Thursday , May 29 2025

Certified Calico Operator: Level 1 Exam Answers – Tigera

Question 1: What are the key principles of the Kubernetes networking model?

  • Every pod gets its own IP address
  • Containers within a pod share the pod IP address
  • Containers within a pod can communicate freely with each other
  • Pods are in the same subnet
  • Pods can communicate with each other directly without NAT
  • Pods are in an overlay network
  • Network isolation is provided by network policy
  • Pods can communicate with workloads outside of the cluster without NAT

Question 2: Kubernetes supports network plugins using which APIs?

  • Kubenet
  • CNI
  • IPAM
  • REST

Question 3: Kubernetes Services:

  • Can be thought of as a virtual load balancer built into the pod network
  • Normally use label selectors to define which pods belong to a Service
  • Are discoverable by pods through DNS (kube-dns)
  • Allow pods to communicate with each other without NAT
  • May include external load balancers

Question 4: Calico can be installed:

  • As part of hosted Kubernetes platform (e.g. EKS, AKS, GKE, IKS)
  • As part of a Kubernetes distro or installer (e.g. kops, kubespray, microk8s, etc.)
  • Using YAML manifests
  • Using the Tigera Calico operator

Question 1: Traditional enterprise network security was implemented using:

  • Designing a physical topology of network devices (firewalls, routers, switches)
  • Static IP address ranges
  • Active Directory

Question 2: Kubernetes network security:

  • Assumes a flat network
  • Is defined using network policy
  • Is abstracted from the network by using label selectors
  • Relies on network plugins to enforce network policy
  • Relies on capabilities of the underlying network

Question 3: How do traditional firewalls work with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 4: Calico network policies:

  • Provide features beyond Kubernetes network policies
  • Can be namespaced or non-namespaced
  • Can be used alongside Kubernetes network policies
  • Can be used to protect hosts as well as pods
  • Are higher priority than Kubernetes network policies
  • Are managed using calicoctl
  • Can be used to enforce security within an Istio service mesh
  • Can reference Calico network sets in their rules using label selectors

Question 5: Network policy best practices include:

  • Per namespace or cluster wide default deny or default app policies
  • Ingress and egress rules for every pod
  • Using separate policies for ingress vs egress
  • Defining standard schemas for network policies and pod labels

Question 6: You can manage trust across teams using:

  • Calico network policies alongside Kubernetes network policies
  • Referencing namespace or service accounts in Calico policies
  • Giving dev teams access to Calico network policies and security teams access to Kubernetes network policies

Question 7: Calico host endpoints can be used to:

  • Secure the host interfaces to the underlying network
  • Secure physical hosts on-premise or private cloud but not public cloud virtual machines
  • Secure the host interface to pods
  • Secure the host loopback interface
  • Secure Kubernetes node ports

Question 1: Calico networking:

  • Connects pods to the host using veth pairs
  • Configures the host to act as a virtual router
  • Programs local routes on each host for each of the pods on the host
  • Always uses BGP
  • Can use BGP if desired
  • Is non-overlay only for the best possible performance
  • Can run as an overlay if desired
  • Uses the Docker bridge

Question 2: Overlay networks:

  • Encapsulate pod-to-pod packets inside node-to-node packets
  • Can be implemented using VLANs
  • Can be implemented using IPIP
  • Can be implemented using VXLAN
  • Can be implemented using WireGuard with the added benefit of encryption

Question 3: WireGuard:

  • Can be thought of as an overlay network with the added benefit of encryption
  • Uses state of the art encryption
  • Can be used by Calico to secure all pod-to-pod traffic over the underlying network
  • Requires operators to configure certificates or key sharing protocols across the cluster

Question 4: Calico IP Pools:

  • Define ranges of IP addresses that can be used for Calico IPAM
  • Define valid IP address ranges that can be used in network policies
  • Define IP range specific network behaviors such as overlay modes or NAT outgoing
  • Can be constrained to only be used by specific nodes, namespaces, or pods
  • Define the block sizes to be used in BGP route aggregation

Question 5: BGP is:

  • A standards based routing protocol supported by most routers
  • Used to build the internet
  • Can be used between Calico nodes to share routes
  • Can be used to share routes between Calico and the underlying network
  • Can be used to share service IPs with the underlying network
  • Often available to use in public cloud networks
  • Often used in on-prem or private cloud networks

Question 1: Kubernetes Services:

  • Can be thought of as a virtual load balancer built into the pod network
  • Normally use label selectors to define which pods belong to a Service
  • Allow pods to communicate with each other without NAT
  • Are discoverable by pods through DNS (kube-dns)
  • May include external load balancers

Question 2: Cluster IP services:

  • Preserve pod source IP addresses all the way to the backing pods
  • NAT the source IP as part of load balancing to the backing pods
  • NAT the destination IP as part of load balancing to the backing pods
  • Load balance to backing pods without NAT per the Kubernetes network model
  • Can be discovered using DNS (kube-dns)
  • Can be advertised over BGP

Question 3: Node port services – When using Kube-Proxy:

  • Preserve client source IP addresses all the way to the backing pods
  • NAT the source IP as part of load balancing to the backing pods
  • NAT the destination IP as part of load balancing to the backing pods
  • Load balance to backing pods without NAT per the Kubernetes network model

Question 4: Load balancer services typically:

  • Use external network load balancers
  • Use node ports
  • Always preserve client source IP
  • Preserve source IP for services with externalTrafficPolicy:local

Question 5: Kube-proxy:

  • Intercepts connections to services using rules it has programmed in the kernel
  • Load balances connections to services to the pods backing the service
  • Handles packets using golang
  • Can use either iptables or IPVS rules for load balancing
  • Scales to thousands of services

Question 6: Kube-proxy IPVS mode:

  • Scales to thousands of services
  • Uses less CPU than iptables with a few hundred services
  • Uses less CPU than iptables with thousands of services

Question 7: Calico native service handling:

  • Replaces kube-proxy
  • Is implemented by the Calico eBPF dataplane
  • Always preserves client source IP addresses
  • Optionally supports DSR (Direct Server Return)
  • Scales to thousands of services
  • Has lower throughput than kube-proxy
  • Has lower latency and uses less CPU than kube-proxy

Question 8: Calico can use BGP to:

  • Advertise the cluster IP range of services
  • Advertise external IP range of services
  • Enable the underlying network to load balance services without a load balancer

Question 1: The Kubernetes network model specifies that pods can communicate with each other directly without NAT

  • True
  • False

Question 2: Kubernetes pod networking typically uses subnets as a security boundary

  • True
  • False

Question 3: Containers within a pod share an IP address and can communicate freely with each other

  • True
  • False

Question 4: Which of the following Kubernetes Service types preserve client source IP addresses by default when using kube-proxy

ANY ONE

  • Cluster IP services
  • Node Port services
  • Load Balancer services (when using a load balancer that itself preserves source IP)

Question 5: Calico can be installed

  • As part of hosted Kubernetes platform (e.g. EKS, AKS, GKE, IKS)
  • As part of a Kubernetes distro or installer (e.g. kops, kubespray, microk8s, etc.)
  • Using YAML manifests
  • Using the Tigera Calico operator

Question 6: Kubernetes supports network plugins using which API?

  • REST
  • IPAM
  • CNI
  • Kubenet

Question 7: Preserving client source IP when handling services is useful for

  • Network policy
  • Application logs and troubleshooting
  • Easier service discovery

Question 8: Depending on your network plugin and associated configuration, pods may be able to communicate with workloads outside of the cluster without NAT

  • True
  • False

Question 9: Kubernetes Services can be thought of as a virtual load balancer built into the pod network

  • True
  • False

Question 10: The Kubernetes network model is based on an overlay network

  • True
  • False

Question 11: Which of the following Kubernetes Service types preserve client source IP address by default when using Calico native service handling

  • Cluster IP services
  • Node Port services
  • Load Balancer services (when using a load balancer that itself preserves source IP)

Question 12: Kubernetes Services can be thought of as a virtual firewall built into the pod network

  • True
  • False

Question 13: The pods in a Kubernetes cluster are in an L2 subnet

  • True
  • False

Question 14: The Kubernetes network model specifies that pods can communicate with workloads outside of the cluster without NAT

  • True
  • False

Question 1: How do traditional firewalls work with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 2: Network policy cannot be used to secure node ports because the NAT takes place before network policy sees the packets

  • True
  • False

Question 3: Kubernetes network security relies on network plugins to enforce network policy

  • True
  • False

Question 4: Calico network policies can be

  • namespaced
  • non-namespaced

Question 5: Network policy cannot be used to enforce security between applications running in the host network namespace

  • True
  • False

Question 6: How do Kubernetes-aware firewalls fit with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 7: Calico host endpoints allow you to secure your nodes using network policy

  • True
  • False

Question 8: Kubernetes network policies can be

  • True
  • False

Question 9: Calico can automatically create host endpoints for every node

  • True
  • False

Question 10: Calico network policies provide a subset of Kubernetes network policy features

  • True
  • False

Question 11: Calico network policies can be used alongside Kubernetes network policies

  • For defense in depth
  • As part of a shift-left approach to network security across dev and security teams
  • To improve performance

Question 12: In addition to pods, Calico network policies can also reference

  • Calico Network Sets
  • Kubernetes Service Accounts
  • Kubernetes Deployments
  • Calico Host Endpoints

Question 13: Kubernetes network policies can be

  • namespaced
  • non-namespaced

Question 14: Following best practices, every pod should have network policy applied to it with

  • Ingress rules
  • Egress rules
  • Deny rules

Question 15: When using Istio service mesh with Calico you need to use Istio RBAC for security within the service mesh and network policy for security within the network layer

  • True
  • False

Question 16: It is a best practice to define a standard you will follow for network policies and pod labels across the cluster

  • True
  • False

Question 17: Kubernetes network security normally identifies workloads using

  • IP address ranges
  • label selectors

Question 18: Traditional enterprise network security was often implemented by designing physical network topologies of network devices and firewalls using static IP address ranges

  • True
  • False

Question 19: Calico network policies always take priority over Kubernetes network policies

  • True
  • False

Question 1: Calico IP Pools define valid IP address ranges that can be used in network policies

  • True
  • False

Question 2: Calico does not support VXLAN but you can run Calico on top of flannel VXLAN

  • True
  • False

Question 3: You can limit which IP Pools can be used by each node based on the node labels

  • True
  • False

Question 4: Calico can use BGP to learn routes from the underlying network

  • True
  • False

Question 5: You can force pods to use a specific IP Pool using

  • namespace or pod labels
  • namespace or pod annotations

Question 6: Calico connects pods to the host network namespace using veth pairs

  • True
  • False

Question 7: Calico BGP route aggregation is based on

  • Number of pods on the node
  • Number of IPs in the IP Pool divided by number of nodes
  • IP Pool block sizes

Question 8: WireGuard can be thought of as an overlay network with the added benefit of encryption

  • True
  • False

Question 9: Calico can provide both overlay and non-overlay networking

  • True
  • False

Question 10: Calico uses BGP to program local routes on each host to the pods on the host

  • True
  • False

Question 11: Calico IP Pools are used by Calico networking to determine whether to use NAT when pods try to make outbound connections to destinations outside of the cluster

  • True
  • False

Question 12: Calico IP Pools are used by Calico networking to determine whether to use an overlay network

  • True
  • False

Question 13: WireGuard must be configured with keys from a key store such as Vault

  • True
  • False

Question 14: Calico IP Pools are used by Calico IPAM to define

  • The ranges of IP addresses that can be used
  • Whether the IPs are allocated using a round robin or random distribution algorithm
  • The block size (number of IPs) to try to allocate to a node when it needs more IP addresses

Question 15: Calico configures each host to act as a virtual router

  • True
  • False

Question 16: Calico can use BGP in public clouds as the main mechanism for avoiding overlays

  • True
  • False

Question 17: Calico can use BGP to share routes to the pods on each node with the underlying network

  • True
  • False

Question 18: Calico can use BGP between nodes to share routes

  • True
  • False

Question 19: Calico connects pods to the network using the Docker bridge

  • True
  • False

Question 20: Overlay networks encapsulate pod-to-pod packets inside node-to-node packets

  • True
  • False

Question 1: Source IP can be preserved for node port and load balancer services by

  • disabling NAT outgoing
  • using Calico network policy
  • specifying externalTrafficPolicy:local

Question 2: Calico native service handling

  • Has lower latency and uses less CPU than kube-proxy
  • Has lower throughput than kube-proxy
  • Scales to thousands of services

Question 3: Advertising services works with most underlying networks in

  • On-prem, private cloud, and public cloud environments
  • Public cloud environments
  • On-prem and private cloud environments

Question 4: Kube-proxy supports the following modes

  • iptables
  • eBPF
  • IPVS

Question 5: Cluster IP services preserve the client pod source IP address so network policy applied to the backing pods works as expected

  • True
  • False

Question 6: Calico service advertisement uses BGP to

  • Advertise the cluster IP range of services
  • Advertise the external IP range of services
  • Allocate service load balancer IPs

Question 7: Calico native service handling relies on DSR (Direct Server Return)

  • True
  • False

Question 8: Kube-proxy’s implementation of Node Port services normally NATs the destination IP as part of load balancing to the backing pods

  • True
  • False

Question 9: Node ports with externalTrafficPolicy:local only work on nodes which are hosting at least one pod backing the service

  • True
  • False

Question 10: Advertising services allows the underlying network to load balance services as an alternative to using an external load balancer

  • True
  • False

Question 11: Kubernetes service Cluster IPs are discoverable by pods through DNS (kube-dns)

  • True
  • False

Question 12: Kubernetes services allow pods to communicate with each other without NAT

  • True
  • False

Question 13: Cluster IP services NAT the destination IP as part of load balancing to the backing pods

  • True
  • False

Question 14: Kube-proxy’s implementation of Node Port services normally NATs the source IP as part of load balancing to the backing pods

  • True
  • False

Question 15: Cluster IP services NAT the source IP as part of load balancing to the backing pods

  • True
  • False

Question 16: Load balancer services typically use a combination of an external load balancer and node ports

  • True
  • False

Question 17: Kube-proxy IPVS mode:

  • Scales to thousands of services
  • Uses less CPU than iptables with hundreds of services
  • Uses less CPU than iptables with thousands of services

Question 18: Calico native service handling always preserves client source IP addresses

  • True
  • False

Question 19: externalTrafficPolicy:local is supported by all load balancers

  • True
  • False

Question 20: Calico’s eBPF dataplane replaces kube-proxy

  • True
  • False
