100+ Free CCA Practice Questions

Pass your Cilium Certified Associate (CCA) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

100+ Questions

100% Free

1 / 10

Question 1

Score: 0/0

Which technology is Cilium built on to enforce networking, security, and observability in the Linux kernel?

eBPF

iptables only

Open vSwitch

LVS

to track

2026 Statistics

Key Facts: CCA Exam

Questions

Linux Foundation

90 min

Time Limit

Linux Foundation

75%

Passing Score

Linux Foundation

$250

Exam Fee

Linux Foundation

2 attempts

Included

CCA product page

12 months

Eligibility Window

Candidate handbook

As of April 15, 2026, the Linux Foundation lists CCA as a 90-minute online proctored multiple-choice exam with a $250 exam-only fee and two attempts within the 12-month eligibility window. The current curriculum weights Architecture at 20%, Network Policy at 18%, Service Mesh at 16%, Network Observability at 10%, Installation and Configuration at 10%, Cluster Mesh at 10%, eBPF at 10%, and BGP and External Networking at 6%.

Sample CCA Practice Questions

Try these sample questions to test your CCA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which technology is Cilium built on to enforce networking, security, and observability in the Linux kernel?

A.eBPF

B.iptables only

C.Open vSwitch

D.LVS

Explanation: Cilium uses eBPF programs attached to kernel hooks (XDP, TC, socket) to implement high-performance networking, policy, and observability without relying on iptables chains.

2Which component runs on every Kubernetes node and compiles and attaches eBPF programs for workloads?

A.cilium-agent

B.cilium-operator

C.hubble-relay

D.ciliumctl

Explanation: cilium-agent runs as a DaemonSet on each node. It manages endpoints, compiles BPF programs, programs the datapath, and enforces policy.

3Which Cilium component performs cluster-wide operations such as garbage collection and identity management?

A.cilium-operator

B.cilium-agent

C.hubble-ui

D.ztunnel

Explanation: cilium-operator runs as a Deployment (not per node) and coordinates cluster-wide actions like CRD lifecycle, identity GC, IPAM allocation, and failure recovery.

4What does a Cilium 'identity' represent?

A.A stable label-based security identity derived from a workload's labels

B.The pod's IP address

C.The cluster name

D.The container image hash

Explanation: Cilium assigns each workload a numeric security identity based on its labels. Policies reference identities, so rules remain valid as IPs change across restarts or scaling.

5Which CRD represents a single workload endpoint and its derived identity?

A.CiliumEndpoint

B.CiliumNode

C.CiliumIdentity only

D.CiliumConfig

Explanation: CiliumEndpoint objects represent workload endpoints in the cluster along with their identity and health. CiliumIdentity CRs store the identity label sets.

6Which Linux technology does Cilium use to attach programs at the earliest packet processing point on NICs for high performance?

A.XDP (eXpress Data Path)

B.tun/tap

C.dummy interface

D.netconsole

Explanation: XDP attaches eBPF programs at the NIC driver or generic XDP hook, allowing packet-level decisions (drop, redirect) before allocating skbs. Cilium uses XDP to accelerate load balancing and DDoS protection.

7Which Cilium feature can completely replace kube-proxy for Service traffic?

A.Cilium kube-proxy replacement (KPR)

B.hubble-relay

C.istio gateway

D.CoreDNS

Explanation: Cilium's kube-proxy replacement uses eBPF programs to implement Service, NodePort, and external load balancing at the socket and XDP layer, bypassing iptables/IPVS.

8Which Cilium datapath mode encapsulates pod-to-pod traffic in tunnels?

A.VXLAN or Geneve tunneling

B.Direct routing only

C.Host networking only

D.Pure L2

Explanation: Cilium supports overlay tunneling with VXLAN (default) or Geneve, which encapsulates inter-node pod traffic without requiring a routable underlay.

9What is 'direct routing' in Cilium?

A.Pod CIDRs are routed directly on the underlying network, with no encapsulation

B.Pods speak directly to the kernel without the agent

C.Traffic uses DNS only

D.Traffic must traverse an external load balancer

Explanation: Direct routing (sometimes called native routing) relies on the underlay network (cloud router, BGP, etc.) to reach pod CIDRs, avoiding encapsulation overhead.

10Which Cilium component fans out Hubble flows from multiple nodes and exposes them to Hubble UI?

A.hubble-relay

B.hubble-node

C.hubble-scanner

D.hubble-operator

Explanation: hubble-relay connects to node-local Hubble servers and aggregates flow data for cluster-wide visibility via Hubble CLI or UI.

About the CCA Exam

The Cilium Certified Associate (CCA) is an entry-level certification for platform and cloud engineers who connect, secure, and observe Kubernetes clusters using Cilium. It is a remotely proctored multiple-choice exam covering Cilium architecture, network policy, service mesh, observability, installation, cluster mesh, eBPF, and BGP.

Assessment

60 multiple-choice questions

Time Limit

90 minutes

Passing Score

75%

Exam Fee

$250 (Cloud Native Computing Foundation (CNCF) / Linux Foundation)

CCA Exam Content Outline

20%

Architecture

Cilium agent, operator, identity model, CiliumEndpoint, envoy integration, datapath modes, and how Cilium implements CNI.

18%

Network Policy

Kubernetes NetworkPolicy vs CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, L3/L4/L7 rules, FQDN policies, and Hubble flows for policy verification.

16%

Service Mesh

Cilium Service Mesh features, sidecarless mode, Gateway API support, Ingress, mutual authentication, and Envoy DaemonSet.

10%

Network Observability

Hubble UI, Hubble CLI, Hubble Relay, flow visibility, DNS visibility, and Prometheus metrics exported by Cilium.

10%

Installation and Configuration

cilium CLI install, Helm install, values.yaml overrides, upgrades, and cluster health checks.

10%

Cluster Mesh

Multi-cluster connectivity, global services, service affinity, and cluster mesh API server.

10%

eBPF

What eBPF is, how Cilium uses eBPF programs and maps, kube-proxy replacement, and XDP.

BGP and External Networking

CiliumBGPPeeringPolicy, advertising service and pod CIDRs, and external load balancer integration.

How to Pass the CCA Exam

What You Need to Know

Passing score: 75%
Assessment: 60 multiple-choice questions
Time limit: 90 minutes
Exam fee: $250

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

CCA Study Tips from Top Performers

1Start with architecture: Cilium agent, operator, identity model, and CNI role.

2Master the difference between NetworkPolicy, CiliumNetworkPolicy, and CiliumClusterwideNetworkPolicy.

3Know L3/L4 policy and the common L7 examples (HTTP method/path, DNS, Kafka).

4Understand FQDN-based egress policy and how DNS visibility works.

5Be comfortable with Hubble CLI (hubble observe) and Hubble Relay for multi-node flows.

6Review Cilium Service Mesh: sidecarless Envoy DaemonSet, Gateway API, Ingress support.

7Study Cluster Mesh concepts including global services and service affinity.

8Know kube-proxy replacement, socket LB, and when XDP acceleration applies.

Frequently Asked Questions

How many questions are on the CCA exam?

CCA is a multiple-choice exam delivered online through a PSI proctored 90-minute session. Linux Foundation does not publish the exact question count, but the format aligns with other CNCF associate-level exams that typically run 60 questions.

What score do you need to pass CCA?

CCA is expected to follow the standard 75% passing threshold used across Linux Foundation multiple-choice associate certifications. Target comfortably above 75% on timed practice sets before scheduling to give yourself margin.

What are the official CCA domain weights?

The current CCA curriculum weights Architecture at 20%, Network Policy at 18%, Service Mesh at 16%, Network Observability at 10%, Installation and Configuration at 10%, Cluster Mesh at 10%, eBPF at 10%, and BGP and External Networking at 6%. The first three domains together account for over half the exam.

Do I need to know eBPF internals for CCA?

Not to kernel-developer depth. You should understand what eBPF is (in-kernel programmable hooks), how Cilium uses eBPF programs and maps, the role of XDP for early packet processing, and how kube-proxy replacement works. Deep BPF bytecode knowledge is out of scope.

How much does the CCA exam cost?

The Linux Foundation lists CCA at $250 for the exam only. A THRIVE-ONE annual subscription bundle is available at $495. Two exam attempts are included within the 12-month eligibility window.

How long should I study for CCA?

Most candidates with prior Kubernetes networking experience prepare in 3 to 6 weeks with 25 to 45 focused study hours. Spend the most time on architecture, network policy, and service mesh because they total 54% of the exam.