100+ Free Cilium Certified Associate Practice Questions

Cilium Certified Associate (CCA) practice questions are available now; exam metadata is being verified.

Key Facts: Cilium Certified Associate Exam

Exam Fee (USD, includes one free retake): $250 (source: CNCF / The Linux Foundation)
Exam Duration: 90 min (source: The Linux Foundation)
Blueprint Domains: 8 domains (source: The Linux Foundation)
Largest Domain (Architecture): 20% (source: The Linux Foundation)
Certification Validity: 2 years (source: The Linux Foundation)
Exam Format (online proctored): Multiple-choice (source: CNCF / The Linux Foundation)

The Cilium Certified Associate (CCA) is an online, proctored, multiple-choice exam from CNCF and The Linux Foundation. It costs $250 USD (including one free retake), runs 90 minutes, and the credential is valid for 2 years; the passing score is not officially published. The eight domains are Architecture (20%), Network Policy (18%), Service Mesh (16%), Network Observability (10%), Installation and Configuration (10%), Cluster Mesh (10%), eBPF (10%), and BGP and External Networking (6%).

Sample Cilium Certified Associate Practice Questions

Try these sample questions to test your Cilium Certified Associate exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. What in-kernel technology does Cilium use as the foundation of its datapath for networking, load balancing, and security enforcement?
A. eBPF (extended Berkeley Packet Filter)
B. iptables chains managed by kube-proxy
C. Open vSwitch with OpenFlow rules
D. A userspace proxy that intercepts every packet
Explanation: Cilium is built on eBPF, which lets it run sandboxed programs inside the Linux kernel at hook points such as the network device, socket, and traffic control layers. This in-kernel datapath provides high-performance L3-L7 networking, load balancing, and policy enforcement without the per-packet overhead of long iptables chains.

2. Which Cilium component runs as a DaemonSet on every node and is responsible for loading eBPF programs and enforcing network policy locally?
A. cilium-operator
B. cilium-agent
C. clustermesh-apiserver
D. Hubble Relay
Explanation: The cilium-agent runs as a DaemonSet pod on each node, where it manages endpoints, compiles and loads eBPF programs into the kernel, and enforces network policy for pods on that node. It also handles per-node IP allocation tasks and reports endpoint state.

3. What is the primary responsibility of the cilium-operator in a Cilium deployment?
A. Loading eBPF bytecode into the kernel on each worker node
B. Terminating TLS for every pod-to-pod connection
C. Cluster-wide tasks such as IPAM coordination, CRD registration, and garbage collection of stale resources
D. Replacing the Kubernetes API server
Explanation: The cilium-operator handles cluster-scoped duties that should not be duplicated on every node: coordinating IP address management (especially in cloud IPAM modes), registering Cilium CRDs, garbage-collecting orphaned CiliumEndpoint and identity objects, and translating Ingress/Gateway API resources. It is not on the per-packet datapath, so a brief operator outage does not stop existing traffic.

4. In Cilium, what does a CiliumEndpoint represent?
A. A physical network interface on a node
B. A BGP peering session with an external router
C. A cluster-wide load balancer virtual IP
D. The networking identity and state of a single workload such as a pod
Explanation: A CiliumEndpoint is a custom resource created by the cilium-agent for each managed workload (typically a pod), capturing its IP addresses, security identity, and policy enforcement state. Cilium attaches eBPF programs to the endpoint's network interface to provide connectivity and enforce policy.

5. Cilium's security model is described as identity-based rather than IP-based. What does the security identity primarily derive from?
A. The set of labels assigned to the workload
B. The pod's IP address and subnet
C. The node's hostname where the pod runs
D. The container image digest
Explanation: Cilium assigns each workload a numeric security identity derived from its set of labels (for example, the Kubernetes labels on a pod). Policy is enforced against these identities rather than ephemeral pod IPs, so security rules remain stable even as pods are rescheduled and IPs change.

6. Which two routing modes does Cilium support for moving traffic between pods on different nodes?
A. Source NAT only and destination NAT only
B. Overlay (tunneling) and native (direct) routing
C. Layer 2 bridging and ARP proxying exclusively
D. DNS round-robin and IPVS hashing
Explanation: Cilium offers overlay (encapsulation) routing using VXLAN or Geneve tunnels, and native (direct) routing where packets are placed on the network without encapsulation. Overlay maximizes portability across environments, while native routing minimizes latency and overhead by relying on the underlying network's routing.

7. In Cilium's overlay routing mode, which encapsulation protocols are supported by default for tunneling pod traffic between nodes?
A. GRE and IP-in-IP
B. MPLS and L2TP
C. VXLAN and Geneve
D. PPTP and SSTP
Explanation: Cilium's tunnel (overlay) routing mode encapsulates pod traffic using VXLAN by default, with Geneve available as an alternative tunnel protocol. Encapsulation hides the pod network from the underlying infrastructure, simplifying deployment across heterogeneous networks at the cost of some per-packet overhead.

8. Which statement best describes IP Address Management (IPAM) in Cilium?
A. Cilium can only use the Kubernetes host-scope podCIDR and nothing else
B. IPAM is handled entirely by kube-proxy
C. Cilium assigns the same IP to every pod on a node
D. Cilium supports multiple IPAM modes including Cluster Pool (default), Kubernetes host-scope, and cloud-provider modes like AWS ENI and Azure
Explanation: Cilium provides several IPAM backends. Cluster Pool is the default, where the operator carves per-node CIDRs from a cluster-wide pool; Kubernetes host-scope uses the node's podCIDR; and cloud modes such as AWS ENI and Azure allocate provider-native IPs directly to pods. Choosing the right mode affects routing, scale, and IP exhaustion behavior.

9. What is the default Cluster Pool IPAM behavior in Cilium?
A. The cilium-operator allocates a per-node PodCIDR from a cluster-wide pool and the agent assigns pod IPs from it
B. Each pod requests an IP directly from the cloud provider's API
C. Pods use the host node's IP address with port mapping
D. IP addresses are statically assigned by an administrator per pod
Explanation: In Cluster Pool IPAM (the default), the cilium-operator partitions a configured cluster-wide CIDR into smaller per-node PodCIDRs, recorded on each CiliumNode resource. The local cilium-agent then hands out individual pod IPs from its node's allocated block, decoupling Cilium from the Kubernetes controller-manager's IPAM.

10. Cilium provides what kind of network topology to Kubernetes workloads?
A. A strictly Layer 2 broadcast domain per namespace
B. A flat Layer 3 network that can span multiple clusters
C. A NAT-only network with no direct pod-to-pod routing
D. A separate VLAN for every individual pod
Explanation: Cilium delivers a simple flat Layer 3 network in which every pod is directly addressable and can communicate across nodes, and with Cluster Mesh this flat network can span multiple clusters. This L3 model underpins identity-based policy and efficient eBPF load balancing.

About the Cilium Certified Associate Practice Questions

Verified exam format metadata for Cilium Certified Associate (CCA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.