40 Kubernetes Interview Questions and Answers (2026)

Kubernetes shows up on nearly every backend, DevOps, and platform engineering job posting in 2026. Knowing the definitions is the easy part. What separates strong candidates is troubleshooting instinct: when a Pod won't start, when do you check logs versus events versus node conditions, and what does each exit code actually tell you.

These 40 questions cover both. The first half builds the conceptual foundation interviewers expect everyone to know. The second half focuses on the scenario-based and troubleshooting questions that actually separate candidates in 2026 interviews. Answers are written to be said out loud, not read from a textbook. If you're also preparing for cloud and infrastructure roles, our cloud and DevOps interview questions guide covers AWS Lambda, Docker, and microservices, pairing well with the Kubernetes content here.

Architecture questions test whether you understand the system you're deploying to, not just the kubectl commands. Expect questions about the control plane, worker nodes, and how Pods actually work under the hood.

Kubernetes (K8s) is an open-source container orchestration platform that automates deployment, scaling, and management of containerized applications. Google open-sourced it in 2014, based on lessons from their internal system called Borg. It is now maintained by the CNCF.

Docker alone manages individual containers on a single host. It does not solve the problems that appear when you run hundreds of containers across dozens of machines: which node should run which container, what happens when a container crashes, how do containers find each other, and how do you update an application with zero downtime.

Kubernetes solves these with five core capabilities:

The control plane makes global decisions about the cluster and detects and responds to cluster events. It runs on master nodes (or is fully managed in EKS/GKE/AKS).

kube-apiserver: the front end of the control plane. Every interaction with the cluster, including kubectl commands, goes through the API server. It validates requests and writes the desired state to etcd.

etcd: a distributed, consistent key-value store. The single source of truth for all cluster state: every Pod, Deployment, Service, and Secret is stored here. Uses the Raft consensus algorithm for consistency across replicas. If etcd is lost, cluster state is lost, which is why etcd backups are critical.

kube-scheduler: watches for newly created Pods with no assigned node and selects a suitable node based on resource requirements, affinity rules, and taints/tolerations.

kube-controller-manager: runs controller processes that watch the cluster state via the API server and move it toward the desired state. Includes the Node controller, Replication controller, and Endpoints controller.

kubelet: the agent on every node. It receives Pod specs from the API server and ensures the described containers are running and healthy. It reports node and Pod status back to the control plane.

kube-proxy: maintains network rules on each node that allow Pods to communicate with each other and with Services. Implements the Service abstraction at the network level (via iptables or IPVS).

Container runtime: the software that actually runs containers. containerd or CRI-O are the standard choices today. Docker Engine itself was deprecated as a direct Kubernetes runtime in 1.24, replaced by the Container Runtime Interface.

A Pod is the smallest deployable unit in Kubernetes. It wraps one or more containers that share the same network namespace (same IP, same port space) and can share storage volumes. Containers in a Pod communicate via localhost.

Kubernetes does not manage individual containers directly because real applications often need tightly coupled helper processes: a logging sidecar, a proxy, or an init step. The Pod abstraction lets you group these together as one schedulable, network-addressable unit.

Pods are ephemeral. If a Pod dies, Kubernetes does not resurrect that exact Pod, it creates a new one with a new IP. This is why you never rely on a Pod's IP directly and instead use a Service.

A ReplicaSet ensures a specified number of identical Pod replicas are running at all times. If a Pod dies, the ReplicaSet creates a replacement. A ReplicaSet has no built-in support for rolling updates.

A Deployment is a higher-level object that manages ReplicaSets. It adds rolling updates, rollbacks, and revision history on top of what a ReplicaSet provides. When you update a Deployment's Pod template, it creates a new ReplicaSet and gradually shifts Pods from the old ReplicaSet to the new one.

In practice, you always create Deployments, never ReplicaSets or Pods directly. A Deployment creates a ReplicaSet, which creates Pods. If you manually create a standalone Pod and it dies, it is gone permanently. If a Deployment-managed Pod dies, the ReplicaSet immediately creates a new one.

A Namespace is a way to divide cluster resources between multiple users, teams, or environments within a single cluster. It provides a scope for names, meaning two resources with the same name can coexist in different namespaces.

Some resources are not namespaced: Nodes, PersistentVolumes, and ClusterRoles exist at the cluster level, not within a namespace.

Labels are key-value pairs attached to Kubernetes objects (Pods, Services, Deployments) for identification and organization. They carry no inherent meaning to Kubernetes; you define what they mean.

Selectors query objects by their labels. This is how a Deployment knows which Pods belong to it, and how a Service knows which Pods to route traffic to.

If a Deployment's selector and the Pod template's labels do not match, Kubernetes rejects the configuration. This selector mechanism is how higher-level controllers find the Pods they manage.

Both store configuration data that is decoupled from your container image, letting you change configuration without rebuilding images. The difference is intent and handling.

ConfigMap: stores non-sensitive configuration such as feature flags, log levels, URLs, and non-secret settings. Stored as plain text in etcd.

Secret: stores sensitive data such as passwords, API keys, and TLS certificates. Values are base64-encoded (not encrypted by default, just encoded). For real protection you must enable encryption at rest for etcd.

Both can be consumed as environment variables or mounted as files:

These are the three core Service types, each exposing Pods differently.

ClusterIP (default): exposes the Service on an internal cluster IP, only reachable from within the cluster. Used for internal service-to-service communication.

NodePort: exposes the Service on a static port (30000-32767 by default) on every node's IP. Accessible externally via NodeIP:NodePort, but exposes node IPs directly, which is not ideal for production.

LoadBalancer: provisions an external load balancer through the cloud provider (AWS ELB, GCP Cloud Load Balancer, Azure Load Balancer). Each LoadBalancer Service gets its own external IP. Works well for a handful of services but becomes expensive at scale since every Service gets a separate cloud load balancer.

The common production pattern: use ClusterIP for internal services, and a single Ingress (backed by one LoadBalancer Service for the Ingress Controller itself) to route external traffic to many internal Services.

An Ingress is a Kubernetes resource that manages external HTTP/HTTPS traffic and routes it to different Services based on rules you define (hostname, path). It requires an Ingress Controller (NGINX Ingress, Traefik, AWS Load Balancer Controller) running in the cluster to actually implement the rules.

The key difference: a LoadBalancer Service gives you one external IP per Service, each with its own cloud load balancer cost. An Ingress lets you route many different paths and hostnames through a single entry point and a single load balancer, dramatically reducing cost and complexity as the number of services grows.

Workload questions test whether you know which Kubernetes object to use for a given scenario and how scaling, updates, and health checks actually work in production.

Deployment: for stateless applications where every replica is interchangeable. Pods get random names and are not guaranteed any particular identity. Best for web servers, APIs, and anything where replicas are clones of each other.

StatefulSet: for stateful applications that need stable, unique network identities and stable storage. Pods get predictable names (pod-0, pod-1, pod-2) and are created/deleted in order. Each Pod gets its own PersistentVolumeClaim that survives Pod rescheduling. Best for databases, message queues, and anything where each replica has a distinct role or owns specific data.

DaemonSet: ensures a copy of a specific Pod runs on every node (or a selected subset). When a new node joins, the DaemonSet automatically schedules a Pod on it. Best for log collectors, monitoring agents, and CNI network plugins that need to run on every node.

A rolling update gradually replaces old Pods with new ones, maintaining availability throughout. You control the pace with maxSurge and maxUnavailable.

Kubernetes keeps old ReplicaSets around (by default, the last 10 revisions) so rollbacks are fast: it just scales the old ReplicaSet back up and scales the broken one down.

Horizontal Pod Autoscaler (HPA): adjusts the number of Pod replicas based on observed metrics (CPU, memory, or custom metrics via the Metrics API). Scales out (more Pods) under load, scales in when load drops.

Vertical Pod Autoscaler (VPA): adjusts the CPU and memory requests/limits of existing Pods rather than the replica count. Useful when you're not sure what resource values to set and want Kubernetes to recommend or automatically apply them based on observed usage.

The two solve different scaling problems: HPA handles "I need more capacity," VPA handles "each instance needs more or less resources than I gave it." They can be combined carefully but require coordination since VPA restarts Pods to apply new resource values, which can conflict with HPA's scaling decisions if misconfigured.

requests: the amount of CPU/memory Kubernetes guarantees the container. The scheduler uses this to decide which node has room for the Pod.

limits: the maximum amount the container is allowed to use. Exceeding the memory limit triggers an OOM kill. Exceeding the CPU limit causes throttling (not termination).

Based on how requests and limits are set, every Pod gets a Quality of Service (QoS) class:

Guaranteed: requests equal limits for both CPU and memory, on every container in the Pod. Highest priority, least likely to be evicted under node pressure.

Burstable: requests are set but are lower than limits (or only some resources have limits). Medium priority.

BestEffort: no requests or limits set at all. Lowest priority, first to be evicted when a node runs low on resources.

QoS class matters during node memory pressure: Kubernetes evicts BestEffort Pods first, then Burstable, and Guaranteed Pods last.

A Job runs a Pod (or several) to completion for a one-off task, then stops. Unlike a Deployment, it does not keep the Pod running indefinitely.

A CronJob creates Jobs on a recurring schedule, using standard cron syntax.

Use Jobs for database migrations, batch processing, and one-time data backfills. Use CronJobs for nightly reports, periodic cleanup tasks, and scheduled backups.

An init container runs and completes before the main application containers in a Pod start. Each init container must complete successfully before the next one (or the main containers) begins. If an init container fails, the Pod restarts according to its restart policy.

Init containers keep this setup logic separate from the application image and guarantee strict ordering, which a single container with a startup script cannot guarantee as cleanly.

All three are health checks the kubelet runs against a container, but they answer different questions and trigger different actions.

Liveness probe: "Is this container still alive and functioning?" If it fails, Kubernetes kills and restarts the container. Use for detecting deadlocks or unrecoverable states.

Readiness probe: "Is this container ready to receive traffic?" If it fails, the Pod is removed from Service endpoints (no traffic routed to it) but is NOT restarted. Use for temporary unavailability, like a Pod still loading a large cache on startup.

Startup probe: "Has this container finished its slow startup process?" Liveness and readiness probes are disabled until the startup probe succeeds. Use for applications with a long, variable startup time, to avoid the liveness probe killing the container before it has even finished booting.

A Pod Disruption Budget (PDB) limits how many Pods of a replicated application can be down simultaneously during voluntary disruptions: node drains for maintenance, cluster autoscaler scale-downs, or manual evictions.

PDBs only protect against voluntary disruptions (things Kubernetes initiates deliberately). They cannot protect against involuntary disruptions like a node crashing unexpectedly or a hardware failure.

Without a PDB, a cluster admin draining a node for maintenance could accidentally take down every replica of a service at once if they all happen to be scheduled there. With a PDB, the drain operation respects the minimum availability and proceeds Pod by Pod instead.

Networking questions separate candidates who have run real clusters from those who have only read documentation. Expect questions about DNS, CNI plugins, and why Services sometimes fail to route traffic.

Kubernetes requires a flat networking model: every Pod gets its own unique IP address, and every Pod can communicate with every other Pod across the entire cluster without NAT, regardless of which node they're on.

Kubernetes itself does not implement this networking. It defines the requirement and delegates implementation to a CNI (Container Network Interface) plugin: Calico, Cilium, Flannel, or the cloud provider's native CNI (AWS VPC CNI, Azure CNI).

The CNI plugin is responsible for assigning IP addresses to Pods, setting up routes between nodes so Pods on different nodes can reach each other, and enforcing NetworkPolicies if the plugin supports it (not all CNIs do; Calico and Cilium do, basic Flannel does not).

Without a CNI installed, Pods on different nodes have no route to each other. A fresh kubeadm cluster will show nodes stuck in NotReady until a CNI is applied.

Every Service gets a stable DNS name automatically, resolved through CoreDNS (the default cluster DNS addon). The format is:

Within the same namespace, you can just use the Service name:

This is the mechanism that solves the "Pods are ephemeral with changing IPs" problem. Application code never hardcodes a Pod IP; it always calls a Service name, and kube-proxy handles routing that request to one of the currently healthy Pod IPs behind that Service.

A normal ClusterIP Service load-balances requests across Pods behind a single virtual IP. A headless Service (set clusterIP: None) skips the virtual IP entirely. DNS queries against a headless Service return the individual Pod IPs directly.

Use headless Services with StatefulSets when clients need to address a specific replica directly (connect to the primary database instance, not just any instance) rather than being load-balanced to a random one. This pairs with the StatefulSet concept covered in Q11, and is especially relevant when running databases like MongoDB or Redis in Kubernetes.

A NetworkPolicy controls which Pods are allowed to communicate with which other Pods, and on which ports. By default, Kubernetes allows all Pods to talk to all other Pods unrestricted. NetworkPolicies let you implement a default-deny, allow-specific-traffic model.

This policy says: only Pods labeled app=frontend may send traffic to Pods labeled app=backend, and only on port 8080. Everything else is denied.

An Ingress resource is just a set of routing rules, a declaration of intent. It does nothing on its own. An Ingress Controller is the actual software that watches Ingress resources and implements the routing: it's typically a reverse proxy (NGINX, Traefik, HAProxy) running as a Deployment in your cluster, exposed via a LoadBalancer Service.

Different controllers support different annotation-based features (rate limiting, custom headers, canary deployments) beyond the base Ingress spec. Choosing an Ingress Controller is an architectural decision, not just a default that works the same everywhere.

CNI (Container Network Interface) is the standard interface Kubernetes uses to delegate Pod networking setup to a plugin. Without a CNI plugin installed, Pods cannot get assigned IP addresses or communicate across nodes.

Calico: widely used, supports NetworkPolicy enforcement, BGP-based routing, good performance at scale. Common choice for production clusters needing network policy enforcement.

Cilium: eBPF-based, increasingly popular for its performance and observability features. Supports advanced NetworkPolicy, including L7-aware policies (for example, allow only specific HTTP methods/paths).

Flannel: simple, easy to set up, but does not support NetworkPolicy enforcement. Good for simple clusters where network segmentation isn't a requirement.

AWS VPC CNI / Azure CNI: cloud-native plugins that assign Pods real VPC IPs, integrating tightly with the cloud provider's networking and security groups.

Storage questions test whether you understand how Kubernetes decouples storage provisioning from consumption and how configuration data flows into containers.

A PersistentVolume (PV) is a piece of storage in the cluster, provisioned either manually by an admin or dynamically via a StorageClass. It exists independently of any Pod's lifecycle.

A PersistentVolumeClaim (PVC) is a request for storage by a user/Pod. It specifies size and access mode, and Kubernetes binds it to a matching PV.

The PV/PVC split decouples storage provisioning from storage consumption. Developers write PVCs without needing to know the underlying storage infrastructure. Admins (or dynamic provisioners) handle PVs.

A StorageClass defines a "class" of storage with a specific provisioner and parameters (disk type, IOPS, replication). When a PVC requests a StorageClass, Kubernetes automatically provisions a matching PV on demand, rather than requiring an admin to pre-create volumes manually.

volumeBindingMode: WaitForFirstConsumer delays volume creation until a Pod actually uses the PVC, which lets the scheduler factor in storage availability zone constraints when picking a node. Without dynamic provisioning, an admin would need to manually provision a cloud disk for every single PVC requested, which does not scale.

Both mounting strategies are common, and the choice matters for how configuration changes propagate.

As environment variables: simple, but changes to the ConfigMap/Secret do NOT automatically update already-running Pods. You need to restart the Pod to pick up new values.

As a mounted volume: Kubernetes updates the mounted files automatically when the underlying ConfigMap/Secret changes (after a short propagation delay, typically under a minute), without restarting the Pod. The application needs to watch the file for changes itself if it wants to reload configuration live.

Use environment variables for simple, rarely-changing settings. Use volume mounts when you want configuration to update without a full Pod restart, or when mounting TLS certificates that rotate periodically.

The value is injected at runtime by the kubelet, never baked into the image or visible in the Deployment YAML itself (only the Secret name and key are referenced). To inspect it for debugging:

For stronger security than the Kubernetes-native Secret object, many production setups integrate an external secrets manager (AWS Secrets Manager, HashiCorp Vault) using a tool like External Secrets Operator, which syncs secrets from the external store into native Kubernetes Secrets automatically and supports rotation.

Troubleshooting questions are where senior candidates separate themselves. These scenario-based questions test whether you can systematically diagnose real production issues, not just recite definitions.

CrashLoopBackOff is a status, not a root cause. It means the container starts, exits, Kubernetes restarts it, it exits again, and Kubernetes is now waiting an exponentially increasing delay (10s, 20s, 40s, up to 300s) before trying again.

Common root causes, in order of frequency: missing or malformed environment variables/Secrets, a database or dependency that isn't reachable yet, an application bug causing an unhandled exception on startup, or a memory limit set too low (OOMKilled).

Exit codes communicate why a container stopped. Codes 0 through 125 are application-defined. Codes above 128 typically mean the process was terminated by a signal, following the convention: 128 + signal number.

The 137 vs 143 distinction is a very common interview question. 143 means the container received SIGTERM and shut down gracefully within the grace period. 137 means it either ignored SIGTERM and got force-killed with SIGKILL after the grace period expired, or was killed immediately by the OOM killer.

ImagePullBackOff means Kubernetes cannot pull the container image specified in the Pod spec, and is backing off between retries.

Wrong image name or tag: typo in the image reference, or the tag doesn't exist in the registry. Fix: verify the exact image name and tag.

Private registry without credentials: the cluster has no way to authenticate to a private registry. Fix: create an imagePullSecret and reference it in the Pod spec.

Network or DNS issue reaching the registry: the node cannot resolve or reach the registry endpoint. Fix: check node network policies, proxy configuration, or registry status.

Rate limiting: public registries like Docker Hub rate-limit anonymous pulls. Fix: authenticate even for public images, or use a registry mirror.

Pending means the Pod has been accepted by the API server but has not yet been scheduled to a node, or the node cannot start it.

Insufficient cluster resources: no node has enough free CPU/memory to satisfy the Pod's resource requests.

Fix: scale the cluster, free up resources, or lower the Pod's requests.

Unsatisfiable scheduling constraints: nodeSelector, affinity rules, or taints/tolerations that no available node matches.

PersistentVolumeClaim not bound: the Pod references a PVC that has no matching PV and dynamic provisioning failed or is misconfigured.

No nodes available at all: cluster autoscaler is still spinning up capacity, or all nodes are NotReady.

This is one of the most common real-world scenarios. Here is a systematic approach:

The single most common root cause: a typo or mismatch between the Service's selector and the Pod's labels, resulting in zero matched endpoints. The second most common: a failing readiness probe silently removing otherwise-healthy Pods from rotation.

This is a deceptively deep question that tests whether you understand the graceful termination sequence.

If you manually created a standalone Pod (not managed by a Deployment), deleting it is permanent. No controller exists to recreate it.

This tests incident response methodology, not just Kubernetes trivia. Start broad before going deep. A simultaneous multi-service failure usually points to a shared dependency, not N independent bugs.

Likely root causes for simultaneous failures: a shared dependency went down (database, DNS, a common upstream API), a node or availability zone outage, a NetworkPolicy or DNS change that broke connectivity cluster-wide, an etcd or API server issue affecting the whole control plane, or a recent cluster-wide change (a Helm upgrade, a CNI update, a cert rotation) that landed just before the failures started.

The instinct to demonstrate here: check what changed recently and what is shared across the failing services, rather than debugging each failing service in isolation as if they were unrelated.

Things to look for: a Pod with no resource limits set (BestEffort QoS) consuming far more than expected, a memory leak in a long-running Pod that has been up for days, too many Pods scheduled onto one node because of poor anti-affinity configuration, or a DaemonSet (running on every node) that recently got more resource-hungry after an update.

Longer-term fix: set sane resource requests and limits everywhere, use the Vertical Pod Autoscaler in recommendation mode to right-size requests based on actual historical usage, and configure pod anti-affinity for resource-heavy workloads so they spread across nodes rather than clustering.

Security questions round out the interview with topics that matter in production clusters: access control, secrets management, and packaging. Expect at least one question from this category in any senior-level interview.

RBAC (Role-Based Access Control) controls who can perform which actions on which resources in the cluster. Two object types work together.

Role (or ClusterRole for cluster-wide scope): defines a set of permissions, specifying which verbs (get, list, create, delete) are allowed on which resources, within a namespace (Role) or cluster-wide (ClusterRole).

RoleBinding (or ClusterRoleBinding): grants the permissions defined in a Role to a specific user, group, or ServiceAccount.

The principle: a Role defines WHAT is allowed, a RoleBinding defines WHO gets that permission. Follow least privilege: grant the narrowest Role that lets someone do their job, scoped to a namespace whenever possible rather than cluster-wide.

No, and this catches many people off guard. By default, Secret values are only base64-ENCODED (not encrypted) and stored as plain text within etcd. Anyone with access to etcd, or with sufficient RBAC permissions to read Secret objects via the API, can trivially retrieve the real value.

To actually encrypt Secrets at rest, you must explicitly configure encryption at the API server level using an EncryptionConfiguration:

Managed Kubernetes services (EKS, GKE, AKS) typically offer this as a configurable option (often integrated with the cloud provider's KMS) rather than something you configure on raw etcd yourself. Always verify whether encryption at rest is actually enabled, rather than assuming Kubernetes secrets are secure by default just because the name says "Secret."

Pod Security Standards (PSS) define three security policy levels that restrict what a Pod is allowed to do at the cluster or namespace level. They replaced PodSecurityPolicy (PSP), which was deprecated in 1.21 and removed in 1.25.

Privileged: unrestricted, allows known privilege escalations. Use only for trusted, infrastructure-level workloads (CNI plugins, monitoring agents that need host access).

Baseline: prevents known privilege escalations while allowing default Pod configurations to work. Disallows things like running with the host network namespace, host PID namespace, or privileged containers.

Restricted: heavily restricted, follows current Pod hardening best practices. Requires running as non-root, disallows privilege escalation, and drops all Linux capabilities by default.

Applying these labels to a namespace enforces the policy at admission time, rejecting any Pod spec that violates the chosen level.

Helm is the most widely used package manager for Kubernetes. A Helm chart packages a complete application's Kubernetes resources (Deployments, Services, ConfigMaps, Ingress, etc.) into a single, versioned, reusable template.

A chart's values.yaml lets you parameterize environment-specific settings (replica count, image tag, resource limits) without duplicating YAML files per environment:

Adopt Helm when you're deploying the same application across multiple environments with different configuration, you want versioned, rollback-able releases instead of raw kubectl apply, or you're installing third-party software (most popular open-source Kubernetes tools ship official Helm charts as the primary installation method).

Skip Helm when you have a single simple application with one environment and raw YAML manifests are still easy to manage by hand. Helm adds real value once you have multiple environments or multiple similar deployments that would otherwise mean copy-pasting YAML.