
CI/CD Interview Questions (50+ Detailed Q&A)

1. Concepts & Pipelines

Answer:
  • CI (Integration): Merge code often -> Build -> Test. Detect bugs early.
  • CD (Delivery): Code is ready to deploy. Artifact created. Manual approval to Prod.
  • CD (Deployment): Zero touch. Pass test -> Auto Deploy to Prod.
Answer: Running a script twice produces the same result. Example: mkdir flow fails the 2nd time; mkdir -p is idempotent. Ansible/Terraform are idempotent.
Answer: Checkout -> Lint -> Compile/Build -> Unit Test -> SAST -> Package (Docker) -> Publish Artifact -> Deploy Dev -> Integration Test -> Deploy Staging -> E2E Test -> Deploy Prod.
Answer:
  • Mutable: SSH into server, apt-get update. Drift happens. Hard to reproduce.
  • Immutable: Build new Image/VM. Replace old one. Consistent. Rollback easy.
Answer:
  • Provisioning: Create Infra (Terraform, CloudFormation).
  • Config Mgmt: Configure OS/Software (Ansible, Chef, Puppet).
Answer:
  • Monorepo: Smart change detection needed (Did /lib change? Build all dependents). Shared tooling.
  • Polyrepo: Simple. Repo change = Pipeline run. Dependency hell.
Answer: Store binaries (Jar, Docker Image). Nexus, Artifactory, Container Registry. Versioned, Immutable.
Answer:
  • SaaS (GitHub Actions): Easy. Pay/min. Security risk (Shared environment).
  • Self-hosted: Control hardware, Network access (VPC), Cheaper at scale. Maintenance overhead.
Answer: Defining workflow in YAML/Groovy (Jenkinsfile, .gitlab-ci.yml) stored in Git. Version controlled, Peer reviewed.
Answer: Splitting tests (Unit, Integration, Lint) to run concurrently to reduce pipeline time. Matrix builds (Node 14, 16, 18).

2. Testing Strategies

Answer: Shape: Pyramid.
  • Base: Unit (70%). Fast, Cheap.
  • Middle: Integration (20%).
  • Top: E2E (10%). Slow, Flaky.
If inverted (Pizza/Ice Cream Cone): Anti-pattern. Slow feedback loop.
Answer:
  • Unit: Single function/class. Mock everything.
  • Integration: Interaction (Service + DB).
  • E2E: Full user journey (Selenium/Cypress). Real browser.
Answer:
  • Smoke: “Is it on fire?”. Basic check (Can I login?). Run after deployment.
  • Sanity: Check specific new functionality.
Answer: % of code executed during tests. Metric, not goal. 100% coverage doesn’t mean bug free.
Answer: Check code without running it. Formatting, Syntax, Potential bugs. ESLint, SonarQube.
Answer: Testing early in the lifecycle (Dev machine, pre-commit) rather than waiting for QA phase.
Answer: Passes sometimes, fails others (Timing, Network). Fix: Retries, isolate environment, replace sleep() with waitFor().
Answer: For Microservices. Ensures Consumer and Provider agree on API schema. Prevents breaking changes.
Answer:
  • Load: Normal expected load.
  • Stress: Breaking point.
  • Soak: Long duration (Memory leaks).
  • Spike: Sudden burst.
Tools: JMeter, K6.
Answer: Don’t use Prod data (Privacy). Synthetic data or Anonymized dump. Reset after test.

3. Deployment Patterns

Answer: PROD (Blue). Deploy to Idle (Green). Test Green. Switch Load Balancer -> Green. Rollback: Switch back. Cost: Double resource usage.
Answer: Deploy to small % (5%). Monitor metrics (Errors, Latency). Gradually increase (10%, 50%, 100%). Limits blast radius.
Answer: Replace instances one by one (or batch). Zero downtime. Risk: Version compatibility (Running v1 and v2 same time).
Answer: Deploy code to prod but keep it hidden behind if (flag). Decouples Deployment (Binary move) from Release (Feature visibility). A/B Testing.
Answer: Traffic copy (Mirroring). Send Request to v1 and v2. Return v1 result. Compare v2 result async. Test accuracy/performance without user impact.
Answer: Git is Truth. Cluster Agent (Argo) pulls state from Git -> Applies to K8s. Detects Drift (Manual changes reverted).
Answer: Down all old. Up all new. Downtime exists. Needed if Schema change is backward incompatible or Singleton app.
Answer: Auto-rollback on health check failure. Versioned artifacts essential. Database rollback is the hard part (Backward compatible schema changes).
Answer: Experiment. Group A sees feature X, Group B sees Y. Measure conversion. Business decision, not just technical.
Answer: Artifact built ONCE. Promoted Dev -> QA -> Prod. Configuration injected per env (Env vars). Never rebuild for Prod (risk of shipping different code).

4. Security (DevSecOps)

Answer:
  • SAST: Static. Source Code scan. (Whitebox). Find SQLi pattern.
  • DAST: Dynamic. Running App scan. (Blackbox). Attack running endpoint.
Answer: Software Composition Analysis. Check package.json against CVE database (Snyk, Dependabot). Find vulnerable libraries.
Answer: Scan Docker layers for OS vulnerabilities (Trivy, Clair).
Answer: Never commit output. Use GH Secrets / Vault. Mask secrets in logs.
Answer: CI Runner should have minimal IAM permissions. Don’t give Admin.
Answer: GPG signing. Verify author identity.
Answer: Attacker compromises a dependency (npm, pip) or build tool (SolarWinds). Mitigation: Lockfiles, Vendor dependencies, SLSA.
Answer: Notary / Cosign. Ensures image running in Prod is the one built by CI.
Answer: OPA (Open Policy Agent). Ensure Infra meets rules (No public Buckets) in pipeline.
Answer: Ephemeral runners (clean slate). Network isolation. Audit logs.

5. Tools & Troubleshooting

Answer: Running Docker commands inside a Docker container (Agent). Needs Privileged mode (Security risk) or Socket binding. Kaniko builds images without Daemon.
Answer:
  • Jenkins: Old, Powerful, Plugin hell, Self-hosted maintenance.
  • GHA: YAML, Integrated, Marketplace, SaaS.
Answer: Cache node_modules or maven repo. Speeds up build. Use checksum of lockfile as cache key.
Answer: Major.Minor.Patch (1.0.0). Breaking.Feature.Fix.
Answer: Conventional Commits (feat: login, fix: bug). Auto generate changelog based on types.
Answer:
  1. Read Logs.
  2. Reproduce locally.
  3. Check environment diff (Env vars).
  4. Flakiness?
Answer: Store State remotely (S3 + Locking). Never in Git.
Answer: Run as a Job in CD (Pre-sync hook). Tools: Flyway, Liquibase.
Answer: Trigger deploy via Slack bot (/deploy prod). Visibility for team.
Answer: Measuring DevOps performance.
  1. Deployment Frequency.
  2. Lead Time for Changes (Code to Prod).
  3. Change Failure Rate.
  4. Time to Restore Service (MTTR).