Design secure Kubernetes with CI/CD

Q: Design secure Kubernetes with CI/CD

This is a System Design interview question from Salesforce for Software Engineer roles. View the full question and solution on PracHub.

Q: How do I approach System Design interview questions?

System Design questions require understanding of core concepts and practice. PracHub provides solutions with explanations to help you master system design interviews.

Question

Kubernetes Architecture, Troubleshooting, Security, and CI/CD (GKE/EKS)

Context: You are the on-call software engineer for a managed Kubernetes cluster (GKE or EKS). Answer the following sections concisely and practically as if in a technical screen.

1) Control Plane Components

Describe the purpose and responsibilities of these components:

API server
Scheduler
Controller manager
etcd

2) Worker Node Responsibilities

Explain what runs on worker nodes and the role of each:

kubelet
kube-proxy
CRI (container runtime)
CNI (networking)

3) CrashLoopBackOff Diagnosis and Fix

A Deployment rollout is stuck with Pods in CrashLoopBackOff. Walk through the kubectl commands you would run and the key signals you would inspect to identify root cause and fix it.

4) Security Hardening Plan

Propose a practical hardening plan covering:

RBAC and least privilege for humans and services
NetworkPolicy (ingress and egress)
Secrets at rest with KMS and runtime access
Pod security standards and securityContext defaults
Image scanning and supply-chain integrity
Admission controls and policy enforcement

5) CI/CD for GKE/EKS with Canary and Rollbacks

Design an end-to-end pipeline (tools are your choice) that:

Builds, tests, scans, signs, and deploys images/manifests
Performs progressive delivery (canary) with automatic or manual promotion
Supports rapid, safe rollback