118 DevOps Interview Questions and Answers (2026)

Blog / 118 DevOps Interview Questions and Answers (2026)
DevOps interview questions and answers

DevOps sits at the center of how modern software actually ships, and interviewers know it. They're no longer satisfied with buzzwords about pipelines and "automating things"; they want to see that you understand flow, reliability, and the trade-offs behind every deploy. Walk in shaky on containers, IaC, or incident response and it shows fast.

This guide gives you 118 questions with concise, interview-ready answers, including code and examples where they help. It's organized Junior to Mid to Senior, so you build from fundamentals like CALMS and the Three Ways up to deployment strategies, observability, and DevSecOps. Work through it and you'll speak about DevOps like someone who's done the job.

Q1.
What is DevOps to you, and how does it differ from just "automating things"?

Junior

To me, DevOps is a culture and operating model that aligns development and operations around shared goals to deliver value quickly, reliably, and continuously. Automation is a powerful enabler, but DevOps is fundamentally about people, ownership, and feedback, not just scripts and pipelines.

  • DevOps is about outcomes: Faster lead time, stable releases, quick recovery: the whole system delivering value, measured by things like the DORA metrics.

  • Automation is a means, not the goal: You can fully automate a broken process and just ship failures faster; automation without culture change misses the point.

  • The cultural core: Shared ownership ("you build it, you run it"), blameless learning, and tearing down the dev/ops wall.

  • How I'd summarize it in an interview: automation is the how; collaboration, feedback, and ownership are the why and the what.

Q2.
How do you define 'Shared Ownership' between Dev and Ops teams?

Junior

Shared ownership means Dev and Ops are jointly accountable for the full lifecycle of a service, from writing code to running it in production. Instead of developers "throwing code over the wall" and ops being blamed for outages, both teams share responsibility for reliability, performance, and delivery.

  • "You build it, you run it": Amazon's model: the team that writes a service also operates it, including being on-call for it.

  • Aligns incentives: When developers feel the pain of production (pages, incidents), they build more operable, observable, resilient software.

  • What it requires in practice:

    • Shared tooling and dashboards, shared on-call rotations, and shared metrics/SLOs so both sides see the same reality.

    • A blameless culture, so shared accountability doesn't turn into shared finger-pointing.

  • Contrast: it's not "no ownership" (diffusion of responsibility); accountability is explicit and collective, often defined per service.

Q3.
How does DevOps help in breaking down "silos" between development, QA, and operations?

Junior

DevOps breaks down silos by replacing hand-offs between separate Dev, QA, and Ops teams with shared goals, shared tooling, and continuous collaboration across the whole delivery lifecycle. Instead of each function optimizing its own step and blaming the next, teams are aligned around delivering working software to users.

  • Shared goals and metrics: Everyone is measured on delivery and stability (e.g. DORA metrics) rather than local KPIs that pit teams against each other.

  • Quality becomes everyone's job: Testing shifts left into automated CI pipelines, so QA collaborates early rather than gatekeeping at the end.

  • Shared tooling and visibility: Common CI/CD pipelines, version control, and observability dashboards give all three functions one source of truth.

  • Cross-functional teams and ownership: Embedding ops and QA skills into product teams removes the wall and the slow, error-prone hand-offs between them.

  • Feedback loops close the gap: production signals flow back to developers quickly, so problems are owned collectively, not tossed over a fence.

Q4.
What is DevOps to you, and how does it differ from traditional IT or Agile?

Junior

DevOps, to me, is a culture and set of practices that unites development and operations around continuously delivering reliable value to users. It differs from traditional IT (which separates build from run behind hand-offs) and complements Agile: Agile made development iterative, and DevOps extends that agility all the way through operations and into production.

  • vs. Traditional IT:

    • Traditional IT has siloed teams, manual hand-offs, infrequent large releases, and ops as a cost center focused on stability at the expense of speed.

    • DevOps uses shared ownership, automation, and small frequent releases to get both speed and stability.

  • vs. Agile:

    • Agile optimizes the dev process (short iterations, fast feedback within the team) but often stops at "done" on a developer's machine.

    • DevOps extends the flow to deployment and operations, closing the last-mile gap Agile left open.

  • Common thread: DevOps builds on Agile principles and applies them to the entire value stream, not just coding.

Q5.
What does 'feedback loops' mean in the context of DevOps, and how do you shorten them?

Junior

A feedback loop is the cycle between making a change and learning its effect: the faster and more accurate that signal, the faster teams correct course. DevOps optimizes for short, high-quality feedback everywhere from code commit to production behavior.

  • What it is: Any mechanism that tells you whether a change worked: test results, build status, code review, monitoring, user reports.

  • Why short loops matter:

    • Defects are cheaper to fix the closer you catch them to their cause; a bug found in code review beats one found in production.

    • Small, frequent signals keep context fresh so the fix is obvious.

  • How to shorten them:

    1. Fast automated tests and CI on every commit so failures surface in minutes.

    2. Small batch sizes (trunk-based, frequent deploys) so each change is easy to attribute.

    3. Observability: metrics, logs, traces, and alerting that expose production behavior quickly.

    4. Progressive delivery (canary, feature flags) to learn from real users with low blast radius.

    5. Blameless postmortems to feed operational learning back into the process.

Q6.
What role does version control play as the single source of truth in a DevOps workflow?

Junior

Version control is the authoritative record of what the system should be: application code, infrastructure, configuration, and pipelines all live in Git so that the repository, not a person's laptop or a manually-tweaked server, defines the desired state. This makes changes traceable, reviewable, and reproducible.

  • Single source of truth: One authoritative place answers 'what is deployed and why', eliminating configuration drift and tribal knowledge.

  • What it enables:

    • Auditability: every change has an author, timestamp, and reviewed diff.

    • Reproducibility: you can rebuild any past state from a commit or tag.

    • Collaboration: pull requests and code review become the gate for change.

    • Rollback: revert a commit to restore a known-good state.

  • Extends beyond app code:

    • Infrastructure as Code and GitOps treat Git as the desired state; agents reconcile the environment to match.

    • Pipelines defined as code (.gitlab-ci.yml, workflow files) are versioned alongside the app.

Q7.
What are the Four Golden Signals of monitoring?

Junior

The Four Golden Signals (from Google's SRE book) are the core metrics for monitoring any user-facing system: latency, traffic, errors, and saturation. Together they answer: is it slow, how busy is it, is it failing, and how close is it to its limit?

  • Latency: Time to serve a request; track successful and failed latency separately (a fast error is still bad).

  • Traffic: Demand on the system: requests/sec, transactions/sec, or connections.

  • Errors: Rate of failed requests (explicit like HTTP 500, or implicit like wrong content or policy-violating latency).

  • Saturation: How full the system is: CPU, memory, I/O, queue depth. Often the leading indicator of impending problems.

  • Why they matter: They focus alerting on user-visible symptoms rather than every internal cause, keeping dashboards small and meaningful.

Q8.
What are 'Feature Flags' and how do they decouple deployment from release?

Junior

Feature flags (feature toggles) are conditional switches in code that let you turn functionality on or off at runtime without redeploying. They decouple deployment (shipping code to production) from release (making it visible to users), so you can deploy dark code and enable it later, for specific users, on your own schedule.

  • Deployment vs. release:

    • Deploy: the binary is in production but the feature is flagged off.

    • Release: flip the flag to expose it, no new deploy needed.

  • What this enables:

    • Progressive rollouts and targeting: enable for internal users, a percentage, or a region.

    • Instant kill switch: disable a broken feature without a rollback deploy.

    • A/B testing and experimentation on live traffic.

    • Trunk-based development: merge incomplete work safely behind an off flag.

  • Costs to manage:

    • Flags accumulate as tech debt; remove stale ones to avoid combinatorial complexity.

    • Each flag adds a code path that ideally should be tested.

python

if flags.is_enabled("new_checkout", user): return new_checkout(cart) # released to this user else: return old_checkout(cart) # deployed but hidden

Q9.
What is the fundamental difference between Continuous Delivery and Continuous Deployment?

Junior

Both automate the pipeline up to production-ready, but Continuous Delivery stops at a manual approval before production, while Continuous Deployment pushes every passing change to production automatically with no human gate.

  • Continuous Delivery:

    • Every change is automatically built, tested, and made deployable; a human decides when to press the button.

    • Suits regulated environments or teams wanting a business/release-timing checkpoint.

  • Continuous Deployment:

    • If all automated checks pass, the change goes to production with no manual step.

    • Requires very high confidence: strong test coverage, monitoring, and automated rollback.

  • The core distinction: It is the presence (Delivery) or absence (Deployment) of the manual approval gate before prod.

  • Shared foundation: Both build on Continuous Integration; Deployment is essentially Delivery with the last gate automated away.

Q10.
Explain the typical anatomy of a CI/CD pipeline and what stages should exist and why.

Junior

A CI/CD pipeline is a sequence of automated stages that take a commit and progressively validate it until it's safely in production, ordered so the cheapest, fastest checks fail first.

  1. Source / trigger: A commit or merge request kicks off the pipeline from version control.

  2. Build: Compile and package into an immutable artifact (jar, container image) built once and reused downstream.

  3. Test: Fast unit tests first, then integration and end-to-end; fail fast to give quick feedback.

  4. Quality & security gates: Static analysis, coverage thresholds, SAST/dependency scanning.

  5. Publish artifact: Store the versioned artifact in a repository/registry as the single source of truth for deployment.

  6. Deploy to staging: Promote to a production-like environment for smoke/acceptance tests.

  7. Deploy to production: Automatic or gated; often progressive (canary/blue-green) with monitoring and rollback.

The guiding principle is progressive validation with increasing confidence and cost: fast cheap checks early, expensive real-environment checks later.

Q11.
In a CI/CD context, what is the difference between a "Build Tool" and a "CI Server"?

Junior

A build tool compiles and packages your code; a CI server orchestrates when and where that build tool (and tests, deploys) runs in response to events like commits.

  • Build tool:

    • Runs locally or in CI to compile, resolve dependencies, and package artifacts: e.g. Maven, Gradle, npm, Make.

    • Concerned with the how of turning source into a deliverable.

  • CI server:

    • Listens for triggers (push, PR), provisions runners, and invokes the build tool plus tests and deploy steps: e.g. Jenkins, GitLab CI, GitHub Actions.

    • Concerned with the when, where, and orchestration around the build.

  • Relationship: the CI server calls the build tool: they are complementary, not interchangeable.

Q12.
Explain the definitive differences between Continuous Integration, Continuous Delivery, and Continuous Deployment.

Junior

All three are stages of increasing automation: CI verifies every merge, Continuous Delivery keeps every build deployable and releases with a manual approval, and Continuous Deployment removes that approval so every passing change ships automatically.

  • Continuous Integration (CI):

    • Developers merge frequently; each merge triggers an automated build and tests to catch integration problems early.

    • Scope ends at a validated, tested build.

  • Continuous Delivery:

    • Extends CI so every validated build is automatically pushed to release-ready state (staging/artifact).

    • Releasing to production is a deliberate business decision: a human clicks "deploy".

  • Continuous Deployment:

    • Removes the manual gate: every change that passes the pipeline goes straight to production automatically.

    • Demands high test confidence plus safeguards like feature flags, canaries, and automated rollback.

  • Key distinction: Delivery vs Deployment differ only by that final manual approval step.

Q13.
What is a 'Build Artifact' and why is it important to make them immutable?

Junior

A build artifact is the packaged, deployable output of a build (a JAR, container image, binary, or tarball); making it immutable means it is built once and never altered, so the exact thing you tested is the exact thing you ship.

  • What it is: The compiled/assembled result stored in a registry or artifact repository (e.g. Nexus, Artifactory, a container registry).

  • Why immutability matters:

    • Consistency: promote the same artifact through dev, staging, prod instead of rebuilding per environment (which can introduce differences).

    • Traceability: a fixed version/hash maps to a known commit, aiding audits and rollbacks.

    • Reproducibility: no "works in staging, broke in prod" from an accidentally changed build.

  • How it's enforced: "Build once, deploy many": version artifacts immutably and never overwrite a published tag.

Q14.
Explain the 'Test Pyramid' and its role in a CI pipeline.

Junior

The Test Pyramid is a strategy for balancing test types: many fast unit tests at the base, fewer integration tests in the middle, and very few slow end-to-end tests at the top: it keeps CI fast and reliable by favoring cheap tests.

  • Layers (bottom to top):

    1. Unit tests: numerous, fast, isolated: they pinpoint failures precisely.

    2. Integration/service tests: fewer, verify components work together (DB, APIs).

    3. End-to-end/UI tests: fewest, exercise full user flows: slow and more brittle.

  • Why the shape: Cost and speed rise, and stability falls, as you go up: too many E2E tests give slow, flaky pipelines.

  • Role in CI:

    • Run the broad, fast unit base on every commit for quick feedback; reserve the expensive top layers for later stages.

    • The "ice cream cone" anti-pattern (mostly E2E tests) inverts this and makes CI slow and unreliable.

Q15.
What is a smoke test, and where does it fit in the deployment process?

Junior

A smoke test is a small, fast set of checks that confirm a freshly deployed build is fundamentally alive and functional before you trust it or send real traffic to it.

  • Purpose: catch catastrophic failures early:

    • Verifies the app starts, key endpoints respond, DB connects, and critical paths work: not exhaustive coverage.

    • Name comes from hardware: power it on and see if it smokes.

  • Where it fits in deployment:

    • Runs right after a deploy to an environment, often against staging or a canary before full rollout.

    • A common gate: hit a /health endpoint and a few core routes; failure triggers an automatic rollback or halts the pipeline.

  • Distinct from other tests:

    • Unit/integration tests run pre-deploy on the build; smoke tests run post-deploy on the running system.

    • Should be fast and shallow: seconds, not minutes.

Q16.
What is the core philosophy behind "Infrastructure as Code" (IaC)?

Junior

Infrastructure as Code treats provisioning and configuring infrastructure the same way you treat application code: define it in version-controlled, machine-readable files so environments are automated, repeatable, and auditable instead of hand-built.

  • Core principles:

    • Version controlled: infrastructure lives in Git, giving history, review, and rollback.

    • Repeatable and consistent: the same code produces identical environments, eliminating snowflakes.

    • Automated: no manual clicking in consoles, which removes human error.

    • The code is the documentation and the source of truth for what exists.

  • Why it matters:

    • Enables code review, testing, and CI/CD for infrastructure changes.

    • Makes disaster recovery and scaling a matter of re-running code, not tribal knowledge.

Q17.
What problem does containerization solve for a developer that a Virtual Machine does not?

Junior

Containers solve the "works on my machine" problem by packaging an app with its exact dependencies into a lightweight, portable image, while being far faster and smaller than a VM because they share the host OS kernel instead of booting a full guest OS.

  • Consistent environments: The image bundles code, runtime, and libraries, so it behaves identically on a laptop, CI, and prod.

  • Lightweight vs VMs:

    • Containers share the host kernel: startup is seconds, images are MBs, and density is high.

    • A VM virtualizes hardware and runs a full guest OS: minutes to boot, GBs in size.

  • Fast, repeatable workflow: A Dockerfile makes environments reproducible and versioned; spin up/tear down cheaply.

  • Trade-off: Weaker isolation than VMs (shared kernel), so mixing untrusted tenants may still warrant VM boundaries.

Q18.
How do containers support the "Build Once, Run Anywhere" principle in DevOps?

Junior

Containers package an application together with all its dependencies, libraries, and runtime into a single immutable image, so the same artifact runs identically across dev, CI, staging, and production regardless of the host's setup.

  • Self-contained image: The image bundles code plus dependencies, so it doesn't rely on host-installed libraries ("works on my machine" goes away).

  • Kernel-level abstraction: Containers share the host kernel but isolate userspace, so any Linux host with a container runtime runs the same image.

  • Immutability and versioning: You build once, tag the image, and promote that exact tag through environments: no rebuilding per stage.

  • The real limits of "anywhere":

    • CPU architecture still matters (an amd64 image won't run on arm64 without a multi-arch build).

    • Config and secrets are injected per environment (env vars, mounts), keeping the image itself unchanged.

Q19.
Can you explain the 'Three Pillars of Observability'?

Junior

The three pillars are metrics, logs, and traces: complementary data types that together let you understand a system's internal state from its external outputs.

  • Metrics: Numeric measurements aggregated over time (request rate, error count, CPU). Cheap to store, ideal for dashboards and alerting on trends.

  • Logs: Timestamped, discrete event records (ideally structured/JSON). Rich context for debugging a specific event, but costly at high volume.

  • Traces: Follow a single request across services via a shared trace ID, showing latency and causality per hop.

  • They answer different questions: Metrics tell you something is wrong, traces tell you where, logs tell you why.

  • Caveat: pillars alone aren't observability: True observability means you can answer novel questions without shipping new code; correlate the three (e.g. exemplars linking metrics to traces).

Q20.
What is a runbook, and what role does it play in incident response?

Junior

A runbook is a documented, step-by-step procedure for handling a specific operational task or failure scenario. In incident response it lets any on-call engineer act quickly and consistently, without needing to reconstruct tribal knowledge under pressure.

  • What it contains:

    • Symptoms/alert that triggers it, diagnostic steps, remediation commands, and escalation contacts.

    • Often includes verification steps to confirm the fix worked.

  • Role in incident response:

    • Reduces MTTR by turning diagnosis into a checklist rather than improvisation.

    • Lowers reliance on a single expert and reduces human error during stressful outages.

  • Keep them useful:

    • Update after each incident/postmortem so they stay accurate.

    • Automating a well-proven runbook step turns it into self-healing (the natural next stage).

Q21.
How do you define a Blameless Postmortem, and why is it critical for a DevOps culture?

Mid

A blameless postmortem is a structured, written review of an incident that focuses on the systemic and process causes rather than assigning fault to individuals. It assumes people acted reasonably given the information they had, so the goal is learning and prevention, not punishment.

  • Core principle: assume good intent: Engineers describe what they saw and did honestly because they won't be punished, which surfaces the real chain of events.

  • Focuses on systems, not people: Asks "how did the system allow this?" instead of "who broke it?" (e.g. missing guardrails, unclear runbook, weak alerting).

  • Why it's critical for DevOps culture:

    • Psychological safety: fear of blame hides information, so blameless reviews maximize learning.

    • It drives concrete, tracked action items that harden the system over time.

    • It reinforces shared ownership: failure is a property of the system everyone owns, not one person's mistake.

  • Typical structure: timeline, impact, root/contributing causes, what went well, and follow-up actions with owners.

Q22.
What is the difference between DevOps and SRE?

Mid

DevOps is a broad culture and set of practices for closing the gap between development and operations; SRE is a specific, prescriptive implementation of those principles pioneered by Google that applies software engineering to operations problems. A common framing: "class SRE implements interface DevOps."

  • DevOps is the philosophy: Describes what to achieve (collaboration, fast flow, shared ownership) but is deliberately non-prescriptive about how.

  • SRE is a concrete practice:

    • Provides specific tools: SLIs, SLOs, error budgets, toil reduction, and a cap on operational work (often ~50%).

    • Uses error budgets to balance reliability against feature velocity in a data-driven way.

  • Scope difference: DevOps spans the whole delivery lifecycle; SRE focuses on reliability, availability, and operating systems at scale.

  • Overlap: both reject dev/ops silos, embrace automation, and treat failure as a learning opportunity via blameless postmortems.

Q23.
What are the "Three Ways" of DevOps as described in The Phoenix Project?

Mid

The Three Ways are the underlying principles from The Phoenix Project (and The DevOps Handbook) that all DevOps practices derive from: optimizing flow, amplifying feedback, and fostering continual experimentation and learning.

  • First Way: Flow (systems thinking): Optimize the whole left-to-right flow from Dev to Ops to the customer; work in small batches and never pass defects downstream.

  • Second Way: Feedback: Create fast, constant feedback loops from right to left (monitoring, testing, alerts) so problems are seen and fixed at the source.

  • Third Way: Continual learning and experimentation:

    • Build a culture of experimentation, taking risks, and learning from failure (blameless postmortems, chaos engineering).

    • Requires the first two Ways as a foundation before safe experimentation is possible.

Q24.
What does it mean to "Shift Left" in a delivery pipeline, and what are the benefits?

Mid

"Shift Left" means moving quality and security activities (testing, security scanning, feedback) earlier in the delivery pipeline, closer to the developer, rather than saving them for the end. The goal is to catch defects when they're cheapest and fastest to fix.

  • What moves left:

    • Testing: unit and integration tests run on every commit, not in a late QA phase.

    • Security ("DevSecOps"): SAST, dependency scanning, and secrets detection in CI or even pre-commit hooks.

    • Feedback: linting and static analysis in the IDE and pull request.

  • Benefits:

    • Cost: a bug caught at commit time is orders of magnitude cheaper than one found in production.

    • Speed: tight, fast feedback loops keep context fresh for the developer.

    • Quality and security become shared, continuous responsibilities instead of a final gate.

  • Caveat: shifting left only works if the tests and scans are fast and low-noise; slow or flaky checks push developers to bypass them.

Q25.
What is "Value Stream Mapping," and how can a developer use it to identify bottlenecks?

Mid

Value Stream Mapping (VSM) is a Lean technique that diagrams every step needed to take a change from idea to production, capturing the time and wait between each step. It makes the whole flow visible so you can see where work actually sits idle and target the real bottleneck.

  • What you capture per step:

    • Process time: how long the actual work takes (coding, review, testing).

    • Wait time: how long work sits idle in a queue between steps.

    • Flow efficiency: process time divided by total lead time, often shockingly low.

  • How a developer uses it:

    • Map the real path: commit, code review, build, test, staging, approval, deploy.

    • Look for the biggest wait, not the biggest work: often a change waits days for review or a manual approval.

    • Attack that bottleneck first (e.g., automate the approval, parallelize tests); optimizing elsewhere won't move the total.

  • Key insight: most lead time is waiting, not working, so removing queues and hand-offs beats making people type faster.

Q26.
Why is Lead Time for Changes a better metric than Lines of Code?

Mid

Lead Time for Changes measures how long it takes a committed change to reach production: an outcome metric tied to customer value and flow. Lines of Code measures activity, not value, and rewards the wrong behavior. One tells you if you're delivering; the other tells you almost nothing.

  • Why Lines of Code fails:

    • More code is a cost (to maintain, test, secure), not an achievement; the best fix is often fewer lines.

    • It's easily gamed and says nothing about whether users got value.

  • Why Lead Time for Changes is better:

    • It's a DORA metric: correlated with high organizational and delivery performance.

    • It measures the whole system (review, testing, deploy), exposing bottlenecks a code count hides.

    • Shorter lead time means faster feedback, smaller batches, and lower risk per change.

  • Rule: measure the flow of value and outcomes, not the volume of output.

Q27.
Why is reducing batch size important in a DevOps delivery workflow?

Mid

Reducing batch size means shipping many small changes instead of few large ones. Small batches flow faster, fail smaller, and give quicker feedback, which is the foundation of continuous delivery.

  • Faster feedback: A small change is reviewed, tested, and validated quickly, so you learn if it works while context is fresh.

  • Lower risk and easier debugging:

    • When something breaks, there are few suspects; rollback or revert is trivial.

    • Large batches bundle many changes, so a failure is expensive to diagnose and to unwind.

  • Smoother flow:

    • Small, frequent merges avoid painful long-lived branches and big-bang integration.

    • Reduces the transaction cost of each release by making deploys routine and automated.

  • Trade-off: it only pays off if the cost of each deploy is low, which is why batch reduction and pipeline automation go hand in hand.

Q28.
What are Work-In-Progress (WIP) limits, and how do they improve flow in a delivery pipeline?

Mid

Work-In-Progress (WIP) limits cap how many items can be active in a stage at once (from Kanban). By constraining how much you start, they force teams to finish work before starting more, which paradoxically speeds up overall delivery.

  • How they work:

    • Each column (e.g., "In Review", "Testing") gets a maximum number of items.

    • When a column is full, you can't pull new work in; you must help clear the existing items first.

  • Why they improve flow:

    • Little's Law: cycle time = WIP / throughput, so less WIP directly shortens delivery time.

    • They expose bottlenecks: work piling up at a full column makes the constraint visible.

    • They cut costly context switching and the illusion of progress from many half-done tasks.

  • The mindset shift: value is delivered only when work is finished, so "stop starting, start finishing."

Q29.
Can you explain Trunk-Based Development vs. GitFlow, and when would you use one over the other?

Mid

Both are branching strategies. Trunk-Based Development keeps everyone committing to one shared branch with very short-lived branches, optimizing for continuous integration; GitFlow uses multiple long-lived branches (develop, feature, release, hotfix) for structured, scheduled releases.

  • Trunk-Based Development:

    • Developers merge small changes to main at least daily; branches live hours to a day.

    • Incomplete work is hidden behind feature flags rather than kept on a branch.

    • Minimizes merge conflicts and enables true CI and continuous deployment.

  • GitFlow:

    • Long-lived develop and release branches with explicit feature and hotfix branches.

    • Well suited to versioned/released software and gated review cycles.

    • Long-lived branches drift apart, causing painful merges and delayed integration.

  • When to use which:

    • Trunk-based: web services and SaaS shipping continuously with strong test automation.

    • GitFlow: products with discrete versioned releases, multiple supported versions, or infrequent deploys.

Q30.
What is "Trunk-Based Development," and how does it facilitate Continuous Integration?

Mid

Trunk-Based Development is a branching model where all developers integrate small changes into a single shared branch (the trunk) frequently, keeping any side branches short-lived. That frequent integration is exactly what Continuous Integration requires, so the two reinforce each other.

  • Core practice:

    • Commit to main (or a branch merged within a day) so code never diverges far.

    • Keep changes small and always releasable; trunk stays green.

  • How it enables CI:

    • CI means integrating and testing continuously; short-lived branches make merges frequent and small.

    • Conflicts are caught early and are tiny, not massive end-of-sprint merges.

    • Every commit runs the pipeline against the real integrated state, giving accurate feedback.

  • Enablers it depends on:

    • Feature flags to hide unfinished work while still merging it.

    • Strong automated test coverage so a green trunk is trustworthy.

Q31.
What is an "Error Budget," and how does it help balance feature velocity with system stability?

Mid

An error budget is the amount of unreliability you're allowed before breaching your SLO: if your SLO is 99.9% availability, the budget is the remaining 0.1% of failures over the window. It converts reliability into a currency that teams spend, turning 'ship features vs. keep it stable' into a data-driven decision rather than an argument.

  • Definition:

    • Error budget = 100% minus the SLO target, measured over a rolling window (e.g. 30 days).

    • 99.9% monthly availability allows roughly 43 minutes of downtime.

  • How it balances velocity and stability:

    • Budget remaining: ship freely, take risks, deploy fast.

    • Budget exhausted: freeze risky releases and prioritize reliability work until it recovers.

  • Why it works:

    • It sets a shared, objective goal so dev and ops aren't in conflict: 100% reliability isn't the target, meeting the SLO is.

    • It makes the cost of instability visible and enforceable via an agreed policy.

Q32.
Can you explain the relationship between SLIs, SLOs, and SLAs?

Mid

They form a hierarchy: an SLI is the measurement, an SLO is the internal target for that measurement, and an SLA is the external contract with consequences. You measure with SLIs, aim at SLOs, and promise SLAs.

  • SLI (Service Level Indicator):

    • A quantitative metric of service behavior: request latency, error rate, availability, throughput.

    • Usually a ratio of good events to total events (e.g. % of requests under 200ms).

  • SLO (Service Level Objective):

    • The internal target for an SLI over a window (e.g. 99.9% of requests succeed monthly).

    • Drives the error budget and engineering priorities.

  • SLA (Service Level Agreement):

    • A formal contract with customers including consequences (refunds, credits) if breached.

    • Typically looser than the SLO so you have internal buffer to react before violating the contract.

  • Rule of thumb: SLA is stricter/looser deliberately: set SLO tighter than SLA so you catch problems before customers invoke the contract.

Q33.
What are the DORA metrics, and how do they help measure the effectiveness of a DevOps practice?

Mid

DORA (DevOps Research and Assessment) metrics are four research-backed measures that correlate with high software delivery performance. Two measure throughput (speed) and two measure stability, so together they show whether you ship fast without breaking things.

  • Throughput metrics:

    • Deployment Frequency: how often you release to production.

    • Lead Time for Changes: time from commit to running in production.

  • Stability metrics:

    • Change Failure Rate: percentage of deployments causing a failure needing remediation.

    • MTTR / Failed Deployment Recovery Time: how long to restore service after a failed change.

  • Why they help:

    • Speed and stability are balanced, not traded off: elite teams score well on all four, disproving the myth that fast means fragile.

    • They measure outcomes of the whole delivery system, not individual output, guiding where to invest (CI, testing, automation).

Q34.
How do you determine if an alert is actionable vs. noise?

Mid

An alert is actionable if it signals a real, user-impacting problem that a human must intervene on right now; it's noise if it's informational, self-resolving, or requires no decision. The core rule: every page should demand human action, or it shouldn't page.

  • Traits of an actionable alert:

    • Symptom-based: fires on user-visible impact (SLO breach, error rate) rather than a raw cause like high CPU.

    • Urgent: needs response before it resolves on its own.

    • Has a clear response: a runbook or obvious next step exists.

  • Signs of noise:

    • Auto-resolves before anyone looks, flaps repeatedly, or is routinely acknowledged and ignored.

    • No action possible, or it's purely informational (better as a dashboard/log).

  • How to decide and tune:

    • Track alert-to-action ratio; if most pages lead to "no action," adjust thresholds, add duration windows, or downgrade to a ticket.

    • Alert on SLO/error-budget burn rate rather than every threshold to cut false positives.

Q35.
What is the difference between availability and reliability, and why does the distinction matter operationally?

Mid

Availability is the fraction of time a system is up and reachable; reliability is whether it correctly does what it's supposed to do over time. A system can be available but unreliable (responding, but returning wrong answers), so treating them as one number hides real user pain.

  • Availability:

    • Typically measured as uptime percentage (the "nines"): is the service responding to requests?

    • Focuses on presence, not correctness.

  • Reliability:

    • Probability the system performs correctly under expected conditions for a given period.

    • Captures correctness, consistency, and freedom from data corruption or degraded behavior.

  • Why the distinction matters operationally:

    • An endpoint returning HTTP 200 with corrupt data counts as available but is unreliable: naive uptime checks miss it.

    • They drive different SLIs: availability tracks success/error ratio, reliability tracks correctness, latency, and durability.

    • Remedies differ: availability improves with redundancy and failover; reliability improves with testing, validation, and data integrity controls.

Q36.
Explain the difference between Blue-Green and Canary deployments and when you would use one over the other.

Mid

Both are progressive delivery strategies, but Blue-Green swaps all traffic between two full environments at once, while Canary shifts a small percentage of traffic to the new version first and gradually increases it. Blue-Green optimizes for instant rollback; Canary optimizes for limiting blast radius while you observe real behavior.

  • Blue-Green:

    • Two identical environments: Blue (live) and Green (new). You deploy to Green, test, then flip the router to send 100% of traffic to it.

    • Rollback is instant: flip back to Blue.

    • Cost: you run double the infrastructure during the switch.

  • Canary:

    • Route a small slice (e.g. 5%) to the new version, watch metrics/errors, then ramp to 100%.

    • Detects problems with real traffic before full exposure; only that slice is affected on failure.

    • Needs good observability and often automated analysis to decide promote vs. abort.

  • When to choose:

    • Blue-Green: you need a clean, all-or-nothing cutover with fast rollback and can afford duplicate capacity.

    • Canary: risky changes where you want gradual validation against production traffic and metrics.

Q37.
What is a Rolling Update, and what are its potential risks compared to Blue-Green?

Mid

A rolling update replaces instances of the old version with the new one incrementally, a few at a time, until the whole fleet is upgraded, without needing a second full environment. It's resource-efficient but exposes users to a mixed-version state and offers slower, messier rollback than Blue-Green.

  • How it works:

    • Pods/instances are updated in batches governed by settings like maxSurge and maxUnavailable in Kubernetes.

    • Health checks gate each batch before proceeding.

  • Risks vs. Blue-Green:

    • Mixed versions run simultaneously, so old and new must be backward compatible (API and DB).

    • Rollback is slower: you must roll the fleet back batch by batch, not flip a switch.

    • A bad release can affect users during the gradual rollout before it's caught.

  • Advantages:

    • No duplicate infrastructure, so cheaper than Blue-Green.

    • Built into orchestrators like Kubernetes as the default strategy.

Q38.
When a deployment fails, what are the pros and cons of "Rolling Back" versus "Rolling Forward"?

Mid

Rolling back reverts to the last known-good version to restore service fast; rolling forward fixes the defect in a new release and deploys ahead. Choose rollback for urgent recovery and roll forward when a fix is quick or rollback is unsafe (e.g. irreversible migrations).

  • Rolling back:

    • Pro: fastest path to a stable, previously verified state, minimizing MTTR under pressure.

    • Con: doesn't fix the root cause, and may be blocked by forward-only DB schema changes or data already written by the new version.

  • Rolling forward:

    • Pro: keeps momentum, addresses the actual bug, and is the only option when a schema/data change can't be reversed.

    • Con: slower and riskier under an active incident since you're shipping unproven code while users are impacted.

  • Deciding factor:

    • Blast radius and reversibility: if the change is backward-compatible, roll back; if it's a one-way migration, roll forward.

    • Design for both: use expand/contract migrations and backward-compatible changes so rollback stays a safe option.

Q39.
What are the trade-offs of using Feature Flags (Feature Toggles) for releases?

Mid

Feature flags decouple deployment from release so you can ship code dark, roll out gradually, and kill a feature instantly, but they add runtime complexity and technical debt if not managed. They're a powerful release-control tool that must be treated as code with a lifecycle.

  • Benefits:

    • Deploy != release: merge to main and deploy continuously while features stay off.

    • Instant rollback via toggle, no redeploy, enabling fast incident mitigation.

    • Enables targeting, canaries, and A/B experiments from the same build.

  • Costs:

    • Combinatorial complexity: many flags multiply code paths and make testing harder.

    • Stale flags become debt and hidden risk if never cleaned up.

    • Runtime dependency: the flag service is now on the critical path (needs caching/fallbacks).

  • Good practice:

    • Give each flag an owner and an expiry, and remove it once fully rolled out.

    • Default to safe (off) behavior when the flag system is unreachable.

Q40.
What is A/B testing as a release strategy, and how does it differ from canary deployment?

Mid

A/B testing routes different user segments to different variants to measure which performs better against a business metric (conversion, engagement); it's an experimentation strategy, not primarily a safety one. Canary deployment instead exposes a new version to a small group to verify it's stable and safe before full rollout, a technical/operational goal.

  • A/B testing:

    • Purpose: compare variants to optimize a business/UX outcome, judged by statistical significance.

    • Routing: users split deterministically by attributes (cohort, geography) so results are attributable.

    • Both variants are considered production-ready.

  • Canary deployment:

    • Purpose: detect regressions in error rate, latency, or crashes with limited blast radius.

    • Routing: a small random percentage of traffic, promoted or rolled back based on health metrics.

  • Bottom line: A/B answers "which is better for the business?"; canary answers "is this release safe to ship?"

Q41.
What is the difference between deploying and releasing, and why is decoupling them valuable?

Mid

Deploying is putting new code onto production infrastructure; releasing is exposing that code to users. Decoupling them lets you ship at any time and control feature exposure separately, drastically reducing deployment risk.

  • Deploy = technical act: Move the artifact to production servers/pods; it can be running but dormant or hidden.

  • Release = business act: Turn the feature on for some or all users, often via a feature flag.

  • Why decoupling is valuable:

    • Deploy during business hours safely because nothing changes for users until you flip the flag.

    • Progressive exposure: enable for internal users, then 1%, then 100%.

    • Instant rollback of a bad feature by toggling off, no redeploy needed.

    • Enables trunk-based development: merge unfinished features behind flags without releasing them.

  • Enabling techniques: Feature flags, canary releases, blue-green deployments, and dark launches all separate deploy from release.

Q42.
What is a 'Quality Gate' in a pipeline, and what types of checks belong there?

Mid

A quality gate is an automated checkpoint in the pipeline that must pass before a change proceeds; if any criterion fails, the pipeline stops, preventing bad code from advancing toward production.

  • Purpose:

    • Enforce a consistent, objective quality bar so standards don't depend on individual reviewers.

    • Fail fast: block early rather than discovering problems in production.

  • Checks that belong there:

    • Test results: unit, integration, and coverage thresholds.

    • Static analysis: linting, code smells, maintainability (e.g. SonarQube).

    • Security scanning: SAST, dependency/CVE scans, container image and IaC scanning.

    • Policy checks: no hardcoded secrets, license compliance, required approvals.

  • Design principle: Gates should be binary and automated; avoid flaky checks that erode trust and get bypassed.

Q43.
What is the role of an artifact repository in the delivery process, and why shouldn't we just deploy from source?

Mid

An artifact repository stores versioned, immutable build outputs (packages, container images) so you deploy the exact bytes you tested. Deploying from source instead would rebuild on every environment, breaking the guarantee that what you tested is what you ship.

  • Build once, deploy many: The same artifact flows through dev, staging, and prod, eliminating rebuild drift.

  • Immutability and traceability: Each artifact is versioned and immutable, so you can trace exactly what's running and roll back to a prior version instantly.

  • Why not deploy from source:

    • Rebuilds are non-deterministic: dependency versions, base images, or toolchains can shift between builds.

    • Slower and duplicated work per environment.

    • You'd be testing one build and shipping a different one.

  • Additional benefits: Caches dependencies, enforces retention/promotion policies, and supports vulnerability scanning of stored artifacts (e.g. Nexus, Artifactory, a container registry).

Q44.
Why is Continuous Integration considered a developer practice rather than just a tool setup?

Mid

CI is a discipline about how developers work (integrating small changes frequently into a shared mainline), not just a server that runs builds: the tool only enforces habits the team must actually practice.

  • The core practice is frequent integration: Developers merge to trunk at least daily in small batches, avoiding long-lived divergent branches.

  • Behaviors the tool can't do for you:

    • Writing automated tests, committing small increments, and pulling latest changes often.

    • Prioritizing a fix when the build breaks over starting new work.

  • A pipeline without the habits fails: You can install a CI server and still get painful "integration hell" if people integrate rarely or ignore red builds.

  • The tool amplifies discipline: Automation gives fast feedback, but it only pays off when the team commits to acting on that feedback.

Q45.
How do you handle a broken build in a shared pipeline, and what is the cultural protocol?

Mid

A broken build on the shared mainline is treated as the team's top priority: stop introducing new changes, fix or revert quickly to restore green, then diagnose, because a red trunk blocks everyone.

  • Immediate technical response:

    • Revert the offending commit if a fix isn't fast: restoring green quickly beats debugging on a broken mainline.

    • Reproduce locally and add a test so the same break can't recur silently.

  • Cultural protocol:

    • "Don't commit on a broken build": adding changes on top makes the cause harder to isolate.

    • Fixing the build is a shared, blameless responsibility, not just the author's fault.

    • The person who broke it (or whoever notices) owns getting it green before new feature work.

  • Preventive measures: Run tests locally or use pre-merge PR checks so breakage rarely reaches the shared mainline.

Q46.
What is continuous testing, and how does it differ from simply running tests in CI?

Mid

Continuous testing is the practice of evaluating quality and risk at every stage of the delivery pipeline, from commit through production; running tests in CI is just one slice of it. It treats testing as a continuous risk-assessment activity rather than a single gate.

  • Running tests in CI: Typically executes a fixed suite (mostly unit/integration) when code is merged: verifies the build.

  • Continuous testing is broader:

    • Spans the whole lifecycle: static analysis, security scans, performance, and post-deploy checks in production.

    • Emphasizes risk-based feedback: is this change safe to release, not just does it compile.

  • Key differences:

    • Scope: CI testing is a stage; continuous testing is end-to-end across delivery.

    • Includes production validation like monitoring, canary analysis, and synthetic tests.

  • Takeaway: CI testing is necessary but not sufficient: continuous testing extends confidence all the way to the running system.

Q47.
What is Configuration Drift, and how do you prevent or detect it?

Mid

Configuration drift is when the actual state of running infrastructure diverges over time from its defined or intended state, usually from manual changes and hotfixes made outside your automation.

  • How it happens:

    • Someone SSHes in to fix an incident, tweaks a config, or installs a package by hand and never codifies it.

    • Result: servers that should be identical become subtly different snowflakes, causing "works on that box" bugs.

  • How to prevent it:

    • Manage all changes through IaC (Terraform, Ansible) and forbid manual edits.

    • Use immutable infrastructure: rebuild and replace instead of patching in place.

  • How to detect it:

    • Run terraform plan to see diffs between code and reality.

    • Config tools running in check/dry-run mode, or drift-detection features (e.g. AWS CloudFormation drift detection), report deviations.

Q48.
Explain the "Cattle vs. Pets" analogy and how it changes the way you write software.

Mid

"Pets" are servers you name, nurture, and heal when sick; "cattle" are identical, numbered machines you replace rather than repair. Treating infrastructure as cattle pushes you to write software that is stateless, disposable, and automatable.

  • Pets: hand-managed, unique:

    • Given names, manually configured, indispensable; if one dies you scramble to nurse it back.

    • Leads to snowflake servers and drift.

  • Cattle: interchangeable, disposable:

    • Identical, auto-provisioned, referred to by number; if one is unhealthy you kill it and spin up a replacement.

    • Enables autoscaling, self-healing, and safe rolling deploys.

  • How it changes your software:

    • Design apps to be stateless: push state to external stores (databases, object storage, caches) so any instance can serve any request.

    • Make startup and shutdown clean and fast, and tolerate instances being killed at any time.

    • Externalize config and logs so nothing important lives only on one box.

Q49.
What is "Immutable Infrastructure," and how does it differ from "Mutable Infrastructure"?

Mid

Immutable infrastructure means once a server or image is deployed you never modify it: to change anything you build a new version and replace the old one. Mutable infrastructure is updated in place over its lifetime.

  • Mutable (traditional):

    • Long-lived servers get patched, updated, and reconfigured in place (SSH, apt upgrade, config management).

    • Prone to configuration drift and hard-to-reproduce state.

  • Immutable:

    • Bake a versioned artifact (a machine image or container) and deploy fresh instances from it; never edit a running one.

    • To update: build a new image, roll it out, terminate the old instances.

  • Why immutable wins:

    • No drift, predictable and reproducible environments, and trivial rollback (redeploy the previous image).

    • Pairs naturally with containers and the cattle model.

Q50.
What is the difference between Declarative and Imperative Infrastructure as Code?

Mid

Declarative IaC describes the desired end state and lets the tool figure out how to reach it; imperative IaC specifies the exact sequence of steps to execute. Most modern tools favor declarative.

  • Declarative ("what"):

    • You state the goal ("5 servers, this config") and the engine computes the diff and converges to it.

    • Idempotent by nature: re-running yields the same state. Examples: Terraform, Kubernetes manifests, CloudFormation.

  • Imperative ("how"):

    • You write ordered commands that create/change resources step by step.

    • More control over sequencing but you must handle current state and idempotency yourself. Examples: shell scripts, AWS CLI calls.

  • Trade-off:

    • Declarative is easier to maintain and reason about drift; imperative suits one-off procedural tasks.

    • Note: tools like Ansible are largely declarative in intent but expressed as ordered tasks.

Q51.
Why is environment parity (dev/staging/prod) important, and how do you achieve it?

Mid

Environment parity means dev, staging, and prod are as similar as possible in configuration, dependencies, and data shape, so code behaves the same everywhere and "works on my machine" surprises disappear before production.

  • Why it matters:

    • Bugs from version or config mismatches (different DB version, OS, library) get caught early instead of in prod.

    • Gives confidence that a passing staging test predicts prod behavior, one of the Twelve-Factor principles (dev/prod parity).

  • How to achieve it:

    • Use containers/images so the same artifact runs in every environment.

    • Provision every environment from the same IaC, differing only in parameters (size, scale).

    • Externalize configuration and secrets via environment variables, not code.

    • Use the same backing services and versions; scale down but don't substitute (no SQLite in dev, Postgres in prod).

  • Reality check: Perfect parity is costly (prod data volume, scale); aim for functional parity where it affects correctness.

Q52.
What are ephemeral (preview) environments, and how do they improve the development workflow?

Mid

Ephemeral (preview) environments are short-lived, isolated environments spun up automatically for a branch or pull request, then torn down when it merges or closes: they let you review real running changes before production.

  • How they work:

    • A CI pipeline deploys the PR's code to a fresh, isolated stack (often with a unique URL) using IaC and containers.

    • The environment is destroyed on merge/close, so it costs nothing when idle.

  • Why they improve the workflow:

    • Reviewers and stakeholders test the actual running feature, not just diff lines.

    • Isolation means parallel PRs don't collide on a shared staging box.

    • Catches integration and config issues early, and enables QA/design sign-off before merge.

  • Prerequisites: Fully automated provisioning (IaC), fast builds, and disposable infrastructure; managed platforms like Vercel, Netlify, or Kubernetes preview namespaces make this easy.

Q53.
What is the difference between configuration management and provisioning in infrastructure automation?

Mid

Provisioning creates the infrastructure (servers, networks, load balancers); configuration management sets up and maintains the software and state on that infrastructure once it exists.

  • Provisioning: bring resources into existence:

    • Declaratively defines the desired infrastructure and calls cloud/provider APIs to create it.

    • Tools: Terraform, CloudFormation, Pulumi.

  • Configuration management: shape what runs on it:

    • Installs packages, manages files/services, enforces desired state on existing machines.

    • Tools: Ansible, Chef, Puppet.

  • Overlap and modern shift: Tools blur the line, but the immutable-infrastructure trend favors baking config into images (e.g. Packer) and replacing rather than mutating servers.

Q54.
How do you manage Secrets (API keys, passwords) in a DevOps environment without hardcoding them?

Mid

Store secrets outside code in a dedicated secrets manager, inject them at runtime, and control access with least-privilege policies and auditing: source control and images should never contain plaintext secrets.

  • Use a secrets manager: e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault: centralized storage, access control, and audit logs.

  • Inject at runtime, not build time: Deliver via environment variables or mounted files fetched at startup, so secrets stay out of images and repos.

  • Never commit plaintext: Use .gitignore, pre-commit secret scanners (git-secrets, gitleaks), and encrypt if secrets must live in Git (SOPS, sealed-secrets).

  • Least privilege and rotation: Scope access per service, prefer short-lived/dynamic credentials, and rotate regularly.

Q55.
What is "GitOps," and how does it differ from traditional CI/CD?

Mid

GitOps is an operating model where Git is the single source of truth for declarative infrastructure and application state, and an agent in the cluster continuously reconciles the live system to match the repo. It differs from traditional CI/CD by using pull-based reconciliation instead of push-based deployment.

  • Git as source of truth: Desired state is declared in Git; changes happen through pull requests, giving review, audit, and easy rollback (revert the commit).

  • Pull vs push:

    • Traditional CI/CD pushes: the pipeline runs kubectl apply with cluster credentials.

    • GitOps pulls: an in-cluster agent (Argo CD, Flux) watches the repo and applies changes itself.

  • Continuous reconciliation: The agent detects and corrects drift automatically, keeping live state converged on Git.

  • Relationship, not replacement: CI still builds and tests; GitOps governs the CD/deploy step declaratively.

Q56.
How should a "12-Factor App" handle environment-specific configurations?

Mid

A 12-Factor app stores config in the environment, not in code: anything that varies between deploys (dev, staging, prod) lives in environment variables, so the same build runs everywhere with different config injected.

  • Config in the environment: Credentials, hostnames, and toggles come from env vars, keeping them out of the codebase.

  • Strict separation of config from code: Litmus test: the repo could be open-sourced with no secrets leaked.

  • No environment-named config files: Avoid grouping like config/production.rb; these don't scale and get committed. Treat each var independently.

  • One build, many deploys: The same artifact is promoted across environments; only injected config changes.

Q57.
How does the 'Twelve-Factor App' methodology relate to modern DevOps practices?

Mid

The Twelve-Factor App is a set of principles for building portable, scalable web apps, and it maps almost directly onto DevOps goals: automation, consistency across environments, and disposable, cloud-native services. It's essentially a blueprint for apps that are easy to deliver continuously.

  • Enables CI/CD and repeatability: Codebase tracked in version control, config in the environment, and one build promoted across deploys support automated pipelines.

  • Supports containers and scaling: Stateless processes and horizontal concurrency map cleanly onto containers and orchestrators like Kubernetes.

  • Improves observability and resilience: Logs as event streams to stdout and fast startup/graceful shutdown (disposability) fit centralized logging and self-healing platforms.

  • Reduces environment drift: Declaring and isolating dependencies keeps dev/prod parity, a core DevOps aim.

Q58.
What is "Container Orchestration," and why is it necessary once you move beyond a few containers?

Mid

Container orchestration is the automated management of the full lifecycle of containers across a cluster of machines: scheduling, networking, scaling, and healing. Once you have more than a handful of containers spread over multiple hosts, doing this by hand becomes error-prone and impossible to keep consistent.

  • What it automates:

    • Scheduling: deciding which node runs which container based on resources.

    • Self-healing: restarting failed containers and rescheduling off dead nodes.

    • Scaling: adding/removing replicas to match load.

    • Networking and service discovery: giving containers stable ways to find each other.

    • Rollouts: rolling updates and rollbacks without downtime.

  • Why it's necessary at scale:

    • Manual placement across many hosts can't track capacity or recover from failure fast enough.

    • Declarative desired state: you say "run 5 replicas" and the orchestrator continuously reconciles reality to match.

  • Common tools: Kubernetes, Nomad, Docker Swarm, ECS.

Q59.
What is "Service Discovery," and why is it a core requirement of containerized microservices?

Mid

Service discovery is the mechanism by which services find each other's network locations dynamically, without hardcoding IPs or ports. It's core to microservices because containers are ephemeral: they get new IPs on every restart, scale, or reschedule.

  • Why static addressing fails:

    • Orchestrators create and destroy containers constantly, so IPs change unpredictably.

    • Replicas scale up and down, so "where is service X" has many, shifting answers.

  • How it works:

    • A registry tracks healthy instances (via health checks) and their addresses.

    • Clients resolve a stable logical name to a live instance, often via DNS or a load-balancing virtual IP.

  • Two patterns:

    • Server-side: clients hit a stable endpoint (e.g. a Kubernetes Service) that load-balances to pods.

    • Client-side: the client queries the registry and picks an instance itself.

  • Tools: Kubernetes DNS/Service, Consul, etcd.

Q60.
Can you explain the concept of 'Sidecar' containers and why they are used in a DevOps context?

Mid

A sidecar is a helper container that runs alongside your main application container in the same unit (e.g. a Kubernetes Pod), sharing its network and volumes to add functionality without modifying the app itself.

  • Separation of concerns: Cross-cutting infrastructure (logging, proxying, security) lives in the sidecar, keeping the app focused on business logic.

  • Shared context: Same lifecycle, network namespace, and volumes as the main container, so they communicate over localhost or a shared filesystem.

  • Common uses:

    • Service mesh proxy (e.g. Envoy in Istio) handling mTLS, retries, and routing.

    • Log shippers that tail files and forward to a central system.

    • Secret/config agents that fetch and refresh credentials.

  • Benefit for DevOps:

    • Reusable, language-agnostic capabilities added uniformly across services without touching each codebase.

    • Trade-off: extra resource overhead and complexity per instance.

Q61.
What is the difference between "Monitoring" and "Observability"?

Mid

Monitoring tells you whether known conditions are happening ("is CPU high, is the service down?"), while observability is the property of a system that lets you ask arbitrary new questions about its internal state from its outputs, so you can debug problems you didn't anticipate.

  • Monitoring: known-unknowns:

    • Predefined metrics, dashboards, and alerts on failure modes you expect.

    • Answers "what" is broken (a threshold crossed).

  • Observability: unknown-unknowns:

    • Rich, high-cardinality telemetry lets you explore "why" without shipping new code.

    • Built on the three pillars: metrics, logs, and traces.

  • Relationship:

    • Monitoring is a subset/outcome of an observable system, not a competitor to it.

    • Monitoring catches expected failures; observability helps diagnose novel ones in complex, distributed systems.

Q62.
What is the difference between "Structured Logging" and "Unstructured Logging," and why does it matter for DevOps?

Mid

Structured logging emits logs as machine-parseable key-value data (typically JSON), whereas unstructured logging emits free-form text lines. Structure matters in DevOps because it makes logs searchable, filterable, and aggregatable at scale, which plain text isn't.

  • Unstructured logging:

    • Human-readable free text like User 42 login failed.

    • Fine for local debugging, but querying requires brittle regex/grep parsing.

  • Structured logging:

    • Consistent fields (level, user_id, trace_id) a machine can index directly.

    • Enables precise queries, aggregation, and correlation across services.

  • Why it matters for DevOps:

    • Centralized platforms (ELK, Loki, Splunk) ingest and search structured logs efficiently.

    • A shared trace_id ties logs to distributed traces for faster root-cause analysis.

    • Reliable alerting on specific fields instead of fragile text matching.

json

{"timestamp":"2024-01-01T12:00:00Z","level":"error","event":"login_failed","user_id":42,"trace_id":"abc123"}

Q63.
What is distributed tracing, and why is it important in a microservices architecture?

Mid

Distributed tracing tracks a single request as it flows across multiple services, stitching each hop into one end-to-end timeline via a shared trace context. It's essential in microservices because no single service has the full picture of a request.

  • Core concepts:

    • A trace is a tree of spans; each span is one unit of work with start/end time and metadata.

    • Context (trace ID, span ID) is propagated between services, usually via headers like traceparent (W3C Trace Context).

  • Why microservices need it:

    • One user action may fan out across dozens of services; tracing pinpoints which hop added latency or failed.

    • Reveals service dependencies and cascading failures that per-service metrics/logs hide.

  • Practical notes:

    • Standardize with OpenTelemetry for instrumentation and export.

    • Use sampling (head or tail) to control volume; correlate trace IDs into logs to jump between pillars.

Q64.
What is the difference between synthetic monitoring and real user monitoring?

Mid

Synthetic monitoring probes your system with scripted, simulated requests on a schedule; real user monitoring (RUM) captures telemetry from actual users' interactions. Synthetic is proactive and controlled; RUM is passive and reflects real experience.

  • Synthetic monitoring:

    • Scripted checks (ping, API call, browser flow) from known locations at fixed intervals.

    • Catches problems before users hit them, works with zero traffic, and gives consistent baselines for SLAs.

    • Blind spot: only tests paths you scripted, not real-world diversity.

  • Real user monitoring:

    • Collects actual metrics (page load, errors, Core Web Vitals) from real browsers/devices.

    • Reflects true experience across geographies, devices, and networks.

    • Blind spot: needs real traffic and can't test before launch or catch issues on unvisited paths.

  • Use both: Synthetic for uptime/regression alerting; RUM for understanding and prioritizing real user pain.

Q65.
How do you decide what belongs in a metric, a log, or a trace when instrumenting a system?

Mid

Pick the signal by the question you need to answer and the cost of the data: metrics for aggregate trends and alerting, logs for detailed discrete events, traces for request flow across services. They overlap, so choose the cheapest signal that answers the question.

  • Use a metric when:

    • You want to aggregate, alert, or trend over time (rate, latency, error ratio, queue depth).

    • Beware cardinality: never put unbounded values (user IDs, request IDs) in labels.

  • Use a log when:

    • You need rich per-event context to debug a specific occurrence (the failing payload, stack trace, decision reason).

    • Prefer structured logs so they're queryable, not just human-readable.

  • Use a trace when: The question is 'where in the request path' across service boundaries, or latency attribution per hop.

  • Rules of thumb:

    • High-cardinality identifiers belong in logs/traces, not metric labels.

    • Correlate them: attach trace IDs to logs and exemplars to metrics so you can pivot between signals.

Q66.
What is "Idempotency," and why is it a critical requirement for any automation script?

Mid

Idempotency means running an operation multiple times produces the same end state as running it once. It's critical for automation because scripts get retried, interrupted, and re-run, and a non-idempotent script can corrupt state or duplicate resources on the second run.

  • What it looks like:

    • Declare desired state, don't blindly repeat actions: 'ensure this file exists' instead of 'append this line'.

    • Check-then-act or use naturally idempotent operations (PUT over POST, mkdir -p).

  • Why automation demands it:

    • Failures and retries are normal (network blips, timeouts, CI reruns); safe re-execution prevents drift and duplicates.

    • Enables convergence: run the same playbook repeatedly and always land in the correct state.

  • Where you see it: IaC and config tools (Terraform, Ansible) are built around it; APIs use idempotency keys to dedupe requests.

Q67.
How do you define "Toil" in an SRE context, and why is it important to minimize it?

Mid

In SRE, toil is manual, repetitive, automatable operational work that scales linearly with service growth and adds no lasting value. It's minimized because it crowds out engineering work, burns out staff, and grows unboundedly with the system.

  • Characteristics of toil: Manual and repetitive, automatable, reactive/interrupt-driven, tactical (no enduring value), and scales with load.

  • What it is not: Overhead like meetings or HR isn't toil; genuine engineering and one-off project work isn't toil.

  • Why minimize it:

    • Linear scaling means toil grows with the service, capping how much you can run per engineer.

    • It causes burnout, errors, and career stagnation, and starves long-term reliability improvements.

  • How SRE addresses it: Google's guideline caps toil at roughly 50% of an SRE's time; measure it and invest the rest in automation and engineering.

Q68.
Explain the concept of "Mean Time to Recovery" (MTTR) and why it is often more important than "Mean Time Between Failures" (MTBF).

Mid

MTTR (Mean Time to Recovery) is the average time to restore service after a failure; MTBF (Mean Time Between Failures) measures how long the system typically runs between failures. In modern distributed systems, failures are inevitable, so recovering fast (low MTTR) usually matters more than trying to never fail (high MTBF).

  • MTTR: focus on recovery speed:

    • Measures detection + diagnosis + repair time; lowering it directly reduces downtime and user impact.

    • Improved by good monitoring, alerting, runbooks, automated rollbacks, and practice.

  • MTBF: focus on failure frequency: Chasing very high MTBF often means slowing change and adding cost, with diminishing returns.

  • Why MTTR often wins:

    • You can't prevent every failure in complex systems, but you can control how quickly you bounce back.

    • Fast recovery makes it safe to ship frequently, aligning with CI/CD and the "fail fast, recover fast" mindset.

Q69.
How does an on-call rotation work, and what practices keep it sustainable for a team?

Mid

An on-call rotation assigns responsibility for responding to production alerts to one or a few engineers at a time, cycling through the team on a schedule. The aim is reliable 24/7 coverage that shares the burden fairly and avoids burning anyone out.

  • How it works:

    • A tool (PagerDuty, Opsgenie) routes alerts to the current primary; a secondary/escalation path covers missed pages.

    • Shifts rotate (weekly is common) with a defined handoff of open issues.

  • Sustainability practices:

    • Reduce alert noise: page only on actionable, user-impacting issues to prevent alert fatigue.

    • Maintain runbooks and good dashboards so responders aren't lost.

    • Fair scheduling, compensation/time-off, and follow-the-sun rotations across time zones where possible.

    • Blameless postmortems that feed fixes back, so recurring pages actually get eliminated.

Q70.
How would you describe a typical incident management process, including severity levels and escalation?

Mid

Incident management is the structured process of detecting, responding to, resolving, and learning from service disruptions. A typical flow moves from detection through triage, mitigation, resolution, and a postmortem, with severity levels driving how urgently and widely the response escalates.

  • Lifecycle stages:

    1. Detect (alert or report) and declare the incident.

    2. Assign roles: an Incident Commander coordinates while others investigate.

    3. Mitigate first (restore service), then resolve the root cause.

    4. Run a blameless postmortem with action items.

  • Severity levels:

    • SEV1: major outage, all-hands, immediate exec/customer comms; SEV2: significant but partial impact; SEV3+: minor or degraded, lower urgency.

    • Severity sets response time, who's paged, and communication cadence.

  • Escalation:

    • If the primary can't resolve or acknowledge in time, the page escalates to secondary, then to specialists or management.

    • Clear communication channels (status page, incident chat) keep stakeholders informed.

Q71.
What is the purpose of readiness and liveness health checks in a deployed service?

Mid

Liveness and readiness checks are health probes that tell the orchestrator (like Kubernetes) whether a container is alive and whether it's ready to receive traffic. They serve different purposes: liveness triggers restarts, readiness controls traffic routing.

  • Liveness probe:

    • Answers "is the process healthy or stuck?" If it fails, the orchestrator restarts the container.

    • Catches deadlocks or hung states that a running process alone can't reveal.

  • Readiness probe:

    • Answers "can this instance serve requests now?" If it fails, the instance is pulled from the load balancer but not restarted.

    • Useful during startup (warming caches, connecting to DB) or when a dependency is temporarily unavailable.

  • Why separate them:

    • A slow-starting app shouldn't be killed by a liveness probe; readiness just delays traffic until it's prepared.

    • Together they enable zero-downtime rollouts and automatic recovery.

Q72.
What is graceful degradation, and how does it contribute to fault tolerance?

Mid

Graceful degradation is designing a system so that when a component fails, it loses functionality gracefully rather than crashing entirely. It contributes to fault tolerance by keeping core features available even when non-critical dependencies are down.

  • Core idea: degrade, don't collapse:

    • An e-commerce site whose recommendation service fails should still let users browse and buy, just without recommendations.

    • Serve stale cached data or a default response instead of erroring out.

  • Common techniques:

    • Fallbacks and defaults when a dependency is unavailable.

    • Circuit breakers to stop hammering a failing service and fail fast.

    • Feature flags to shed non-essential load under stress.

  • How it aids fault tolerance:

    • Isolates failures so one broken component doesn't cascade into a full outage.

    • Preserves the most valuable user journeys, reducing business impact during partial failures.

Q73.
What does "DevSecOps" mean in practice, and how does it change the developer's responsibility?

Mid

DevSecOps means integrating security into every stage of the DevOps lifecycle rather than bolting it on at the end: security becomes a shared, continuous, automated responsibility instead of a separate gate owned by one team.

  • "Shift left" security: Vulnerabilities are found during coding and CI, where they're cheaper to fix, not in production audits.

  • Automation over manual review: SAST, SCA, secret scanning, and IaC scanning run automatically in the pipeline.

  • How the developer's role changes:

    • Developers own the security of what they ship: they triage scanner findings and fix them like any bug.

    • They write secure code and secure config (least privilege, no hardcoded secrets) as part of "done".

    • Security teams shift to enabling: providing tooling, guardrails, and paved paths rather than acting solely as a blocking gate.

  • Culture, not just tooling: shared accountability and fast feedback loops matter as much as the scanners.

Q74.
What is "Software Composition Analysis" (SCA), and where does it fit in the pipeline?

Mid

Software Composition Analysis (SCA) scans your third-party and open-source dependencies (including transitive ones) for known vulnerabilities and license risks, so you understand and control the code you didn't write but still ship.

  • What it does:

    • Inventories dependencies and matches versions against vulnerability databases (CVE/NVD, advisories).

    • Flags risky licenses (e.g. GPL in a proprietary product) and often generates an SBOM.

  • Where it fits in the pipeline:

    • In the developer IDE and pre-commit for the earliest feedback.

    • In CI on every build/PR, failing the build on high-severity issues.

    • Continuously post-deploy: new CVEs appear against already-shipped versions, so re-scan even without code changes.

  • How it differs from SAST: SCA analyzes your dependencies; SAST analyzes your own source code.

  • Tools: Dependabot, Snyk, Trivy, OWASP Dependency-Check.

Q75.
What does Security as Code mean in a modern pipeline?

Mid

Security as Code means expressing security policies, controls, and tests as version-controlled, automated artifacts that run in the pipeline, rather than as manual checklists or documents: security becomes reviewable, repeatable, and enforced by machines.

  • What gets codified:

    • Policies as code: rules evaluated automatically (OPA/Rego, Kyverno, Sentinel) to allow or block deploys.

    • Scanning config: SAST/SCA/IaC scans defined in the repo and run in CI.

    • Guardrails: IaC security rules, admission controllers, network policies.

  • Why it matters:

    • Consistency: the same rules apply everywhere, no human forgetting a step.

    • Auditability and review: changes to security posture go through Git PRs like any code.

    • Scalable enforcement: policies act as automatic gates instead of manual sign-offs.

  • It's the security expression of the broaderEverything-as-Code / GitOps mindset.

Q76.
Where in the CI/CD pipeline should security scanning (SAST/DAST) occur, and why?

Mid

Run different scans at the stages where they can actually see what they need: SAST early on source code, DAST later against a running app, so each catches its class of issues with the fastest possible feedback.

  • SAST (static analysis) runs early:

    • Analyzes source code without running it, so it fits at commit/PR and in CI build stages.

    • Catches insecure patterns (SQLi, hardcoded secrets) close to when they're written, where they're cheapest to fix.

  • DAST (dynamic analysis) runs later:

    • Tests a running application from the outside, so it needs a deployed build (staging/test environment).

    • Finds runtime and config issues SAST can't see (auth flaws, exposed endpoints).

  • Why the placement:

    • Shift left where possible (SAST/SCA) for fast, cheap feedback that fails the build.

    • DAST is slower, so run it on staging deploys or nightly rather than every commit.

  • Layer them: SAST + SCA + secret scanning early, DAST pre-prod, plus runtime scanning after deploy for defense in depth.

Q77.
What is a 'Flaky Test' and how does it undermine DevOps culture?

Mid

A flaky test is a test that passes or fails non-deterministically on the same code, without any change to the code under test. It erodes trust in the pipeline: engineers stop believing red builds and start ignoring or blindly re-running them.

  • Common causes:

    • Timing/race conditions: reliance on sleep() or async ordering instead of proper synchronization.

    • Shared/leaky state: tests depending on execution order or leftover data.

    • External dependencies: real networks, clocks, or third-party services that vary.

  • Why it undermines DevOps culture:

    • Destroys signal: a red build no longer clearly means "broken code," so the safety net loses value.

    • Normalizes ignoring failures: people habitually re-run until green, which can mask real bugs.

    • Slows delivery and morale: wasted reruns, blocked merges, and distrust in automation.

  • How to manage it:

    • Detect: track pass/fail history to quantify flakiness rates.

    • Quarantine: isolate known-flaky tests so they don't block the pipeline, then fix or delete them.

    • Fix root cause: mock external systems, control the clock, and remove inter-test state.

Q78.
What is the difference between horizontal and vertical scaling, and when would you choose each?

Mid

Vertical scaling ("scale up") adds more power (CPU, RAM) to a single instance; horizontal scaling ("scale out") adds more instances and distributes load across them. Horizontal is the default for resilient, elastic systems, while vertical is simplest when the workload can't be distributed.

  • Vertical scaling:

    • Bigger box: upgrade to a larger instance type.

    • Pros: no app changes, no distributed-state complexity.

    • Cons: hard ceiling (max instance size), single point of failure, often requires downtime/restart.

  • Horizontal scaling:

    • More boxes behind a load balancer.

    • Pros: near-linear elasticity, redundancy/high availability, no single point of failure.

    • Cons: needs stateless services (or externalized state), plus load balancing and data-consistency handling.

  • When to choose:

    • Vertical: stateful monoliths, single-node databases, quick short-term relief.

    • Horizontal: stateless web/API tiers, unpredictable or spiky traffic, HA requirements.

Q79.
What is autoscaling, and what signals typically drive scaling decisions?

Mid

Autoscaling automatically adjusts capacity to match demand: adding resources when load rises and removing them when it falls, so you meet SLOs without over-provisioning. It's driven by observed signals (metrics), schedules, or predictions.

  • Types of autoscaling:

    • Horizontal (e.g. Kubernetes HPA): change the number of replicas/instances.

    • Vertical (e.g. VPA): change resource requests/limits of a workload.

    • Cluster-level: add/remove nodes when pods can't be scheduled.

  • Common driving signals:

    • Resource utilization: CPU and memory (the classic defaults).

    • Custom/business metrics: requests per second, queue depth, latency.

    • Scheduled: known daily/weekly patterns (scale up before business hours).

    • Predictive: forecast demand from historical trends.

  • Practical concerns:

    • Cooldowns/stabilization windows prevent thrashing (rapid scale up/down flapping).

    • Scaling isn't instant: warm-up time matters, so leave headroom for spikes.

Q80.
Explain the CALMS framework and why each pillar is necessary for a successful DevOps transition.

Senior

CALMS is a framework for assessing and guiding a DevOps transformation across five pillars: Culture, Automation, Lean, Measurement, and Sharing. It emphasizes that DevOps is a cultural shift enabled by tooling, not tooling alone.

  • Culture: The foundation: collaboration, shared ownership, and blameless learning. Without it, tools just automate dysfunction.

  • Automation: Automate repetitive work (builds, tests, deploys, infrastructure) to remove manual error and speed up feedback.

  • Lean: Eliminate waste, work in small batches, and optimize the flow of value end to end rather than local efficiency.

  • Measurement: You can't improve what you don't measure: track metrics (e.g. DORA: deploy frequency, lead time, MTTR, change fail rate) to guide decisions.

  • Sharing: Share knowledge, tooling, and responsibility across teams to reinforce the culture and break silos.

  • Why all five: they're interdependent (e.g. automation without culture fails, measurement without sharing doesn't spread learning).

Q81.
What is 'Platform Engineering' and how does it differ from traditional DevOps?

Senior

Platform Engineering is the discipline of building an internal developer platform (IDP): a self-service product that packages infrastructure, pipelines, and tooling so product teams can ship without deep ops expertise. It's an evolution of DevOps that treats the platform itself as a product with users.

  • Traditional DevOps:

    • A cultural movement: "you build it, you run it," breaking the wall between dev and ops.

    • Each team owns its full pipeline, which can duplicate effort and create high cognitive load.

  • Platform Engineering:

    • Centralizes common concerns (CI/CD, provisioning, observability) into a reusable, self-service platform.

    • Reduces developer cognitive load with "golden paths": paved, opinionated defaults teams can adopt.

    • Measured as a product: adoption, developer satisfaction, and time-to-first-deploy.

  • Key difference: DevOps is a philosophy about breaking silos; Platform Engineering is the concrete productized answer to the toil that pure "every team does everything" DevOps created at scale.

Q82.
What is Conway's Law, and how does it influence the way DevOps teams are structured?

Senior

Conway's Law states that organizations design systems that mirror their own communication structures. In DevOps it's a warning: your team boundaries end up baked into your architecture, so you should shape teams deliberately to get the architecture you want.

  • The core observation: If four teams write a compiler, you get a four-pass compiler: system interfaces follow human communication paths.

  • Implication for DevOps:

    • Siloed teams (separate dev, QA, ops) produce hand-off-heavy, poorly integrated systems.

    • Small, cross-functional teams owning a service end-to-end produce loosely coupled, independently deployable services (microservices).

  • The Inverse Conway Maneuver: Deliberately structure teams to match the target architecture, letting the desired system emerge.

  • Related idea: Team Topologies uses this to design stream-aligned, platform, and enabling teams that minimize hand-offs.

Q83.
What is the 'Andon Cord' concept, and how does it apply to stopping the line when a build breaks?

Senior

The Andon Cord comes from the Toyota Production System: any worker can pull a cord to halt the assembly line when they spot a defect, so problems are fixed at the source instead of shipping downstream. In DevOps it maps to "stop the line" on a broken build: everyone prioritizes fixing it before adding new work.

  • The manufacturing origin: Empowering the person closest to the problem to stop production prevents defects from compounding.

  • The software equivalent:

    • A red build on the main branch is a stopped line: no new commits until it's green.

    • The team swarms to fix or revert immediately, treating a broken pipeline as the top priority.

  • Why it matters:

    • Keeps the main branch always releasable, a prerequisite for continuous delivery.

    • Small failures stay cheap: fixing now costs far less than debugging a pile of stacked changes later.

    • Reinforces a blameless culture where surfacing problems is rewarded, not punished.

Q84.
Why is 'automating everything' not always the right answer, and how do you decide what to automate?

Senior

Automation has real cost (building, testing, maintaining it), so it pays off only when a task is repetitive, stable, and error-prone enough that the investment returns value. Automating a rarely-run or constantly-changing task can cost more than it saves and can encode bad decisions at scale.

  • Automation is not free:

    • It's code you must write, test, secure, and maintain as the underlying system changes.

    • Brittle automation on a shifting target creates more toil than it removes.

  • When it backfires:

    • One-off tasks: manual is faster than automating something you'll never repeat.

    • Poorly understood processes: automating a broken process just makes mistakes faster.

    • High-judgment decisions that genuinely need a human in the loop.

  • How to decide:

    1. Frequency x effort: high repetition and high manual cost favor automation.

    2. Stability: automate mature, well-understood processes, not moving targets.

    3. Risk: error-prone manual steps (deploys, secrets) benefit even at lower frequency.

    4. ROI over the lifetime: weigh build plus maintenance cost against time saved.

  • Rule of thumb: standardize and document a process first, then automate it once it's stable and repeated.

Q85.
What are the trade-offs of a Mono-repo vs. Multi-repo strategy for CI/CD pipelines?

Senior

A mono-repo stores many projects in one repository; a multi-repo gives each service its own. The trade-off is centralized consistency and easy cross-project changes versus independent ownership and simpler, faster per-service pipelines.

  • Mono-repo:

    • Pros: atomic cross-service changes, shared tooling and standards, easy code reuse and refactoring.

    • CI/CD challenge: naive builds rebuild everything; you need change detection to build only affected projects.

    • Needs tooling (Bazel, Nx, Turborepo) to scale and stay fast.

  • Multi-repo:

    • Pros: clear ownership, isolated and simple pipelines, independent versioning and deploy cadence.

    • CI/CD challenge: coordinated changes across repos need version pinning and dependency management.

    • Risk of drift: each repo may diverge in tooling and standards.

  • How to choose:

    • Highly coupled services and shared libraries lean mono-repo (with build caching).

    • Independent teams and services with separate lifecycles lean multi-repo.

Q86.
How does your choice of branching strategy impact your "Lead Time for Changes" (DORA metric)?

Senior

Branching strategy directly shapes lead time because it determines how long code sits unmerged and how much batching and merge friction stand between a commit and production. Short-lived branches shorten lead time; long-lived branches lengthen it.

  • Trunk-based development shortens lead time:

    • Small, frequent merges to main mean changes flow to production in hours, with tiny, low-risk batches.

    • Continuous integration keeps the branch always releasable, so nothing waits.

  • Long-lived feature branches (or heavy GitFlow) lengthen it:

    • Work accumulates for days or weeks, then a large batch waits on review, merge conflicts, and release windows.

    • Big merges are riskier, so they attract more gatekeeping, adding delay.

  • The mechanism:

    • Lead time = coding + review + integration + release wait; branching mainly inflates the integration and wait portions.

    • Use feature flags to decouple deploy from release so you can merge small and still hide unfinished work.

Q87.
How do you distinguish between a 'Vanity Metric' and an 'Outcome Metric' in a delivery pipeline?

Senior

A vanity metric looks impressive and always trends up but doesn't inform a decision or reflect real value; an outcome metric ties to business or user results and changes your behavior when it moves. The test: "if this number changed, would I do anything differently?"

  • Vanity metrics:

    • Raw counts that only grow: lines of code, number of commits, story points, total builds run.

    • Easy to game, flattering, and rarely linked to customer value.

  • Outcome metrics:

    • Reflect results: lead time, change failure rate, error budget burn, conversion, feature adoption, customer-reported incidents.

    • Actionable and often bounded/ratio-based so they can move in both directions.

  • How to distinguish: Ask: does it map to a user or business outcome? Is it a ratio/rate rather than a cumulative count? Can it get worse? Does it trigger a decision?

Q88.
If your 'Change Failure Rate' is high but your 'MTTR' is low, what does that tell you about your team's process?

Senior

It tells you your team is excellent at recovery but weak at prevention: bad changes reach production often, but you detect and roll back or fix them fast. You're stable in the sense of resilient, but your quality gates before deploy are letting too much through.

  • What the combination reveals:

    • Strong operational muscle: good monitoring, fast rollback, automated deploys, and a healthy blameless response culture.

    • Weak pre-production safety: insufficient testing, poor code review, missing staging validation, or overly large changes.

  • Risks of relying on low MTTR:

    • Users still experience each failure; frequent incidents cause fatigue and erode trust even if fixed quickly.

    • Fast recovery can mask root causes, so the same class of defects keeps recurring.

  • Where to invest: Shift left: more automated tests, smaller batches, progressive delivery (canary/feature flags) to catch failures before full rollout.

Q89.
How can DORA metrics be gamed or misinterpreted by management?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q90.
If your Change Failure Rate is high but your Deployment Frequency is also high, what does that tell you about your pipeline?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q91.
What is the 'Deployment Rework Rate' from the 2024 DORA reports?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q92.
How do you handle database schema migrations in a zero-downtime deployment environment?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q93.
What is "Dark Launching," and when would you use it?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q94.
What is "Backward Compatibility" in the context of microservices deployment, and why is it mandatory for DevOps?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q95.
What is 'Progressive Delivery,' and how do feature flags enable it?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q96.
How do you achieve a zero-downtime release for a stateful application?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q97.
When would you choose a Push-based vs. a Pull-based (GitOps) deployment model?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q98.
What is 'Dark Launching' and how does it differ from a Canary release?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q99.
What is shadow deployment (traffic mirroring), and when would you use it?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q100.
What criteria would you use to trigger an automated rollback during a deployment?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q101.
How do you identify and resolve bottlenecks in a CI/CD pipeline that has slowed down over time?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q102.
Why is the "Continuous Integration" part of the pipeline often considered the most difficult to maintain as a team grows?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q103.
How do you ensure a CI/CD pipeline remains "fast" without sacrificing reliability?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q104.
What is Policy as Code, and how does it support compliance in a DevOps pipeline?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q105.
How do you approach secrets rotation as an ongoing practice rather than a one-time setup?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q106.
How does adopting serverless/FaaS change your delivery and operational responsibilities?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q107.
What are the delivery and operational trade-offs of a microservices architecture versus a monolith?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q108.
What is the difference between push-based and pull-based monitoring, and what are the trade-offs?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q109.
Can you explain the RED method and the USE method for monitoring, and when each applies?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q110.
What is "Chaos Engineering," and what is the goal of injecting failure into a production system?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q111.
What are RTO and RPO, and how do they shape a disaster recovery strategy?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q112.
What is the circuit breaker pattern, and why is it relevant to operating resilient services?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q113.
How do you implement the "Principle of Least Privilege" within a CI/CD pipeline?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q114.
What is Software Supply Chain Security, and why is it a DevOps concern?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q115.
How would you design a CI/CD pipeline for a monorepo with multiple services to avoid full rebuilds on every commit?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q116.
How does capacity planning fit into an SRE/DevOps practice?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q117.
What is an Internal Developer Platform, and how does self-service infrastructure help delivery?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Q118.
How do you think about cost management (FinOps) as part of DevOps operations?

Senior
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.