100+ Free EX328 Practice Questions

Pass your Red Hat Certified Specialist in Building Resilient Microservices (EX328) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

Not published Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

On OpenShift Service Mesh 3.x, which Operator do you install from OperatorHub to deploy the Istio control plane?

Service Mesh Operator (ServiceMeshControlPlane)

Sail Operator (Istio CR)

Maistra Control Plane Operator

Envoy Operator

to track

2026 Statistics

Key Facts: EX328 Exam

210/300

Passing Score

Red Hat

4 hours

Exam Duration

Red Hat

OSSM 3 / OCP 4.18

Product Version

Red Hat

$500

Exam Fee (varies)

Red Hat

60-100 hrs

Study Time

Recommended

3 years

Cert Validity

Red Hat

EX328 is Red Hat's specialty exam covering OpenShift Service Mesh 3 on OpenShift 4.18 (Sail Operator + community Istio). The 4-hour, performance-based test requires 210/300 (70%) to pass. Candidates configure Gateways and VirtualServices, implement canary/mirroring/fault injection, build resilience with timeouts/retries and circuit breakers via outlier detection, secure traffic with mTLS and JWT (PeerAuthentication, RequestAuthentication, AuthorizationPolicy), and observe with Kiali, Jaeger, and Prometheus. Certification is valid for 3 years.

Sample EX328 Practice Questions

Try these sample questions to test your EX328 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1On OpenShift Service Mesh 3.x, which Operator do you install from OperatorHub to deploy the Istio control plane?

A.Service Mesh Operator (ServiceMeshControlPlane)

B.Sail Operator (Istio CR)

C.Maistra Control Plane Operator

D.Envoy Operator

Explanation: OpenShift Service Mesh 3 is built on community Istio and is installed via the Sail Operator. The Sail Operator manages the Istio, IstioCNI, and IstioRevision custom resources and replaces the OSSM 2 ServiceMeshControlPlane (SMCP) approach. Subscribing to the Sail Operator and creating an Istio CR is the supported install path on OCP.

2Which custom resource do you create to actually deploy the Istio control plane on OpenShift Service Mesh 3?

A.ServiceMeshControlPlane

B.Istio

C.IstioOperator

D.ControlPlane

Explanation: After installing the Sail Operator, you create an Istio custom resource (kind: Istio in the sailoperator.io API group). The Sail Operator reconciles this CR and deploys the istiod control plane in the chosen namespace and revision. SMCP is the OSSM 2 resource and is not used in OSSM 3.

3Which Operator/CR is responsible for installing the Istio CNI plugin used to redirect pod traffic to the sidecar in OSSM 3?

A.Sail Operator using the IstioCNI CR

B.OpenShift SDN Operator

C.Multus CNI Operator

D.OVN-Kubernetes Operator

Explanation: The Sail Operator manages a separate IstioCNI custom resource that deploys the Istio CNI plugin DaemonSet. The CNI plugin programs iptables rules so traffic is captured by the sidecar without requiring NET_ADMIN on application pods. You typically create the IstioCNI CR in the istio-cni namespace.

4Which annotation, when added to a workload's pod template, tells Istio to inject an Envoy sidecar proxy?

A.sidecar.istio.io/inject: "true"

B.istio.io/sidecar: enabled

C.service-mesh.io/inject: yes

D.envoy/inject: "true"

Explanation: Setting the annotation sidecar.istio.io/inject: "true" on a pod template explicitly enables sidecar injection by the istio-sidecar-injector mutating webhook. It can also be set to "false" to opt a pod out, even when the namespace is labeled for injection. Namespace-level injection is typically toggled with the istio-injection=enabled or istio.io/rev=<revision> label.

5Which namespace label enables automatic sidecar injection for all pods in that namespace using the default Istio revision?

A.istio-injection=enabled

B.istio.io/inject=on

C.service-mesh-member=true

D.istio=auto

Explanation: Adding the label istio-injection=enabled to a namespace causes the Istio mutating admission webhook to inject the istio-proxy sidecar into all newly created pods in that namespace. Pod-level annotations such as sidecar.istio.io/inject can override this on individual workloads. For revision-based installs, the label istio.io/rev=<revision> is used instead.

6Which CR replaces OpenShift Service Mesh 2's ServiceMeshMemberRoll for declaring which namespaces participate in the mesh under OSSM 3?

A.ServiceMeshMemberRoll is still required

B.There is no MemberRoll; namespace membership is implicit via injection labels and discovery selectors

C.MeshMembership CR

D.IstioPolicy CR

Explanation: OSSM 3 follows upstream Istio: there is no ServiceMeshMemberRoll. A namespace becomes part of the mesh by being selected through discoverySelectors on the Istio CR and/or being labeled for sidecar injection (istio-injection=enabled or istio.io/rev). This is a major architectural change from OSSM 2 where SMMR explicitly listed member namespaces.

7Which CLI tool is provided with Istio for analyzing configuration, debugging, and proxy introspection?

A.istiod

B.istioctl

C.envoyctl

D.meshctl

Explanation: istioctl is the Istio command-line tool used for installation analysis, configuration validation (istioctl analyze), proxy debugging (istioctl proxy-status, proxy-config), and ad-hoc diagnostics. istiod is the control plane process running inside the cluster, not a client tool.

8Which istioctl command shows the synchronization status of all sidecar proxies with the istiod control plane?

A.istioctl proxy-status

B.istioctl analyze

C.istioctl version

D.istioctl describe

Explanation: istioctl proxy-status (alias istioctl ps) lists each sidecar/Envoy registered with istiod along with the sync state of CDS, LDS, EDS, and RDS. It is the first-line diagnostic to confirm that proxies are receiving and acknowledging configuration from the control plane.

9Which istioctl subcommand dumps the live Envoy listeners, clusters, routes, or endpoints for a specific pod?

A.istioctl proxy-config

B.istioctl get

C.istioctl debug

D.istioctl x precheck

Explanation: istioctl proxy-config (alias pc) takes a subcommand such as listeners, clusters, routes, endpoints, secret, or bootstrap and queries the Envoy admin API of the named pod via istiod. It is the canonical way to inspect what configuration a sidecar has actually loaded.

10Which Istio control-plane component is responsible for distributing configuration (xDS) to sidecar proxies and acting as the certificate authority?

A.Pilot only

B.Citadel only

C.istiod (which subsumes Pilot, Citadel, and Galley)

D.Mixer

Explanation: Modern Istio uses a single control-plane binary, istiod, which combines the duties of the legacy Pilot (xDS to sidecars), Citadel (mTLS CA and SDS), and Galley (config validation). Mixer was removed long ago. Knowing istiod is the single point of contact for sidecars is fundamental to debugging mesh issues.

About the EX328 Exam

Performance-based certification for engineers building resilient microservices with OpenShift Service Mesh 3 (Istio under the hood, installed via the Sail Operator). EX328 validates skills with Istio CRDs (Gateway, VirtualService, DestinationRule, ServiceEntry, Sidecar, PeerAuthentication, RequestAuthentication, AuthorizationPolicy), traffic management (canary, mirroring, fault injection), resilience (timeouts, retries, outlier detection), mTLS, observability (Kiali, Jaeger, Prometheus), and microservice routing on OpenShift Container Platform 4.18.

Assessment

Performance-based hands-on tasks (no fixed question count)

Time Limit

4 hours

Passing Score

210/300 (70%)

Exam Fee

$500 USD (varies by region) (Red Hat)

EX328 Exam Content Outline

10%

Install and Configure OpenShift Service Mesh

Sail Operator, Istio CR, IstioCNI, sidecar injection, namespace selectors

20%

Istio CRDs and Traffic Routing

Gateway, VirtualService, DestinationRule, ServiceEntry, Sidecar, header/URI matching

15%

Traffic Management Patterns

Canary, blue/green, mirroring, fault injection (delay/abort), traffic splitting

15%

Resilience Patterns

Timeouts, retries, perTryTimeout, retryOn, circuit breaker via outlier detection, connection pool / bulkhead

20%

Service Mesh Security

PeerAuthentication mTLS modes, RequestAuthentication JWT, AuthorizationPolicy, TLS termination/origination

10%

Observability

Kiali service graph, Jaeger tracing, Prometheus metrics, Telemetry CR, Envoy admin interface

10%

Microservice Routing & Operations

OpenShift Routes integrating with ingress gateways, multi-cluster trust, revision-based upgrades, troubleshooting

How to Pass the EX328 Exam

What You Need to Know

Passing score: 210/300 (70%)
Assessment: Performance-based hands-on tasks (no fixed question count)
Time limit: 4 hours
Exam fee: $500 USD (varies by region)

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

EX328 Study Tips from Top Performers

1Build a real lab with OpenShift 4.18 and OpenShift Service Mesh 3 (Sail Operator) — there is no substitute for hands-on practice on a live cluster

2Master the canonical Istio CRD trio: Gateway (listeners), VirtualService (L7 routing), DestinationRule (subsets, LB, outlier detection)

3Practice canary by weight, header-based dark launch, and traffic mirroring with mirrorPercentage — know when to use each

4Memorize fault injection: spec.http[].fault.delay.fixedDelay and spec.http[].fault.abort.httpStatus with percentage.value

5Tune resilience: spec.http[].timeout, retries.attempts/perTryTimeout/retryOn (5xx,connect-failure,refused-stream)

6Outlier detection vs connection pool: outlier ejects unhealthy hosts; connectionPool caps concurrency (bulkheading)

7Know mTLS modes (STRICT, PERMISSIVE, DISABLE) on PeerAuthentication and tls.mode (ISTIO_MUTUAL, SIMPLE, MUTUAL, DISABLE) on DestinationRule

8RequestAuthentication validates JWTs (jwtRules.issuer/jwksUri); AuthorizationPolicy enforces with source.requestPrincipals

9Use istioctl proxy-status, proxy-config (listeners/clusters/routes/endpoints/secret), and analyze for fast diagnosis

10Time yourself in 4-hour scenario blocks so you stay efficient under exam time pressure

Frequently Asked Questions

What does EX328 actually test?

EX328 is a 4-hour performance-based exam on a live OpenShift Service Mesh / Istio environment. You install/verify the Sail Operator and Istio control plane, configure Gateway + VirtualService for ingress, implement canary and traffic mirroring, inject faults to test resilience, configure timeouts/retries and circuit breaking via outlier detection, enforce mTLS with PeerAuthentication and validate JWTs with RequestAuthentication, and write AuthorizationPolicy. The exam evaluates the final cluster state, not the specific commands you use.

What is the passing score for EX328?

The passing score is 210 out of 300 (70%). Each task contributes to the total based on the success criteria. Verify your work end-to-end before submitting — partial credit is generally not given on individual tasks.

Which OpenShift Service Mesh version does EX328 cover?

EX328 currently aligns with OpenShift Service Mesh 3 (built on community Istio and installed via the Sail Operator) on OpenShift Container Platform 4.18. This replaces the OSSM 2 model (ServiceMeshControlPlane and ServiceMeshMemberRoll). Confirm the exact version on the official EX328 page before scheduling.

How is OpenShift Service Mesh 3 different from OSSM 2?

OSSM 3 aligns directly with upstream Istio: there is no ServiceMeshControlPlane or ServiceMeshMemberRoll. Instead, the Sail Operator manages the Istio, IstioCNI, and IstioRevision custom resources. Namespaces opt in via standard Istio labels (istio-injection=enabled or istio.io/rev=<revision>), and configuration uses upstream Istio APIs without Maistra extensions.

Are RHCSA or other certifications required to take EX328?

EX328 has no formal prerequisites, but Red Hat strongly recommends OpenShift Administrator (EX280)-level skills and prior experience deploying microservices on OpenShift. The exam assumes comfort with oc/kubectl, YAML, troubleshooting Pods/Services/Routes, and basic HTTP/networking concepts.

How should I study for EX328?

Set up a lab with OpenShift 4.18 and OpenShift Service Mesh 3 (Sail Operator). Practice every objective: install the Operator and Istio CR, label namespaces for injection, configure Gateways with TLS, write VirtualServices with weighted routes/header matching/mirror/fault, set up DestinationRules with subsets/outlierDetection/connectionPool, enforce mTLS via PeerAuthentication, validate JWTs via RequestAuthentication, write AuthorizationPolicies, and verify with Kiali/Jaeger/Prometheus. Plan 60-100 hours of focused lab time.

Does EX328 expire?

Yes. Red Hat certifications are valid for 3 years. You can renew by re-taking EX328, by passing a higher Red Hat certification, or via other recognized renewal paths defined by Red Hat at renewal time.