NCP-CN Nutanix Certified Professional - Cloud Native (NCP-CN-6.10) Question and Answers

NKP uses Cluster API (CAPI) to provision and manage Kubernetes clusters across supported infrastructures, including Nutanix AHV, vSphere, AWS, and GCP. CAPI components, such as controllers and providers, are deployed to manage the lifecycle of clusters on these platforms. However, when NKP attaches to a managed Kubernetes service like Azure Kubernetes Service (AKS), CAPI components are not deployed because AKS is managed by Azure, and NKP only integrates with the cluster for fleet management, not provisioning.

The NKPA course explains: “For managed Kubernetes services like AKS, NKP attaches the cluster to its management plane without deploying CAPI components, as the underlying infrastructure is managed by the cloud provider.” The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide reinforces this: “CAPI is used for NKP-managed clusters on Nutanix, vSphere, AWS, and GCP, but not for attached managed services like AKS.”

Incorrect Options:

A. vSphere: NKP deploys CAPI components (e.g., CAPV provider) to manage vSphere-based clusters.

B. GCP: NKP deploys CAPI components (e.g., CAPG provider) for GCP-based clusters.

C. Nutanix: NKP deploys CAPI components (e.g., CAPA provider for AHV) for Nutanix AHV clusters.

NKP Platform Applications (e.g., Rook Ceph, Prometheus, Fluent Bit) are pre-integrated tools that can be deployed to Kubernetes clusters within a workspace to provide services like storage, monitoring, and logging. The NKPA course specifies that to deploy a platform application to all clusters in a workspace from the command line, the engineer uses the nkp create appdeployment command. This command creates an application deployment resource that targets the specified workspace and clusters.

The required parameters include the application ID (to identify the platform application), the version (to specify the desired version of the application), and the NKP workspace (to define the scope of clusters). For example: nkp create appdeployment --app-id prometheus --version 2.30.0 --workspace fin-vd. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Use the nkp create appdeployment command to deploy platform applications, specifying the application ID, version, and target workspace to apply the deployment across all clusters in that workspace.”

Incorrect Options:

B. nkp deploy platform-app: This is not a valid NKP command. The correct command is nkp create appdeployment.

C. nkp deploy app: This is not a recognized command in the NKPA documentation.

D. kubectl create appdeployment: kubectl interacts with Kubernetes resources, not NKP-specific platform applications.

The NKPA 6.10 documentation clarifies that when creating a workload cluster using the nkp create cluster command, specifying the target workspace (namespace) is critical for properly associating the workload cluster with that workspace in the NKP UI. If the --namespace parameter is omitted, the cluster is provisioned in the default workspace, not in the intended workspace (in this case, code-green).

Key documentation excerpt:

“If you do not specify the workspace (namespace) using the --namespace parameter when creating a cluster, the cluster will be created in the default workspace. It will not appear in custom workspaces until manually assigned.”

NKP uses the Cluster Autoscaler to scale worker node replicas up or down. This ensures that resource availability dynamically matches workload demand by adjusting the number of worker nodes. Pod-level autoscaling (Horizontal-Pod autoscaler) is also supported for pod scaling but is not responsible for node pool expansion or compaction.

Key Reference:

“NKP uses the Cluster Autoscaler to dynamically adjust worker node pool replicas in response to cluster resource demands.”

As outlined in the NKPA 6.10 documentation, Goss is used to validate that an OS image meets the requirements to serve as an NKP node (such as the presence of required packages, kernel modules, and system settings). Goss is not used to modify or harden the image; rather, it validates conformance.

Key reference:

“During the image build process, Goss tests validate that the image meets the required standards for use as a Kubernetes node in NKP deployments.”

The NKPA course specifies that the NKP CLI is the primary tool for deploying NKP clusters with advanced configurations, such as those required for a dark site environment, custom Service and Pod CIDR blocks, and Nutanix AHV clusters. The NKP CLI (nkp) provides granular control over cluster creation, allowing administrators to specify custom networking parameters and air-gapped deployment settings via command-line flags or configuration files.

For a dark site deployment, the NKP CLI uses an Air-Gapped Bundle to provide all necessary dependencies. Custom CIDR blocks are configured using flags like --service-cidr and --pod-cidr during the nkp create cluster command. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “The NKP CLI is used to deploy clusters with custom configurations, including dark site readiness and custom networking, on Nutanix AHV clusters.” For example: nkp create cluster --air-gapped --service-cidr 10.96.0.0/12 --pod-cidr 192.168.0.0/16 --infrastructure nutanix-ahv.

Incorrect Options:

A. kubectl CLI: kubectl manages Kubernetes resources, not NKP cluster deployment.

B. NKP GUI: The GUI supports basic deployments but lacks the flexibility for custom CIDR and dark site configurations.

D. OCP CLI: OpenShift (OCP) is a separate platform, not used for NKP deployments.

NKPA 6.10 recommends leveraging workspaces to isolate different tenants (clients) in a multi-tenant environment. LDAP connectors can be scoped to individual workspaces, allowing separate authentication and RBAC configurations per client.

Key reference from documentation:

“In multi-tenant scenarios, create a dedicated workspace for each tenant and configure a unique LDAP connector within that workspace to integrate their identity source.”

The exhibit shows the NKP UI with the "Create Cluster" option grayed out in a new workspace, indicating that a prerequisite for cluster creation is missing. The NKPA course explains that to create a new Kubernetes cluster in a workspace, an Infrastructure Provider must be configured for that workspace. An Infrastructure Provider defines the underlying infrastructure (e.g., Nutanix AHV, AWS, vSphere) where the cluster will be provisioned, and without it, the Create Cluster option remains disabled in the UI.

The NKP Ultimate license supports creating clusters across various infrastructures, but the workspace must be associated with an Infrastructure Provider to enable cluster creation. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Before creating a cluster in a new workspace, ensure an Infrastructure Provider is configured for the workspace in the NKP UI; otherwise, the Create Cluster option will be grayed out.” The engineer should navigate to the Infrastructure Providers section in the NKP UI (typically under the Global or Administration view), create a provider (e.g., for Nutanix AHV, AWS, or vSphere), and associate it with the workspace. Once this is done, the Create Cluster option will become available.

Incorrect Options:

A. Create the cluster only using YAML and not the GUI: The issue is not with the GUI itself but with the missing Infrastructure Provider, which affects both GUI and CLI cluster creation. YAML alone does not resolve this.

B. Attach existing clusters instead of creating a new cluster: Attaching existing clusters is an alternative but does not address the requirement to create a new cluster.

D. Ensure NKP is upgraded to a minimum version of 2.12: The NKP Ultimate license implies a recent version, and the course does not indicate that version 2.12 is specifically required for this functionality. The issue is configuration-related, not version-related.

According to the NKPA 6.10 documentation, Rook Ceph is the recommended out-of-the-box storage solution integrated with NKP for persistent data storage, backups, and object storage within the Kubernetes environment.

Key Reference:

“Rook Ceph is integrated with NKP for providing persistent storage and backup support within the cluster.”

The NKPA course specifies the supported operating systems for NKP clusters deployed using the Nutanix provisioning method (CAPX), which leverages Cluster API for Nutanix (CAPX) to provision clusters on Nutanix AHV. The supported OS platforms for CAPX are Rocky Linux and Ubuntu, as these distributions are tested and optimized for Nutanix infrastructure and Kubernetes requirements.

Rocky Linux is a CentOS replacement adopted by Nutanix after CentOS 8’s end-of-life in 2021, providing a stable, enterprise-grade OS. Ubuntu, particularly LTS versions like 20.04 or 22.04, is widely supported due to its compatibility with Kubernetes and Nutanix AHV. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “When deploying NKP with the Nutanix provisioning method (CAPX), the supported OS platforms are Rocky Linux and Ubuntu, ensuring compatibility with Nutanix AHV and Kubernetes.” These OS images are typically prepared using NKP Image Builder (NIB) to include necessary components like kubeadm and containerd.

Incorrect Options:

A. CentOS and Rocky Linux: CentOS 8 is no longer supported post-2021, and Nutanix has shifted to Rocky Linux.

C. Flatcar, Rocky Linux, and Ubuntu: Flatcar Container Linux is not a supported OS for CAPX in NKP deployments.

D. CentOS and Ubuntu: CentOS is not supported, as noted above.

As per the “Nutanix Kubernetes Platform Administration (NKPA)” documentation, during the preparation of the environment for an air-gapped deployment, the first task involves installing critical software packages on the bastion host. The bastion host acts as a jump host in a secure network and requires tools such as yum-utils, bzip2, and wget to facilitate the retrieval and processing of required images and configuration files.

Specifically, in the NKPA 6.10 course under "Preparing the Air-gapped Environment", the documentation clearly states:

"The initial step for configuring the bastion host includes installing required pre-requisites like yum-utils, bzip2, and wget. This ensures that the host has the basic tools to download and manage required container images and other dependencies."

This step is explicitly called out as the first actionable item before proceeding to more advanced tasks like configuring public IP access or creating a bootstrap cluster. The need for these pre-requisite packages is foundational, as they are required to handle image downloading and manipulation in the subsequent steps of the air-gapped installation process.

According to the NKPA 6.10 documentation, the Pre-provisioned infrastructure provider (CAPPP) requires the user to provide an inventory file of the servers that will become the cluster nodes. This inventory file contains connection information (IP addresses, credentials, etc.) for each pre-provisioned node, enabling the Cluster API to connect and configure these servers directly during cluster creation.

The NKPA course explains that NKP provides a role-based access control (RBAC) system to manage permissions within its platform, in addition to Kubernetes-native RBAC. For a development team needing limited permissions to perform specific tasks (deploying applications, scaling deployments, viewing logs and metrics) within a specific namespace, the appropriate access type in the NKP GUI is an NKP Role.

NKP Roles are predefined or custom roles within the NKP platform that map to Kubernetes RBAC permissions but are managed through the NKP UI for ease of use. They allow granular control over actions within a workspace or namespace, ensuring the team can perform their tasks (e.g., deploy, scale, get logs) without having access to other environments or cluster-wide resources. For example, an NKP Role like “Developer” or a custom role can be configured to grant edit permissions in the team’s namespace while restricting access elsewhere. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “In the NKP GUI, configure an NKP Role to grant limited permissions to a development team, allowing actions like deploying applications and viewing logs within their namespace while preventing unauthorized changes in other environments.”

Incorrect Options:

B. Cluster Role: A Kubernetes Cluster Role grants permissions across all namespaces, which is too broad for the team’s limited access requirement.

C. Cluster Admin: This grants full administrative access to the entire cluster, far exceeding the team’s needs and violating the principle of least privilege.

D. Kommander Role: Kommander is a management component in NKP, but “Kommander Role” is not a specific access type in the NKP GUI for this purpose.

The primary benefit of a private registry is to ensure security and privacy for container images, especially when dealing with sensitive data and compliance requirements (such as financial or government use cases). While secure connections to public registries like DockerHub or GitHub container registries are possible, using a private registry ensures full control over image access and auditing.

Key reference:

“Private registries ensure images remain within the security and compliance boundaries of the enterprise, avoiding potential risks associated with public SaaS registries.”

The NKPA 6.10 documentation outlines that in air-gapped environments where default pod network CIDR conflicts exist, the cluster manifest (created via the nkp create cluster command) should be updated to specify an alternate, non-conflicting pod CIDR block range before deployment.

According to the NKPA 6.10 documentation, licensing in an NKP cluster is constrained by the total number of vCPUs assigned to all nodes (workers and control planes). In this scenario, the cluster has a maximum of 150 vCPUs available.

The existing output shows 10 worker nodes, each with 8 vCPUs (10×8=80 vCPUs) and 3 control plane nodes, each with 4 vCPUs (3×4=12 vCPUs).

Current vCPU usage: 80 + 12 = 92 vCPUs.

Remaining vCPUs: 150 - 92 = 58 vCPUs.

Option A:

Adding 6 control plane nodes (6×4=24 vCPUs).

This would increase control planes to 9 total (3 existing + 6 new). Control plane nodes would consume 9×4=36 vCPUs.

Worker nodes remain at 80 vCPUs.

Total vCPU usage: 36 + 80 = 116 vCPUs (still under 150 vCPUs).

However, it’s unusual and unnecessary to have 9 control planes in a typical NKP setup. NKPA and NCP-CN best practices indicate typically no more than 3 or 5 control planes for HA. Therefore, this is technically possible but not recommended or standard practice. So not selected.

Option B:

Expanding the existing worker nodepool by 8 nodes (8×8=64 vCPUs).

This would add 64 vCPUs to the current 92 vCPUs:

92 + 64 = 156 vCPUs → exceeds licensing limit.

Correction: The question specifies “expand up to 8 nodes,” so it’s possible to expand by only 7 nodes (7×8=56 vCPUs).

92 + 56 = 148 vCPUs → within licensing limits.

Thus, expanding by up to 7 nodes is valid.

Option C:

Creating a new worker nodepool with 10 nodes (10×8=80 vCPUs).

This would add 80 vCPUs to the existing 92 vCPUs:

92 + 80 = 172 vCPUs → exceeds 150 vCPU licensing limit.

Not valid.

Option D:

Expanding the original worker nodepool by up to 4 nodes (4×8=32 vCPUs) = +32 vCPUs.

Adding a new nodepool of 6 nodes with 4 vCPUs/node (6×4=24 vCPUs) = +24 vCPUs.

Total increase: 32 + 24 = 56 vCPUs.

Total vCPU usage: 92 + 56 = 148 vCPUs → within the 150 vCPU limit.

Thus, valid.

Extract Reference:

NKPA 6.10 – “Cluster Sizing and Licensing”

Nutanix Kubernetes Platform Administration (NKPA) – Licensing Considerations

"The total number of vCPUs for all nodes (control planes and workers) must not exceed the licensed vCPU capacity of the NKP deployment."

This confirms that Options B and D are the two valid approaches to expand the cluster while remaining compliant with licensing constraints.

To push the NKP Catalog Applications image bundle to a private registry, the official nkp push bundle command must be used with the specified parameters to authenticate and push the bundle to the registry.

Exact extract:

“Use the nkp push bundle command to upload the NKP catalog applications image bundle to the specified private registry, ensuring secure and complete image upload.”

The kube-prometheus-stack is a key component of NKP’s monitoring stack, providing tools for metrics collection, visualization, and alerting. The NKPA course explains that Alertmanager, a component of the kube-prometheus-stack, is responsible for handling alerts generated from Prometheus metrics. It aggregates, deduplicates, and routes notifications to the appropriate channels (e.g., email, Slack, PagerDuty), ensuring that the Platform Engineer stays informed of critical events and anomalies in the NKP cluster, such as node failures, resource exhaustion, or application errors.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Alertmanager in the kube-prometheus-stack processes alerts from Prometheus, enabling administrators to stay informed of cluster events through configured notification channels.” By configuring Alertmanager with appropriate routing rules and receivers, the engineer can receive real-time notifications about cluster events, driving proactive management and productivity.

Incorrect Options:

A. prometheus-operator: The operator manages Prometheus and related resources but does not directly handle event notifications.

B. service monitors: Service monitors define how Prometheus scrapes metrics, not how events are communicated.

D. node-exporter: Node-exporter collects node-level metrics, not event notifications.

As per the NKPA 6.10 documentation, the correct approach for deleting an entire NKP-managed cluster (including nodes and deployed applications) is to use the nkp delete cluster command with the cluster name and --kubeconfig parameter. The --self-managed flag ensures the deletion of resources provisioned by the cluster.

Exact extract:

“Use nkp delete cluster --cluster-name= --self-managed --kubeconfig= to delete a cluster and its associated resources.”

When deploying NKP to AWS, the bootstrap process requires AWS credentials to interact with AWS APIs for provisioning resources like EC2 instances. The NKPA course specifies that the nkp CLI supports the --aws-profile flag to specify a custom AWS profile for authentication. This profile, defined in the AWS credentials file (~/.aws/credentials), contains the access key and secret key for the desired AWS account.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To deploy NKP on AWS with custom credentials, use the --aws-profile= flag during the nkp create bootstrap command to reference a specific AWS profile.” This approach leverages the AWS CLI’s profile management, ensuring secure and flexible credential handling. For example, the command would be nkp create bootstrap --aws-profile=my-profile --kubeconfig bootstrap-cluster.conf.

Incorrect Options:

B. --cloud-credentials=<my-profile></my-profile>: This flag is not used by the nkp CLI. The NKPA course specifies --aws-profile for AWS.

C. --with-aws-bootstrap-credentials=true: This flag does not exist in the NKPA documentation for NKP bootstrap.

D. --aws-access-key=<aws access="" key=""> --aws-secret-key=<aws secret="" key=""></aws></aws>: While these flags may be used in some tools, the NKPA course recommends using --aws-profile to avoid hardcoding sensitive credentials.

The Nutanix Kubernetes Platform (NKP) uses workspaces to provide isolated environments for different teams or projects, allowing each team to manage its own clusters, applications, and resources independently. According to the NKPA course, creating a new workspace is a key Day 2 operation to support multi-tenancy and isolated development environments, such as those required for the microservices in this scenario.

The course specifies that to create a new workspace, users must navigate to the workspace selection dropdown list in the top menu bar of the NKP user interface (UI) and select Create Workspace. This action opens a form where administrators can define the workspace name, description, and associated resources (e.g., clusters, users, and policies). The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To create a new workspace in NKP, go to the workspace selection dropdown in the UI and select ‘Create Workspace’ to configure an isolated environment for a team or project.” This process ensures that each microservice team has its own isolated environment for development and testing, with access restricted to their specific workspace.

Incorrect Options:

A. From the Cluster selection, select Add Cluster: Adding a cluster creates a new Kubernetes cluster within an existing workspace, not a new workspace. The NKPA course distinguishes between cluster and workspace creation.

C. From the workspace selection dropdown list in the top menu bar, select Add Workspace: The NKPA course and UI use “Create Workspace” as the standard terminology, not “Add Workspace.”

D. From the Administration selection dropdown list in Infrastructure Providers, select Add Infrastructure Provider: This option is for configuring infrastructure providers (e.g., AWS, vSphere) for NKP, not for creating workspaces.

In an air-gapped NKP environment with no Internet access, a bastion host is a critical component for secure management. The NKPA course defines the primary purpose of a bastion host as providing a secure point for creating and operating NKP clusters. The bastion host acts as a jump server, allowing administrators to securely access the isolated environment, manage cluster deployments, and perform operations like cluster creation, scaling, and upgrades without exposing the environment to external threats.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “In a dark site NKP deployment, a bastion host serves as a secure entry point for administrators to create, manage, and operate NKP clusters, ensuring isolation from external networks.” The bastion host is configured with SSH keys and tools like the NKP CLI to facilitate secure interactions with the cluster infrastructure.

Incorrect Options:

A. To store and manage sensitive data: The bastion host is not a storage system; its role is access and management, not data storage.

C. To serve as a load balancer: A bastion host does not perform load balancing; that role is handled by Kubernetes components like MetalLB or cloud-native load balancers.

D. To act as a firewall: While a bastion host enhances security, it is not a firewall. Firewalls are separate components in the network architecture.

The NKPA course clarifies that NKP licenses are based on the number of CPU cores in the infrastructure hosting the Kubernetes clusters. This licensing model applies to both on-premises (e.g., Nutanix AHV) and cloud-based deployments. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “NKP licenses are obtained based on the total number of CPU cores allocated to the clusters managed by the platform.” This core-based licensing ensures flexibility across different infrastructure types while aligning with the resource consumption of Kubernetes workloads.

Incorrect Options:

A. Flash: Flash storage is not a licensing unit for NKP.

B. CPU Sockets: Nutanix licenses for other products may use sockets, but NKP uses cores.

C. TiBs: Terabytes are used for storage licensing, not NKP.

The NKPA course explains that NKP’s monitoring stack includes Prometheus for metrics collection and storage, and Fluent Bit for log collection and forwarding. To retain system resource utilization data over several months, the company must focus on Prometheus, as it is responsible for storing time-series metrics data, such as CPU, memory, and network utilization, which are critical for long-term trend analysis.

To handle the increased workload from the online retail application, the Platform Engineer should adjust Prometheus by increasing its container resource limits and memory settings to ensure it can process and store more metrics, and increasing its storage to retain data for several months. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “For long-term metrics retention in NKP, scale the Prometheus deployment by increasing its resource limits (CPU and memory) and expanding its persistent storage to accommodate larger time-series data.” This involves editing the Prometheus deployment’s resource settings (e.g., via kubectl edit deployment) and updating the PersistentVolumeClaim (PVC) to allocate more storage.

Incorrect Options:

A. Adjust the number of replicas for Fluent Bit: Fluent Bit handles logs, not metrics. Increasing replicas does not address long-term metrics storage.

B. Adjust the number of replicas for Prometheus: Increasing replicas improves availability but does not directly address storage or resource needs for metrics retention.

C. Adjust the resource settings for Fluent Bit: Fluent Bit is for log collection, not metrics storage, and is not relevant for this use case.

The Secure Tunnel feature in NKP relies on HTTPS (TCP port 443) to establish secure, encrypted connections between the attached cluster and the management cluster, enabling fleet management even in restricted network environments.

Exact extract:

“Secure Tunnel uses TCP/443 (HTTPS) for establishing a secure connection between the attached cluster and NKP.”

Continuous Deployment (CD) is the practice of automatically deploying new software releases across environments after a successful build and testing phase. In the context of NKP, enabling CD ensures that software changes are consistently and reliably rolled out to all clusters associated with a project, ensuring operational uniformity and rapid feature adoption.

According to the NKPA 6.10 documentation under the “Preparing for FIPS Compliance” section, the first step for enabling FIPS in an NKP environment is to ensure that the underlying operating system (OS) or OS images are correctly configured for FIPS mode. The Nutanix Kubernetes Platform can only leverage FIPS-compliant cryptographic modules if the underlying OS is already configured for FIPS operation.

Specifically, the documentation states:

"Before enabling FIPS in NKP, ensure that the OS or OS images are prepared and configured to operate in FIPS mode, following the vendor’s guidelines. Once the OS is in FIPS mode, the NKP cluster components can be provisioned with FIPS support."

This foundational step is critical to ensure cryptographic consistency and compliance throughout the NKP stack.

The error states:

pgsql

Copy

error upgrading CAPI components: unable to upgrade CAPI components: deployment "capp-controller-manager" is not ready after 10m0s: failed to connect to the management cluster: context deadline exceeded

This clearly points to connectivity issues between the VM (or nodes) and the management cluster, typically caused by registry communication issues in air-gapped or private environments. When the VM cannot connect to the registry to pull required images or configuration, the CAPI (Cluster API) components cannot be initialized, causing a timeout.

Key Reference:

Nutanix Kubernetes Platform Administration (NKPA) 6.10 – “Air-Gapped and Registry Communication Issues”

NCP-CN 6.10 Study Guide – “Cluster API Upgrade Process and Network Prerequisites”

=======