NCP-CN Nutanix Certified Professional - Cloud Native (NCP-CN-6.10) Question and Answers

The NKPA course explains that NKP supports auto-scaling for clusters using Cluster API (CAPI), which manages the lifecycle of Kubernetes nodes. When auto-scaling is enabled, NKP monitors cluster workloads and automatically adjusts the number of nodes based on demand. The behavior involvesCAPI creating or deleting nodesas needed to scale the cluster up or down, ensuring optimal resource utilization.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “NKP auto-scaling uses Cluster API to dynamically create or delete nodes in response to workload demands, ensuring the cluster scales efficiently.” For example, if the workload increases, CAPI provisions additional worker nodes; if demand decreases, CAPI deletes nodes to reduce costs.

Incorrect Options:

A. CPU is hot-added or hot-removed: Hot-adding/removing CPU is not a Kubernetes auto-scaling behavior; scaling involves adding/removing nodes.

B. Memory is hot-added or hot-removed: Similar to CPU, memory scaling at the node level is not supported in this context.

C. Power-On Status/Mode of a node is changed: Auto-scaling does not involve changing node power states; it adds or removes nodes.

When an attached cluster (e.g., an external cluster like EKS) is stuck in a 'deleting' state in the NKP UI, it indicates an issue with the reconciliation process in the NKP management cluster. The NKPA course explains that attached clusters are represented in NKP as KommanderCluster custom resources in the management cluster. To resolve a stuck deletion, the engineer must manually delete the KommanderCluster resource using kubectl in the context of the NKP management cluster.

The correct command iskubectl delete kommandercluster, executed in the context of the NKP management cluster (not the attached cluster). For example: kubectl delete kommandercluster -n . The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “If an attached cluster is stuck in a ‘deleting’ state, delete the corresponding KommanderCluster resource in the NKP management cluster using kubectl delete kommandercluster to remove it from management.” This ensures the cluster is fully detached and removed from the UI.

Incorrect Options:

A. kubectl delete cluster: There is no cluster resource type in this context; the correct resource is kommandercluster.

B. nkp delete kommandercluster: The nkp CLI does not have a delete kommandercluster subcommand.

D. nkp delete cluster in the attached cluster: This command is for deleting NKP-managed clusters, not detaching external clusters, and it should be run from the management cluster context.

According to theNKPA 6.10 documentation, thePre-provisioned infrastructure provider (CAPPP)requires the user to provide aninventory fileof the servers that will become the cluster nodes. This inventory file contains connection information (IP addresses, credentials, etc.) for each pre-provisioned node, enabling the Cluster API to connect and configure these servers directly during cluster creation.

The Nutanix Kubernetes Platform (NKP) is designed to simplify the deployment and management of Kubernetes clusters on Nutanix infrastructure, including on-premises AHV-based clusters in dark site environments with no Internet connectivity. The requirements specified in the question—dark site, Nutanix-provided Rocky Linux VM image, and AHV-based cluster—point to a deployment scenario where the environment must be self-contained and rely on Nutanix-specific tools and resources to meet the air-gapped constraints.

According to the Nutanix Kubernetes Platform Administration (NKPA) course, deploying NKP in a dark site environment requires specific prerequisites to ensure all necessary components, such as container images, dependencies, and configuration files, are available without Internet access. The course emphasizes the use of anAir-Gapped Bundleand anexisting local container registryas critical components for such deployments.

Air-Gapped Bundle (Option B):

The NKPA course explains that for dark site deployments, Nutanix provides anAir-Gapped Bundle, which is a comprehensive package containing all the software components, container images, and dependencies required to deploy and manage an NKP cluster without Internet connectivity. This bundle includes the Kubernetes binaries, NKP platform applications (e.g., Rook Ceph, monitoring tools), and other necessary artifacts.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide specifically states: “For air-gapped environments, the Nutanix Air-Gapped Bundle is required to provide all dependencies, including container images and installation files, to deploy NKP clusters.” This bundle is typically downloaded from the Nutanix Support Portal in an Internet-connected environment and then transferred to the dark site for deployment.

The bundle ensures that the Nutanix-provided Rocky Linux VM image, which serves as the base operating system for the Kubernetes nodes, can be provisioned with all required software components. The NKPA course further notes that the Air-Gapped Bundle is tailored for AHV-based clusters, ensuring compatibility with the Nutanix hypervisor.

Existing Local Container Registry (Option C):

In a dark site environment, a local container registry is a prerequisite to store and distribute container images required by the NKP cluster. The NKPA course highlights that NKP relies on container images for Kubernetes components, platform applications, and user workloads. In an air-gapped setup, these images cannot be pulled from public registries like Docker Hub or Quay.io.

The course instructs administrators to set up a local container registry (e.g., Harbor, Nexus, or a Nutanix-managed registry) and populate it with the container images included in the Air-Gapped Bundle. The Nutanix Cloud Bible reinforces this, stating: “In air-gapped deployments, a local container registry must be pre-configured to host all required images, which are provided as part of the Nutanix Air-Gapped Bundle.”

The local container registry ensures that the Kubernetes nodes, running on the Nutanix-provided Rocky Linux VM image, can access the necessary images during cluster bootstrapping and operation. The NKPA course provides guidance on configuring the registry and integrating it with the NKP deployment process.

Incorrect Options:

Konvoy Image Builder (Option A):

Konvoy Image Builder is a tool associated with D2iQ’s Konvoy platform, used to create custom machine images for Kubernetes deployments. While it can be used to build images for Kubernetes nodes, it is not a Nutanix-specific tool nor a prerequisite for NKP deployments. The NKPA course and NCP-CN 6.10 Study Guide do not mention Konvoy Image Builder, as NKP uses the Nutanix-provided Rocky Linux VM image, which is pre-configured for AHV-based clusters. This option is irrelevant to the Nutanix ecosystem.

Self-managed AWS cluster (Option D):

A self-managed AWS cluster is unrelated to the requirements of deploying NKP on an AHV-based cluster in a dark site. The question specifies an AHV-based cluster, which is Nutanix’s Acropolis Hypervisor running on-premises, not a cloud-based AWS environment. The NKPA course focuses on Nutanix infrastructure (AHV, Prism Central) for NKP deployments and does not include AWS as a supported platform for this scenario. This option is incorrect as it contradicts the deployment environment.

Deployment Context:

The Nutanix-provided Rocky Linux VM image is a pre-configured operating system image optimized for NKP deployments on AHV. The NKPA course notes that this image includes the necessary kernel settings, drivers, and configurations to run Kubernetes nodes efficiently on Nutanix infrastructure.

The AHV-based cluster requirement indicates that the deployment leverages Nutanix’s hypervisor, managed through Prism Central, to provision and manage the Kubernetes nodes. The Air-Gapped Bundle and local container registry ensure that all software components are available in the dark site, aligning with the NKPA course’s guidelines for air-gapped deployments.

Comprehensive and Detailed Explanation:

The correct procedure for deleting an NKP cluster involves using the nkp delete cluster command with the appropriate cluster name and namespace. This ensures that not only the Kubernetes resources but also the corresponding NKP resources (e.g., nodepools, Kommander integration) are deleted cleanly and consistently. Simply deleting the VMs does not clean up the associated NKP management objects. This approach is detailed in the NKP documentation for cluster lifecycle management, emphasizing the need to use the provided CLI commands for full removal.

The NKPA course details NKP’s monitoring stack for collecting and analyzing metrics across attached and managed clusters, which is critical for troubleshooting issues like out-of-memory errors. The engineer needs to collect centralized metrics and set up alerting to identify performance issues. The correct approach is to usePrometheusfor metrics collection andThanos Queryfor alerting (Option C).

Utilize Prometheus to collect and present centralized metrics on NKP attached and managed clusters: Prometheus is NKP’s default metrics collection tool, deployed as a platform application. It scrapes metrics (e.g., CPU, memory usage) from nodes, pods, and services across all clusters in a workspace, centralizing them for analysis. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Prometheus is used in NKP to collect and present centralized metrics from attached and managed clusters, enabling detailed performance analysis.” This is ideal for identifying differences in memory usage causing the out-of-memory errors.

Configure Thanos Query to monitor and send out alerts based on the metric thresholds that have been configured within it: Thanos Query, part of NKP’s monitoring stack, aggregates Prometheus metrics across clusters and provides a unified query interface. It also integrates with Alertmanager to send alerts based on configured thresholds (e.g., memory usage > 90%). The NKPA course notes: “Use Thanos Query to monitor metrics across NKP clusters and configure alerts with Alertmanager to notify engineers of performance issues like out-of-memory errors.” This setup helps the engineer proactively address the issue.

Incorrect Options:

A & B. Utilize Fluentd and Fluent Bit: Fluentd and Fluent Bit are logging tools in NKP, used for collecting logs, not metrics. Metrics collection requires Prometheus.

D. Utilize Thanos to collect and present centralized metrics: Thanos does not collect metrics directly; it extends Prometheus by providing long-term storage and query aggregation. Prometheus is the primary collection tool.

The NKPA course details that backup and restore functionality in NKP is provided through integration with Velero, which supports backing up persistent volumes, cluster resources, and application data to S3-compatible storage. This functionality is considered an advanced feature and is included in higher-tier NKP licenses:NKP UltimateandNKP Pro.

NKP Ultimate: This top-tier license includes all NKP features, such as air-gapped deployments, fleet management, and backup/restore capabilities. It is designed for enterprise-grade environments requiring comprehensive disaster recovery.

NKP Pro: This mid-tier license also includes backup and restore functionality, catering to organizations needing robust data protection but not necessarily all the features of the Ultimate tier (e.g., air-gapped support).

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Backup and restore functionality, powered by Velero, is available in NKP Pro and NKP Ultimate license tiers, enabling protection of persistent volumes and cluster resources.” These licenses provide the necessary tools and support for configuring Velero with S3-compatible storage, scheduling backups, and performing restores in production environments.

Incorrect Options:

A. NKP Starter: The Starter tier is entry-level and does not include advanced features like backup and restore. It focuses on basic cluster management.

B. NKP Essential: This tier, if it exists in NKP’s licensing model, would be a lower tier and unlikely to include backup/restore functionality, as it is not mentioned in the NKPA course.

The NKPA course explains the role of a bootstrap cluster in NKP deployments, particularly in hybrid architectures involving Nutanix on-prem and Amazon EKS. A bootstrap cluster is a temporary Kubernetes cluster created during the deployment process to initialize Cluster API (CAPI) components, which manage the lifecycle of the target NKP clusters. The primary function of the bootstrap cluster is touse Cluster API for infrastructure-agnostic provisioning(Option D).

CAPI enables NKP to provision clusters across different infrastructures (e.g., Nutanix AHV, AWS EKS) in a consistent, infrastructure-agnostic manner. The bootstrap cluster runs the CAPI controllers (e.g., CAPX for Nutanix, CAPA for AWS) that orchestrate the creation of the target clusters, abstracting the underlying infrastructure details. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “The bootstrap cluster in NKP uses Cluster API to provide infrastructure-agnostic provisioning, enabling consistent cluster creation across diverse environments like Nutanix AHV and Amazon EKS.” This ensures that the same CAPI-based workflow can deploy clusters on both on-prem Nutanix and cloud-based EKS.

Incorrect Options:

A. Increases security from a single point of entry: A bastion host, not a bootstrap cluster, provides a single point of entry for security. The bootstrap cluster is temporary and focuses on provisioning.

B. Simplifies the networking requirements for Kubernetes: Networking is managed by the target cluster’s CNI (e.g., Calico), not the bootstrap cluster.

C. Saves cost by minimizing resources required for provisioning: The bootstrap cluster is temporary and does not significantly impact costs; its purpose is provisioning, not cost-saving.

In an air-gapped NKP deployment, the Konvoy bootstrap image (used to create the bootstrap cluster) must be available locally on the bastion host or in a private registry. The NKPA course specifies that after extracting the NKP Air-Gapped Bundle, the bootstrap image (e.g., konvoy-bootstrap-image-.tar) is a tarball that needs to be loaded into the Docker daemon on the bastion host before creating the bootstrap cluster.

The most viable command isdocker load -i konvoy-bootstrap-image-<version>.tar(Option A). This command loads the tarball into the local Docker daemon on the bastion host, making the image available for the nkp create bootstrap command to use. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “In an air-gapped environment, load the Konvoy bootstrap image on the bastion host using docker load -i to make it available for creating the bootstrap cluster.” After loading, the engineer can optionally tag and push the image to the private registry if needed, but the question focuses on loading the image on the host, which this command accomplishes.

Incorrect Options:

B. docker image tag: This command is syntactically incorrect (version appears twice, and .tar is not part of a tag). Tagging is a subsequent step after loading, not the primary action to load the image.

C. nkp push bundle: This is not a valid command for loading an image; it’s closer to a bundle management action, but the syntax is incorrect.

D. nkp load image: There is no nkp load image command in NKP; loading images is done via docker load.

A bastion host in a dark site environment serves as a secure entry point for managing the NKP deployment, providing access to the cluster infrastructure without direct Internet connectivity. The NKPA course outlines the prerequisites for preparing a Linux VM as a bastion host, focusing on secure access and time synchronization, which are critical for air-gapped Kubernetes deployments.

Get or create SSH Keys (Option B):The bastion host requires SSH keys to enable secure, passwordless access to the NKP cluster nodes and other infrastructure components (e.g., Nutanix AHV hosts). The NKPA course specifies that SSH keys must be generated or obtained and configured on the bastion host to facilitate secure communication during deployment and management tasks. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “For a bastion host in an NKP dark site deployment, ensure SSH keys are created or obtained to enable secure access to cluster nodes and infrastructure.” The engineer can generate SSH keys using ssh-keygen and distribute the public key to the target systems.

Enable NTP Service (Option D):Time synchronization is essential in Kubernetes clusters to ensure consistent logging, certificate management, and scheduling. In a dark site with no Internet access, the bastion host must be configured to synchronize time with an internal NTP (Network Time Protocol) server or act as an NTP server itself. The NKPA course emphasizes enabling the NTP service on the bastion host to maintain accurate time across the air-gapped environment. The NCP-CN 6.10 Study Guide notes: “Enable the NTP service on the bastion host to ensure time synchronization in a dark site NKP deployment, as Kubernetes requires accurate time for proper operation.” The engineer can enable NTP using commands like systemctl enable ntpd and configure it to use an internal time source.

Incorrect Options:

A. Install LDAP Server: LDAP is used for centralized authentication, but it is not a requirement for a bastion host in an NKP dark site deployment. The course focuses on SSH access instead.

C. Install Docker: While Docker is needed on Kubernetes nodes for container runtimes, the bastion host’s role is to provide secure access and management, not to run containers.

Continuous Deployment (CD) is the practice of automatically deploying new software releases across environments after a successful build and testing phase. In the context of NKP, enabling CD ensures that software changes are consistently and reliably rolled out to all clusters associated with a project, ensuring operational uniformity and rapid feature adoption.

According to theNKPA 6.10 documentationunder the “Preparing for FIPS Compliance” section, the first step for enabling FIPS in an NKP environment is to ensure that the underlying operating system (OS) or OS images are correctly configured for FIPS mode. The Nutanix Kubernetes Platform can only leverage FIPS-compliant cryptographic modules if the underlying OS is already configured for FIPS operation.

Specifically, the documentation states:

"Before enabling FIPS in NKP, ensure that the OS or OS images are prepared and configured to operate in FIPS mode, following the vendor’s guidelines. Once the OS is in FIPS mode, the NKP cluster components can be provisioned with FIPS support."

This foundational step is critical to ensure cryptographic consistency and compliance throughout the NKP stack.

The NKPA course outlines the process for deploying an NKP cluster on Nutanix AHV infrastructure using the NKP CLI. For a prompt-based deployment, where the administrator is guided through configuration options interactively, the correct command isnkp create cluster ahv. This command initiates the deployment of an NKP cluster on the AHV hypervisor, prompting the administrator to input details like cluster name, node counts, and networking settings.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To deploy an NKP cluster on AHV using the prompt-based CLI method, use nkp create cluster ahv, which guides the administrator through the configuration process.” The command is specific to the AHV hypervisor (part of AOS 6.10) and is suitable for the specified hardware (NX-8170-G9 nodes).

Incorrect Options:

A. nkp create cluster nutanix: The provider is specified as ahv, not nutanix, in the NKP CLI syntax.

C. nkp create nodepool nutanix: This creates a node pool, not a cluster, and is not prompt-based.

D. nkp install kommander: Kommander is a management component, not used for cluster creation on AHV.

The NKPA course covers user authentication for NKP clusters as part of Day 2 operations, emphasizing integration with external identity providers (IdPs) to manage user access securely. NKP usesDex, an OpenID Connect (OIDC) identity provider, to facilitate authentication by acting as a connector between the Kubernetes cluster and external IdPs, such as LDAP, SAML, or OAuth-based systems.

The course explains that to set up user authentication, a Platform Engineer must configure aDex connectorto the user base’s identity provider. Dex integrates with the Kubernetes API server to enable OIDC-based authentication, allowing users to log in using their IdP credentials. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “NKP supports user authentication through Dex, which provides OIDC integration with external identity providers, enabling single sign-on (SSO) for cluster access.” The process involves deploying Dex as a platform application, configuring the IdP connector (e.g., specifying client IDs, secrets, and endpoints), and updating the Kubernetes API server to use OIDC authentication.

Incorrect Options:

A. Enable Gatekeeper and create a connector to the user base’s identity provider: Gatekeeper is a Kubernetes policy engine used for enforcing admission control policies, not for authentication. The NKPA course does not associate Gatekeeper with user authentication.

B. Disable native NKP authentication, enable Traefik, and create a connector to the user base’s identity provider: Traefik is an ingress controller for managing external traffic, not authentication. Disabling native authentication is unnecessary, as NKP supports OIDC alongside native methods. The NKPA course does not mention Traefik in the context of authentication.

C. Create a MetalLB connector to the user base’s identity provider: MetalLB is a load balancer for bare-metal Kubernetes clusters, not an authentication component. This option is irrelevant, as per the NKPA course.

According to theNKPA 6.10 documentation, licensing in an NKP cluster is constrained by the total number of vCPUs assigned to all nodes (workers and control planes). In this scenario, the cluster has a maximum of 150 vCPUs available.

The existing output shows 10 worker nodes, each with 8 vCPUs (10×8=80 vCPUs) and 3 control plane nodes, each with 4 vCPUs (3×4=12 vCPUs).

Current vCPU usage: 80 + 12 = 92 vCPUs.

Remaining vCPUs: 150 - 92 = 58 vCPUs.

Option A:

Adding 6 control plane nodes (6×4=24 vCPUs).

This would increase control planes to 9 total (3 existing + 6 new). Control plane nodes would consume 9×4=36 vCPUs.

Worker nodes remain at 80 vCPUs.

Total vCPU usage: 36 + 80 = 116 vCPUs (still under 150 vCPUs).

However, it’s unusual and unnecessary to have 9 control planes in a typical NKP setup. NKPA and NCP-CN best practices indicate typically no more than 3 or 5 control planes for HA. Therefore, this is technically possible but not recommended or standard practice. So not selected.

Option B:

Expanding the existing worker nodepool by 8 nodes (8×8=64 vCPUs).

This would add 64 vCPUs to the current 92 vCPUs:

92 + 64 = 156 vCPUs → exceeds licensing limit.

Correction:The question specifies “expand up to 8 nodes,” so it’s possible to expand by only 7 nodes (7×8=56 vCPUs).

92 + 56 = 148 vCPUs → within licensing limits.

Thus, expanding byup to 7 nodesis valid.

Option C:

Creating a new worker nodepool with 10 nodes (10×8=80 vCPUs).

This would add 80 vCPUs to the existing 92 vCPUs:

92 + 80 = 172 vCPUs → exceeds 150 vCPU licensing limit.

Not valid.

Option D:

Expanding the original worker nodepool by up to 4 nodes (4×8=32 vCPUs) = +32 vCPUs.

Adding a new nodepool of 6 nodes with 4 vCPUs/node (6×4=24 vCPUs) = +24 vCPUs.

Total increase: 32 + 24 = 56 vCPUs.

Total vCPU usage: 92 + 56 = 148 vCPUs → within the 150 vCPU limit.

Thus, valid.

Extract Reference:

NKPA 6.10– “Cluster Sizing and Licensing”

Nutanix Kubernetes Platform Administration (NKPA) – Licensing Considerations

"The total number of vCPUs for all nodes (control planes and workers) must not exceed the licensed vCPU capacity of the NKP deployment."

This confirms thatOptions B and Dare the two valid approaches to expand the cluster while remaining compliant with licensing constraints.

The NKPA course explains that by default, NKP creates new AWS infrastructure (VPC, subnets, ELBs) when deploying a cluster on AWS. However, NKP supports deploying clusters on existing AWS infrastructure by providing custom configurations. The recommended method using the NKP CLI is tocreate an overrides filespecifying the pre-existing VPC, subnets, and ELB, and then pass this file to the nkp create cluster aws command using the --overrides parameter.

The overrides file (e.g., aws-infra-overrides.yaml) contains details like vpcID, subnetIDs, and loadBalancerIDs, which NKP uses to deploy the cluster on the specified infrastructure instead of creating new resources. For example:

yaml

CollapseWrap

Copy

aws:

vpcID: vpc-12345678

subnetIDs:

- subnet-12345678

- subnet-87654321

loadBalancerIDs:

- elb-12345678

The engineer then runs: nkp create cluster aws --overrides aws-infra-overrides.yaml.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To deploy an NKP cluster on existing AWS infrastructure, create an overrides file with the pre-existing VPC, subnets, and ELB details, and use the --overrides parameter with the nkp create cluster aws command to apply the custom configuration.” This method ensures the AWS team’s requirement is met while leveraging NKP’s CLI for deployment.

Incorrect Options:

A. nkp adopt infrastructure aws: There is no nkp adopt infrastructure command in NKP for this purpose.

C. Use the NKP UI: While the UI allows specifying infrastructure details, the question focuses on the CLI-based deployment, and the UI method is less relevant here.

D. Include parameters directly in nkp create cluster aws: The nkp create cluster aws command does not support direct parameters for VPC, subnets, and ELB; it requires an overrides file.

TheKonvoy Image Builderrequires a64-bit Linux or MacOS environment(x86_64 architecture) to build and customize the OS images.

The output indicates that an AppDeployment resource named grafana-logging was created in the kommander-default-workspace namespace, which corresponds to an NKP workspace. The NKPA course explains that NKP Platform Applications, such as Grafana Logging, are deployed using the nkp create appdeployment command. This command creates an AppDeployment resource that deploys the specified application (e.g., Grafana Logging) across all clusters in a workspace.

The command inOption A, nkp create appdeployment grafana-logging --app grafana-logging-6.57.4 --workspace default-workspace, matches the output:

grafana-logging is the name of the AppDeployment.

--app grafana-logging-6.57.4 specifies the application and version.

--workspace default-workspace targets the workspace, which corresponds to the namespace kommander-default-workspace in the output (the kommander- prefix is a standard NKP namespace convention).

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To deploy a platform application like Grafana Logging, use nkp create appdeployment --app - --workspace , which creates an AppDeployment resource in the workspace namespace.” This command aligns with the output provided.

Incorrect Options:

B. export WORKSPACE_NAMESPACE and nkp create package-bundle: There is no nkp create package-bundle command in NKP for deploying applications. The correct command is nkp create appdeployment.

C. kubectl get appdeployment: This retrieves the status of an AppDeployment, not creates it. The output indicates creation, not retrieval.

D. kubectl get helmreleases: This retrieves HelmRelease resources, not AppDeployments, and does not create the Grafana Logging deployment.

The Nutanix Kubernetes Platform (NKP) uses workspaces to provide isolated environments for different teams or projects, allowing each team to manage its own clusters, applications, and resources independently. According to the NKPA course, creating a new workspace is a key Day 2 operation to support multi-tenancy and isolated development environments, such as those required for the microservices in this scenario.

The course specifies that to create a new workspace, users must navigate to the workspace selection dropdown list in the top menu bar of the NKP user interface (UI) and selectCreate Workspace. This action opens a form where administrators can define the workspace name, description, and associated resources (e.g., clusters, users, and policies). The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To create a new workspace in NKP, go to the workspace selection dropdown in the UI and select ‘Create Workspace’ to configure an isolated environment for a team or project.” This process ensures that each microservice team has its own isolated environment for development and testing, with access restricted to their specific workspace.

Incorrect Options:

A. From the Cluster selection, select Add Cluster: Adding a cluster creates a new Kubernetes cluster within an existing workspace, not a new workspace. The NKPA course distinguishes between cluster and workspace creation.

C. From the workspace selection dropdown list in the top menu bar, select Add Workspace: The NKPA course and UI use “Create Workspace” as the standard terminology, not “Add Workspace.”

D. From the Administration selection dropdown list in Infrastructure Providers, select Add Infrastructure Provider: This option is for configuring infrastructure providers (e.g., AWS, vSphere) for NKP, not for creating workspaces.

The Nutanix Kubernetes Platform (NKP) leverages Cluster API (CAPI) to manage the lifecycle of Kubernetes clusters. When preparing machine images for NKP deployment, the Nutanix Image Builder (NIB) or Kubernetes Image Builder (KIB) process is used to create custom machine images that are compatible with NKP’s infrastructure requirements. According to the NKPA course, the primary purpose of this process is to createCAPI-compliant imagesthat can be used as the base for NKP cluster nodes.

The NKPA course explains that NKP uses CAPI to provision and manage Kubernetes clusters, and CAPI requires machine images that meet specific criteria, such as including the necessary Kubernetes components, container runtimes, and operating system configurations. The NIB/KIB process ensures that the images are pre-configured with these components, making them suitable for use as NKP worker and control plane nodes. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “The Nutanix Image Builder (NIB) or Kubernetes Image Builder (KIB) is used to create CAPI-compliant machine images that include the required OS, Kubernetes binaries, and dependencies for NKP cluster nodes.”

These images are typically based on supported operating systems like Rocky Linux or Ubuntu, as provided by Nutanix, and are customized to include the container runtime (e.g., containerd), kubeadm, and other dependencies required for CAPI-based cluster provisioning. The resulting images are stored in a location accessible to the NKP deployment process, such as a local registry or Nutanix Prism Central.

Incorrect Options:

A. Hardening an OS image with client-supplied hardening scripts: While hardening the OS is a good practice, it is not the primary purpose of the NIB/KIB process. The NKPA course notes that hardening can be applied as part of image customization, but the core goal is to ensure CAPI compliance, not just hardening.

B. Creating a custom user account for NKP admins to ensure access to NKP nodes: The NIB/KIB process does not focus on creating user accounts. User access is managed through Kubernetes RBAC or external identity providers, as covered in the NKPA course’s authentication section.

C. Tagging the image to be used specifically for NKP: Tagging may occur as part of image management, but it is not the primary purpose. The NKPA course emphasizes CAPI compliance over tagging.

As per theNKPA 6.10 documentationand cluster autoscaler behavior, when nodes are scaled down in NKP (or any CAPI-managed environment), the node isdeletedfrom the infrastructure provider (vSphere, AWS, Nutanix, etc.). This effectively removes it from both the cluster and the underlying hypervisor or cloud provider, thus freeing up resources and reducing costs.

NKP Platform Applications (e.g., Rook Ceph, Prometheus, Fluent Bit) are pre-integrated tools that can be deployed to Kubernetes clusters within a workspace to provide services like storage, monitoring, and logging. The NKPA course specifies that to deploy a platform application to all clusters in a workspace from the command line, the engineer uses thenkp create appdeploymentcommand. This command creates an application deployment resource that targets the specified workspace and clusters.

The required parameters include theapplication ID(to identify the platform application), theversion(to specify the desired version of the application), and theNKP workspace(to define the scope of clusters). For example: nkp create appdeployment --app-id prometheus --version 2.30.0 --workspace fin-vd. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “Use the nkp create appdeployment command to deploy platform applications, specifying the application ID, version, and target workspace to apply the deployment across all clusters in that workspace.”

Incorrect Options:

B. nkp deploy platform-app: This is not a valid NKP command. The correct command is nkp create appdeployment.

C. nkp deploy app: This is not a recognized command in the NKPA documentation.

D. kubectl create appdeployment: kubectl interacts with Kubernetes resources, not NKP-specific platform applications.

The NKPA 6.10 documentation confirms that the proper method to customize application deployment (including disabling Velero) is by generating a configuration file using thenkp install kommander --initcommand. The file can then be modified to set custom specs and disable Velero, and finally deployed using the nkp install kommander command.

Exact extract:

“Generate a custom configuration file using --init, modify it for your specific environment (including disabling Velero), and deploy with the same nkp install kommander command.”

The NKPA course explains that NKP provides a role-based access control (RBAC) system to manage permissions within its platform, in addition to Kubernetes-native RBAC. For a development team needing limited permissions to perform specific tasks (deploying applications, scaling deployments, viewing logs and metrics) within a specific namespace, the appropriate access type in the NKP GUI is anNKP Role.

NKP Roles are predefined or custom roles within the NKP platform that map to Kubernetes RBAC permissions but are managed through the NKP UI for ease of use. They allow granular control over actions within a workspace or namespace, ensuring the team can perform their tasks (e.g., deploy, scale, get logs) without having access to other environments or cluster-wide resources. For example, an NKP Role like “Developer” or a custom role can be configured to grant edit permissions in the team’s namespace while restricting access elsewhere. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “In the NKP GUI, configure an NKP Role to grant limited permissions to a development team, allowing actions like deploying applications and viewing logs within their namespace while preventing unauthorized changes in other environments.”

Incorrect Options:

B. Cluster Role: A Kubernetes Cluster Role grants permissions across all namespaces, which is too broad for the team’s limited access requirement.

C. Cluster Admin: This grants full administrative access to the entire cluster, far exceeding the team’s needs and violating the principle of least privilege.

D. Kommander Role: Kommander is a management component in NKP, but “Kommander Role” is not a specific access type in the NKP GUI for this purpose.

In an air-gapped NKP installation, the engineer starts with the NKP Air-Gapped Bundle, a tarball containing all necessary components (e.g., container images, binaries, configuration files) for deployment without Internet access. The NKPA course specifies that the first step is to extract this bundle on the bastion host to make its contents available for the installation process. The correct command istar -xzvf nkp-air-gapped-bundle_v2.12.0_linux_amd64.tar.gz, which extracts the bundle into a directory, revealing the container images, CLI tools, and other resources needed for the deployment.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To begin an air-gapped NKP installation, first extract the NKP Air-Gapped Bundle using tar -xzvf .tar.gz on the bastion host to access the installation artifacts.” After extraction, the engineer can proceed with loading container images (e.g., using docker load) and running NKP CLI commands to deploy the cluster, ensuring all dependencies are available locally.

Incorrect Options:

A. nkp push bundle --bundle: This is not a valid command. The bundle must be extracted before its contents can be used.

B. docker load -i konvoy-bootstrap-image-v2.12.0.tar: Loading the bootstrap image is a subsequent step after extracting the bundle, which contains this image tarball.

D. nkp create cluster nutanix: This command creates a cluster but cannot be run until the bundle is extracted and its images are loaded.

The NKPA course emphasizes that NKP supports multi-tenancy through workspaces, each of which can be configured with its own Identity Provider (IdP) for authentication. In this scenario, each group (Fin VD, Fin Insurance, Fin Travel) has its own IdP, and the engineer has created separate workspaces for them. To assign the Tenant Administrators role, the engineer must configure a dedicated IdP for each group’s workspace, enabling users to authenticate via their group-specific IdP and assume the Tenant Administrator role.

The course details that NKP uses Dex as the OIDC provider to integrate with external IdPs. For each workspace, the engineer configures a Dex connector to the group’s IdP, maps the IdP groups to NKP roles (e.g., Tenant Administrator), and assigns permissions via role bindings. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To assign Tenant Administrator roles in NKP, configure a dedicated IdP for each workspace using Dex connectors, mapping IdP groups to the appropriate roles for workspace management.” This ensures that each group’s administrators can access only their designated workspace.

Incorrect Options:

B. Create a role named admin-tenant-X: NKP uses predefined roles like Tenant Administrator, not custom roles with specific naming conventions.

C. Create a role binding and assign it: Role bindings are part of the process, but the primary step is configuring the IdP for authentication, as per the NKPA course.

D. Configure the global Active Directory: The scenario specifies separate IdPs per group, not a global Active Directory for all groups.

Attaching an existing Amazon EKS cluster to NKP for fleet management involves integrating the cluster into NKP’s management plane, which requires specific preparatory steps. The NKPA course outlines that the first step is tocreate a service account with cluster-admin permissionsin the EKS cluster. This service account is used by NKP to authenticate and manage the cluster, enabling operations like monitoring, scaling, and application deployment.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide explains: “To attach an external Kubernetes cluster, such as Amazon EKS, to NKP, a service account with cluster-admin role bindings must be created to allow NKP to interact with the cluster’s API server.” The service account is configured with a token that NKP uses to authenticate requests. The NKPA course provides detailed steps, including creating the service account, assigning the cluster-admin ClusterRole, and generating a token for NKP integration. This step is critical to ensure NKP has the necessary permissions to manage the EKS cluster.

Incorrect Options:

A. Configure a ConfigMap according to EKS configuration: While ConfigMaps may be used for specific configurations, they are not the first step for attaching an EKS cluster. The NKPA course prioritizes service account creation.

C. Configure HAProxy to get connected to EKS clusters: HAProxy is a load balancer, not required for attaching EKS clusters to NKP. EKS uses AWS-native load balancers, and NKP connects via the Kubernetes API.

D. Deploy cert-manager in the EKS clusters: Cert-manager is used for certificate management, not a prerequisite for attaching EKS clusters. The NKPA course does not list it as a required step.