Certified Calico Operator: Level 1 Exam Answers – Tigera

Enroll Here: Certified Calico Operator: Level 1 Exam Answers

Week 1:

Question 1: What are the key principles of the Kubernetes networking model?

  • Every pod gets its own IP address
  • Containers within a pod share the pod IP address
  • Containers within a pod can communicate freely with each other
  • Pods are in the same subnet
  • Pods can communicate with each other directly without NAT
  • Pods are in an overlay network
  • Network isolation is provided by network policy
  • Pods can communicate with workloads outside of the cluster without NAT

Question 2: Kubernetes supports network plugins using which APIs?

  • Kubenet
  • CNI
  • IPAM
  • REST

Question 3: Kubernetes Services:

  • Can be thought of as a virtual load balancer built into the pod network
  • Normally use label selectors to define which pods belong to a Service
  • Are discoverable by pods through DNS (kube-dns)
  • Allow pods to communicate with each other without NAT
  • May include external load balancers

Question 4: Calico can be installed:

  • As part of a hosted Kubernetes platform (e.g. EKS, AKS, GKE, IKS)
  • As part of a Kubernetes distro or installer (e.g. kops, kubespray, microk8s, etc.)
  • Using YAML manifests
  • Using the Tigera Calico operator

Week 2:

Question 1: Traditional enterprise network security was implemented using:

  • Designing a physical topology of network devices (firewalls, routers, switches)
  • Static IP address ranges
  • Active Directory

Question 2: Kubernetes network security:

  • Assumes a flat network
  • Is defined using network policy
  • Is abstracted from the network by using label selectors
  • Relies on network plugins to enforce network policy
  • Relies on capabilities of the underlying network

Question 3: How do traditional firewalls work with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 4: Calico network policies:

  • Provide features beyond Kubernetes network policies
  • Can be namespaced or non-namespaced
  • Can be used alongside Kubernetes network policies
  • Can be used to protect hosts as well as pods
  • Are higher priority than Kubernetes network policies
  • Are managed using calicoctl
  • Can be used to enforce security within an Istio service mesh
  • Can reference Calico network sets in their rules using label selectors

Question 5: Network policy best practices include:

  • Per namespace or cluster wide default deny or default app policies
  • Ingress and egress rules for every pod
  • Using separate policies for ingress vs egress
  • Defining standard schemas for network policies and pod labels

Question 6: You can manage trust across teams using:

  • Calico network policies alongside Kubernetes network policies
  • Referencing namespace or service accounts in Calico policies
  • Giving dev teams access to Calico network policies and security teams access to Kubernetes network policies

Question 7: Calico host endpoints can be used to:

  • Secure the host interfaces to the underlying network
  • Secure physical hosts on-premise or private cloud but not public cloud virtual machines
  • Secure the host interface to pods
  • Secure the host loopback interface
  • Secure Kubernetes node ports

Week 3:

Question 1: Calico networking:

  • Connects pods to the host using veth pairs
  • Configures the host to act as a virtual router
  • Programs local routes on each host for each of the pods on the host
  • Always uses BGP
  • Can use BGP if desired
  • Is non-overlay only for the best possible performance
  • Can run as an overlay if desired
  • Uses the Docker bridge

Question 2: Overlay networks:

  • Encapsulate pod-to-pod packets inside node-to-node packets
  • Can be implemented using VLANs
  • Can be implemented using IPIP
  • Can be implemented using VXLAN
  • Can be implemented using WireGuard with the added benefit of encryption

Question 3: WireGuard:

  • Can be thought of as an overlay network with the added benefit of encryption
  • Uses state of the art encryption
  • Can be used by Calico to secure all pod-to-pod traffic over the underlying network
  • Requires operators to configure certificates or key sharing protocols across the cluster

Question 4: Calico IP Pools:

  • Define ranges of IP addresses that can be used for Calico IPAM
  • Define valid IP address ranges that can be used in network policies
  • Define IP range specific network behaviors such as overlay modes or NAT outgoing
  • Can be constrained to only be used by specific nodes, namespaces, or pods
  • Define the block sizes to be used in BGP route aggregation

Question 5: BGP is:

  • A standards based routing protocol supported by most routers
  • Used to build the internet
  • Can be used between Calico nodes to share routes
  • Can be used to share routes between Calico and the underlying network
  • Can be used to share service IPs with the underlying network
  • Often available to use in public cloud networks
  • Often used in on-prem or private cloud networks

Week 4:

Question 1: Kubernetes Services:

  • Can be thought of as a virtual load balancer built into the pod network
  • Normally use label selectors to define which pods belong to a Service
  • Allow pods to communicate with each other without NAT
  • Are discoverable by pods through DNS (kube-dns)
  • May include external load balancers

Question 2: Cluster IP services:

  • Preserve pod source IP addresses all the way to the backing pods
  • NAT the source IP as part of load balancing to the backing pods
  • NAT the destination IP as part of load balancing to the backing pods
  • Load balance to backing pods without NAT per the Kubernetes network model
  • Can be discovered using DNS (kube-dns)
  • Can be advertised over BGP

Question 3: Node port services – When using Kube-Proxy:

  • Preserve client source IP addresses all the way to the backing pods
  • NAT the source IP as part of load balancing to the backing pods
  • NAT the destination IP as part of load balancing to the backing pods
  • Load balance to backing pods without NAT per the Kubernetes network model

Question 4: Load balancer services typically:

  • Use external network load balancers
  • Use node ports
  • Always preserve client source IP
  • Preserve source IP for services with externalTrafficPolicy:local

Question 5: Kube-proxy:

  • Intercepts connections to services using rules it has programmed in the kernel
  • Load balances connections to services to the pods backing the service
  • Handles packets using golang
  • Can use either iptables or IPVS rules for load balancing
  • Scales to thousands of services

Question 6: Kube-proxy IPVS mode:

  • Scales to thousands of services
  • Uses less CPU than iptables with a few hundred services
  • Uses less CPU than iptables with thousands of services

Question 7: Calico native service handling:

  • Replaces kube-proxy
  • Is implemented by the Calico eBPF dataplane
  • Always preserves client source IP addresses
  • Optionally supports DSR (Direct Server Return)
  • Scales to thousands of services
  • Has lower throughput than kube-proxy
  • Has lower latency and uses less CPU than kube-proxy

Question 8: Calico can use BGP to:

  • Advertise the cluster IP range of services
  • Advertise external IP range of services
  • Enable the underlying network to load balance services without a load balancer

Certified Calico Operator: Level 1 Final Exam Answers: Kubernetes Networking

Question 1: The Kubernetes network model specifies that pods can communicate with each other directly without NAT

  • True
  • False

Question 2: Kubernetes pod networking typically uses subnets as a security boundary

  • True
  • False

Question 3: Containers within a pod share an IP address and can communicate freely with each other

  • True
  • False

Question 4: Which of the following Kubernetes Service types preserve client source IP addresses by default when using kube-proxy

ANY ONE

  • Cluster IP services
  • Node Port services
  • Load Balancer services (when using a load balancer that itself preserves source IP)

Question 5: Calico can be installed

  • As part of a hosted Kubernetes platform (e.g. EKS, AKS, GKE, IKS)
  • As part of a Kubernetes distro or installer (e.g. kops, kubespray, microk8s, etc.)
  • Using YAML manifests
  • Using the Tigera Calico operator

Question 6: Kubernetes supports network plugins using which API?

  • REST
  • IPAM
  • CNI
  • Kubenet

Question 7: Preserving client source IP when handling services is useful for

  • Network policy
  • Application logs and troubleshooting
  • Easier service discovery

Question 8: Depending on your network plugin and associated configuration, pods may be able to communicate with workloads outside of the cluster without NAT

  • True
  • False

Question 9: Kubernetes Services can be thought of as a virtual load balancer built into the pod network

  • True
  • False

Question 10: The Kubernetes network model is based on an overlay network

  • True
  • False

Question 11: Which of the following Kubernetes Service types preserve client source IP address by default when using Calico native service handling

  • Cluster IP services
  • Node Port services
  • Load Balancer services (when using a load balancer that itself preserves source IP)

Question 12: Kubernetes Services can be thought of as a virtual firewall built into the pod network

  • True
  • False

Question 13: The pods in a Kubernetes cluster are in an L2 subnet

  • True
  • False

Question 14: The Kubernetes network model specifies that pods can communicate with workloads outside of the cluster without NAT

  • True
  • False

Certified Calico Operator: Level 1 Final Exam Answers: Network Policy

Question 1: How do traditional firewalls work with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 2: Network policy cannot be used to secure node ports because the NAT takes place before network policy sees the packets

  • True
  • False

Question 3: Kubernetes network security relies on network plugins to enforce network policy

  • True
  • False

Question 4: Calico network policies can be

  • namespaced
  • non-namespaced

Question 5: Network policy cannot be used to enforce security between applications running in the host network namespace

  • True
  • False

Question 6: How do Kubernetes-aware firewalls fit with Kubernetes?

  • Don’t use them
  • Use them at the perimeter
  • Use them within the cluster

Question 7: Calico host endpoints allow you to secure your nodes using network policy

  • True
  • False

Question 8: Kubernetes network policies can be

  • True
  • False

Question 9: Calico can automatically create host endpoints for every node

  • True
  • False

Question 10: Calico network policies provide a subset of Kubernetes network policy features

  • True
  • False

Question 11: Calico network policies can be used alongside Kubernetes network policies

  • For defense in depth
  • As part of a shift-left approach to network security across dev and security teams
  • To improve performance

Question 12: In addition to pods, Calico network policies can also reference

  • Calico Network Sets
  • Kubernetes Service Accounts
  • Kubernetes Deployments
  • Calico Host Endpoints

Question 13: Kubernetes network policies can be

  • namespaced
  • non-namespaced

Question 14: Following best practices, every pod should have network policy applied to it with

  • Ingress rules
  • Egress rules
  • Deny rules

Question 15: When using Istio service mesh with Calico you need to use Istio RBAC for security within the service mesh and network policy for security within the network layer

  • True
  • False

Question 16: It is a best practice to define a standard you will follow for network policies and pod labels across the cluster

  • True
  • False

Question 17: Kubernetes network security normally identifies workloads using

  • IP address ranges
  • label selectors

Question 18: Traditional enterprise network security was often implemented by designing physical network topologies of network devices and firewalls using static IP address ranges

  • True
  • False

Question 19: Calico network policies always take priority over Kubernetes network policies

  • True
  • False

Certified Calico Operator: Level 1 Final Exam Answers: Pod Connectivity

Question 1: Calico IP Pools define valid IP address ranges that can be used in network policies

  • True
  • False

Question 2: Calico does not support VXLAN but you can run Calico on top of flannel VXLAN

  • True
  • False

Question 3: You can limit which IP Pools can be used by each node based on the node labels

  • True
  • False

Question 4: Calico can use BGP to learn routes from the underlying network

  • True
  • False

Question 5: You can force pods to use a specific IP Pool using

  • namespace or pod labels
  • namespace or pod annotations

Question 6: Calico connects pods to the host network namespace using veth pairs

  • True
  • False

Question 7: Calico BGP route aggregation is based on

  • Number of pods on the node
  • Number of IPs in the IP Pool divided by number of nodes
  • IP Pool block sizes

Question 8: WireGuard can be thought of as an overlay network with the added benefit of encryption

  • True
  • False

Question 9: Calico can provide both overlay and non-overlay networking

  • True
  • False

Question 10: Calico uses BGP to program local routes on each host to the pods on the host

  • True
  • False

Question 11: Calico IP Pools are used by Calico networking to determine whether to use NAT when pods try to make outbound connections to destinations outside of the cluster

  • True
  • False

Question 12: Calico IP Pools are used by Calico networking to determine whether to use an overlay network

  • True
  • False

Question 13: WireGuard must be configured with keys from a key store such as Vault

  • True
  • False

Question 14: Calico IP Pools are used by Calico IPAM to define

  • The ranges of IP addresses that can be used
  • Whether the IPs are allocated using a round robin or random distribution algorithm
  • The block size (number of IPs) to try to allocate to a node when it needs more IP addresses

Question 15: Calico configures each host to act as a virtual router

  • True
  • False

Question 16: Calico can use BGP in public clouds as the main mechanism for avoiding overlays

  • True
  • False

Question 17: Calico can use BGP to share routes to the pods on each node with the underlying network

  • True
  • False

Question 18: Calico can use BGP between nodes to share routes

  • True
  • False

Question 19: Calico connects pods to the network using the Docker bridge

  • True
  • False

Question 20: Overlay networks encapsulate pod-to-pod packets inside node-to-node packets

  • True
  • False

Certified Calico Operator: Level 1 Final Exam Answers: Kubernetes Services

Question 1: Source IP can be preserved for node port and load balancer services by

  • disabling NAT outgoing
  • using Calico network policy
  • specifying externalTrafficPolicy:local

Question 2: Calico native service handling

  • Has lower latency and uses less CPU than kube-proxy
  • Has lower throughput than kube-proxy
  • Scales to thousands of services

Question 3: Advertising services work with most underlying networks in

  • On-prem, private cloud, and public cloud environments
  • Public cloud environments
  • On-prem and private cloud environments

Question 4: Kube-proxy supports the following modes

  • iptables
  • eBPF
  • IPVS

Question 5: Cluster IP services preserve the client pod source IP address so network policy applied to the backing pods works as expected

  • True
  • False

Question 6: Calico service advertisement uses BGP to

  • Advertise the cluster IP range of services
  • Advertise the external IP range of services
  • Allocate service load balancer IPs

Question 7: Calico native service handling relies on DSR (Direct Server Return)

  • True
  • False

Question 8: Kube-proxy’s implementation of Node Port services normally NATs the destination IP as part of load balancing to the backing pods

  • True
  • False

Question 9: Node ports with externalTrafficPolicy:local only work on nodes which are hosting at least one pod backing the service

  • True
  • False

Question 10: Advertising services allows the underlying network to load balance services as an alternative to using an external load balancer

  • True
  • False

Question 11: Kubernetes service Cluster IPs are discoverable by pods through DNS (kube-dns)

  • True
  • False

Question 12: Kubernetes services allow pods to communicate with each other without NAT

  • True
  • False

Question 13: Cluster IP services NAT the destination IP as part of load balancing to the backing pods

  • True
  • False

Question 14: Kube-proxy’s implementation of Node Port services normally NATs the source IP as part of load balancing to the backing pods

  • True
  • False

Question 15: Cluster IP services NAT the source IP as part of load balancing to the backing pods

  • True
  • False

Question 16: Load balancer services typically use a combination of an external load balancer and node ports

  • True
  • False

Question 17: Kube-proxy IPVS mode:

  • Scales to thousands of services
  • Uses less CPU than iptables with hundreds of services
  • Uses less CPU than iptables with thousands of services

Question 18: Calico native service handling always preserves client source IP addresses

  • True
  • False

Question 19: externalTrafficPolicy:local is supported by all load balancers

  • True
  • False

Question 20: Calico’s eBPF dataplane replaces kube-proxy

  • True
  • False
