Blog part 3: Kubernetes operators interview questions #741

@bobbyonmagic

πŸ› οΈ General Kubernetes Operator Questions

1️⃣ What is a Kubernetes Operator, and why do we use it?

✅ How to Answer:

"A Kubernetes Operator is a controller that automates the lifecycle of complex applications running in Kubernetes. It extends Kubernetes' capabilities by introducing Custom Resource Definitions (CRDs) that define application-specific configurations.

We use Operators when Helm charts or plain YAML aren't enough, such as when we need:

  • Automated self-healing (e.g., restarting failed Laravel instances)
  • Scaling logic based on app-specific metrics
  • Managing external dependencies (e.g., provisioning databases)

Operators enable day-2 operations, like upgrades, failover, and monitoring, making them ideal for long-running applications."

2️⃣ What is the difference between a Controller and an Operator?

✅ How to Answer:

"A Controller is a core Kubernetes component that ensures a resource's actual state matches its desired state (e.g., ReplicaSet ensures the correct number of pods).

An Operator is a specialized Controller that manages custom application logic via CRDs.

📌 Key Differences:

| Feature | Controller | Operator |
|---|---|---|
| Works with | Built-in Kubernetes resources | Custom Resources (CRDs) |
| Automates | Basic Kubernetes features | App-specific lifecycle |
| Example | Deployment controller | LaravelApp operator |

In short, all Operators are Controllers, but not all Controllers are Operators."


🔄 Reconciliation & Controller Logic Questions

3️⃣ How does the Reconciliation Loop work in a Kubernetes Operator?

✅ How to Answer:

"The Reconciliation Loop is the heart of an Operator. It continuously:

  1. Watches for changes in a Custom Resource (CR) (e.g., LaravelApp).
  2. Fetches the actual state from the Kubernetes API.
  3. Compares it with the desired state.
  4. Takes action if there's a difference (e.g., creates a Deployment, updates an image, or scales pods).
  5. Updates the status of the CR.

💡 Example: If a LaravelApp is supposed to have 3 replicas but only 2 are running, the Operator will create another pod to match the desired state."

📌 Key Code in Reconcile()

func (r *LaravelAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
    laravelApp := &appv1alpha1.LaravelApp{}
    if err := r.Get(ctx, req.NamespacedName, laravelApp); err != nil {
        return ctrl.Result{}, client.IgnoreNotFound(err)
    }

    // Ensure Deployment exists, create/update if needed
    return ctrl.Result{}, nil
}

4️⃣ How do you prevent an Operator from continuously reconciling in an infinite loop?

✅ How to Answer:

"This can happen when the Operator modifies the resource in Reconcile(), triggering another loop.

To prevent this:

  • Check for unnecessary updates before modifying resources.
  • Use Status fields instead of Spec fields to store internal state.
  • Use proper backoff mechanisms (e.g., requeue with a delay).

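📌 Example: Avoiding Unnecessary Updates

// Deployment.Spec.Replicas is a *int32, so dereference it before comparing.
if existingDeployment.Spec.Replicas != nil && *existingDeployment.Spec.Replicas == laravelApp.Spec.Replicas {
    return ctrl.Result{}, nil
}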

This ensures the Operator only updates when necessary."
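
The effect of that guard, as an added simulation that is not part of the original post: a constructed `fakeAPI` stands in for the API server and, as a simplifying assumption, treats every `Update` as a change that emits a new watch event (as happens when a reconcile stamps a timestamp or rewrites defaulted fields). All type and function names here are hypothetical.

```go
package main

import "fmt"

// Deployment is a constructed stand-in for the object the Operator manages.
type Deployment struct {
	Replicas        int32
	ResourceVersion int // bumped by the fake API server on every write
}

// fakeAPI models the one behaviour that matters here: every Update is a
// write, and every write queues an event that re-triggers reconcile.
type fakeAPI struct {
	dep    Deployment
	events int
}

func (a *fakeAPI) Update(d Deployment) {
	d.ResourceVersion = a.dep.ResourceVersion + 1
	a.dep = d
	a.events++
}

// reconcile drives the Deployment toward desired. With guard=false it
// writes unconditionally, which is the pattern that causes the loop.
func reconcile(a *fakeAPI, desired int32, guard bool) {
	if guard && a.dep.Replicas == desired {
		return // already converged: no write, no new event
	}
	d := a.dep
	d.Replicas = desired
	a.Update(d)
}

// run processes events until the queue drains or maxPasses is reached and
// returns the number of reconcile passes that were executed.
func run(desired int32, guard bool, maxPasses int) int {
	a := &fakeAPI{dep: Deployment{Replicas: 2}, events: 1} // one initial event
	passes := 0
	for a.events > 0 && passes < maxPasses {
		a.events--
		reconcile(a, desired, guard)
		passes++
	}
	return passes
}

func main() { fmt.Println(run(3, true, 100), run(3, false, 100)) }
```

With the guard the loop settles after the pass that confirms nothing is left to change; without it the run only stops at the `maxPasses` cap.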


📜 CRD & Webhook Questions

5️⃣ What are Custom Resource Definitions (CRDs) in Kubernetes?

✅ How to Answer:

"A Custom Resource Definition (CRD) extends Kubernetes by adding a new custom resource type, allowing us to manage application-specific logic within Kubernetes.

💡 Example:
If I need to deploy Laravel applications, I can create a CRD called LaravelApp:

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: laravelapps.example.com
spec:
  group: example.com
  names:
    kind: LaravelApp
    plural: laravelapps
  scope: Namespaced
  versions:
  - name: v1alpha1
    served: true
    storage: true

With this, I can apply LaravelApp resources like:

apiVersion: example.com/v1alpha1
kind: LaravelApp
metadata:
  name: my-laravel
spec:
  replicas: 3
  image: "laravel:latest"

This allows the Operator to manage Laravel applications natively within Kubernetes."


6️⃣ What are Webhooks in Kubernetes, and how are they used in Operators?

✅ How to Answer:

"Webhooks allow us to validate or mutate Custom Resources before they are stored in etcd. There are two types:

  1. Mutating Webhooks → Modify requests before they are persisted (e.g., adding default values).
  2. Validating Webhooks → Reject invalid requests (e.g., prevent replicas: -1).

📌 Example: Webhook to Validate LaravelApp CR

func (r *LaravelApp) ValidateCreate() error {
    if r.Spec.Replicas < 1 {
        return fmt.Errorf("replicas must be at least 1")
    }
    return nil
}

This rejects LaravelApp resources created with zero or negative replicas; the same check belongs in ValidateUpdate so that a later edit cannot bypass it."


⚑ Performance & Debugging Questions

7️⃣ How do you optimize Operator performance?

✅ How to Answer:

"To optimize performance, I follow these best practices:

  1. Rate limiting & backoff – Avoid excessive API calls (RequeueAfter: time.Second * 30).
  2. Efficient caching – Use Informer cache instead of querying API directly.
  3. Status Updates – Store internal state in .status instead of .spec to prevent infinite loops.
  4. Leader Election – Ensure only one Operator instance is actively reconciling."

📌 Example: Requeue with Backoff

return ctrl.Result{RequeueAfter: time.Minute}, nil

🔒 Security & RBAC Questions

8️⃣ How do you secure a Kubernetes Operator?

✅ How to Answer:

"Security best practices for Operators include:

  1. Minimal RBAC permissions – Grant only necessary access.
  2. Run as non-root user – Avoid running with full privileges.
  3. Secure secrets – Use Kubernetes Secrets instead of environment variables.
  4. Enable TLS for webhooks – Prevent MITM attacks on Operator webhooks."

📌 Example: Restricting Operator Permissions

rules:
# apiGroups must match the CRD's group (example.com), otherwise the rule grants nothing.
- apiGroups: ["example.com"]
  resources: ["laravelapps"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
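
One way to check a role against the "minimal RBAC permissions" and "secure secrets" points, as an added example that is not part of the original post: a small linter over RBAC rules supplied as JSON. The sample input is constructed (rule 0 is the scoped rule above using the CRD's group, rule 1 is an over-grant), and `auditRules` and `has` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyRule mirrors the three RBAC rule fields used in the example above.
type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

// Constructed sample: rule 0 is the scoped rule from the page, rule 1 is a
// typical over-grant that least privilege is meant to rule out.
const sampleRules = `[
 {"apiGroups":["example.com"],"resources":["laravelapps"],"verbs":["get","list","watch","create","update","delete"]},
 {"apiGroups":["*"],"resources":["secrets"],"verbs":["*"]}
]`

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// auditRules returns one finding per over-broad grant in a JSON rule list.
func auditRules(raw string) ([]string, error) {
	var rules []PolicyRule
	if err := json.Unmarshal([]byte(raw), &rules); err != nil {
		return nil, err
	}
	var out []string
	for i, r := range rules {
		if has(r.APIGroups, "*") || has(r.Resources, "*") || has(r.Verbs, "*") {
			out = append(out, fmt.Sprintf("rule %d: wildcard grant", i))
		}
		if has(r.Resources, "secrets") {
			out = append(out, fmt.Sprintf("rule %d: reads or writes Secrets", i))
		}
	}
	return out, nil
}

func main() { fmt.Println(auditRules(sampleRules)) }
```

A Secrets finding is not automatically wrong, since some Operators need to read credentials; it marks a rule that should name specific verbs and, where possible, `resourceNames`.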

🧩 Miscellaneous & Scenario-Based Questions

9️⃣ What would you do if an Operator is consuming too many Kubernetes API calls?

✅ How to Answer:

"I would:

  1. Enable caching using Informers to reduce direct API calls.
  2. Batch updates instead of updating individual resources frequently.
  3. Use exponential backoff for retries.
  4. Reduce requeue frequency to avoid unnecessary loops."

🔟 How would you design an Operator for a multi-tenant system?

✅ How to Answer:

"For a multi-tenant system:

  1. Use namespace-scoped custom resources (scope: Namespaced in the CRD) instead of cluster-scoped ones.
  2. Leverage NamespaceSelectors to filter resources per tenant.
  3. Enforce RBAC restrictions to prevent cross-tenant access."

📌 Example: Restrict CRDs to Tenant Namespaces

namespaceSelector:
  matchLabels:
    tenant: "customer-a"

🎯 Final Notes

You're now 100% ready for your interview! 🚀

  • Mock questions? ✅ Covered.
  • Best responses? ✅ Structured & concise.
  • Deep dive on topics? ✅ Advanced topics included.
