the Kubernetes cluster and compares it to the desired state defined in Git.
Q42. What is the role of the ArgoCD Repository Server?
A) Caches cluster resource state B) Clones Git repositories and generates Kubernetes manifests using Helm, Kustomize, etc. C) Manages RBAC policies D) Delivers notifications to external systems
Answer: B
Explanation: The Repository Server (repo-server) clones Git repositories and renders manifests at the specified path into final Kubernetes resources using Helm, Kustomize, plain YAML, or Config Management Plugins.
Q43. What role does Redis play in ArgoCD?
A) Stores user sessions and manifest caches B) Maintains Git repository backups C) Caches container images D) Manages SSL certificates
Answer: A
Explanation: In ArgoCD, Redis caches manifest generation results and stores user session data. This reduces load on the Repository Server and improves response times.
Q44. What is the role of Dex in ArgoCD?
A) Manages access permissions to Git repositories B) Provides OIDC/SAML/LDAP authentication for SSO (Single Sign-On) C) Checks the status of Kubernetes resources D) Renders manifests
Answer: B
Explanation: Dex is an OIDC (OpenID Connect) Identity Provider integrated with ArgoCD that supports SSO with various external authentication systems including SAML, LDAP, GitHub, and Google.
Q45. Which is NOT a source type supported by Flux's source-controller?
A) GitRepository B) HelmRepository C) OCIRepository D) DockerRepository
Answer: D
Explanation: Flux's source-controller supports GitRepository, HelmRepository, OCIRepository, and Bucket source types. DockerRepository is not a resource type used in Flux.
Q46. What is the role of Flux's kustomize-controller?
A) Deploys Helm charts B) Applies Kustomize overlays and deploys Kubernetes resources to the cluster C) Fetches sources from Git repositories D) Sends notifications to external systems
Answer: B
Explanation: The kustomize-controller applies Kustomize overlays to sources fetched by the source-controller, generates final manifests, and deploys them to the cluster. It can also process plain YAML.
Q47. What CRD (Custom Resource Definition) does Flux's helm-controller use?
A) HelmChart B) HelmRelease C) HelmDeployment D) HelmApplication
Answer: B
Explanation: Flux's helm-controller uses the HelmRelease CRD to declaratively manage Helm chart releases. HelmRelease defines chart sources, values, dependencies, and more.
Q48. What is the role of Flux's notification-controller?
A) Manages inter-Pod communication within the cluster B) Delivers event notifications to external systems (Slack, Teams, Webhook, etc.) C) Updates DNS records D) Automatically renews certificates
Answer: B
Explanation: The notification-controller delivers Flux events (sync success/failure, drift detection, etc.) as notifications to external systems such as Slack, Microsoft Teams, and Webhooks.
Q49. What does it mean when an ArgoCD Application's Sync Status is "OutOfSync"?
A) An error occurred in the ArgoCD server B) The state defined in Git differs from the actual state in the cluster C) Network connectivity was lost D) The authentication token has expired
Answer: B
Explanation: OutOfSync indicates that there is a difference between the desired state defined in the Git repository and the actual state running in the cluster. It can be resolved through manual or automatic sync.
Q50. When does the ArgoCD "Health Status" show "Degraded"?
A) All Pods are running normally B) Some resources are in an unhealthy state (e.g., Pod in CrashLoopBackOff) C) The Git repository is inaccessible D) A login error occurred in the ArgoCD UI
Answer: B
Explanation: A Degraded Health Status indicates that some resources of the application are in an unhealthy state. Examples include a Pod in CrashLoopBackOff or a Deployment with insufficient replicas.
Q51. What correctly describes the role of Helm?
A) Manages container runtimes B) Packages and deploys Kubernetes applications as templates C) Manages network policies D) Handles cluster authentication
Answer: B
Explanation: Helm is a package manager for Kubernetes that templates Kubernetes resources as packages called charts and deploys them with customizable values.
Q52. What is the core concept of Kustomize?
A) Uses a template engine to generate YAML B) Applies patches and overlays to base manifests to generate environment-specific configurations C) Deploys applications as binary packages D) Builds container images
Answer: B
Explanation: Kustomize applies patches and overlays to base manifests in a template-free manner to perform environment-specific customization. Transformations are defined in a kustomization.yaml file.
Q53. What does the "Auto-Sync" option mean when creating an ArgoCD Application?
A) Automates manifest rendering B) Automatically synchronizes changes to the cluster when detected in the Git repository C) Automatically updates image tags D) Automatically merges PRs
Answer: B
Explanation: When Auto-Sync is enabled, ArgoCD automatically synchronizes to the cluster without manual intervention when changes are detected in the Git repository. When disabled, manual sync via the UI button or CLI is required.
Q54. What does the ArgoCD "Prune" option do?
A) Deletes old Git branches B) Automatically deletes resources from the cluster that were removed from Git C) Cleans up unused container images D) Removes expired certificates
Answer: B
Explanation: Prune automatically deletes resources remaining in the cluster when their definitions are removed from the Git repository. Combined with Auto-Sync, it ensures complete alignment between Git and the cluster.
Q55. What is the role of the ArgoCD AppProject resource?
A) Manages project source code B) Restricts the source repositories, target clusters, and namespaces that applications can deploy to C) Defines CI/CD pipelines D) Configures monitoring dashboards
Answer: B
Explanation: AppProject is the RBAC unit in ArgoCD that restricts the Git repositories, target clusters, namespaces, and resource types that Applications belonging to the project can access.
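The restriction described in Q55 (and the per-team isolation from Q29), written out as an AppProject. This is an added example, not part of the original exam; the project name, repository URL, namespace and group name are placeholders.

```yaml
# Added example. For comparison, the built-in "default" project is permissive:
#   sourceRepos: ['*']
#   destinations: [{server: '*', namespace: '*'}]
#   clusterResourceWhitelist: [{group: '*', kind: '*'}]
# The project below narrows each of those for one tenant.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a                      # placeholder project name
  namespace: argocd
spec:
  description: Workloads owned by team A
  # Applications in this project may only render manifests from this repo.
  sourceRepos:
    - https://git.example.com/team-a/deploy-config.git   # placeholder URL
  # Applications may only deploy to this cluster and namespace.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a             # placeholder namespace
  # Empty list: no cluster-scoped kinds (ClusterRole, CRD, ...) are permitted.
  clusterResourceWhitelist: []
  # Namespaced kinds the tenant must not manage, so quotas set by the
  # platform team cannot be overwritten from the tenant's repository.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
  # Project-scoped role: members may view and sync, but not delete or override.
  roles:
    - name: deployer
      description: View and sync team-a applications
      policies:
        - p, proj:team-a:deployer, applications, get, team-a/*, allow
        - p, proj:team-a:deployer, applications, sync, team-a/*, allow
      groups:
        - team-a-devs               # placeholder SSO group (e.g. from Dex)
```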
Q56. How is the "Reconciliation Interval" configured in Flux?
A) Global setting via Flux CLI flags B) Individually configured via the spec.interval field on each resource (GitRepository, Kustomization, etc.) C) Configured via Kubernetes ConfigMap D) Configured via environment variables
Answer: B
Explanation: In Flux, the reconciliation interval is configured individually via the spec.interval field on each resource (GitRepository, Kustomization, HelmRelease, etc.), allowing different intervals per resource.
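The per-resource interval from Q56, together with the sync timeout from Q31, shown on a Flux source and the Kustomization that consumes it. This is an added example, not part of the original exam; resource names, the repository URL and the path are placeholders.

```yaml
# Added example: two Flux resources with independent reconciliation intervals.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: deploy-config               # placeholder name
  namespace: flux-system
spec:
  interval: 1m                      # source-controller checks Git every minute
  url: https://git.example.com/team-a/deploy-config.git   # placeholder URL
  ref:
    branch: main
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: guestbook                   # placeholder name
  namespace: flux-system
spec:
  interval: 10m                     # kustomize-controller re-applies every 10 minutes,
                                    # which also reverts drift introduced in the cluster
  timeout: 2m                       # reconciliation is marked failed if it exceeds this
  sourceRef:
    kind: GitRepository
    name: deploy-config
  path: ./apps/guestbook/overlays/prod   # placeholder path
  prune: true                       # delete cluster objects removed from Git
  wait: true                        # wait for applied resources to become ready
```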
Q57. What is the ArgoCD CLI command to sync an application?
A) argocd app deploy APP_NAME B) argocd app sync APP_NAME C) argocd app apply APP_NAME D) argocd app push APP_NAME
Answer: B
Explanation: The argocd app sync APP_NAME command synchronizes a specific application with the latest state in the Git repository.
Q58. What does the "Self-Heal" option mean in ArgoCD?
A) ArgoCD itself recovers from failures automatically B) Automatically reverts manual changes in the cluster to the state defined in Git C) Automatically resolves Git repository conflicts D) Automatically renews expired secrets
Answer: B
Explanation: Self-Heal is a sub-option of Auto-Sync that automatically reverts the cluster to the Git-defined state when manual changes (via kubectl edit, etc.) are detected. It immediately remediates drift.
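How Auto-Sync (Q53), Prune (Q54) and Self-Heal (Q58) appear together in an Application manifest. This is an added example, not part of the original exam; the application name, project, repository URL, path and namespace are placeholders.

```yaml
# Added example: an ArgoCD Application with automated sync enabled.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook                   # placeholder application name
  namespace: argocd
spec:
  project: team-a                   # placeholder AppProject
  source:
    repoURL: https://git.example.com/team-a/deploy-config.git   # placeholder URL
    targetRevision: main
    path: apps/guestbook/overlays/prod                           # placeholder path
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook            # placeholder namespace
  syncPolicy:
    # Omit the whole "automated" block for manual sync: the Application then
    # reports OutOfSync until someone runs "argocd app sync guestbook".
    automated:
      prune: true                   # delete cluster resources whose definitions left Git
      selfHeal: true                # revert manual cluster changes (kubectl edit, etc.)
    syncOptions:
      - CreateNamespace=true        # create the destination namespace if missing
```

With prune and selfHeal both enabled, write access to the source repository is effectively write access to the destination namespace, so branch protection and PR review on that repository carry the access control.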
Q59. What tasks are performed during the Flux Bootstrap process?
A) Installs a Kubernetes cluster from scratch B) Installs Flux components in the cluster and commits Flux configuration to the Git repository C) Initializes a Helm chart repository D) Sets up a container registry
Answer: B
Explanation: Flux Bootstrap installs Flux controllers in the cluster and commits Flux configuration files (gotk-components.yaml, etc.) to the Git repository. From then on, Flux manages itself through this repository.
Q60. What do ArgoCD and Flux have in common?
A) They are written in the same programming language B) Both are CNCF projects and pull-based GitOps agents C) They use the same CRDs D) They provide the same web UI
Answer: B
Explanation: Both ArgoCD and Flux are CNCF Graduated projects that implement the pull-based GitOps model. While both are written in Go, their architectures, CRDs, and UIs differ.
Q61. What is the purpose of "Config Management Plugin" in ArgoCD?
A) Manages RBAC policies B) Generates manifests with tools not natively supported (jsonnet, cue, etc.) C) Configures cluster networking D) Manages user accounts
Answer: B
Explanation: Config Management Plugin (CMP) allows adding manifest generation tools not natively supported by ArgoCD (Jsonnet, CUE, KCL, etc.) as plugins.
Q62. What is the role of a PreSync hook in ArgoCD's "Resource Hooks"?
A) Runs cleanup tasks after sync completes B) Runs pre-tasks like database migrations before the actual sync operation C) Sends notifications on sync failure D) Pre-validates the Git repository
Answer: B
Explanation: PreSync Hooks are resources (Jobs, Pods, etc.) that run before the actual sync. They are used for pre-tasks needed before synchronization, such as database schema migrations and configuration validation.
Q63. What is the difference between Kustomize's "strategic merge patch" and "JSON 6902 patch"?
A) There is no difference; they are identical B) Strategic merge patch provides partial overwrites; JSON 6902 specifies explicit add/remove/replace operations C) JSON 6902 is always faster D) Strategic merge patch is only used with Helm
Answer: B
Explanation: Strategic merge patch partially overwrites fields in existing resources, while JSON 6902 patch specifies explicit operations (add, remove, replace, move, copy) with paths.
Q64. What are the two methods of "Resource Tracking" in ArgoCD?
A) Label and Finalizer B) Annotation and Label C) ConfigMap and Secret D) CRD and Webhook
Answer: B
Explanation: ArgoCD tracks resources it manages using either Annotation (default) or Label methods. The Annotation method uses argocd.argoproj.io/tracking-id, and the Label method uses app.kubernetes.io/instance.
Domain 4: GitOps Patterns (Q65-Q80)
Q65. What is the purpose of the "App-of-Apps" pattern?
A) Deploying a single application to multiple clusters B) A root Application declaratively manages child Applications to structure large-scale deployments C) Managing all applications in a single Git repository D) Setting up network communication between applications
Answer: B
Explanation: In the App-of-Apps pattern, a root (parent) Application contains child Application resources, and ArgoCD recursively syncs them. This enables systematic management of large-scale microservice deployments.
Q66. What does the ArgoCD ApplicationSet "Cluster Generator" do?
A) Creates new Kubernetes clusters B) Automatically creates Applications for each cluster based on the list of clusters registered in ArgoCD C) Monitors cluster resource usage D) Manages cluster certificates
Answer: B
Explanation: The Cluster Generator iterates over the list of clusters registered in ArgoCD and automatically creates Applications for each cluster. When a new cluster is registered, applications are automatically created.
Q67. How does the ApplicationSet "Git Generator - Directory" work?
A) Creates Applications based on Git commit history B) Scans the directory structure in a Git repository and auto-creates an Application for each directory C) Creates Applications per Git branch D) Manages Application versions based on Git tags
Answer: B
Explanation: The Git Generator - Directory scans directories under a specified path in a Git repository and automatically creates an Application for each directory. When a new directory is added, an Application is automatically created.
Q68. What is the role of the ApplicationSet "Matrix Generator"?
A) Optimizes resources through matrix operations B) Combines two Generators to create Applications from their combinations (Cartesian product) C) Validates manifest syntax D) Performs load balancing between clusters
Answer: B
Explanation: The Matrix Generator combines two child Generators to create Applications from their Cartesian product. For example, combining a Cluster Generator with a Git Generator creates Applications for all (cluster × directory) combinations.
Q69. What is the recommended ArgoCD architecture for multi-cluster GitOps?
A) Install independent ArgoCD instances in each cluster B) A hub cluster's ArgoCD manages multiple spoke clusters C) All clusters share a single Git branch D) Direct API communication between clusters for synchronization
Answer: B
Explanation: In the Hub-Spoke model, a central hub cluster's ArgoCD manages multiple spoke clusters. Registering remote clusters with ArgoCD enables deploying Applications to those clusters.
Q70. How is "Canary Deployment" implemented in GitOps for progressive delivery?
A) Manually modifying traffic ratios in Git B) Using Argo Rollouts or Flagger to gradually shift traffic C) Replacing all Pods with the new version simultaneously D) Only Blue-Green deployment is supported
Answer: B
Explanation: Implementing Canary Deployment with GitOps uses progressive delivery tools like Argo Rollouts or Flagger. These tools gradually adjust traffic ratios and analyze metrics to perform automatic promotion or rollback.
Q71. How do Sealed Secrets work?
A) Kubernetes Secrets are only Base64 encoded B) Secrets are encrypted with a public key for safe Git storage, and a cluster controller decrypts them with a private key C) Secrets are stored in an external vault with only references in Git D) Secret files are compressed and stored in Git
Answer: B
Explanation: Sealed Secrets uses asymmetric encryption. Secrets are encrypted with a public key to create SealedSecret resources stored safely in Git, and the Sealed Secrets Controller in the cluster decrypts them with a private key to convert them to regular Secrets.
Q72. How does External Secrets Operator (ESO) work?
A) Encrypts secrets and stores them in Git repositories B) Fetches secrets from external secret management systems (Vault, AWS SM, etc.) and syncs them as Kubernetes Secrets C) Exports Kubernetes Secrets to external systems D) Injects secret values as environment variables
Answer: B
Explanation: External Secrets Operator uses the ExternalSecret CRD to fetch secrets from external management systems (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, etc.) and automatically sync them as Kubernetes Secrets.
Q73. How is SOPS (Secrets OPerationS) used in GitOps?
A) SOPS directly manages secrets in the cluster B) SOPS encrypts YAML/JSON values for safe Git storage, and CI/CD or GitOps tools decrypt them C) SOPS replaces the Kubernetes API D) SOPS encrypts container images
Answer: B
Explanation: SOPS selectively encrypts only the values in YAML or JSON files for safe Git storage. The field names (the YAML/JSON keys, not the encryption keys) remain in plaintext for reviewability, and Flux's Kustomize Controller natively supports SOPS decryption.
Q74. What are the pros and cons of a Monorepo approach for "GitOps Repository Structure"?
A) Pro: Consistency by managing all apps in a single repo / Con: Complex permission management at scale B) Pro: Complete isolation per team / Con: Difficult dependency management between repos C) Monorepo is not suitable for GitOps D) There are no pros or cons; it is optimal in all situations
Answer: A
Explanation: A Monorepo manages all application deployment configurations in a single repository. The advantage is consistency and simple dependency management; the disadvantage is that fine-grained RBAC and CI/CD pipeline management become complex in large organizations.
Q75. What is the "PullRequest Generator" in ApplicationSet used for?
A) Automatically merging PRs B) Automatically creating temporary preview environments for each open Pull Request C) Automating PR code reviews D) Adding security scan results to PRs
Answer: B
Explanation: The PullRequest Generator detects open PRs on GitHub, GitLab, etc. and automatically creates temporary Applications (preview environments) for each PR. When a PR is closed, the corresponding environment is automatically deleted.
Q76. Which tools should be used to configure "Drift Detection" alerts?
A) ArgoCD Notifications or Flux notification-controller B) Kubernetes Events alone are sufficient C) Must be implemented with a separate cron job D) Only monitoring tools (Prometheus) are used
Answer: A
Explanation: ArgoCD Notifications (argocd-notifications-controller) and Flux's notification-controller can send alerts for events like drift detection and sync status changes to Slack, Teams, PagerDuty, and more.
Q77. What should be considered when implementing "Blue-Green Deployment" in GitOps?
A) Only a single environment is needed B) Resources for two environments (Blue and Green) are needed, and a traffic switching mechanism is essential C) Rollback is not possible D) Database migrations are handled automatically
Answer: B
Explanation: Blue-Green deployment simultaneously runs two environments (current Blue and new Green), requiring double the resources. A traffic switching mechanism via Service or Ingress is essential, and this is managed declaratively in Git.
Q78. When is the ApplicationSet "Merge Generator" needed?
A) When merging Git branches B) When merging results from multiple Generators by a common key to apply overrides to specific combinations C) When merging multiple Helm charts D) When combining manifests into a single file
Answer: B
Explanation: The Merge Generator merges results from multiple Generators based on a common key field. It is useful for generating a full list with a base Generator and then overriding additional parameters for specific items with supplementary Generators.
Q79. What is the core principle of "Secrets Management" in GitOps?
A) Secrets can be stored in plaintext in Git B) Secrets should be encrypted or only external references stored in Git to prevent plaintext exposure C) Secrets should always be managed only as environment variables D) Secret management is outside the scope of GitOps
Answer: B
Explanation: In GitOps, secrets must never be stored in plaintext in Git. The core principle is to encrypt them with Sealed Secrets or store only references to external secret stores via External Secrets Operator.
Q80. What is the first thing an organization should do when adopting GitOps?
A) Immediately install ArgoCD in production B) Convert existing infrastructure and application configurations to declarative code and establish a Git repository strategy C) Grant kubectl access to all developers D) Fully build a monitoring system first
Answer: B
Explanation: To adopt GitOps, existing infrastructure and application configurations must first be converted to declarative code (IaC, Kubernetes manifests), and a Git repository structure (monorepo vs polyrepo), branching strategy, and environment management plan must be established.
6. Wrap-Up
The CGOA exam assesses your theoretical understanding of GitOps. Use these 80 questions to comprehensively study GitOps core principles, ArgoCD and Flux architecture, various GitOps patterns, and secrets management strategies.
Exam Tips:
- Thoroughly understand the 4 OpenGitOps principles
- Know the differences and security benefits of Pull vs Push models
- Distinguish the roles of ArgoCD and Flux core components
- Understand the characteristics of each ApplicationSet Generator type
- Understand the differences between secrets management tools (Sealed Secrets, ESO, SOPS)
Best of luck on your journey to Golden Kubestronaut with CGOA certification!