What is Calico's primary function as a Container Network Interface (CNI) in Kubernetes?
Correct Answer: B) Provide network connectivity and security policy between pods
Calico is a CNI plugin that provides network connectivity between pods in a Kubernetes cluster and implements network security policies. It establishes a flat Layer 3 network and allows pods on different nodes to communicate directly without encapsulation by default.
Which network protocol does Calico primarily use for routing traffic between nodes?
Correct Answer: B) BGP (Border Gateway Protocol)
By default, Calico uses BGP (Border Gateway Protocol) to route packets between nodes without requiring encapsulation. This approach provides high performance and efficient routing by leveraging standard IP routing principles.
What is the primary Calico component responsible for programming routes and ACLs?
Correct Answer: C) calico-felix
Felix is Calico's agent that runs on each node. It's responsible for programming routes and ACLs to provide the desired connectivity and policy enforcement for workloads on that node.
Which one of these is NOT a valid Calico network mode?
Correct Answer: D) MPLS
Calico supports several network modes including IPIP (IP-in-IP), VXLAN (Virtual Extensible LAN), and direct routing (native BGP), but does not support MPLS (Multiprotocol Label Switching).
What is the purpose of Calico's IPPool resource?
Correct Answer: B) To specify which IP addresses can be assigned to pods
IPPool resources in Calico define the IP address ranges (CIDRs) that Calico can assign to pods. They also specify whether IPIP or VXLAN encapsulation is used for traffic within that pool (ipipMode and vxlanMode), whether pod traffic leaving the pool is source-NATed (natOutgoing), the IPAM block size used to carve the pool up per node (blockSize), and optionally which nodes may allocate from the pool (nodeSelector).
Which Kubernetes resource most directly maps to Calico's NetworkPolicy implementation?
Correct Answer: C) NetworkPolicy
Calico implements the Kubernetes NetworkPolicy API, extending it with its own custom resources for more advanced policy capabilities. Standard Kubernetes NetworkPolicy resources are directly enforced by Calico.
What is the purpose of Calico's Typha component?
Correct Answer: B) To fan-out Kubernetes API events to multiple Felix instances
Typha acts as a proxy between the Kubernetes API server and the Felix instances running on each node. It helps reduce the load on the Kubernetes API server in large clusters by sharing a single connection that fans out to multiple Felix instances.
What is the default encapsulation mode for Calico?
Correct Answer: C) No encapsulation (direct routing)
By default, Calico routes packets natively between hosts, using BGP to exchange routing information, and so avoids the overhead of encapsulation. Note that many installation manifests enable IPIP on the default IPPool anyway (the legacy calico.yaml manifest sets CALICO_IPV4POOL_IPIP to Always), so check the pool's ipipMode and vxlanMode fields to confirm what a given cluster actually uses.
Which command would you use to install the calicoctl command-line tool as a kubectl plugin?
curl -o kubectl-calico -L https://github.com/projectcalico/calico/releases/latest/download/calicoctl
kubectl install calico
helm install calico projectcalico/calicoctl
apt-get install calicoctl
Correct Answer: A) curl -o kubectl-calico -L https://github.com/projectcalico/calico/releases/latest/download/calicoctl
To install calicoctl as a kubectl plugin, download the binary, name it kubectl-calico, make it executable (chmod +x) and place it somewhere in your PATH; kubectl then exposes it as kubectl calico. In practice the release assets are published per platform (for example calicoctl-linux-amd64), so the URL in option A needs the platform suffix, and you should verify the downloaded binary against the checksums published with the release before installing it.
What is a key advantage of Calico's eBPF dataplane compared to the standard Linux dataplane?
Correct Answer: C) Improved performance and reduced CPU usage
Calico's eBPF dataplane bypasses iptables and provides direct, optimized paths for traffic, resulting in improved throughput, reduced latency, and lower CPU usage compared to the standard Linux dataplane that relies on iptables.
Which component is responsible for distributing BGP routes in a Calico network?
Correct Answer: C) BIRD
BIRD (Bird Internet Routing Daemon) is the BGP routing daemon that Calico uses to exchange routing information between nodes. It's responsible for advertising and learning routes to and from other nodes in the cluster.
What is the purpose of Calico's GlobalNetworkPolicy resource?
Correct Answer: A) To define networking policies that apply across all namespaces
GlobalNetworkPolicy is a Calico-specific, cluster-scoped resource that extends Kubernetes NetworkPolicy: its selector can match endpoints in any namespace (optionally narrowed with namespaceSelector) as well as host endpoints, unlike standard NetworkPolicies, which are namespace-scoped and apply only to pods.
Which Calico component is responsible for IP address management (IPAM)?
Correct Answer: B) calico-ipam
calico-ipam is the IPAM plugin that the Calico CNI plugin invokes when a pod is created. It allocates addresses from the configured IPPools using per-node blocks (see the IPAM block question below) and records each allocation in the Calico datastore, so two nodes cannot hand out the same address.
What happens to existing connections when a NetworkPolicy is updated in Calico?
Correct Answer: B) Existing connections are maintained but new connections follow the updated policy
Calico's dataplane uses connection tracking: packets that belong to an already established flow are accepted before the policy chains are evaluated, so a policy update normally does not terminate existing connections, while new connection attempts are evaluated against the updated policy. If an updated policy must also cut existing flows, the corresponding conntrack entries have to be removed (for example with the conntrack command-line tool) or the pods restarted.
What is a Route Reflector in Calico BGP networking?
Correct Answer: B) A central component that reflects routes between BGP peers
In large Calico deployments, Route Reflectors help scale the BGP network by reducing the number of peer sessions needed. They act as central points that receive routes from some peers and reflect them to others, avoiding the need for a full BGP mesh. A route reflector can be a dedicated router or a Calico node given a routeReflectorClusterID in its BGP configuration; the node-to-node mesh is then disabled and BGPPeer resources point the remaining nodes at the reflectors.
Which Calico dataplane mode provides the best performance for most Kubernetes deployments?
Correct Answer: C) eBPF
The eBPF dataplane generally provides the best performance for most deployments due to its optimized packet processing path that bypasses iptables. It offers lower latency and higher throughput, especially for service traffic.
How does Calico handle pod-to-pod communication across different nodes by default?
Correct Answer: B) By using BGP to propagate routes between nodes
By default, Calico uses BGP to exchange routing information between nodes. Each node advertises the pod CIDRs it hosts, allowing direct routing of traffic between pods on different nodes without encapsulation.
What is the recommended way to back up Calico network policies?
Correct Answer: C) Use calicoctl to export resources
The recommended way to back up Calico configuration is to use calicoctl get with -o yaml to export resources (for example NetworkPolicy, GlobalNetworkPolicy, GlobalNetworkSet, IPPool and BGPConfiguration) to YAML files, which can later be restored with calicoctl apply -f. Because policies reference labels rather than pod IPs, the exported files remain valid across pod restarts and can be kept in version control.
What is a Calico BGP peer?
Correct Answer: B) An external router that exchanges routes with the Calico network
A BGP peer in Calico typically refers to an external router that exchanges routing information with the Calico network. This allows integration between the Kubernetes cluster network and external networks.
Which feature allows Calico to enforce network policy on traffic between pods and external non-Calico networks?
Correct Answer: B) HostEndpoint
HostEndpoint resources represent interfaces on the node itself rather than pod interfaces, and let Calico enforce policy on traffic passing through those interfaces. Policy on pod ingress and egress already governs a pod's own traffic to and from external networks; for host endpoint policy to also cover traffic that the node forwards on behalf of its pods, the policy must set applyOnForward: true.
What is Calico Enterprise, and how does it differ from open-source Calico?
Correct Answer: B) It provides additional features like hierarchical policy, advanced threat defense, and compliance reporting
Calico Enterprise builds on open-source Calico and adds enterprise features such as hierarchical network policy, advanced threat defense, compliance reporting, and a management UI. It's designed for organizations with complex security and compliance requirements.
Which command would you use to view the status of BGP peering in a Calico network?
kubectl get bgppeers
calicoctl node status
kubectl describe nodes
calico-bgp-status
Correct Answer: B) calicoctl node status
The calicoctl node status command, run on the node itself (for example from the calico-node container), displays the local node's BGP sessions: each peer's address, peer type (node-to-node mesh, global or node-specific), session state such as Established, and how long it has been in that state. A peer stuck in Active or Connect usually means a firewall is blocking TCP port 179.
Which Calico feature allows automatic detection and prevention of IP conflicts?
Correct Answer: B) Block affinity
Block affinity is a Calico IPAM feature that ensures each node can only allocate IPs from blocks it has affinity with, preventing conflicts between nodes trying to allocate the same IPs to different pods.
When using Calico with Kubernetes, where can network policies be defined?
Correct Answer: C) In both Kubernetes NetworkPolicy and Calico-specific policy resources
Calico enforces standard Kubernetes NetworkPolicy resources and also provides its own policy resources in the projectcalico.org/v3 API group: NetworkPolicy (namespaced, distinct from the networking.k8s.io resource of the same name) and GlobalNetworkPolicy (cluster-wide), both with additional capabilities such as rule ordering and Deny actions.
What happens if a pod matches multiple network policies in Calico?
Correct Answer: C) They are evaluated together: Kubernetes NetworkPolicies are additive, and Calico policies are evaluated in the sequence given by their order field
Matching policies are not combined with AND logic. Standard Kubernetes NetworkPolicies are additive: the set of allowed connections is the union of what all selecting policies allow. Calico's own policies are evaluated in ascending order of their order field (Kubernetes NetworkPolicies are evaluated at order 1000, ties broken by name); the first rule whose action is Allow or Deny decides the packet, a Pass action hands evaluation to the next policy, and a packet that is selected by at least one policy but matched by no rule is denied. Defense in depth therefore comes from placing Deny rules in lower-numbered policies, not from requiring every policy to agree.
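The evaluation order described above, as an added example that is not Calico's own code: a toy evaluator over constructed policies and endpoints (selectors reduced to exact label matches) that shows Kubernetes NetworkPolicies behaving additively, a lower-order Calico policy with Deny and Pass taking precedence, the deny that applies when a selected endpoint matches no rule, and the effect of adding a default-deny policy.

```python
"""Added example (not Calico's own code): a toy model of how the policies that
select an endpoint are evaluated together. Policies, endpoints and traffic are
constructed for the example; selectors are reduced to exact label matches."""

INF = float("inf")


def match_labels(wanted, labels):
    """Exact-match selector: every wanted key must be present with that value.
    An empty selector matches everything, like Calico's all()."""
    return all(labels.get(k) == v for k, v in wanted.items())


def policy(name, selector, ingress, order=None):
    # Calico represents Kubernetes NetworkPolicies as knp.<namespace>.<name> at order 1000.
    return {"name": name, "selector": selector, "ingress": ingress, "order": order}


def evaluate_ingress(policies, dst_labels, src_labels):
    """Return (verdict, reason) for a new connection from src to dst.

    Kubernetes NetworkPolicies contain only Allow rules, so evaluating them in
    sequence yields the additive (union) semantics Kubernetes specifies.
    Calico policies are evaluated in ascending `order` (ties broken by name,
    unordered policies last): the first matching Allow or Deny decides, Pass
    skips to the next policy, and if nothing matched the packet is denied
    unless the last policy passed, in which case the endpoint's profile applies."""
    selected = [p for p in policies if match_labels(p["selector"], dst_labels)]
    if not selected:
        return "Allow", "no policy selects the endpoint; kns profile allows"
    selected.sort(key=lambda p: (INF if p["order"] is None else p["order"], p["name"]))
    passed = False
    for pol in selected:
        passed = False
        for rule in pol["ingress"]:
            if not match_labels(rule.get("source", {}), src_labels):
                continue
            if rule["action"] in ("Allow", "Deny"):
                return rule["action"], pol["name"]
            if rule["action"] == "Pass":
                passed = True
                break
            # Log: record the packet and keep evaluating the remaining rules
    if passed:
        return "Allow", "all policies passed; kns profile allows"
    return "Deny", "selected by policy but no rule matched"


# Constructed policies: one Calico GlobalNetworkPolicy evaluated first, two
# Kubernetes NetworkPolicies at order 1000, and an optional default-deny.
QUARANTINE = policy("deny-quarantined", {}, [
    {"action": "Deny", "source": {"quarantine": "true"}},
    {"action": "Pass"},                      # hand everything else on
], order=10)
ALLOW_FRONTEND = policy("knp.shop.allow-frontend", {"app": "api"},
                        [{"action": "Allow", "source": {"app": "frontend"}}], order=1000)
ALLOW_MONITORING = policy("knp.shop.allow-monitoring", {"app": "api"},
                          [{"action": "Allow", "source": {"app": "prometheus"}}], order=1000)
DEFAULT_DENY = policy("default-deny", {}, [], order=5000)   # selects all, allows nothing

POLICIES = [QUARANTINE, ALLOW_FRONTEND, ALLOW_MONITORING]
API, DB = {"app": "api"}, {"app": "db"}

if __name__ == "__main__":
    for src in ({"app": "frontend"}, {"app": "prometheus"},
                {"app": "frontend", "quarantine": "true"}, {"app": "batch"}):
        print(src, "->", API, evaluate_ingress(POLICIES, API, src))
    print(DB, "without default-deny:", evaluate_ingress(POLICIES, DB, API))
    print(DB, "with default-deny:   ", evaluate_ingress(POLICIES + [DEFAULT_DENY], DB, API))
```

The db endpoint is the instructive case: selected only by the quarantine policy, whose Pass falls through to the allow-all kns profile, it accepts everything until the default-deny policy selects it too.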
Which Calico setting would you modify to enable IPIP encapsulation only for cross-subnet traffic?
ipipMode: CrossSubnet
encapsulation: ipip-cross-subnet
enableIPIP: subnet
tunnelMode: selective
Correct Answer: A) ipipMode: CrossSubnet
Setting ipipMode: CrossSubnet in an IPPool resource configures Calico to use IPIP encapsulation only when the two nodes are on different subnets, while traffic between nodes on the same subnet is routed directly for better performance. The same CrossSubnet value exists for vxlanMode; an IPPool may enable only one of the two, and IPIP is available for IPv4 pools only.
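The decision the pool setting drives, as an added example that is not Calico's code: given an IPPool-style record and two nodes with their addresses and prefix lengths (all constructed), it returns which encapsulation a packet between them gets, and it applies the pool validation rules (one encapsulation at a time, IPIP only for IPv4). The same function answers the later question of when encapsulation is needed at all.

```python
"""Added example (not Calico's code): which encapsulation a packet between two
nodes gets under an IPPool's ipipMode / vxlanMode setting. Pool and node
records are constructed; the node address includes its prefix length, which is
what Calico uses to decide whether a peer is on the same subnet."""
import ipaddress

MODES = ("Never", "CrossSubnet", "Always")


def validate_pool(pool):
    """Mirror the IPPool constraints: known modes, at most one encapsulation, IPIP only for IPv4."""
    ipip, vxlan = pool.get("ipipMode", "Never"), pool.get("vxlanMode", "Never")
    if ipip not in MODES or vxlan not in MODES:
        raise ValueError("encapsulation modes must be one of %s" % (MODES,))
    if ipip != "Never" and vxlan != "Never":
        raise ValueError("an IPPool may enable only one of ipipMode and vxlanMode")
    if ipip != "Never" and ipaddress.ip_network(pool["cidr"]).version == 6:
        raise ValueError("IPIP encapsulation is only supported for IPv4 pools")
    return ipip, vxlan


def encapsulation_for(pool, src_node, dst_node):
    """Return 'none', 'ipip' or 'vxlan' for pod traffic from src_node to dst_node."""
    ipip, vxlan = validate_pool(pool)
    if src_node["name"] == dst_node["name"]:
        return "none"                                   # same host: plain local routing
    src = ipaddress.ip_interface(src_node["ip"])
    dst = ipaddress.ip_interface(dst_node["ip"])
    same_subnet = dst.ip in src.network                 # CrossSubnet hinges on this test
    for kind, mode in (("ipip", ipip), ("vxlan", vxlan)):
        if mode == "Always" or (mode == "CrossSubnet" and not same_subnet):
            return kind
    return "none"


def encapsulation_matrix(pool, nodes):
    """Every ordered node pair -> encapsulation, useful for checking a pool before rolling it out."""
    return {(s, d): encapsulation_for(pool, nodes[s], nodes[d])
            for s in nodes for d in nodes if s != d}


# Constructed inputs: two nodes in 10.0.1.0/24, one in 10.0.2.0/24.
NODES = {
    "a": {"name": "a", "ip": "10.0.1.5/24"},
    "b": {"name": "b", "ip": "10.0.1.6/24"},
    "c": {"name": "c", "ip": "10.0.2.7/24"},
}
CROSS_SUBNET_IPIP = {"cidr": "10.244.0.0/16", "ipipMode": "CrossSubnet"}

if __name__ == "__main__":
    for pair, encap in sorted(encapsulation_matrix(CROSS_SUBNET_IPIP, NODES).items()):
        print("%s -> %s: %s" % (pair[0], pair[1], encap))
```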
What is the purpose of the calico-node DaemonSet?
Correct Answer: B) To run on all nodes and manage network interfaces and routes
The calico-node DaemonSet runs on every node in the cluster. Its pod contains Felix, BIRD (for BGP) and confd (which generates BIRD's configuration from the Calico datastore), and an init container that installs the CNI plugin binaries and configuration on the host.
How does Calico implement Kubernetes NetworkPolicies?
Correct Answer: A) By generating iptables rules or eBPF programs to enforce the policies
Calico implements NetworkPolicies by translating them into iptables rules (in standard Linux dataplane) or eBPF programs (in eBPF dataplane) that filter traffic according to the defined policies.
What is the function of Calico's NetworkSet resource?
Correct Answer: C) To create a set of IP addresses or CIDRs that can be referenced in policies
NetworkSet is a namespaced Calico resource (GlobalNetworkSet is the cluster-wide form) that defines a labelled set of IP addresses or CIDRs. Policy rules reference the set through its labels with a selector rather than listing addresses inline, which makes it easier to manage policies that apply to many external endpoints, for example an allow-list or a threat feed that changes without the policy itself being edited.
Which feature allows Calico to provide security for host interfaces as well as pods?
Correct Answer: C) Host endpoints
Host endpoints allow Calico's network policy engine to protect the interfaces of the host itself, not just pods. This enables consistent security policy enforcement across both pod and host traffic.
What type of proxy is Calico's eBPF dataplane able to replace for Kubernetes services?
Correct Answer: B) kube-proxy
Calico's eBPF dataplane can replace kube-proxy for implementing Kubernetes services, handling service NAT directly in eBPF and bypassing iptables. Because kube-proxy is no longer there to make the API server's ClusterIP reachable, Calico must be told the API server's real address (the kubernetes-services-endpoint ConfigMap) before kube-proxy is disabled, or the calico-node pods lose contact with the API server.
Which Calico component is responsible for populating iptables with rules that match Kubernetes NetworkPolicies?
Correct Answer: D) calico-felix
Felix, running as part of calico-node on each node, is responsible for programming the Linux networking dataplane including populating iptables with rules that implement the defined NetworkPolicies.
What is the primary benefit of using Calico's native BGP networking over an overlay network like VXLAN?
Correct Answer: B) Better performance due to no encapsulation overhead
Calico's native BGP networking (direct routing) typically offers better performance than overlay networks because packets are natively routed without the overhead of encapsulation and decapsulation required by overlay solutions like VXLAN.
When would you need to use Calico's IPIP or VXLAN encapsulation?
Correct Answer: B) When nodes are on different Layer 3 networks that don't allow BGP peering
Encapsulation modes like IPIP or VXLAN are typically needed when nodes are on different subnets and the underlying network infrastructure doesn't allow direct routing or BGP peering between them, such as in many cloud environments.
What is the purpose of Calico's "allow-all" default policy profile?
Correct Answer: A) It explicitly allows all traffic by default
Calico attaches a profile named kns.<namespace> to every Kubernetes pod (and a ksa.<namespace>.<serviceaccount> profile for its service account). The kns profile allows all ingress and egress, which is what gives a pod that no policy selects the allow-all behaviour the Kubernetes NetworkPolicy model requires; as soon as any policy selects the pod, the policy rules are evaluated first and the profile only applies if a rule passes to it.
How does Calico extend the Kubernetes NetworkPolicy API?
Correct Answer: C) By adding advanced features like rule ordering, denied rules, and global policies
Calico extends the Kubernetes NetworkPolicy API with additional features including explicit rule ordering (the order field), Deny and Pass actions rather than only allow-lists, global policies that apply across namespaces and to host endpoints, and richer selectors (label expressions, service account selectors and NetworkSets).
What protocol does Calico use for service advertisements in its BGP implementation?
Correct Answer: B) BGP
Calico uses BGP not only for pod networking but also to advertise Kubernetes service IPs: the serviceClusterIPs, serviceExternalIPs and serviceLoadBalancerIPs fields of the BGPConfiguration resource list the ranges to advertise, allowing external BGP peers to route traffic to services in the cluster without a separate load balancer.
How can you view all Calico network policies affecting a specific pod?
kubectl describe pod <pod-name>
calicoctl get networksecurity <pod-name>
calicoctl policy pod <pod-name>
Correct Answer: D) There's no direct command; you must analyze labels and policies manually
Open-source Calico doesn't provide a built-in command to show all policies affecting a specific pod (Calico Enterprise's UI does). You need to examine the pod's labels, including the projectcalico.org/namespace and projectcalico.org/serviceaccount labels Calico adds to each workload endpoint, and then find every policy in the pod's namespace or at global scope whose selector matches them; calicoctl get workloadendpoint -o yaml shows the profiles attached to a pod but not the policies.
What happens to traffic in Calico if no NetworkPolicies select a pod?
Correct Answer: A) All traffic is allowed
By default, if no NetworkPolicies select a pod, all traffic to and from that pod is allowed. This is consistent with the Kubernetes NetworkPolicy model.
Which type of selectors can be used in Calico policies but not in Kubernetes NetworkPolicies?
Correct Answer: B) Service account selectors
Calico extends the Kubernetes NetworkPolicy model with several additional selector types, including matching endpoints by service account: a policy's serviceAccountSelector restricts which endpoints the policy applies to, and a rule's serviceAccounts field (names or a selector) restricts which peers it matches. Neither is available in standard Kubernetes NetworkPolicies.
What is the purpose of a Calico IPAM block?
Correct Answer: B) To reserve a range of IP addresses for a specific node
In Calico's IPAM system, IP address pools are divided into blocks, and nodes claim "affinity" to specific blocks. This means each node is allocated a portion of the overall IP pool, from which it assigns addresses to local pods.
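A toy model of the pool, block and affinity scheme just described, as an added example that is not Calico's IPAM code (the pool, nodes and pod names are constructed, and block borrowing between nodes, which real Calico does once a pool has no free blocks, is left out). It also shows why block affinity prevents two nodes from handing out the same address and what each node ends up advertising over BGP.

```python
"""Added example (not Calico's IPAM code): a toy model of Calico IPAM showing
how a pool is carved into blocks, how a node claims affinity to a block, and
why two nodes cannot hand out the same address. Inputs are constructed; block
borrowing across nodes (real Calico does this when a pool runs out of free
blocks) is deliberately left out."""
import ipaddress


class ToyCalicoIPAM:
    def __init__(self, pool_cidr, block_size=26):
        # Calico splits each IPPool into blocks of blockSize (default /26 for IPv4).
        self.pool = ipaddress.ip_network(pool_cidr)
        self.blocks = list(self.pool.subnets(new_prefix=block_size))
        self.affinity = {}   # block -> node that owns it
        self.allocated = {}  # address -> (node, pod)

    def blocks_for(self, node):
        return [b for b, owner in self.affinity.items() if owner == node]

    def claim_block(self, node):
        """A node takes affinity to the first block nobody owns yet."""
        for block in self.blocks:
            if block not in self.affinity:
                self.affinity[block] = node
                return block
        raise RuntimeError("pool %s has no free blocks" % self.pool)

    def allocate(self, node, pod):
        """Next free address from one of the node's own blocks; claim a new block when they are full."""
        for block in self.blocks_for(node) or [self.claim_block(node)]:
            for ip in block:                  # Calico uses every address in a block
                if ip not in self.allocated:
                    self.allocated[ip] = (node, pod)
                    return ip
        self.claim_block(node)
        return self.allocate(node, pod)

    def assign(self, node, pod, address):
        """Explicit request (as with the cni.projectcalico.org/ipAddrs annotation); refused on conflict."""
        ip = ipaddress.ip_address(address)
        if ip in self.allocated:
            raise ValueError("%s already allocated to %s" % (ip, self.allocated[ip]))
        block = next((b for b in self.blocks if ip in b), None)
        if block is None:
            raise ValueError("%s is outside pool %s" % (ip, self.pool))
        if self.affinity.setdefault(block, node) != node:   # unowned block: this node claims it
            raise ValueError("%s lies in block %s owned by %s" % (ip, block, self.affinity[block]))
        self.allocated[ip] = (node, pod)
        return ip

    def release(self, address):
        return self.allocated.pop(ipaddress.ip_address(address), None)

    def advertised_routes(self, node):
        """What the node announces over BGP: one aggregate route per block it owns."""
        return sorted(str(b) for b in self.blocks_for(node))


if __name__ == "__main__":
    ipam = ToyCalicoIPAM("10.244.0.0/16")
    print(ipam.allocate("node-a", "web-1"), ipam.allocate("node-b", "db-1"))
    print("node-a advertises", ipam.advertised_routes("node-a"))
```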
Which configuration would you use to enable Calico's Wireguard encryption?
Set encryptionMode: wireguard in the Felix configuration
Set wireguardEnabled: true in the Felix configuration
Correct Answer: B) Set wireguardEnabled: true in the Felix configuration
To enable WireGuard encryption in Calico, set wireguardEnabled: true in the FelixConfiguration resource (normally the one named default), which turns on node-to-node encryption of pod traffic using the WireGuard protocol. Each node needs WireGuard support in its kernel (built in or as a module); a node without it keeps exchanging unencrypted traffic, so after enabling the setting check that every Node resource reports a wireguardPublicKey in its status.
What is the purpose of the "DefaultDeny" policy in Calico?
Correct Answer: C) To create a baseline security posture where pods can't communicate until explicitly allowed
Calico has no built-in DefaultDeny resource; a default-deny policy is one you write, for example a GlobalNetworkPolicy whose selector matches all workload endpoints and that lists Ingress and Egress in types but contains no allow rules. It implements a zero-trust baseline in which pods are isolated until explicitly allowed, which is a more secure starting point than the default allow-all behaviour. Exclude the kube-system, calico-system and calico-apiserver namespaces and allow DNS egress (UDP and TCP port 53), or the cluster stops working.
How does Calico detect endpoint information for enforcing network policies?
Correct Answer: B) It monitors the Kubernetes API server for pod events
Calico watches the Kubernetes API server for pod-related events to discover the existence of endpoints, their IPs, and labels. It then uses this information to calculate which policies apply to each endpoint.
What component would you use to extend Calico's network policy with application-layer (L7) filtering?
Correct Answer: A) Istio with Calico integration
Calico's application layer policy integrates with the Istio service mesh: Calico's Dikastes component runs alongside the Envoy sidecar and evaluates policy rules with HTTP match criteria (paths, methods and headers) that plain L3/L4 policy cannot express, so L7 enforcement requires the mesh to be deployed.
What is the purpose of the node-to-node mesh (nodeToNodeMeshEnabled) BGP configuration in Calico?
Correct Answer: A) To enable BGP peering between every node in the cluster
The nodeToNodeMeshEnabled field of the BGPConfiguration resource (true by default) controls whether Calico automatically sets up a full BGP mesh between all nodes in the cluster. When enabled, each node peers with every other node, which is simple but needs n(n-1)/2 sessions; large clusters disable it and use route reflectors or explicit BGPPeer resources instead.
How can you implement traffic flow logs in a Calico network?
Use a flowLogsCollector plugin
Set flowLogsEnabled: true
Correct Answer: C) Use Calico Enterprise's flow logs feature
Flow logs, which record metadata about each connection (source and destination endpoints, the policies that matched, bytes and packets) for visibility and compliance, are a Calico Enterprise feature and are not available in open-source Calico. Open-source Calico can log individual policy decisions by giving a rule the Log action, which writes matching packets to the kernel log, but that is a debugging aid rather than flow logging.
What is required to use Calico's eBPF dataplane?
Correct Answer: A) A recent Linux kernel (4.18+) with eBPF support
Calico's eBPF dataplane needs a kernel with the required eBPF features: upstream Linux v5.3 or later (v5.8 or later recommended), or Red Hat Enterprise Linux 8.2 or later, whose 4.18 kernel carries the necessary backports. It also requires Calico to reach the API server directly (the kubernetes-services-endpoint ConfigMap) because kube-proxy is replaced. No special hardware is needed beyond what already runs Kubernetes.
What is the relationship between Calico and Tigera?
Correct Answer: C) Tigera is the company that maintains Calico
Tigera is the company that maintains and develops Calico. They provide both the open-source Calico project and Calico Enterprise, a commercial offering with additional features.
How does Calico handle DNS for service discovery?
Correct Answer: B) It relies on kube-dns or CoreDNS in the Kubernetes cluster
Calico doesn't implement its own DNS service but relies on the cluster's DNS service (typically kube-dns or CoreDNS) for service discovery. Calico does not exempt DNS from policy automatically: the policies the operator writes must allow UDP and TCP port 53 egress to the DNS pods, since a default-deny policy would otherwise break name resolution.