What are Docker namespaces and cgroups? How do they contribute to containerization?

• Namespaces isolate resources (PID, network, mount points, etc.) for each container.
• Cgroups (Control Groups) limit CPU, memory, and disk usage.
• Together, they ensure process isolation and resource allocation.

Example:

cat /proc/self/cgroup

What is the difference between Docker Volumes, Bind Mounts, and tmpfs?

Example (Volume):

docker run -v myvolume:/data nginx

What are Docker BuildKit advantages?

• Parallel execution speeds up builds.
• Efficient caching reduces rebuild time.
• Security improvements via secret mounts.

Enable BuildKit:

DOCKER_BUILDKIT=1 docker build .

How do you secure a Docker container?

• Use minimal base images (e.g., alpine).
• Run as non-root user.
• Limit container capabilities (--cap-drop=ALL).
• Use read-only filesystems (--read-only).

Example:

docker run --user 1001 --read-only nginx

How do multi-stage builds improve security in Docker?

• Keeps sensitive files out of the final image.
• Reduces attack surface by discarding unnecessary dependencies.

Example:

FROM golang AS build
COPY . .  
RUN go build -o myapp

FROM scratch
COPY --from=build /myapp /myapp
ENTRYPOINT ["/myapp"]

What is Docker Content Trust (DCT)?

DCT provides digital signing and verification of container images.

export DOCKER_CONTENT_TRUST=1
docker push myregistry/myapp:latest

How do you implement Docker image scanning?

Use tools like:

• Trivy for vulnerability scanning
• Snyk for dependency checking
• Anchore for policy compliance

Example:

trivy image nginx:latest

What is Docker layer caching and how do you optimize it?

• Order Dockerfile instructions from least to most frequently changing.
• Group related commands in single RUN instructions.
• Use .dockerignore effectively.

Example:

COPY package*.json ./
RUN npm install
COPY . .

How do you implement Docker networking security?

• Use user-defined networks instead of linking.
• Implement network segmentation.
• Configure network policies.

Example:

docker network create --driver overlay --opt encrypted mynetwork

What are Docker secrets and how do you use them?

Docker secrets securely store sensitive data.

echo "mypassword" | docker secret create db_password -
docker service create --secret db_password mysql

What is the Kubernetes Control Plane architecture?

Components include:
✅ API Server - REST API interface
✅ etcd - Distributed key-value store
✅ Scheduler - Pod placement
✅ Controller Manager - State management

How do you implement custom controllers in Kubernetes?

Custom controllers use the Operator pattern:

type MyController struct {
    client kubernetes.Interface
}

func (c *MyController) Run(stopCh <-chan struct{}) {
    // Controller logic
}

What are Kubernetes admission controllers?

Admission controllers intercept requests to the Kubernetes API server:

• ValidatingWebhookConfiguration
• MutatingWebhookConfiguration

Example:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: my-webhook
webhooks:
  - name: my-webhook.example.com
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]

What is a Service Mesh and how does it work?

A Service Mesh provides:

• Traffic Management
• Security (mTLS)
• Observability

Example using Istio:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - my-service
  http:
  - route:
    - destination:
        host: my-service
        subset: v1
      weight: 90
    - destination:
        host: my-service
        subset: v2
      weight: 10

How do you implement GitOps in Kubernetes?

GitOps principles:

• Git as single source of truth
• Declarative configurations
• Automated synchronization

Tools:

• ArgoCD
• Flux
• Jenkins X