100+ Free EX380 Practice Questions

Pass your Red Hat Certified Specialist in OpenShift Automation and Integration (EX380) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~45-60% Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

Which OpenShift resource is the single object you patch to configure all identity providers for a cluster?

OAuth named 'cluster'

Authentication named 'default'

ClusterAuthConfig named 'oauth'

IdentityProvider named 'cluster'

to track

2026 Statistics

Key Facts: EX380 Exam

210/300

Passing Score (70%)

Red Hat

4 hours

Single Section

Red Hat

$400

Exam Fee (USD)

Red Hat

OCP 4.18

Platform Version

Red Hat

120-180 hrs

Study Time

Recommended

$135-185K

Platform Engineer Salary

Glassdoor 2024

3 years

Cert Valid

Red Hat renewal

EX380 is Red Hat's automation-and-integration specialty for OpenShift platform engineers — a 4-hour, hands-on, performance-based exam with no multiple-choice questions. The passing score is 210/300 (70%) and the exam fee is approximately $400 USD. EX380 builds on EX280 and validates GitOps, OADP, MachineConfig, Loki, and identity-provider integration. It counts toward Red Hat Certified Architect (RHCA).

Sample EX380 Practice Questions

Try these sample questions to test your EX380 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which OpenShift resource is the single object you patch to configure all identity providers for a cluster?

A.OAuth named 'cluster'

B.Authentication named 'default'

C.ClusterAuthConfig named 'oauth'

D.IdentityProvider named 'cluster'

Explanation: Identity providers are configured in the cluster-scoped OAuth resource named 'cluster' (config.openshift.io/v1). The .spec.identityProviders array holds all configured providers. When you edit it the cluster authentication operator rolls out a new oauth-openshift pod with the updated configuration.

2You are configuring an LDAP identity provider on OpenShift. Which two referenced objects must exist before you patch the OAuth resource?

A.A Secret holding the bind password and a ConfigMap holding the CA certificate

B.A Secret holding the bind password and a Secret holding the CA certificate

C.A ConfigMap holding the bind password and a Secret holding the CA certificate

D.Two ConfigMaps in openshift-authentication

Explanation: An LDAP identity provider references the bind password via a Secret and the trusted CA bundle via a ConfigMap, both in the openshift-config namespace. The OAuth spec uses bindPassword.name (Secret) and ca.name (ConfigMap) keyed under 'tls.crt' and 'ca.crt' respectively for trust validation.

3You want OpenShift to authenticate users against Red Hat Single Sign-On (Keycloak) using the OpenID Connect protocol. Which identity provider type do you configure in OAuth/cluster?

A.OpenID

B.Keystone

C.RequestHeader

D.GitHub

Explanation: Keycloak (Red Hat SSO) speaks OIDC, so you select the OpenID identity provider type in the OAuth resource. You configure clientID, clientSecret, an issuer URL pointing at the Keycloak realm, and the claims mapping (email, preferredUsername, name) to populate the OpenShift User resource.

4After configuring an LDAP identity provider you want to synchronize LDAP groups into OpenShift Group resources. Which command performs the sync?

A.oc adm groups sync --sync-config=ldap-sync.yaml --confirm

B.oc create groups --from-ldap ldap-sync.yaml

C.oc sync ldap groups --config=ldap-sync.yaml

D.oc adm policy sync-groups --ldap-config=ldap-sync.yaml

Explanation: oc adm groups sync reads an LDAP sync configuration file and creates or updates Group resources whose members come from LDAP. The --confirm flag actually applies the change; without it the command runs in dry-run mode. The sync config defines the LDAP query, base DN, and the augmented mapping to OpenShift group names.

5Which command grants the cluster-admin ClusterRole to an LDAP-synced group named 'platform-engineers'?

A.oc adm policy add-cluster-role-to-group cluster-admin platform-engineers

B.oc adm policy add-role-to-group cluster-admin platform-engineers

C.oc create rolebinding cluster-admin --group=platform-engineers

D.oc adm grant cluster-admin --group=platform-engineers

Explanation: oc adm policy add-cluster-role-to-group binds a cluster-scoped ClusterRole (cluster-admin) to a Group, generating a ClusterRoleBinding under the hood. add-role-to-group is namespace-scoped, and there is no oc adm grant command.

6You need a kubeconfig that authenticates as a service account named 'argocd-deployer' in namespace 'openshift-gitops'. Which oc command extracts the service account token and prints it?

A.oc create token argocd-deployer -n openshift-gitops

B.oc serviceaccount get-token argocd-deployer -n openshift-gitops

C.oc adm token --serviceaccount=argocd-deployer -n openshift-gitops

D.oc whoami -t --as=system:serviceaccount:openshift-gitops:argocd-deployer

Explanation: oc create token (inherited from kubectl 1.24+) requests a short-lived bound token from the TokenRequest API for the specified service account. This is the modern, recommended method on OpenShift 4.18 because long-lived service-account secret tokens are no longer auto-generated by default.

7Which OAuth identity provider type is appropriate when an external reverse proxy authenticates users (for example via Kerberos) and forwards the username in an HTTP header?

A.RequestHeader

B.BasicAuth

C.OpenID

D.HTPasswd

Explanation: RequestHeader trusts a configured proxy to do the actual authentication and pass the username (and optional email/name) via HTTP headers. You must specify clientCommonNames and the trusted CA so OpenShift verifies the proxy's TLS client certificate before believing the headers.

8Multiple identity providers are configured on the same cluster. What determines the order in which they are presented on the login page?

A.The order of entries in the OAuth/cluster .spec.identityProviders list

B.Alphabetical order by provider name

C.Order is randomized per request

D.Alphabetical order by mappingMethod

Explanation: OpenShift renders the login page using the order of entries you put in OAuth/cluster .spec.identityProviders. To change which provider appears first, reorder the YAML and reapply. There is no separate priority field; ordering equals priority.

9Which identityProvider mappingMethod creates a new User automatically the first time a person logs in, but errors if a different identity claims an existing username?

A.claim

B.lookup

C.generate

D.add

Explanation: claim auto-creates the User and Identity on first login and reuses the username verbatim from the IdP. If a different identity later claims the same username, OpenShift refuses to log it in — protecting against unintentional account takeover. claim is the default and most common choice.

10What does the LDAPSyncConfig field 'augmentedActiveDirectory' allow that the plain 'activeDirectory' schema does not?

A.It supports first-class Group objects in AD that have memberOf references on user entries

B.It synchronizes user passwords in addition to group membership

C.It enables MFA on every login

D.It disables TLS to LDAP

Explanation: The augmentedActiveDirectory schema is for AD deployments where Group objects exist as first-class LDAP entries (so Group attributes like a name and description sync) but membership is still discovered from the user's memberOf attribute. Plain activeDirectory builds Groups from memberOf alone, with no separate Group entry to augment metadata from.

About the EX380 Exam

Performance-based certification for OpenShift platform engineers. EX380 validates hands-on automation and integration skills on Red Hat OpenShift Container Platform 4.18: LDAP and Keycloak identity providers, RBAC at scale, OADP backup and restore, MachineConfig and infra nodes, advanced pod scheduling, OpenShift GitOps with Argo CD, cluster monitoring and alerting, and cluster logging with Vector and Loki.

Assessment

Single 4-hour performance-based hands-on section on a live OpenShift 4.18 cluster

Time Limit

4 hours

Passing Score

210/300 (70%)

Exam Fee

$400 USD (Red Hat)

EX380 Exam Content Outline

15%

Authentication and Identity Management

LDAP, Red Hat SSO (Keycloak) OIDC, multiple identity providers, group sync, RBAC at scale, kubeconfig tokens and certificates

13%

Application Backup and Restore (OADP)

OADP operator, Velero, DataProtectionApplication, Backup and Restore CRs, volume snapshots, schedules, application import/export

13%

Cluster Partitioning and MachineConfig

Infra MachineSets, dedicated nodes, MachineConfigPool, MachineConfig, Machine Config Operator, day-2 cluster configuration

12%

Pod Scheduling and Workload Distribution

Taints, tolerations, node labels, project-level tolerations, PodDisruptionBudget, affinity and anti-affinity rules, topology spread

20%

OpenShift GitOps and Argo CD

OpenShift GitOps operator, Argo CD Application and ApplicationSet CRs, sync waves, sync policies, Helm and Kustomize, repo and cluster management

10%

Cluster Monitoring and Alerting

Cluster monitoring stack, Prometheus, Alertmanager configuration, custom alerts, silences, user-workload monitoring

12%

Cluster Logging and Diagnostics

Cluster Logging operator, Vector collector, Loki LokiStack, log forwarding, ClusterLogForwarder, must-gather, EventRouter

Pipelines and Workload Automation

OpenShift Pipelines (Tekton), Jobs, CronJobs, Tasks and PipelineRuns, integration with GitOps

How to Pass the EX380 Exam

What You Need to Know

Passing score: 210/300 (70%)
Assessment: Single 4-hour performance-based hands-on section on a live OpenShift 4.18 cluster
Time limit: 4 hours
Exam fee: $400 USD

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

EX380 Study Tips from Top Performers

1Build a real OpenShift 4.18 cluster — sandbox.redhat.com gives you a free shared cluster, or use a 60-day developer subscription on bare metal/VMs

2Master Argo CD Application CR fields: spec.source.repoURL, spec.source.path, spec.destination.namespace, spec.syncPolicy.automated.prune/selfHeal

3Learn ApplicationSet generators (List, Cluster, Git directory, Git file, Matrix, Merge) — examiners often ask you to fan out apps across namespaces

4Drill sync waves with the argocd.argoproj.io/sync-wave annotation — lower numbers sync first, negatives are allowed

5OADP: install the operator, create a DataProtectionApplication CR with backup location and snapshot location, then create Backup and Restore CRs

6Memorize MachineConfig structure: machineconfiguration.openshift.io/v1, MachineConfigPool selector, ignition config under spec.config

7Practice creating infra MachineSets by patching the worker MachineSet name and adding role labels — workloads then move via taints/tolerations

8Cluster Logging 4.18 uses Vector + Loki: install Loki Operator, create a LokiStack, install Cluster Logging operator, then a ClusterLogForwarder

9Configure LDAP identity provider via the OAuth resource (oauth/cluster) — bindDN, bindPassword secret, ca configmap, attributes map

10Write Alertmanager configuration via the alertmanager-main secret in openshift-monitoring — receivers, route, inhibit_rules

Frequently Asked Questions

What is the EX380 pass rate?

Red Hat does not publish official pass rates. Industry estimates suggest 45-60% of candidates pass on their first attempt because the exam is hands-on, has no multiple-choice questions, and adds GitOps, OADP, and MachineConfig on top of EX280 fundamentals. The passing score is 210/300 (70%).

What OpenShift version does EX380 cover?

EX380 currently aligns to Red Hat OpenShift Container Platform 4.18. Red Hat explicitly states that DO180/DO280/DO380 from version 4.18 or later are required preparation; older 4.x knowledge alone is insufficient because OADP, Vector, Loki, and the cluster monitoring stack changed materially in 4.18.

Do I need EX280 before EX380?

Red Hat recommends a current EX280 (Red Hat Certified Specialist in OpenShift Administration) certification or equivalent experience before attempting EX380. The exam assumes you already know oc CLI, projects, RBAC fundamentals, routes, and SCCs — EX380 builds automation and integration on top of that foundation.

What is on the EX380 exam?

EX380 tests eight skill areas: identity provider integration (LDAP and Keycloak OIDC), application backup and restore with OADP, cluster partitioning via MachineConfig and infra nodes, pod scheduling (taints, affinity, PDBs), OpenShift GitOps with Argo CD, cluster monitoring and alerting, cluster logging with Vector and Loki, and workload automation with Tekton Pipelines, Jobs, and CronJobs.

How long should I study for EX380?

Plan for 120-180 hours of hands-on study over 10-14 weeks if you already hold EX280. Build a real OCP 4.18 lab, install OpenShift GitOps and OADP operators, write Argo CD ApplicationSets, configure ClusterLogForwarder with Loki, and run timed mock labs to build the speed needed to finish all tasks in 4 hours.

Does EX380 expire?

Yes — EX380 is valid for 3 years from the date you pass. You can recertify by passing the current version of EX380 again, passing a higher-level OpenShift exam, or earning enough Red Hat credentials to maintain RHCA status. Red Hat sends renewal notifications before expiration.

What jobs does EX380 qualify me for?

EX380 targets platform engineering roles: OpenShift Platform Engineer ($135-180K), Site Reliability Engineer ($140-190K), DevOps/GitOps Engineer ($130-175K), and Cloud Infrastructure Architect ($150-200K). Demand is highest in regulated industries — banking, telecom, government, healthcare — that standardize on OpenShift for its security posture and Red Hat support.