
Name three Linux namespaces and explain what each one isolates.
WHAT IT TESTS: Kernel primitives behind container isolation. ANSWER OUTLINE: Name three of PID, Network, Mount, UTS, IPC, User, Cgroup, Time; say what each isolates (PID: the process ID tree, so PID 1 in the container is not the host's init; Network: interfaces, routes, sockets and netfilter rules; Mount: the mount table, so the container sees its own rootfs; UTS: hostname and domain name; IPC: System V IPC objects and POSIX message queues; User: UID/GID mappings, so root inside can map to an unprivileged host user; Cgroup: the visible cgroup hierarchy; Time: CLOCK_MONOTONIC and CLOCK_BOOTTIME offsets); cite the CLONE_NEW* flags to clone(2)/unshare(2), setns(2) for joining an existing namespace, and the /proc/<pid>/ns/* links. Strong answers add that Docker does not create a user namespace by default, so container root is host root unless rootless mode or userns-remap is configured.
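As an added example (not part of the original page), the same namespaces seen from a Kubernetes Pod spec: the first manifest opts out of isolation by joining the node's namespaces, the second keeps the defaults and locks the container down. Pod and image names are placeholders.

```yaml
# Added example (not from the original page). Names are placeholders.
# 1) Opting OUT of isolation: the pod joins the node's PID, network and IPC
#    namespaces (hostNetwork also puts it in the node's UTS namespace).
#    A container escape here is already on the host.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell-unsafe
spec:
  hostPID: true        # sees and can signal every process on the node
  hostNetwork: true    # node's interfaces, routes, sockets; can bind 0.0.0.0
  hostIPC: true        # node's SysV IPC objects and POSIX message queues
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "infinity"]
---
# 2) The default: each container has its own PID and mount namespace (the
#    mount namespace rooted at its image), while all containers in the pod
#    share one network, IPC and UTS namespace. shareProcessNamespace: true
#    would merge PID namespaces inside the pod only, never with the node.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell
spec:
  shareProcessNamespace: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "infinity"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Note that neither manifest gives the pod a user namespace: container UID 0 is still node UID 0. Kubernetes adds a per-pod user namespace with `hostUsers: false` (beta from 1.30 and on by default in recent releases; older clusters need the UserNamespacesSupport feature gate), which is the field to reach for when the workload insists on running as root.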

How do Docker images and containers differ and relate?
This tests your grasp of the immutable template versus mutable runtime boundary. A good answer: an image is an immutable, content-addressed stack of read-only layers holding code and dependencies, identified by a digest (a tag is only a mutable pointer to a digest); a container is an instance started from that image with a thin writable layer on top, plus its own namespaces, cgroups and process state. Many containers can run from one image, and deleting a container discards its writable layer unless the data lives in a volume.

Pod Topology Spread: Spreading Pods for High Availability
Pod Topology Spread Constraints prevent putting all your pods in one basket. They tell the scheduler to distribute a workload's pods across failure domains (nodes, zones, racks, keyed by node labels such as topology.kubernetes.io/zone) so that the pod count never differs between domains by more than maxSkew, improving availability. The main footguns: `whenUnsatisfiable: ScheduleAnyway` turns the constraint into a soft preference, so a cluster under pressure can still end up with every replica in one zone; the constraint is only evaluated when a pod is scheduled, so existing pods are not rebalanced after a zone comes back (that needs a descheduler or a rollout); and you must set the labelSelector yourself, otherwise no pods are counted.
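An added example (not from the original page) showing a hard zone constraint next to a soft node constraint on one Deployment. The app name, labels and image are placeholders.

```yaml
# Added example (not from the original page). Names and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 6
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      topologySpreadConstraints:
      # Hard: across zones, no zone may hold more than one pod beyond the
      # least-loaded zone. If that cannot be satisfied the pod stays Pending
      # rather than piling into one zone.
      - maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: api
      # Soft: prefer spreading across nodes, but place the pod anyway during
      # a node outage rather than leaving replicas Pending.
      - maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: ScheduleAnyway
        labelSelector:
          matchLabels:
            app: api
      containers:
      - name: api
        image: registry.example.com/api:1.4.2
```

During a rolling update the selector above counts pods from both the old and the new ReplicaSet, which can make the hard constraint block the rollout; `matchLabelKeys: [pod-template-hash]` (Kubernetes 1.27+) restricts the count to the ReplicaSet being rolled out.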

The Sidecar Pattern: Your App's Helper Container
The Sidecar pattern attaches a helper container to your main application container in the same pod, like a sidecar on a motorcycle. Because it shares the pod's network namespace and can share its volumes, it handles peripheral tasks like log shipping, TLS termination or service-mesh proxying, letting you add features without changing the app's code. Newer Kubernetes releases (1.29+) let you declare a sidecar as an init container with `restartPolicy: Always`, so it starts before the app container and outlives it.

GitOps Principles: Your Repo as the Source of Truth
GitOps treats infrastructure state like code, with your Git repo as the single source of truth. Automated agents inside the cluster (Argo CD, Flux) pull declarative configs from the repo and continuously reconcile the live system toward them, reverting drift, which makes it a natural fit for Kubernetes. Because the agent pulls, CI never needs cluster credentials; the security boundary moves to the repo, so protect it with branch protection, required reviews and signed commits.
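As an added example (not from the original page or from the Argo CD project), an Argo CD Application that reconciles one path of a repo into a namespace, with prune and self-heal turned on so drift is reverted. The repo URL, path and names are placeholders.

```yaml
# Added example (not from the original page). Repo, path and names are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments
  namespace: argocd
spec:
  project: default            # use a restricted AppProject in production
  source:
    repoURL: https://github.com/example-org/platform-config.git
    targetRevision: main      # pin to a tag or commit SHA for production
    path: apps/payments/overlays/prod
  destination:
    server: https://kubernetes.default.svc   # in-cluster; no external credentials
    namespace: payments
  syncPolicy:
    automated:
      prune: true     # delete cluster objects that were removed from Git
      selfHeal: true  # revert manual kubectl edits back to the Git state
    syncOptions:
    - CreateNamespace=true
```

With `selfHeal: true` a hand-applied hotfix is undone within the reconcile interval, which is the point: the only way to change production is a merge into the repo, and the audit trail is the Git history.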

Prometheus Alertmanager: Taming Your Alert Storms
Alertmanager is the traffic controller for your Prometheus alerts, turning a potential flood into actionable notifications. It groups related alerts into one notification, deduplicates across Prometheus servers and Alertmanager replicas, silences and inhibits alerts, and routes them to receivers like PagerDuty or Slack. The footgun: do not put a load balancer in front of an HA Alertmanager cluster. Every Prometheus must send every alert to every replica; the replicas gossip notification state to deduplicate, and a load balancer would hand each alert to only one of them.
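An added example (not from the original page) of an alertmanager.yml that groups, routes and inhibits. Receiver names, channels, label values and secret file paths are placeholders.

```yaml
# Added example (not from the original page). Receivers, labels and paths are placeholders.
global:
  resolve_timeout: 5m

route:
  # Alerts sharing these labels are batched into one notification instead of
  # one page per pod.
  group_by: ['alertname', 'cluster', 'service']
  group_wait: 30s         # wait for siblings of a new group before the first notify
  group_interval: 5m      # minimum time before a changed group is re-sent
  repeat_interval: 4h     # re-notify an unresolved group at most this often
  receiver: slack-oncall  # default receiver for anything not matched below
  routes:
  - matchers:
    - severity="critical"
    receiver: pagerduty-oncall
  - matchers:
    - team="platform"
    receiver: slack-platform

# While a critical alert for a service fires, drop its warnings.
inhibit_rules:
- source_matchers:
  - severity="critical"
  target_matchers:
  - severity="warning"
  equal: ['cluster', 'service']

receivers:
- name: slack-oncall
  slack_configs:
  - api_url_file: /etc/alertmanager/secrets/slack_webhook   # keep webhooks out of the config map
    channel: '#oncall'
- name: slack-platform
  slack_configs:
  - api_url_file: /etc/alertmanager/secrets/slack_webhook
    channel: '#platform'
- name: pagerduty-oncall
  pagerduty_configs:
  - routing_key_file: /etc/alertmanager/secrets/pd_routing_key
```

For HA, list all replicas under `alerting.alertmanagers` in prometheus.yml and start each replica with `--cluster.peer` pointing at the others; only one replica sends each notification, and the rest see it via gossip.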

PromQL: Querying Time Series Data as Vectors
PromQL treats metrics as vectors: an instant vector is the latest sample of every matching series, a range vector is a window of samples per series (`[5m]`), and functions and aggregations turn one into the other, letting you slice and aggregate system state. It drives Grafana dashboards and the recording and alerting rules that Prometheus evaluates before handing firing alerts to Alertmanager. The footgun: applying `rate()` to a gauge instead of a counter produces silent, nonsensical results, because `rate()` treats every decrease as a counter reset; for gauges use `deriv()`, `delta()` or the raw value.
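An added example (not from the original page): a Prometheus rules file with the gauge footgun beside the correct forms. The metric names are node_exporter's memory gauges and a hypothetical `http_requests_total` counter with a `code` label.

```yaml
# Added example (not from the original page). http_requests_total is hypothetical.
groups:
- name: promql-examples
  rules:
  # WRONG: node_memory_MemAvailable_bytes is a gauge. rate() assumes a
  # monotonic counter and treats every drop as a reset, so its result is
  # never negative: this rule loads without error and can never fire.
  - alert: MemoryDrainBogus
    expr: rate(node_memory_MemAvailable_bytes[5m]) < -1e7
    labels:
      severity: warning

  # RIGHT for a gauge: deriv() fits a per-second slope over the window,
  # or compare the raw value against a threshold.
  - alert: MemoryDraining
    expr: deriv(node_memory_MemAvailable_bytes[10m]) < -1e7
    for: 5m
    labels:
      severity: warning
  - alert: MemoryLow
    expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.10
    for: 5m
    labels:
      severity: critical

  # RIGHT for a counter: per-second increase, reset-aware. Aggregate AFTER
  # rate(), never before, or resets in one series poison the sum.
  - record: job:http_requests:rate5m
    expr: sum by (job) (rate(http_requests_total[5m]))
  - alert: HighErrorRatio
    expr: |
      sum by (job) (rate(http_requests_total{code=~"5.."}[5m]))
        / sum by (job) (rate(http_requests_total[5m])) > 0.05
    for: 10m
    labels:
      severity: critical
    annotations:
      summary: "{{ $labels.job }}: 5xx ratio above 5% for 10 minutes"
```

`promtool check rules` validates the syntax of this file but not the semantics; nothing in Prometheus warns you that `MemoryDrainBogus` is dead, which is why the gauge/counter distinction has to be enforced by review or by metric naming conventions (`_total` for counters).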

Prometheus Exporters: Translating Metrics for Monitoring
A Prometheus Exporter is a translator: it speaks the native interface of a third-party system (a database's statistics tables, SNMP, /proc and /sys for hardware) on one side and exposes a /metrics endpoint in the Prometheus text format on the other. Use one when you can't instrument an app's code directly. Caveats: the exporter needs credentials for the system it reads, so scope them read-only, and treat /metrics as sensitive, since it can leak hostnames, versions and business volumes to anyone who can reach the port.

Prometheus Architecture: A Pull-Based Monitoring System
Prometheus is a monitoring system that actively pulls metrics over HTTP from /metrics endpoints on your services, rather than waiting for them to push data; targets are found through service discovery (the Kubernetes API, DNS, cloud provider APIs), which is why it is the standard for tracking performance in dynamic environments like Kubernetes. Short-lived jobs that cannot be scraped push to a Pushgateway instead. Pull also means Prometheus needs network reach to every target, so scrape traffic should be limited with NetworkPolicy or mTLS rather than exposing every /metrics port cluster-wide.
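An added example (not from the original page) serving both the exporter and the pull-architecture entries: a prometheus.yml that discovers node_exporter and annotation-opted-in pods through the Kubernetes API and fans alerts out to every Alertmanager replica. Job names, the service names and the `prometheus.io/*` annotation scheme are conventions used by common Helm charts, not part of Kubernetes itself.

```yaml
# Added example (not from the original page). Names and the annotation scheme are conventions.
global:
  scrape_interval: 30s
  evaluation_interval: 30s

rule_files:
  - /etc/prometheus/rules/*.yaml

# Every alert goes to every replica; the replicas gossip to deduplicate.
# Do not replace this list with a load-balanced Service address.
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      - alertmanager-0.alertmanager.monitoring.svc:9093
      - alertmanager-1.alertmanager.monitoring.svc:9093
      - alertmanager-2.alertmanager.monitoring.svc:9093

scrape_configs:
# 1) Prometheus pulls from itself.
- job_name: prometheus
  static_configs:
  - targets: ['localhost:9090']

# 2) node_exporter: one exporter per node translating /proc and /sys into
#    metrics, discovered via the Kubernetes API instead of a static list.
- job_name: node-exporter
  kubernetes_sd_configs:
  - role: endpoints
  relabel_configs:
  - source_labels: [__meta_kubernetes_endpoints_name]
    regex: node-exporter
    action: keep

# 3) Any pod that opts in through annotations. The app only exposes
#    /metrics; Prometheus decides when to read it.
- job_name: kubernetes-pods
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
    action: keep
    regex: "true"
  - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
    action: replace
    target_label: __metrics_path__
    regex: (.+)
  - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
    action: replace
    regex: ([^:]+)(?::\d+)?;(\d+)
    replacement: $1:$2
    target_label: __address__
  - source_labels: [__meta_kubernetes_namespace]
    target_label: namespace
  - source_labels: [__meta_kubernetes_pod_name]
    target_label: pod
```

Service discovery is what makes pull workable on Kubernetes: pods come and go, and the `keep` relabel actions are the allow-list that decides which of them Prometheus opens connections to.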

Falco: Real-Time Threat Detection for Cloud-Native
Falco is a runtime security camera: it watches Linux syscalls (through an eBPF probe or kernel module) and, optionally, Kubernetes audit events, and matches them against rules to detect threats in real time. It's used in Kubernetes to spot abnormal behavior like a shell spawned in a container, privilege escalation or writes to /etc. The key is it only *detects* and *alerts*; it doesn't block threats. Response (killing the pod, isolating it with a NetworkPolicy) is delegated to tooling such as Falcosidekick or Falco Talon, so a Falco alert is the start of an incident workflow, not the end of one.
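An added example (not from the original page or the Falco project's default ruleset): a rule in Falco's rules-file format for the /etc write case mentioned above. The rule name and the package-manager allow-list are placeholders.

```yaml
# Added example (not from the original page). Rule name and allow-list are placeholders.
- list: etc_allowed_writers
  items: [apt, apt-get, dpkg, yum, rpm, dnf]

# Same shape as the open_write macro in Falco's default rules; renamed here
# so this file can be loaded on its own without overriding the default one.
- macro: open_write_file
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

- rule: Write below etc in container
  desc: >
    A process in a container opened a file under /etc for writing. Images
    should be immutable at runtime; this is a common persistence or
    credential-tampering step (passwd, shadow, cron.d, ld.so.preload).
  condition: >
    open_write_file and container.id != host
    and fd.name startswith /etc/
    and not proc.name in (etc_allowed_writers)
  output: >
    File below /etc opened for writing in container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem, mitre_persistence]
```

Note what the rule does not do: the write has already happened by the time the event is evaluated. Blocking would need a different control (a read-only root filesystem, seccomp, or a policy engine), and the alert's job is to tell you which pod and image to pull.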

Pod Priority: Deciding Who Gets Evicted in Kubernetes
Pod Priority is a VIP pass for your critical workloads: a PriorityClass gives pods an integer priority, the scheduler may preempt (evict) lower-priority pods from a node to make room for a higher-priority pod that is Pending, and the kubelet evicts lower-priority pods first under resource pressure. This ensures system-critical services run even on a full cluster. The footguns: high-priority pods can cause cascading evictions if not planned, preemption honours PodDisruptionBudgets only on a best-effort basis, and anyone who can set `priorityClassName` can evict your workloads, so restrict high classes with a ResourceQuota scoped to the class.
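An added example (not from the original page): a preempting class for platform services, a non-preempting class for important batch work, and a pod using one of them. Class names, values and the image are placeholders.

```yaml
# Added example (not from the original page). Names, values and image are placeholders.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: platform-critical
value: 1000000               # well below system-cluster-critical (2000000000)
globalDefault: false         # never make a high class the default for unlabeled pods
preemptionPolicy: PreemptLowerPriority   # may evict lower-priority pods to fit
description: "Ingress, DNS and other platform services that user workloads depend on"
---
# High priority WITHOUT preemption: jumps the scheduling queue when capacity
# frees up but never evicts a running pod. Use it for batch work that matters
# but must not trigger a cascade of evictions.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: batch-high
value: 500000
preemptionPolicy: Never
description: "Important batch jobs; wait for capacity rather than preempt"
---
apiVersion: v1
kind: Pod
metadata:
  name: dns-example
  namespace: kube-system
spec:
  priorityClassName: platform-critical
  containers:
  - name: dns
    image: registry.k8s.io/coredns/coredns:v1.11.1
```

To stop arbitrary namespaces from claiming `platform-critical`, create a ResourceQuota in each tenant namespace with `scopeSelector` on `PriorityClass` and `pods: "0"`, so the API server rejects pods that reference the class.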

Pod Disruption Budgets: Stop Upgrades From Killing Your App
A Pod Disruption Budget (PDB) is a contract with Kubernetes to maintain minimum availability. It limits how many pods of a selected set can be voluntarily evicted at once during node drains, cluster upgrades or autoscaler scale-down, preventing self-inflicted outages. Caveats: it does nothing for involuntary disruptions (node crashes, kubelet OOM kills); `maxUnavailable: 0`, or `minAvailable` equal to the replica count, blocks drains indefinitely; and a PDB covering pods that are not Ready can wedge a drain forever unless `unhealthyPodEvictionPolicy: AlwaysAllow` is set.
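An added example (not from the original page) of a PDB for a three-replica service. Names are placeholders.

```yaml
# Added example (not from the original page). Names are placeholders.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: api-pdb
  namespace: payments
spec:
  minAvailable: 2            # alternatively maxUnavailable: 1; never set both
  selector:
    matchLabels:
      app: api
  # Kubernetes 1.27+ (beta): allow eviction of pods that are not Ready even
  # when the budget would be violated, so one CrashLoopBackOff replica
  # cannot block a node drain forever.
  unhealthyPodEvictionPolicy: AlwaysAllow
```

With `replicas: 3`, `kubectl drain` evicts one `app: api` pod at a time and retries the next eviction until the evicted pod has been rescheduled and is Ready elsewhere; raising `minAvailable` to 3 would turn every drain into a timeout.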

Init Containers: Setup Tasks Before Your Main App Runs
Init containers are setup tasks that run, in order, to completion before your main application containers start; if one fails, the kubelet restarts it according to the pod's restartPolicy, and the app never starts until it succeeds. Use them to wait for dependencies, fetch or render configs, or run database migrations. Caveats: init containers run for every replica, so a migration must be idempotent or take a lock; and they do not share a filesystem with the app container, so anything the app needs from them has to go on a shared volume.

Kubernetes Pods: The Atomic Unit of Deployment
A Pod is the smallest deployable unit in Kubernetes, a wrapper for one or more containers that are scheduled together on one node and share a network namespace (one IP, localhost between containers), an IPC namespace and, optionally, volumes. Multi-container pods are used for tightly coupled 'sidecar' helpers, like a log shipper. Because the containers share those namespaces, a compromised sidecar can reach the app over localhost, so the pod, not the container, is the trust boundary.
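An added example (not from the original page) serving the Sidecar, Init Containers and Pods entries together: one pod with two init containers, the app, and a log-shipping sidecar that shares a volume with it. Image names, the database Service name and the paths are placeholders.

```yaml
# Added example (not from the original page). Images, service and paths are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    fsGroup: 10001            # shared emptyDirs are group-writable for this GID
  volumes:
  - name: logs
    emptyDir: {}
  - name: rendered-config
    emptyDir: {}
  initContainers:
  # Runs first and must exit 0 before anything else starts. Waits until the
  # database Service's DNS name resolves.
  - name: wait-for-db
    image: busybox:1.36
    command: ["sh", "-c", "until nslookup db.payments.svc.cluster.local; do echo waiting for db; sleep 2; done"]
  # Renders the app config into a shared volume; the app image never needs
  # the templating tool. Runs once per pod, so it must be idempotent.
  - name: render-config
    image: registry.example.com/config-renderer:2.1
    volumeMounts:
    - name: rendered-config
      mountPath: /out
  containers:
  - name: app
    image: registry.example.com/web:3.2.0
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: rendered-config
      mountPath: /etc/web
      readOnly: true
    - name: logs
      mountPath: /var/log/web
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
  # Sidecar: same pod, same network namespace, reads the shared log volume
  # and ships it without the app knowing anything about the log backend.
  - name: log-shipper
    image: docker.io/fluent/fluent-bit:3.0
    args: ["-i", "tail", "-p", "path=/var/log/web/*.log", "-o", "stdout"]
    volumeMounts:
    - name: logs
      mountPath: /var/log/web
      readOnly: true
```

The sidecar gets the log volume read-only and the app gets a read-only root filesystem with the rendered config mounted read-only: each container is limited to the one directory it has a reason to write. On Kubernetes 1.29 or newer the `log-shipper` container can instead go under `initContainers` with `restartPolicy: Always`, which guarantees it is running before `app` starts and keeps it alive until `app` has exited.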

Container Image Signing: Verifying What You Run
Think of image signing as a digital "tamper-evident seal" on your containers. It proves who built an image (the signer's key, or with keyless Sigstore signing their OIDC identity such as a CI workflow) and that the bytes behind a digest haven't been altered. This is crucial for production systems to prevent running malicious code, but the seal only helps if something checks it: sign and verify by digest rather than by tag, and enforce verification at admission with a policy engine or admission controller rather than trusting developers to run `cosign verify` by hand.
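An added example (not from the original page or from the Kyverno project) of admission-time enforcement: a Kyverno ClusterPolicy that rejects any Pod whose image from a given registry lacks a valid keyless Sigstore signature from a specific CI workflow. The registry pattern, workflow subject and issuer are placeholders.

```yaml
# Added example (not from the original page). Registry, subject and issuer are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce   # Audit would only log, not block
  background: false
  webhookTimeoutSeconds: 30
  rules:
  - name: require-signed-app-images
    match:
      any:
      - resources:
          kinds: [Pod]
    verifyImages:
    - imageReferences:
      - "ghcr.io/example-org/*"
      required: true        # an image with no verifiable signature is rejected
      mutateDigest: true    # rewrite a tag reference to the verified digest
      verifyDigest: true    # the pod must end up referencing a digest, not a mutable tag
      attestors:
      - count: 1
        entries:
        - keyless:
            # Only signatures produced by this repo's release workflow,
            # authenticated by GitHub's OIDC issuer, are accepted.
            subject: "https://github.com/example-org/app/.github/workflows/release.yaml@refs/tags/v*"
            issuer: "https://token.actions.githubusercontent.com"
            rekor:
              url: https://rekor.sigstore.dev
```

The signing side is the matching `cosign sign` step in that release workflow; the policy pins the identity that step signs with, so a signature from a developer laptop or a forked repo fails verification even though it is a valid Sigstore signature. Check that Deployments and Jobs are covered too (Kyverno applies Pod rules to controllers by default through auto-generation) so the policy cannot be bypassed by creating the pod indirectly.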