HireHireInterview Quizzes › DevOps / SRE Engineer

DevOps / SRE Engineer Interview Questions

Think you're ready? These are the questions that actually decide DevOps / SRE Engineer interviews. Warm up on Easy — then face the Hard round, where 95% of candidates crumble. 30 questions across 3 levels, instant score, completely free.

30Questions
3Difficulty levels
95%Fail the hard round
FreeInstant score
Easy
Warm-up · 10 Qs
Medium
Practical · 10 Qs
Hard
Brutal · 10 Qs
⚡ Take the DevOps / SRE Engineer quiz — get your score →

The DevOps / SRE Engineer interview questions

Below are the real questions, grouped by difficulty. Expand any one to reveal the correct answer and why — or take the timed quiz for a score you can share. Can you clear the Hard round?

Easy round 10 questions

In a Kubernetes Deployment, what is the primary purpose of a readiness probe?
  • A. To restart a container when it becomes unhealthy
  • B. To determine when a Pod is ready to receive traffic from a Service ✓
  • C. To limit the CPU and memory a Pod can consume
  • D. To pull the latest container image on each deploy
Correct answer: B. A readiness probe signals when a Pod can accept traffic; until it passes, the Pod is removed from Service endpoints.
Which HTTP status code range should trigger an SRE's error-rate alert as server-side failures?
  • A. 2xx
  • B. 3xx
  • C. 4xx
  • D. 5xx ✓
Correct answer: D. 5xx codes indicate server-side errors, which are the class of failures SLO error budgets and alerts typically track.
In the context of SRE, what does an 'error budget' represent?
  • A. The maximum cloud spend allowed per month
  • B. The allowable amount of unreliability (1 minus the SLO) over a time window ✓
  • C. The number of engineers on the on-call rotation
  • D. The time reserved for writing incident postmortems
Correct answer: B. An error budget is the acceptable amount of failure, calculated as 100% minus the target SLO, that a service can incur before changes are frozen.
A Terraform apply fails midway leaving some resources created. What does Terraform use to track which resources already exist?
  • A. The .terraform.lock.hcl file
  • B. The state file ✓
  • C. The provider plugin cache
  • D. The variables.tf file
Correct answer: B. Terraform records the real-world resources it manages in its state file, which it reads to reconcile desired vs. actual infrastructure.
In a Dockerfile, why is copying package manifests and installing dependencies before copying application source code a recommended practice?
  • A. It reduces the final image's runtime memory usage
  • B. It lets Docker cache the dependency layer so code changes don't reinstall dependencies ✓
  • C. It encrypts the dependencies in the image
  • D. It is required for multi-stage builds to work
Correct answer: B. Because Docker caches layers, installing dependencies before copying source keeps that layer cached when only application code changes, speeding rebuilds.
What is the main difference between a blue-green deployment and a canary deployment?
  • A. Blue-green shifts all traffic at once between two full environments; canary routes a small percentage of traffic to the new version first ✓
  • B. Canary requires two identical environments while blue-green does not
  • C. Blue-green can only be done on Kubernetes; canary works anywhere
  • D. Canary always rolls back automatically while blue-green never does
Correct answer: A. Blue-green switches all traffic between two complete environments, whereas canary gradually exposes the new version to a subset of traffic before full rollout.
A Linux server shows high load average but low CPU utilization. Which condition most likely explains this?
  • A. Memory is completely free
  • B. Many processes are blocked in uninterruptible I/O wait ✓
  • C. The kernel has disabled swapping
  • D. CPU frequency scaling is turned off
Correct answer: B. Load average counts runnable plus uninterruptible (D-state) processes, so processes blocked on I/O raise load without consuming CPU.
In Prometheus, which metric type is most appropriate for tracking a continuously increasing count of total HTTP requests served?
  • A. Gauge
  • B. Counter ✓
  • C. Histogram
  • D. Summary
Correct answer: B. A counter is a cumulative metric that only increases (or resets to zero on restart), making it ideal for monotonically growing totals like request counts.
What does the CIDR notation 10.0.0.0/24 represent?
  • A. A single host address
  • B. A network with 256 total addresses (254 usable hosts) ✓
  • C. A network with roughly 65,536 addresses
  • D. A broadcast-only reserved range
Correct answer: B. A /24 prefix leaves 8 host bits, yielding 2^8 = 256 addresses with 254 usable after excluding network and broadcast addresses.
When granting an EC2 instance permission to read from an S3 bucket, which AWS mechanism is the best practice rather than embedding access keys?
  • A. Store the keys in a user-data script
  • B. Attach an IAM role to the instance via an instance profile ✓
  • C. Hardcode credentials in environment variables
  • D. Use the root account's access keys
Correct answer: B. Attaching an IAM role through an instance profile provides automatically rotated, temporary credentials without embedding long-lived keys.

Medium round 10 questions

A container in your Kubernetes deployment keeps restarting, and `kubectl get pods` shows status `CrashLoopBackOff`. Which command is the most direct first step to find out why the container is failing?
  • A. kubectl describe node <node-name>
  • B. kubectl logs <pod-name> --previous ✓
  • C. kubectl rollout restart deployment/<name>
  • D. kubectl scale deployment/<name> --replicas=0
Correct answer: B. `kubectl logs --previous` shows the logs from the last terminated container instance, which usually contains the error that caused the crash.
In a Dockerfile, you notice that changing one line of application source code causes the entire `RUN npm install` step to re-run on every build. What is the correct fix to leverage layer caching?
  • A. Combine COPY and RUN into a single instruction
  • B. Copy package.json/package-lock.json and run npm install before copying the rest of the source ✓
  • C. Add --no-cache to the docker build command
  • D. Move the RUN npm install to the last line of the Dockerfile
Correct answer: B. Copying only the dependency manifest first lets Docker cache the install layer, so it only re-runs when dependencies actually change, not on every source edit.
Your service's SLO is 99.9% availability over 30 days. Roughly how much total downtime does the corresponding error budget allow in that period?
  • A. About 43 minutes ✓
  • B. About 4.3 minutes
  • C. About 7 hours
  • D. About 22 minutes
Correct answer: A. 99.9% of 30 days (43,200 minutes) leaves a 0.1% error budget, which is about 43 minutes of allowed downtime.
You need to give a Kubernetes pod read-only access to a database password without baking it into the image or the pod spec in plaintext. Which is the most appropriate native mechanism?
  • A. Set it as a plaintext environment variable in the Deployment YAML
  • B. Store it in a ConfigMap and mount it as a volume
  • C. Store it in a Secret and reference it via envFrom or a mounted volume ✓
  • D. Hardcode it in the container's ENTRYPOINT script
Correct answer: C. Kubernetes Secrets are the built-in resource for sensitive data and can be injected as env vars or mounted files, unlike ConfigMaps which are for non-sensitive config.
In a Terraform workflow, a teammate ran `terraform apply` and now the state file shows resources you don't have locally. What is the primary purpose of using a remote backend with state locking (e.g. S3 + DynamoDB)?
  • A. To automatically format .tf files on save
  • B. To prevent concurrent applies from corrupting shared state and to share state across the team ✓
  • C. To encrypt the Terraform provider binaries
  • D. To replace the need for terraform plan
Correct answer: B. Remote backends with locking give a single shared source of truth for state and prevent two people from applying simultaneously and corrupting it.
A Prometheus alert fires whenever CPU briefly spikes for a few seconds during normal cron jobs, creating noise. Which change best reduces these false-positive alerts?
  • A. Lower the CPU threshold in the alert expression
  • B. Add a `for:` duration so the condition must hold for a sustained period before firing ✓
  • C. Increase the Prometheus scrape interval to 5 minutes
  • D. Delete the alerting rule entirely
Correct answer: B. The `for` clause requires the alert condition to remain true for a specified duration, filtering out short transient spikes.
You're deploying a new version and want zero downtime, with the ability to instantly switch back if the new version fails. Which deployment strategy matches this description?
  • A. Recreate deployment
  • B. Blue-green deployment ✓
  • C. In-place upgrade
  • D. Big-bang deployment
Correct answer: B. Blue-green runs the new version alongside the old, switching traffic over at once and allowing an instant rollback by switching traffic back.
A colleague runs `chmod 777` on a deployment script to 'fix a permission error.' From a security standpoint, why is this generally the wrong fix?
  • A. 777 makes the file read-only for everyone
  • B. 777 grants read, write, and execute to all users, which is overly permissive and a security risk ✓
  • C. 777 only affects the owner, so it changes nothing
  • D. chmod cannot be used on scripts, only chown
Correct answer: B. 777 gives everyone full read/write/execute access, so a more restrictive permission like 755 or 750 should be used to follow least privilege.
In a CI pipeline, your integration tests pass locally but intermittently fail in CI with 'connection refused' when talking to a database container that starts alongside the tests. What is the most likely cause?
  • A. The CI runner has insufficient disk space
  • B. The tests start before the database is fully ready to accept connections (missing readiness/wait check) ✓
  • C. The database image is corrupted
  • D. CI does not support networking between containers
Correct answer: B. A race condition where tests run before the DB finishes initializing is the classic cause; adding a health/readiness wait before running tests fixes it.
You want a Linux service to automatically restart if it crashes and to start on boot. Which is the standard modern approach on most current Linux distributions?
  • A. Add an entry to /etc/crontab that pings the process every minute
  • B. Create a systemd unit file with Restart=on-failure and enable it ✓
  • C. Run the process in a screen session as root
  • D. Put a while-true loop in .bashrc
Correct answer: B. systemd is the standard init/service manager; a unit with Restart=on-failure handles crash recovery and `systemctl enable` handles boot startup.

Hard round 10 questions

A 3-node StatefulSet (Cassandra) runs one pod per node. Node-2 suddenly loses network connectivity and its kubelet stops reporting. After the node goes NotReady, an operator notices the pod for node-2 stays in `Terminating` indefinitely and no replacement pod is created on a healthy node. Why does Kubernetes deliberately NOT reschedule this StatefulSet pod automatically?
  • A. The StatefulSet controller lacks a pod-eviction reconciler, so only Deployments auto-reschedule on node failure
  • B. The API server cannot confirm the old pod is truly gone; creating a same-identity replacement risks two pods with the same stable identity/volume, so it waits for confirmed deletion (force-delete or node removal) ✓
  • C. PodDisruptionBudget blocks the eviction because minAvailable is set to 3
  • D. The default-scheduler has no other node with sufficient CPU, so the pod stays Pending as Terminating
Correct answer: B. For StatefulSets a partitioned/unreachable node's pod is only marked Terminating; Kubernetes will not create a replacement with the same identity until deletion is confirmed, to avoid split-brain on the stable network ID and volume.
A pod has `requests.memory: 256Mi` and `limits.memory: 512Mi`. Under a memory-pressure event the node's kernel OOM killer fires and this pod's container is killed (exit 137) even though it was using ~300Mi, while a neighboring pod using 1Gi survived. The neighbor has `requests.memory: 1Gi, limits.memory: 1Gi`. What best explains the kernel's choice?
  • A. The neighbor was killed first but restarted faster, so it appears to have survived
  • B. The OOM killer always kills the pod with the highest absolute RSS, so the 300Mi pod should not have died
  • C. Guaranteed QoS (requests==limits) pods get a lower oom_score_adj, while Burstable pods exceeding their requests get a higher oom_score_adj, making the Burstable pod a preferred kill target ✓
  • D. cgroup v2 disables per-container OOM scoring, so kills are purely random across the node
Correct answer: C. Kubernetes sets oom_score_adj by QoS class; Guaranteed pods are most protected while Burstable pods using memory above their request receive a higher (worse) score, so they are killed first under node pressure regardless of absolute usage.
Your service has a 99.9% availability SLO over a 30-day window. Multi-window multi-burn-rate alerting uses a fast page when a 1-hour burn rate is high AND a 5-minute burn rate confirms it. If you page at a burn rate of 14.4, roughly how much of the 30-day error budget would be consumed in that 1-hour window if the burn continued, and why is the 14.4 threshold chosen?
  • A. About 2% of the budget; 14.4 is chosen because it equals 1000 minutes of downtime
  • B. About 2% of the budget; 14.4x burn over 1 hour spends ~2% of a 30-day budget, giving a fast but still-meaningful page while the short second window suppresses spikes ✓
  • C. About 50% of the budget; 14.4 corresponds to burning half the month in one hour
  • D. About 0.1% of the budget; 14.4 is simply 99.9 divided by 6.9
Correct answer: B. A 14.4x burn rate consumes ~2% of the monthly budget in one hour (14.4 x (1h/720h) ≈ 2%), the canonical Google SRE fast-burn threshold, with a short secondary window to avoid alerting on transient spikes.
Two engineers run `terraform apply` against the same S3-backed state with DynamoDB locking. Engineer A's apply crashes (laptop dies) mid-write. Engineer B now gets `Error acquiring the state lock` on every command. What is the correct and safest recovery?
  • A. Run `terraform force-unlock <LOCK_ID>` after confirming A's process is dead and no apply is in flight, then re-plan to check state consistency ✓
  • B. Delete the DynamoDB lock table so future runs never lock again
  • C. Run `terraform apply -lock=false` immediately to bypass the stuck lock
  • D. Manually edit terraform.tfstate in S3 to remove the lock field, then apply
Correct answer: A. The lock is a DynamoDB item, not part of state JSON; after verifying no apply is actually running you use `terraform force-unlock <ID>` and re-plan, whereas disabling locking or deleting the table invites concurrent-write corruption.
A 3-node etcd cluster backs your Kubernetes control plane. One etcd member's disk fills and it starts returning slow/failed writes. You observe API server latency spikes and some writes failing, but reads mostly work. Why does losing (or degrading) just ONE of THREE members cause write problems, and what is the quorum math?
  • A. Three members need all 3 for any write (quorum = N); losing one halts all writes
  • B. Quorum is majority = 2 of 3; the cluster can tolerate 1 full failure, but a degraded (slow-but-alive) member can stall the Raft leader's commit latency and cause write timeouts even with quorum technically available ✓
  • C. etcd uses primary-backup, so the single degraded node is the leader and no failover is possible
  • D. Reads require quorum but writes do not, which is why reads fail and writes succeed
Correct answer: B. Quorum for 3 members is 2, so one dead member is tolerable, but a slow-but-alive member can drag down Raft commit latency and leader elections, producing write timeouts even though a bare majority exists.
You must implement a token-bucket rate limiter (capacity C, refill rate R tokens/sec) that allows bursts up to C and is checked on every request. Which implementation correctly refills lazily without a background timer and handles bursts?
  • A. On each request, set tokens = min(C, R); if tokens >= 1 allow and decrement
  • B. On each request, compute elapsed = now - last; tokens = min(C, tokens + elapsed*R); last = now; if tokens >= 1 then tokens -= 1 and allow, else reject ✓
  • C. On each request, if request_count in the current 1-second wall-clock window < R, allow; reset counter each second
  • D. On each request, tokens += R; if tokens > 1 allow and set tokens = 0
Correct answer: B. Correct lazy token-bucket accrues tokens = min(capacity, tokens + elapsed*rate) since the last check, then spends one, which permits bursts up to C and needs no timer thread; the fixed-window counter is a different algorithm with edge-burst problems.
A microservice intermittently fails with `dial tcp: i/o timeout` connecting to an upstream, but only for payloads larger than ~1400 bytes; small requests succeed. `ping` works, DNS resolves, TCP handshake completes. Which root cause is most consistent with these symptoms?
  • A. The upstream's readiness probe is failing, dropping large requests
  • B. A path MTU / MTU mismatch (e.g., a tunnel/overlay reducing MTU) is black-holing large packets because ICMP 'fragmentation needed' is being filtered, so only sub-MTU payloads pass ✓
  • C. DNS TTL expired mid-connection, forcing re-resolution only on large payloads
  • D. The connection pool is exhausted only when payloads exceed 1400 bytes
Correct answer: B. Handshake succeeds (small packets) but large payloads hang — the classic PMTU black hole where ICMP 'fragmentation needed' is filtered, so packets above the path MTU are silently dropped.
You run Prometheus with a metric `http_requests_total{path, method, status, user_id}`. Ingestion is fine at first but after weeks Prometheus OOMs and queries slow drastically. The `user_id` label has ~2 million distinct values. What is the core problem and the correct fix?
  • A. Retention is too long; reduce retention to 7 days to fix memory
  • B. High cardinality: each unique label-set is a separate time series, so `user_id` explodes series count and index memory; remove/aggregate the unbounded label (drop user_id) or move it to logs/traces ✓
  • C. Scrape interval is too short; increase it to 5 minutes to reduce series
  • D. Prometheus needs remote_write enabled; that offloads all series memory automatically
Correct answer: B. An unbounded label like user_id multiplies the number of distinct time series (each stored/indexed separately), so the fix is to drop the high-cardinality label and put per-user detail in logs/traces, not metrics.
During an incident, retries with a fixed 1s interval from thousands of clients hitting a briefly-degraded backend cause a sustained overload that outlasts the original fault (the backend never recovers). Which combination most directly breaks this thundering-herd/retry-storm dynamic?
  • A. Increase the backend's connection timeout and add more retries
  • B. Exponential backoff WITH jitter plus a circuit breaker to stop hammering an unhealthy dependency, optionally with load shedding at the backend ✓
  • C. Switch clients to synchronous retries so they serialize naturally
  • D. Raise the client-side retry count so eventually one succeeds
Correct answer: B. Fixed-interval synchronized retries create a self-sustaining herd; exponential backoff with jitter de-synchronizes clients and a circuit breaker halts requests to an unhealthy backend so it can recover, while load-shedding protects it under overload.
You need the top-10 most frequent failing endpoints from a 200GB access log that cannot fit in memory, and you want bounded memory. Which approach is correct and memory-bounded?
  • A. Load the whole file into a hash map of endpoint->count, then sort — it's O(n) so memory is fine
  • B. Stream line-by-line, maintain a hash map keyed only by endpoint (bounded by the number of distinct endpoints, which is small) incrementing counts, then take the top 10; or use a bounded count-min sketch + heap if distinct keys are huge ✓
  • C. Sort the entire 200GB file first with an external merge sort, then scan — this is the only correct method
  • D. Sample 1% of lines randomly; the top-10 from the sample is always exactly correct
Correct answer: B. Distinct endpoints are typically bounded and small, so a streaming pass with a per-endpoint counter uses memory proportional to distinct keys (not file size); if the keyspace were huge, a count-min sketch plus a top-k heap keeps memory bounded.

Prep for another role

Questions are original, written and independently verified for HireHire's role interview quizzes. They reflect the kind of knowledge DevOps / SRE Engineer interviews test, not any specific company's questions. HireHire maps live tech & IT jobs across India, updated regularly. Last updated: July 2026.