
Top 40 Kubernetes Interview Questions & Answers 2026

Master Kubernetes interviews with 40+ questions on pods, deployments, services, and cluster architecture.

10 questions | ~30 min read | 8 categories | Updated June 2026

01 Core Concepts (1 question)

A Pod is one or more containers sharing a network namespace (same IP), storage volumes, and lifecycle. It is the smallest unit because containers in a pod are always co-located and co-scheduled. Use cases: main container + sidecar (logging, proxy), init containers for setup. Usually deploy one container per pod; use multi-container pods for tightly coupled processes only.

02 Workloads (2 questions)

Pod: single instance of containers. ReplicaSet: ensures specified number of pod replicas running. Deployment: manages ReplicaSets, provides declarative updates, rollback, scaling. Hierarchy: Deployment → ReplicaSet → Pods. Usually create Deployments, not ReplicaSets directly. Deployment handles rolling updates by creating new ReplicaSet.

StatefulSets manage stateful applications with: stable network identities (pod-0, pod-1), stable persistent storage, ordered deployment/scaling/deletion. Use for: databases, distributed systems (Kafka, ZooKeeper), apps needing stable hostnames. Each pod gets own PVC. Headless service required for DNS. More complex than Deployments; use only when needed.

03 Networking (2 questions)

Services provide stable networking for pods. Types: (1) ClusterIP (default) - internal only, (2) NodePort - exposes on node port, (3) LoadBalancer - cloud provider LB, (4) ExternalName - DNS CNAME. Services use selectors to find pods. Endpoints track pod IPs. For stateful apps, use headless service (clusterIP: None) for direct pod DNS.

Requirements: all pods can communicate without NAT, nodes can communicate with pods. CNI plugins implement networking (Calico, Flannel, Cilium). Each pod gets unique IP. kube-proxy handles service routing (iptables, IPVS, or eBPF). Network policies control traffic between pods. Ingress controllers route external HTTP traffic.

04 Configuration (1 question)

ConfigMaps store non-sensitive configuration (env vars, config files). Secrets store sensitive data (passwords, tokens); their values are base64 encoded, not encrypted by default, so anyone who can read the Secret object can decode them. Consume as: environment variables, volume mounts, or command arguments. Enable encryption at rest for Secrets. Use external secret managers (Vault, AWS Secrets Manager) for production.

05 Scaling (1 question)

HPA automatically scales pod replicas based on metrics. Default: CPU utilization. Custom metrics: memory, requests/sec, queue length. Components: metrics-server collects data, HPA controller checks every 15s. Configure: minReplicas, maxReplicas, target metric. Scaling formula: desiredReplicas = currentReplicas * (currentMetric / targetMetric). Use with PodDisruptionBudget.

06 Security (1 question)

Role-Based Access Control (RBAC) manages permissions. Components: (1) Role/ClusterRole - defines permissions (verbs on resources), (2) RoleBinding/ClusterRoleBinding - grants a role to users/service accounts. A Role is namespaced; a ClusterRole is cluster-wide. Best practices: least privilege, use service accounts for apps, audit regularly. RBAC is default deny; access must be explicitly granted.
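
An added example (not part of the original page) of the least-privilege and "audit regularly" advice above: a small Python check over Role/ClusterRole objects that flags wildcard rules, read access to Secrets, and the `bind`/`escalate`/`impersonate` verbs. The sample listing is constructed and shaped like `kubectl get roles,clusterroles -A -o json` output; the role names and finding labels are hypothetical, chosen for this example.

```python
import json

# Constructed sample shaped like `kubectl get roles,clusterroles -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "shop"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "shop"},
   "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
             {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "role-manager"},
   "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
              "verbs": ["bind", "escalate"]}]}
]}
""")

READ_VERBS = {"get", "list", "watch", "*"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}  # verbs that let a subject widen its own access

def audit_role(obj):
    """Return sorted least-privilege findings (hypothetical labels) for one Role/ClusterRole."""
    findings = set()
    for rule in obj.get("rules") or []:  # aggregated ClusterRoles can carry rules: null
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if "*" in verbs:
            findings.add("wildcard-verb")
        if "*" in resources:
            findings.add("wildcard-resource")
        # Secrets live in the core API group (""), so the rule must also cover that group.
        if resources & {"secrets", "*"} and groups & {"", "*"} and verbs & READ_VERBS:
            findings.add("can-read-secrets")
        if verbs & ESCALATION_VERBS:
            findings.add("escalation-verb")
    return sorted(findings)

def audit(listing):
    """Map 'Kind/namespace/name' to findings, omitting roles with nothing to report."""
    report = {}
    for obj in listing.get("items", []):
        meta = obj["metadata"]
        found = audit_role(obj)
        if found:
            report[f'{obj["kind"]}/{meta.get("namespace", "-")}/{meta["name"]}'] = found
    return report

if __name__ == "__main__":
    for role, found in audit(SAMPLE).items():
        print(role, "->", ", ".join(found))
```

A finding is a prompt for review, not proof of misuse: what matters next is which users and service accounts are bound to the flagged role through RoleBindings and ClusterRoleBindings.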

07 Health Checks (1 question)

Liveness: is container alive? Failure restarts container. Readiness: is container ready for traffic? Failure removes from service. Startup: for slow-starting containers, disables liveness check initially. Probe types: HTTP GET, TCP socket, exec command. Configure: initialDelaySeconds, periodSeconds, failureThreshold. Don't make liveness depend on external dependencies.

08 Operations (1 question)

Steps: (1) kubectl describe pod - check events, conditions, (2) kubectl logs pod [-c container] - application logs, (3) kubectl get events - cluster events, (4) Check pod status: Pending (scheduling), CrashLoopBackOff (container failing), ImagePullBackOff (image issue). Common causes: resource limits, failed probes, missing configs/secrets, image issues.
