CNPA Exam Dumps : Certified Cloud Native Platform Engineering Associate

The most effective approach for scalable Kubernetes infrastructure provisioning is Crossplane compositions. Option D is correct because compositions let platform teams define custom CRDs (Composite Resources) that abstract infrastructure details while embedding organizational policies and guardrails. Developers then consume these abstractions through simple Kubernetes-native APIs, enabling self-service at scale.

Option A (Helm with values.yaml) is useful for application deployment but not for scalable infrastructure provisioning across multiple clouds. Option B (imperative scripts) lacks scalability, repeatability, and governance. Option C (static YAML with kubectl apply) is manual and not suited for dynamic, multi-team environments.

Crossplane compositions allow platform teams to curate golden paths while giving developers autonomy. This reduces complexity, ensures compliance, and supports multi-cloud provisioning—all key aspects of platform engineering.

Modern platform engineering requires security and compliance to be integral parts of the delivery process, not afterthoughts. CI/CD pipelines are the foundation for delivering platform software rapidly and reliably, and integrating SBOM generation and automated vulnerability scanning directly within pipelines ensures that risks are identified early in the lifecycle.

Option B is correct because it reflects recommended practices from cloud native platform engineering standards: SBOMs provide a transparent inventory of all software components, including dependencies, which is crucial for vulnerability management, license compliance, and supply chain security. By automating these steps in CI/CD, teams can maintain both velocity and security without manual overhead.

Option A downplays the relevance of SBOMs for platform software, which is inaccurate because platform components (like Kubernetes operators, ingress controllers, or logging agents) are equally susceptible to vulnerabilities. Option C dismisses automation in favor of periodic audits, which contradicts the shift-left security principle. Option D misunderstands CI/CD’s purpose: security must be integrated, not separated.

A key advantage of using a service mesh is its ability to secure service-to-service communication transparently, without requiring application code changes. Option A is correct because service meshes (e.g., Istio, Linkerd) provide mutual TLS (mTLS) by default, ensuring both encryption in transit and authentication between services. This establishes a zero-trust networking model inside the cluster.

Option B (scaling) is managed by Kubernetes (Horizontal Pod Autoscaler), not service mesh. Option C (logging) may be supported as an observability feature, but it is not the primary security benefit. Option D (IP allowlisting) is an outdated, less flexible mechanism compared to identity-based policies that meshes provide.

Service meshes enforce security consistently across all services, support fine-grained policies, and ensure compliance without burdening developers with complex configurations. This makes mTLS a foundational benefit in cloud native platform security.