Kubernetes Interview Questions 2026: Pods, Services, RBAC and HPA

Kubernetes interview questions test your understanding of container orchestration, pod lifecycle, services, networking, scaling, and production operations. This guide covers the most commonly asked K8s questions for DevOps engineers and platform engineers in 2026.

Core Kubernetes Questions

1. What is a Pod and how does it differ from a Container?

A Pod is the smallest deployable unit in Kubernetes. It wraps one or more containers that share:

  • Network namespace (same IP, share localhost)
  • Storage volumes
  • Lifecycle

Most pods run a single container. Use multiple containers for sidecar patterns (logging agent, proxy).

2. Explain the difference between a Deployment, StatefulSet, and DaemonSet

| Resource | Use Case | Key Feature |
|---|---|---|
| Deployment | Stateless apps (web servers, APIs) | Rolling updates, replica management |
| StatefulSet | Stateful apps (databases, Kafka) | Stable pod names, ordered deployment, persistent volumes |
| DaemonSet | Node-level agents (logging, monitoring) | One pod per node automatically |

3. What are ConfigMaps and Secrets? How do they differ?

# ConfigMap — non-sensitive configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_ENV: production
  DB_HOST: postgres-service
  LOG_LEVEL: info

---
# Secret — sensitive data (base64 encoded, not encrypted by default!)
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  DB_PASSWORD: c2VjcmV0cGFzcw==  # base64 encoded

# Use in a Pod (fragment of a container spec, under spec.containers[])
env:
  - name: APP_ENV
    valueFrom:
      configMapKeyRef:
        name: app-config
        key: APP_ENV
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: app-secrets
        key: DB_PASSWORD
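
Example added here, not from the original page: a small Python check to run over manifests before they are committed. It reports Secret values that are recoverable by base64 decoding alone and ConfigMap keys that look like credentials. The manifests are constructed samples in JSON form; `audit`, `CREDENTIAL_HINTS` and the `legacy-config` and `broken-secret` objects are assumptions for illustration.

```python
import base64

# Constructed sample manifests: JSON form of the page's Secret and ConfigMap,
# plus two hypothetical objects that show the failure cases.
MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "app-secrets"},
     "data": {"DB_PASSWORD": "c2VjcmV0cGFzcw=="}},
    {"kind": "ConfigMap", "metadata": {"name": "app-config"},
     "data": {"APP_ENV": "production", "DB_HOST": "postgres-service",
              "LOG_LEVEL": "info"}},
    {"kind": "ConfigMap", "metadata": {"name": "legacy-config"},
     "data": {"API_TOKEN": "constructed-value", "LOG_LEVEL": "debug"}},
    {"kind": "Secret", "metadata": {"name": "broken-secret"},
     "data": {"TLS_KEY": "not base64!"}},
]
CREDENTIAL_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY",
                    "PRIVATE_KEY")

def audit(manifests):
    """Return (object name, key, finding) tuples; secret values are never echoed."""
    findings = []
    for m in manifests:
        name, kind = m["metadata"]["name"], m["kind"]
        if kind == "Secret":
            for key, value in m.get("data", {}).items():
                try:
                    size = len(base64.b64decode(value, validate=True))
                except ValueError:  # binascii.Error is a ValueError subclass
                    findings.append((name, key, "data value is not valid base64"))
                    continue
                findings.append(
                    (name, key,
                     f"{size}-byte value recoverable by base64 decode alone"))
            for key in m.get("stringData", {}):
                findings.append((name, key, "plaintext value in stringData"))
        elif kind == "ConfigMap":
            for key in m.get("data", {}):
                if any(hint in key.upper() for hint in CREDENTIAL_HINTS):
                    findings.append(
                        (name, key, "credential-like key in a ConfigMap"))
    return findings

if __name__ == "__main__":
    for finding in audit(MANIFESTS):
        print(*finding, sep=" | ")
```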

4. Explain Kubernetes Services and their types

# ClusterIP (default) — only accessible within cluster
apiVersion: v1
kind: Service
metadata:
  name: backend          # example name
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
    - port: 8000
      targetPort: 8000

# The remaining types are shown as spec fragments; apiVersion, kind and metadata are as above.

# NodePort — exposes on each node's IP at static port
spec:
  type: NodePort
  ports:
    - port: 80
      nodePort: 30080  # 30000-32767 range

# LoadBalancer — cloud provider creates LB
spec:
  type: LoadBalancer
  # Creates AWS ALB, GCP Load Balancer, Azure LB automatically

# Headless — no virtual IP, returns pod IPs directly (for StatefulSet)
spec:
  clusterIP: None
  selector:
    app: kafka

5. What is the difference between liveness and readiness probes?

containers:
  - name: app
    livenessProbe:       # Is the container alive? If it fails: RESTART container
      httpGet:
        path: /health
        port: 8000
      initialDelaySeconds: 30
      periodSeconds: 10
      failureThreshold: 3

    readinessProbe:      # Is the container ready for traffic? If it fails: removed from Service endpoints (load balancing)
      httpGet:
        path: /ready
        port: 8000
      initialDelaySeconds: 5
      periodSeconds: 5

    startupProbe:        # For slow-starting apps — delays liveness check
      httpGet:
        path: /startup
        port: 8000
      failureThreshold: 30   # gives 5*30=150s for startup
      periodSeconds: 5

6. How does Horizontal Pod Autoscaler (HPA) work?

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myapp-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp
  minReplicas: 2
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70  # scale when avg CPU > 70%
    - type: Resource
      resource:
        name: memory
        target:
          type: AverageValue
          averageValue: 500Mi
    # Custom metrics (requires metrics-server + Prometheus adapter)
    - type: Pods
      pods:
        metric:
          name: requests_per_second
        target:
          type: AverageValue
          averageValue: 100

7. Explain Kubernetes RBAC

# ServiceAccount — identity for pods
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: production
---
# Role — permissions within a namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]   # the log subresource is "pods/log"; "pods/logs" matches nothing
    verbs: ["get", "list", "watch"]
---
# ClusterRole — cluster-wide permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-manager   # example name
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "delete"]
---
# RoleBinding — attach role to service account
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myapp-pod-reader
  namespace: production      # must be the namespace of the Role it references
subjects:
  - kind: ServiceAccount
    name: myapp-sa
    namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
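
Example added here (not from the original page or the Kubernetes code base): a simplified Python model of how a request is matched against the Role and RoleBinding above. It shows that access is default-deny, that a rule on `pods` does not cover the `pods/log` subresource, and that a misspelled entry such as `pods/logs` grants nothing. The helper names (`make_role`, `rule_allows`, `can_i`, `check`) and the sample dicts are assumptions for illustration.

```python
# Simplified model of RBAC rule matching (added example, not Kubernetes source).
# The dicts are constructed sample data mirroring the page's Role and RoleBinding.

def make_role(resources):
    return {"kind": "Role", "namespace": "production", "name": "pod-reader",
            "rules": [{"apiGroups": [""], "resources": resources,
                       "verbs": ["get", "list", "watch"]}]}

BINDING = {"namespace": "production",
           "subjects": [{"kind": "ServiceAccount", "name": "myapp-sa",
                         "namespace": "production"}],
           "roleRef": {"kind": "Role", "name": "pod-reader"}}

def rule_allows(rule, verb, group, resource, subresource=""):
    """True if one rule covers the request. Rules only grant; there is no deny."""
    full = f"{resource}/{subresource}" if subresource else resource
    verb_ok = any(v in ("*", verb) for v in rule["verbs"])
    group_ok = any(g in ("*", group) for g in rule["apiGroups"])
    # "pods" alone does not cover "pods/log": a subresource needs an exact
    # entry, "*", or the "*/<subresource>" form.
    res_ok = any(r in ("*", full)
                 or (subresource != "" and r == "*/" + subresource)
                 for r in rule["resources"])
    return verb_ok and group_ok and res_ok

def can_i(role, binding, sa, sa_ns, namespace, verb, resource,
          subresource="", group=""):
    """Default deny: allow only if the binding lives in the request namespace,
    names the subject, and points at a Role with a matching rule."""
    if binding["namespace"] != namespace or role["namespace"] != namespace:
        return False  # a Role and its RoleBinding grant nothing elsewhere
    ref = binding["roleRef"]
    if (ref["kind"], ref["name"]) != (role["kind"], role["name"]):
        return False
    bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa
                and s["namespace"] == sa_ns for s in binding["subjects"])
    return bound and any(rule_allows(r, verb, group, resource, subresource)
                         for r in role["rules"])

TYPO_ROLE = make_role(["pods", "pods/logs"])   # misspelled subresource
FIXED_ROLE = make_role(["pods", "pods/log"])   # real subresource name

def check(role, verb, resource, subresource="", namespace="production"):
    """Ask the question for myapp-sa, the subject named in BINDING."""
    return can_i(role, BINDING, "myapp-sa", "production", namespace,
                 verb, resource, subresource)

if __name__ == "__main__":
    for label, role in (("pods/logs", TYPO_ROLE), ("pods/log", FIXED_ROLE)):
        print(label, "-> can read pod logs:", check(role, "get", "pods", "log"))
```

On a live cluster the same questions can be asked with `kubectl auth can-i`, impersonating the service account.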

8. What happens when you run `kubectl apply -f deployment.yaml`?

  1. kubectl sends the manifest to the API Server (via HTTPS)
  2. API Server validates and authenticates the request
  3. API Server persists to etcd (cluster state store)
  4. Deployment Controller detects the change via Watch
  5. Controller creates ReplicaSet if needed
  6. ReplicaSet Controller creates Pod specs
  7. Scheduler assigns Pods to nodes (based on resources, taints, affinity)
  8. kubelet on the node pulls the image and starts the container
  9. Pod status is updated back to etcd

Kubernetes interview success: understand the control plane (API Server, etcd, Scheduler, Controllers), know the difference between Deployment/StatefulSet/DaemonSet, explain probes clearly, and know networking (Services, Ingress, Network Policies). Production K8s questions often cover RBAC, HPA, resource limits, and pod disruption budgets.
