# Calico Kubernetes CNI Quiz - Section 1
## Question 1
What is Calico's primary function as a Container Network Interface (CNI) in Kubernetes?
- [ ] A) Manage container orchestration
- [ ] B) Provide network connectivity and security policy between pods
- [ ] C) Monitor cluster performance
- [ ] D) Distribute container workloads across nodes
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Provide network connectivity and security policy between pods**
Calico is a CNI plugin that provides network connectivity between pods in a Kubernetes cluster and implements network security policies. It establishes a flat Layer 3 network and allows pods on different nodes to communicate directly without encapsulation by default.
</details>
## Question 2
Which network protocol does Calico primarily use for routing traffic between nodes?
- [ ] A) VXLAN
- [ ] B) BGP (Border Gateway Protocol)
- [ ] C) IPSec
- [ ] D) OSPF
<details>
<summary>Show Answer</summary>
**Correct Answer: B) BGP (Border Gateway Protocol)**
By default, Calico uses BGP (Border Gateway Protocol) to route packets between nodes without requiring encapsulation. This approach provides high performance and efficient routing by leveraging standard IP routing principles.
</details>
## Question 3
What is the primary Calico component responsible for programming routes and ACLs?
- [ ] A) calico-typha
- [ ] B) calico-kube-controllers
- [ ] C) calico-felix
- [ ] D) calico-bird
<details>
<summary>Show Answer</summary>
**Correct Answer: C) calico-felix**
Felix is Calico's agent that runs on each node. It's responsible for programming routes and ACLs to provide the desired connectivity and policy enforcement for workloads on that node.
</details>
## Question 4
Which one of these is NOT a valid Calico network mode?
- [ ] A) IPIP
- [ ] B) VXLAN
- [ ] C) Direct routing
- [ ] D) MPLS
<details>
<summary>Show Answer</summary>
**Correct Answer: D) MPLS**
Calico supports several network modes including IPIP (IP-in-IP), VXLAN (Virtual Extensible LAN), and direct routing (native BGP), but does not support MPLS (Multiprotocol Label Switching).
</details>
## Question 5
What is the purpose of Calico's IPPool resource?
- [ ] A) To define the IPs that can access external services
- [ ] B) To specify which IP addresses can be assigned to pods
- [ ] C) To group IP addresses for monitoring purposes
- [ ] D) To create virtual IP pools for load balancing
<details>
<summary>Show Answer</summary>
**Correct Answer: B) To specify which IP addresses can be assigned to pods**
IPPool resources in Calico define the IP address ranges (CIDRs) that Calico can assign to pods. They also specify whether IP-in-IP or VXLAN encapsulation should be used for traffic within that pool.
</details>
## Question 6
Which Kubernetes resource most directly maps to Calico's NetworkPolicy implementation?
- [ ] A) ConfigMap
- [ ] B) Service
- [ ] C) NetworkPolicy
- [ ] D) Ingress
<details>
<summary>Show Answer</summary>
**Correct Answer: C) NetworkPolicy**
Calico implements the Kubernetes NetworkPolicy API, extending it with its own custom resources for more advanced policy capabilities. Standard Kubernetes NetworkPolicy resources are directly enforced by Calico.
</details>
## Question 7
What is the purpose of Calico's Typha component?
- [ ] A) To authenticate users accessing the Kubernetes API
- [ ] B) To fan-out Kubernetes API events to multiple Felix instances
- [ ] C) To establish BGP connections with external routers
- [ ] D) To implement advanced firewall rules
<details>
<summary>Show Answer</summary>
**Correct Answer: B) To fan-out Kubernetes API events to multiple Felix instances**
Typha acts as a proxy between the Kubernetes API server and the Felix instances running on each node. It helps reduce the load on the Kubernetes API server in large clusters by sharing a single connection that fans out to multiple Felix instances.
</details>
## Question 8
What is the default encapsulation mode for Calico?
- [ ] A) IPIP always
- [ ] B) VXLAN
- [ ] C) No encapsulation (direct routing)
- [ ] D) GRE tunneling
<details>
<summary>Show Answer</summary>
**Correct Answer: C) No encapsulation (direct routing)**
By default, Calico uses a non-encapsulated approach (direct routing) where packets are natively routed between hosts using BGP to exchange routing information. This provides better performance by avoiding the overhead of encapsulation.
</details>
## Question 9
Which command would you use to install the calicoctl command-line tool as a kubectl plugin?
- [ ] A) `curl -o kubectl-calico -L https://github.com/projectcalico/calico/releases/latest/download/calicoctl`
- [ ] B) `kubectl install calico`
- [ ] C) `helm install calico projectcalico/calicoctl`
- [ ] D) `apt-get install calicoctl`
<details>
<summary>Show Answer</summary>
**Correct Answer: A) `curl -o kubectl-calico -L https://github.com/projectcalico/calico/releases/latest/download/calicoctl`**
To install calicoctl as a kubectl plugin, you download the binary, name it kubectl-calico, and place it somewhere in your PATH. This allows you to use it as `kubectl calico`.
</details>
## Question 10
What is a key advantage of Calico's eBPF dataplane compared to the standard Linux dataplane?
- [ ] A) Better compatibility with older Linux kernels
- [ ] B) Support for Windows nodes
- [ ] C) Improved performance and reduced CPU usage
- [ ] D) Native integration with service meshes
<details>
<summary>Show Answer</summary>
**Correct Answer: C) Improved performance and reduced CPU usage**
Calico's eBPF dataplane bypasses iptables and provides direct, optimized paths for traffic, resulting in improved throughput, reduced latency, and lower CPU usage compared to the standard Linux dataplane that relies on iptables.
</details>
# Calico Kubernetes CNI Quiz - Section 2
## Question 11
Which component is responsible for distributing BGP routes in a Calico network?
- [ ] A) calico-felix
- [ ] B) calico-typha
- [ ] C) BIRD
- [ ] D) etcd
<details>
<summary>Show Answer</summary>
**Correct Answer: C) BIRD**
BIRD (BIRD Internet Routing Daemon) is the BGP routing daemon that Calico uses to exchange routing information between nodes. It's responsible for advertising and learning routes to and from other nodes in the cluster.
</details>
## Question 12
What is the purpose of Calico's GlobalNetworkPolicy resource?
- [ ] A) To define networking policies that apply across all namespaces
- [ ] B) To configure global BGP settings
- [ ] C) To set up global IP address management
- [ ] D) To establish connections with external networks
<details>
<summary>Show Answer</summary>
**Correct Answer: A) To define networking policies that apply across all namespaces**
GlobalNetworkPolicy is a Calico-specific resource that extends Kubernetes NetworkPolicy by allowing policies to be applied across all namespaces in a cluster, unlike standard NetworkPolicies which are namespace-scoped.
</details>
## Question 13
Which Calico component is responsible for IP address management (IPAM)?
- [ ] A) calico-felix
- [ ] B) calico-ipam
- [ ] C) calico-typha
- [ ] D) calico-node
<details>
<summary>Show Answer</summary>
**Correct Answer: B) calico-ipam**
The calico-ipam component handles IP address management for Calico. It allocates IP addresses to pods from configured IP pools and ensures there are no conflicts in the allocations.
</details>
## Question 14
What happens to existing connections when a NetworkPolicy is updated in Calico?
- [ ] A) All existing connections are immediately terminated
- [ ] B) Existing connections are maintained but new connections follow the updated policy
- [ ] C) Connections are paused until they can be verified against the new policy
- [ ] D) All pods are restarted to apply the new policy
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Existing connections are maintained but new connections follow the updated policy**
Calico uses connection tracking to maintain state information about existing connections. When policies are updated, existing connections typically remain unaffected while new connection attempts are evaluated against the updated policy.
</details>
## Question 15
What is a Route Reflector in Calico BGP networking?
- [ ] A) A node that monitors network traffic for security issues
- [ ] B) A central component that reflects routes between BGP peers
- [ ] C) A special pod that provides external connectivity
- [ ] D) A debugging tool for network paths
<details>
<summary>Show Answer</summary>
**Correct Answer: B) A central component that reflects routes between BGP peers**
In large Calico deployments, Route Reflectors help scale the BGP network by reducing the number of peer connections needed. They act as central points that receive routes from some peers and reflect them to others, avoiding the need for a full BGP mesh.
</details>
## Question 16
Which Calico dataplane mode provides the best performance for most Kubernetes deployments?
- [ ] A) Standard Linux with iptables
- [ ] B) VXLAN encapsulation
- [ ] C) eBPF
- [ ] D) IPIP tunneling
<details>
<summary>Show Answer</summary>
**Correct Answer: C) eBPF**
The eBPF dataplane generally provides the best performance for most deployments due to its optimized packet processing path that bypasses iptables. It offers lower latency and higher throughput, especially for service traffic.
</details>
## Question 17
How does Calico handle pod-to-pod communication across different nodes by default?
- [ ] A) By creating overlay networks with VXLAN
- [ ] B) By using BGP to propagate routes between nodes
- [ ] C) By sending all traffic through the Kubernetes master
- [ ] D) By using a central load balancer
<details>
<summary>Show Answer</summary>
**Correct Answer: B) By using BGP to propagate routes between nodes**
By default, Calico uses BGP to exchange routing information between nodes. Each node advertises the pod CIDRs it hosts, allowing direct routing of traffic between pods on different nodes without encapsulation.
</details>
## Question 18
What is the recommended way to back up Calico network policies?
- [ ] A) Export NetworkPolicy objects using kubectl
- [ ] B) Take snapshots of the etcd database
- [ ] C) Use calicoctl to export resources
- [ ] D) Copy the /etc/calico directory from master nodes
<details>
<summary>Show Answer</summary>
**Correct Answer: C) Use calicoctl to export resources**
The recommended way to back up Calico configuration is to use `calicoctl get` commands to export resources to YAML files, which can later be restored using `calicoctl apply`.
</details>
## Question 19
What is a Calico BGP peer?
- [ ] A) A Kubernetes node running Calico
- [ ] B) An external router that exchanges routes with the Calico network
- [ ] C) A redundant controller for high availability
- [ ] D) A virtual network interface
<details>
<summary>Show Answer</summary>
**Correct Answer: B) An external router that exchanges routes with the Calico network**
A BGP peer in Calico typically refers to an external router that exchanges routing information with the Calico network. This allows integration between the Kubernetes cluster network and external networks.
</details>
## Question 20
Which feature allows Calico to enforce network policy on traffic between pods and external non-Calico networks?
- [ ] A) GlobalNetworkPolicy
- [ ] B) HostEndpoint
- [ ] C) IPPool
- [ ] D) NetworkSet
<details>
<summary>Show Answer</summary>
**Correct Answer: B) HostEndpoint**
HostEndpoint resources represent the interfaces on the host (rather than in pods) and allow Calico to enforce network policy on traffic passing through these interfaces, including traffic between pods and external networks.
</details>
# Calico Kubernetes CNI Quiz - Section 3
## Question 21
What is Calico Enterprise, and how does it differ from open-source Calico?
- [ ] A) It's identical but includes professional support
- [ ] B) It provides additional features like hierarchical policy, advanced threat defense, and compliance reporting
- [ ] C) It's a fully managed cloud offering of Calico
- [ ] D) It only differs in its user interface
<details>
<summary>Show Answer</summary>
**Correct Answer: B) It provides additional features like hierarchical policy, advanced threat defense, and compliance reporting**
Calico Enterprise builds on open-source Calico and adds enterprise features such as hierarchical network policy, advanced threat defense, compliance reporting, and a management UI. It's designed for organizations with complex security and compliance requirements.
</details>
## Question 22
Which command would you use to view the status of BGP peering in a Calico network?
- [ ] A) `kubectl get bgppeers`
- [ ] B) `calicoctl node status`
- [ ] C) `kubectl describe nodes`
- [ ] D) `calico-bgp-status`
<details>
<summary>Show Answer</summary>
**Correct Answer: B) `calicoctl node status`**
The `calicoctl node status` command displays the status of BGP peering connections between the local node and its BGP peers, showing established connections and route counts.
</details>
## Question 23
Which Calico feature allows automatic detection and prevention of IP conflicts?
- [ ] A) calico-ipam
- [ ] B) Block affinity
- [ ] C) IP reputation
- [ ] D) Host endpoint monitoring
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Block affinity**
Block affinity is a Calico IPAM feature that ensures each node can only allocate IPs from blocks it has affinity with, preventing conflicts between nodes trying to allocate the same IPs to different pods.
</details>
## Question 24
When using Calico with Kubernetes, where can network policies be defined?
- [ ] A) Only in Kubernetes using NetworkPolicy resources
- [ ] B) Only in Calico using GlobalNetworkPolicy resources
- [ ] C) In both Kubernetes NetworkPolicy and Calico-specific policy resources
- [ ] D) Only in the CNI configuration file
<details>
<summary>Show Answer</summary>
**Correct Answer: C) In both Kubernetes NetworkPolicy and Calico-specific policy resources**
Calico implements standard Kubernetes NetworkPolicy resources and also provides its own extended policy resources like NetworkPolicy (namespaced) and GlobalNetworkPolicy (cluster-wide) with additional capabilities.
</details>
## Question 25
What happens if a pod matches multiple network policies in Calico?
- [ ] A) Only the first matching policy is applied
- [ ] B) All matching policies are combined with OR logic
- [ ] C) All matching policies are combined with AND logic
- [ ] D) The most specific policy overrides more general ones
<details>
<summary>Show Answer</summary>
**Correct Answer: C) All matching policies are combined with AND logic**
When multiple policies match a pod in Calico, they are combined using AND logic, meaning traffic must be allowed by all applicable policies to be permitted. This implements a defense-in-depth approach to network security.
</details>
## Question 26
Which Calico setting would you modify to enable IPIP encapsulation only for cross-subnet traffic?
- [ ] A) `ipipMode: CrossSubnet`
- [ ] B) `encapsulation: ipip-cross-subnet`
- [ ] C) `enableIPIP: subnet`
- [ ] D) `tunnelMode: selective`
<details>
<summary>Show Answer</summary>
**Correct Answer: A) `ipipMode: CrossSubnet`**
Setting `ipipMode: CrossSubnet` in an IPPool resource configures Calico to use IPIP encapsulation only when pods communicate across different subnets, while using direct routing within the same subnet for better performance.
</details>
## Question 27
What is the purpose of the calico-node DaemonSet?
- [ ] A) To run only on master nodes for control plane functions
- [ ] B) To run on all nodes and manage network interfaces and routes
- [ ] C) To provide a dashboard for monitoring Calico
- [ ] D) To manage external access to the cluster
<details>
<summary>Show Answer</summary>
**Correct Answer: B) To run on all nodes and manage network interfaces and routes**
The calico-node DaemonSet runs on every node in the cluster. It contains Felix, BIRD (for BGP), and other components needed to configure networking and implement policies on each node.
</details>
## Question 28
How does Calico implement Kubernetes NetworkPolicies?
- [ ] A) By generating iptables rules or eBPF programs to enforce the policies
- [ ] B) By configuring the Linux kernel's network stack directly
- [ ] C) By using a proxy to filter traffic
- [ ] D) By reconfiguring the container runtime
<details>
<summary>Show Answer</summary>
**Correct Answer: A) By generating iptables rules or eBPF programs to enforce the policies**
Calico implements NetworkPolicies by translating them into iptables rules (in standard Linux dataplane) or eBPF programs (in eBPF dataplane) that filter traffic according to the defined policies.
</details>
## Question 29
What is the function of Calico's NetworkSet resource?
- [ ] A) To define a set of allowed external IP addresses
- [ ] B) To group pods into logical networks
- [ ] C) To create a set of IP addresses or CIDRs that can be referenced in policies
- [ ] D) To establish network segments for traffic isolation
<details>
<summary>Show Answer</summary>
**Correct Answer: C) To create a set of IP addresses or CIDRs that can be referenced in policies**
NetworkSet is a Calico resource that defines a named set of IP addresses or CIDRs that can be referenced in network policies, making it easier to manage policies that apply to multiple external endpoints.
</details>
## Question 30
Which feature allows Calico to provide security for host interfaces as well as pods?
- [ ] A) Host protection policies
- [ ] B) Network security groups
- [ ] C) Host endpoints
- [ ] D) Interface policies
<details>
<summary>Show Answer</summary>
**Correct Answer: C) Host endpoints**
Host endpoints allow Calico's network policy engine to protect the interfaces of the host itself, not just pods. This enables consistent security policy enforcement across both pod and host traffic.
</details>
# Calico Kubernetes CNI Quiz - Section 4
## Question 31
What type of proxy is Calico's eBPF dataplane able to replace for Kubernetes services?
- [ ] A) NGINX Ingress Controller
- [ ] B) kube-proxy
- [ ] C) Envoy
- [ ] D) HAProxy
<details>
<summary>Show Answer</summary>
**Correct Answer: B) kube-proxy**
Calico's eBPF dataplane can replace kube-proxy for implementing Kubernetes services, providing better performance by bypassing iptables and implementing service handling directly in eBPF.
</details>
## Question 32
Which Calico component is responsible for populating iptables with rules that match Kubernetes NetworkPolicies?
- [ ] A) calico-typha
- [ ] B) calico-bird
- [ ] C) calico-kube-controllers
- [ ] D) calico-felix
<details>
<summary>Show Answer</summary>
**Correct Answer: D) calico-felix**
Felix, running as part of calico-node on each node, is responsible for programming the Linux networking dataplane including populating iptables with rules that implement the defined NetworkPolicies.
</details>
## Question 33
What is the primary benefit of using Calico's native BGP networking over an overlay network like VXLAN?
- [ ] A) Simpler troubleshooting
- [ ] B) Better performance due to no encapsulation overhead
- [ ] C) Improved security features
- [ ] D) Required for multi-cluster support
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Better performance due to no encapsulation overhead**
Calico's native BGP networking (direct routing) typically offers better performance than overlay networks because packets are natively routed without the overhead of encapsulation and decapsulation required by overlay solutions like VXLAN.
</details>
## Question 34
When would you need to use Calico's IPIP or VXLAN encapsulation?
- [ ] A) When the underlying network allows direct routing between pods
- [ ] B) When nodes are on different Layer 3 networks that don't allow BGP peering
- [ ] C) Only when using the eBPF dataplane
- [ ] D) Only when connecting to external services
<details>
<summary>Show Answer</summary>
**Correct Answer: B) When nodes are on different Layer 3 networks that don't allow BGP peering**
Encapsulation modes like IPIP or VXLAN are typically needed when nodes are on different subnets and the underlying network infrastructure doesn't allow direct routing or BGP peering between them, such as in many cloud environments.
</details>
## Question 35
What is the purpose of Calico's "allow-all" default policy profile?
- [ ] A) It explicitly allows all traffic by default
- [ ] B) It ensures backward compatibility with older Kubernetes versions
- [ ] C) It provides a fallback when no NetworkPolicies are defined
- [ ] D) It's a sample policy for educational purposes
<details>
<summary>Show Answer</summary>
**Correct Answer: A) It explicitly allows all traffic by default**
In earlier versions of Calico, the "allow-all" default policy profile was used to ensure pods could communicate by default (before any NetworkPolicies were defined). In current versions, this behavior is aligned with the Kubernetes NetworkPolicy model.
</details>
## Question 36
How does Calico extend the Kubernetes NetworkPolicy API?
- [ ] A) It doesn't; it only implements the standard API
- [ ] B) By adding support for egress policies
- [ ] C) By adding advanced features like rule ordering, denied rules, and global policies
- [ ] D) By supporting additional protocols beyond TCP
<details>
<summary>Show Answer</summary>
**Correct Answer: C) By adding advanced features like rule ordering, denied rules, and global policies**
Calico extends the Kubernetes NetworkPolicy API with additional features including explicit rule ordering, denied rules (not just allowed), global policies that apply across namespaces, and selectors with more complex matching capabilities.
</details>
## Question 37
What protocol does Calico use for service advertisements in its BGP implementation?
- [ ] A) OSPF
- [ ] B) BGP
- [ ] C) RIP
- [ ] D) IS-IS
<details>
<summary>Show Answer</summary>
**Correct Answer: B) BGP**
Calico uses BGP not only for pod networking but also to advertise Kubernetes service IPs, allowing external BGP peers to route traffic to services in the cluster.
</details>
## Question 38
How can you view all Calico network policies affecting a specific pod?
- [ ] A) `kubectl describe pod <pod-name>`
- [ ] B) `calicoctl get networksecurity <pod-name>`
- [ ] C) `calicoctl policy pod <pod-name>`
- [ ] D) There's no direct command; you must analyze labels and policies manually
<details>
<summary>Show Answer</summary>
**Correct Answer: D) There's no direct command; you must analyze labels and policies manually**
Calico doesn't provide a built-in command to show all policies affecting a specific pod. You need to examine the pod's labels and then find all policies with selectors that match those labels.
</details>
## Question 39
What happens to traffic in Calico if no NetworkPolicies select a pod?
- [ ] A) All traffic is allowed
- [ ] B) All traffic is denied
- [ ] C) Only intra-namespace traffic is allowed
- [ ] D) Only ingress traffic is denied, egress is allowed
<details>
<summary>Show Answer</summary>
**Correct Answer: A) All traffic is allowed**
By default, if no NetworkPolicies select a pod, all traffic to and from that pod is allowed. This is consistent with the Kubernetes NetworkPolicy model.
</details>
## Question 40
Which type of selectors can be used in Calico policies but not in Kubernetes NetworkPolicies?
- [ ] A) Namespace selectors
- [ ] B) Service account selectors
- [ ] C) Node selectors
- [ ] D) All of these are Calico-specific extensions
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Service account selectors**
Calico extends the Kubernetes NetworkPolicy model with several additional selector types, including the ability to select endpoints based on their service account, which isn't available in standard Kubernetes NetworkPolicies.
</details>
# Calico Kubernetes CNI Quiz - Section 5
## Question 41
What is the purpose of a Calico IPAM block?
- [ ] A) To group network policies logically
- [ ] B) To reserve a range of IP addresses for a specific node
- [ ] C) To isolate network traffic between different applications
- [ ] D) To define external CIDR ranges that can access the cluster
<details>
<summary>Show Answer</summary>
**Correct Answer: B) To reserve a range of IP addresses for a specific node**
In Calico's IPAM system, IP address pools are divided into blocks, and nodes claim "affinity" to specific blocks. This means each node is allocated a portion of the overall IP pool, from which it assigns addresses to local pods.
</details>
## Question 42
Which configuration would you use to enable Calico's WireGuard encryption?
- [ ] A) Set `encryptionMode: wireguard` in the Felix configuration
- [ ] B) Set `wireguardEnabled: true` in the Felix configuration
- [ ] C) Install the WireGuard CNI plugin alongside Calico
- [ ] D) Enable the encryption operator in the Calico operators configuration
<details>
<summary>Show Answer</summary>
**Correct Answer: B) Set `wireguardEnabled: true` in the Felix configuration**
To enable WireGuard encryption in Calico, you set `wireguardEnabled: true` in the Felix configuration, which enables node-to-node encryption of pod traffic using the WireGuard protocol.
</details>
## Question 43
What is the purpose of the "DefaultDeny" policy in Calico?
- [ ] A) To block all traffic by default
- [ ] B) To deny traffic that doesn't match any allow rules
- [ ] C) To create a baseline security posture where pods can't communicate until explicitly allowed
- [ ] D) To prevent external access to the cluster
<details>
<summary>Show Answer</summary>
**Correct Answer: C) To create a baseline security posture where pods can't communicate until explicitly allowed**
A DefaultDeny policy implements a zero-trust network approach where pods are isolated by default and can only communicate when explicitly allowed by policy, providing a more secure baseline than the default allow-all behavior.
</details>
## Question 44
How does Calico detect endpoint information for enforcing network policies?
- [ ] A) It queries the container runtime API directly
- [ ] B) It monitors the Kubernetes API server for pod events
- [ ] C) It uses a sidecar in each pod to report its status
- [ ] D) It periodically scans the node's network interfaces
<details>
<summary>Show Answer</summary>
**Correct Answer: B) It monitors the Kubernetes API server for pod events**
Calico watches the Kubernetes API server for pod-related events to discover the existence of endpoints, their IPs, and labels. It then uses this information to calculate which policies apply to each endpoint.
</details>
## Question 45
What component would you use to extend Calico's network policy with application-layer (L7) filtering?
- [ ] A) Istio with Calico integration
- [ ] B) Calico's L7 plugin (calico-l7)
- [ ] C) Felix with deep packet inspection enabled
- [ ] D) Envoy network filter
<details>
<summary>Show Answer</summary>
**Correct Answer: A) Istio with Calico integration**
Calico can integrate with Istio service mesh to enable application-layer (L7) network policies. This combination allows Calico to enforce policies based on HTTP attributes like paths, methods, and headers.
</details>
## Question 46
What is the purpose of the `nodemesh` BGP configuration in Calico?
- [ ] A) To enable BGP peering between every node in the cluster
- [ ] B) To restrict BGP peering to specific nodes
- [ ] C) To establish BGP peering with external routers
- [ ] D) To disable BGP completely and use overlay networking
<details>
<summary>Show Answer</summary>
**Correct Answer: A) To enable BGP peering between every node in the cluster**
The `nodemesh` BGP configuration controls whether Calico automatically sets up a full BGP mesh between all nodes in the cluster. When enabled, each node establishes BGP peering with every other node.
</details>
## Question 47
How can you implement traffic flow logs in a Calico network?
- [ ] A) Enable the `flowLogsCollector` plugin
- [ ] B) Configure Felix to log traffic with `flowLogsEnabled: true`
- [ ] C) Use Calico Enterprise's flow logs feature
- [ ] D) Deploy a sidecar container that captures network traffic
<details>
<summary>Show Answer</summary>
**Correct Answer: C) Use Calico Enterprise's flow logs feature**
Flow logs, which capture metadata about network connections for visibility and compliance, are a Calico Enterprise feature and not available in the open-source version of Calico.
</details>
## Question 48
What is required to use Calico's eBPF dataplane?
- [ ] A) A recent Linux kernel (4.18+) with eBPF support
- [ ] B) Special hardware with eBPF acceleration
- [ ] C) A custom container runtime
- [ ] D) Dedicated network interface cards
<details>
<summary>Show Answer</summary>
**Correct Answer: A) A recent Linux kernel (4.18+) with eBPF support**
Calico's eBPF dataplane requires a Linux kernel version 4.18 or later with eBPF support. This is a software requirement; no special hardware is needed beyond what's already running Kubernetes.
</details>
## Question 49
What is the relationship between Calico and Project Tiger?
- [ ] A) They are competing CNI projects
- [ ] B) Project Tiger is the upstream project that Calico is based on
- [ ] C) Tigera is the company that maintains Calico
- [ ] D) Project Tiger is the codename for Calico Enterprise
<details>
<summary>Show Answer</summary>
**Correct Answer: C) Tigera is the company that maintains Calico**
Tigera is the company that maintains and develops Calico. They provide both the open-source Calico project and Calico Enterprise, a commercial offering with additional features.
</details>
## Question 50
How does Calico handle DNS for service discovery?
- [ ] A) Calico includes its own DNS server
- [ ] B) It relies on kube-dns or CoreDNS in the Kubernetes cluster
- [ ] C) It uses host files managed by Felix
- [ ] D) It requires an external DNS solution
<details>
<summary>Show Answer</summary>
**Correct Answer: B) It relies on kube-dns or CoreDNS in the Kubernetes cluster**
Calico doesn't implement its own DNS service but integrates with the cluster's DNS service (typically kube-dns or CoreDNS) for service discovery. It ensures its network policies allow the necessary DNS traffic.
</details>