24 - Interview Questions & Scenarios

Docker Interview Questions

Conceptual

1. What are containers and how do they differ from VMs? Containers share the host kernel (lightweight, fast). VMs have their own kernel (heavier, stronger isolation). Containers use namespaces + cgroups. → 01 - Containers & Virtualization

2. Explain Docker's architecture Client-server: CLI → Docker daemon → containerd → runc. API-driven. → 02 - Docker Architecture

3. What happens when you run docker run nginx? CLI sends request to daemon → daemon checks local images → pulls if needed → containerd creates container → runc sets up namespaces/cgroups → starts nginx process.

4. How do Docker image layers work? Each Dockerfile instruction creates a read-only layer. Layers are cached and shared. Container adds a writable layer on top (copy-on-write). → 03 - Docker Images & Dockerfile

5. What's the difference between CMD and ENTRYPOINT? ENTRYPOINT is the main executable (hard to override). CMD provides default arguments (easy to override). Combined: ENTRYPOINT ["node"] + CMD ["server.js"] → node server.js.

6. How would you optimize a Docker image? Multi-stage builds, alpine base, .dockerignore, layer caching (least→most changed), non-root user, specific tags. → 08 - Docker Best Practices

7. How do Docker networks work? Bridge (default, single host), overlay (multi-host VXLAN), host (share host network), none (isolated). User-defined bridges provide DNS. → 05 - Docker Networking

8. How is data persisted in Docker? Volumes (Docker-managed, portable), bind mounts (host path), tmpfs (RAM). Volumes survive container deletion. → 06 - Docker Volumes & Storage

Scenario-Based

9. Your container starts but immediately exits. How do you debug?

   bash
   docker logs <container>           # Check stdout/stderr
   docker inspect <container>        # Check State.ExitCode
   docker run -it <image> sh         # Start interactively
   docker events                     # Watch container events

10. Your Docker image is 2GB. How do you reduce it?

    • Multi-stage build (separate build from runtime)
    • Switch to alpine or distroless base
    • Add .dockerignore
    • Combine RUN commands, clean up in same layer
    • Remove dev dependencies

11. Two containers need to communicate. How? Put them on the same user-defined bridge network. They can reach each other by container name (DNS). For different hosts, use overlay network.

Kubernetes Interview Questions

Conceptual

12. Explain Kubernetes architecture Control plane: API server (front door), etcd (state store), controller manager (reconciliation loops), scheduler (pod placement). Nodes: kubelet (pod agent), kube-proxy (networking), container runtime. → 10 - Kubernetes Architecture

13. What happens when you run kubectl apply -f deployment.yaml? kubectl → API server → etcd stores object → Deployment controller creates ReplicaSet → ReplicaSet controller creates Pods → Scheduler assigns Pods to nodes → kubelet starts containers → kube-proxy updates networking.

14. What's the difference between a Deployment and a StatefulSet? Deployment: stateless, random pod names, shared storage, parallel scaling. StatefulSet: stable identities (pod-0, pod-1), dedicated PVCs, ordered scaling. Use StatefulSet for databases. → 16 - StatefulSets & DaemonSets

15. Explain the three types of probes Startup: wait for app to initialize. Liveness: is the app alive? (restart on failure). Readiness: can it handle traffic? (remove from Service on failure). → 11 - Pods & Workloads

16. How does a Kubernetes Service work? Service provides a stable ClusterIP + DNS name. Selector matches pods by labels. kube-proxy creates iptables/IPVS rules to load-balance traffic across matched pods. → 12 - Services & Networking

17. Compare ClusterIP, NodePort, and LoadBalancer ClusterIP: internal only. NodePort: expose on every node:port (30000-32767). LoadBalancer: cloud LB with external IP. Each builds on the previous. → 12 - Services & Networking

18. How does auto-scaling work? HPA: scale pods by CPU/memory/custom metrics. VPA: adjust pod resources. Cluster Autoscaler: add/remove nodes. KEDA: event-driven scaling (queues, cron). → 21 - Auto-Scaling

19. What is RBAC? Role-Based Access Control. Role defines permissions (verbs on resources). RoleBinding assigns Role to users/service accounts. ClusterRole/ClusterRoleBinding for cluster-wide. → 18 - RBAC & Security

20. What is an Ingress? L7 (HTTP) routing rules for external traffic. Host-based and path-based routing. Requires an Ingress Controller (nginx, traefik). Single entry point for multiple services. → 17 - Ingress & Load Balancing

21. How do you handle secrets in Kubernetes? ConfigMaps for non-sensitive config, Secrets for sensitive data (base64, not encrypted). Secure with: etcd encryption at rest, RBAC, External Secrets Operator + Vault. → 13 - ConfigMaps & Secrets

22. What is GitOps? Git as single source of truth. Declarative state in Git. Tools like ArgoCD/Flux continuously sync cluster state to match Git. Rollback = git revert. → 22 - CI-CD with Docker & K8s

Scenario-Based

23. A pod is stuck in Pending state. How do you troubleshoot?

    bash
    kubectl describe pod <name>     # Check Events section

    Common causes:

    • Insufficient resources → scale cluster or reduce requests
    • Node selector/taint mismatch → check tolerations
    • PVC not bound → check PV/StorageClass
    • Image pull error → check registry credentials

24. A pod is in CrashLoopBackOff. How do you fix it?

    bash
    kubectl logs <pod> --previous   # Logs from crashed container
    kubectl describe pod <pod>      # Events, exit codes
    kubectl exec -it <pod> -- sh    # If it stays up long enough

    Common causes:

    • Application error (check logs)
    • Missing config/secrets
    • Failed liveness probe (too aggressive)
    • OOM killed (check resource limits)

25. How do you perform a zero-downtime deployment?

    • Rolling update strategy (maxSurge=1, maxUnavailable=0)
    • Readiness probes (new pods must pass before receiving traffic)
    • Pre-stop hook for graceful shutdown
    • minReadySeconds to avoid too-fast rollouts

    yaml
    spec:
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
      minReadySeconds: 10

26. Your application needs to connect to an external database. How? Options:

    • ExternalName Service (DNS CNAME)
    • Endpoints object (manual IP mapping)
    • ConfigMap/Secret for connection string
    • Service mesh egress rules

27. How would you run a database in Kubernetes?

    • StatefulSet with PVC template
    • Headless Service for stable DNS
    • Operator for complex lifecycle (CloudNativePG, Strimzi)
    • Regular backups (CronJob + pg_dump or VolumeSnapshot)
    • Consider managed services (RDS, Cloud SQL) for production

28. Design a multi-tenant cluster

    • Namespace per tenant
    • RBAC: Role per namespace, no cluster-admin
    • Network Policies: isolate namespaces
    • Resource Quotas: prevent resource hogging
    • Pod Security Admission: enforce restricted
    • Separate node pools for strong isolation

29. How would you handle a traffic spike (10x normal)?

    1. HPA scales pods (configured to react quickly)
    2. Cluster Autoscaler/Karpenter adds nodes
    3. Pre-provisioned buffer nodes (overprovisioning)
    4. CDN for static assets
    5. Rate limiting at Ingress
    6. Circuit breakers for downstream services
    7. Queue-based processing for non-real-time work

30. Design a CI/CD pipeline for a microservices application on K8s

    Push → Tests → Build Image → Scan → Push to Registry
                                            ↓
    ArgoCD watches Git repo ← Update manifests (image tag)
         ↓
    Canary 10% → Prometheus analysis → 50% → 100%
    
    Rollback: git revert → ArgoCD syncs
    

System Design Questions (Docker/K8s Angle)

31. Design a log aggregation system

    • DaemonSet log collectors on each node
    • Ship to centralized backend (Elasticsearch/Loki)
    • Query via Kibana/Grafana
    • Retention policies for cost management

32. Design a secrets management system

    • External Secrets Operator
    • HashiCorp Vault as backend
    • Auto-rotation with TTLs
    • Audit logging for all access
    • Encryption at rest in etcd

33. Design a disaster recovery plan

    • Multi-region clusters (active-passive or active-active)
    • etcd backups (automated, tested)
    • Velero for cluster state backup
    • Volume snapshots for data
    • Runbook with RTO/RPO targets
    • Regular DR drills

Quick Reference Card

kubectl Debug Commands

bash
kubectl get pods -o wide              # Pod status + node
kubectl describe pod <name>           # Events and conditions
kubectl logs <pod> -c <container>     # Container logs
kubectl logs <pod> --previous         # Previous crash logs
kubectl exec -it <pod> -- sh          # Shell into pod
kubectl top pods                      # Resource usage
kubectl get events --sort-by='.lastTimestamp'
kubectl run debug --rm -it --image=nicolaka/netshoot -- bash
kubectl auth can-i create pods        # RBAC check

Status Meanings

---