A Cloud Engineer manages an NKP environment and is preparing a machine image to become an NKP cluster node. Which statement is regarding the default node preparation process?
A. Shell scripts are used to harden the OS image for use as an NKP node.
B. Ansible is used to validate the OS image is capable of running NKP.
C. Goss is used to make the OS image CAPI compliant for use as an NKP node.
D. Goss is used to validate the OS image is capable of running NKP.
Explanation:
When preparing an image to become a node in the Nutanix Kubernetes Platform (NKP), Nutanix requires a process to ensure that the base operating system image meets the requirements to successfully run as part of a Kubernetes cluster. The default preparation process does not configure or harden the image but rather validates it against required specifications.
The tool used here is Goss (Go Server Spec), which is a lightweight testing and validation utility. Goss uses simple YAML definitions to check whether packages, services, files, users, and configurations are present on a machine. In NKP, Goss runs a series of predefined tests against the image to confirm that the OS has the necessary prerequisites (like kernel settings, container runtime compatibility, and system packages) to support Kubernetes through Cluster API (CAPI).
The important detail is that Goss does not alter the image or add missing components — it simply validates. If validation fails, the engineer must update or rebuild the image. If it passes, the image is declared ready to function as an NKP node. This makes D the correct option.
Why the Other Options Are Incorrect
A. Shell scripts are used to harden the OS image for use as an NKP node.
This is incorrect because the default NKP node preparation process does not include OS hardening. Hardening (such as disabling unnecessary services, applying CIS benchmarks, or changing kernel parameters) is a security practice that may be applied by an organization separately, but Nutanix does not ship or run shell scripts for this purpose during node preparation. The focus of preparation is validation of readiness, not security hardening.
B. Ansible is used to validate the OS image is capable of running NKP.
This is incorrect because Ansible is a configuration management and automation tool, not the mechanism NKP uses for validation. Ansible could theoretically be used by a customer to automate OS preparation, but in the default NKP workflow, validation is performed using Goss. Ansible is not part of the standard tooling Nutanix uses for this process.
C. Goss is used to make the OS image CAPI compliant for use as an NKP node.
This is a common distractor. While Goss is involved, it is only used to check compliance, not to make an image compliant. Compliance requires starting with a Nutanix-approved or supported base image (for example, Ubuntu or RHEL versions listed in the support matrix). Goss will then run tests to confirm whether that image meets the requirements. If it fails, the engineer must adjust the image manually. Therefore, saying Goss “makes” the image compliant is inaccurate.
D. Goss is used to validate the OS image is capable of running NKP.
This is correct. Goss tests validate the OS image against the requirements for running Kubernetes and meeting CAPI specifications. Validation ensures that the image is fit for use in an NKP cluster without modifying it. This matches the official documentation.
Key Exam Takeaways
Remember: Goss = Validation.
It does not harden (A), does not use Ansible (B), and does not make compliance (C).
The purpose of node preparation is checking readiness, not configuring or modifying the base image.
References
Nutanix Kubernetes Platform Documentation – Node Preparation
“The NKP default node preparation process uses Goss tests to validate whether the base image is capable of running NKP. These tests confirm that the OS and its components meet the requirements for CAPI compliance.”
👉 Nutanix Portal – NKP Node Preparation
Goss Official Documentation
– Explains how Goss validates system state without altering it.
👉 https://goss.rocks/
Nutanix Support Matrix for NKP
– Lists supported OS images and versions for NKP clusters (shows compliance depends on image choice, not tooling).
👉 Nutanix Support Portal
A Platform Engineer works for a service provider and needs to establish access and authentication for multiple clients into an NKP cluster. Each client has their own LDAP source that should be used for authentication into the cluster. How would this be accomplished?
A. A common LDAP source needs to be established and client specific groups and users need to be configured within this common LDAP provider. Then an LDAP connector would be created for this LDAP provider.
B. An NKP workspace needs to be created for each client and an LDAP connector would be created for each NKP workspace.
C. An NKP project would be created for each client and an LDAP connector would be created for each NKP project. Users would provide the project name their company was assigned as part of their login.
D. The LDAP connector configuration would be modified to include an array for each client LDAP source to authenticate with. Users would provide the client name defined in the array as part of their login.
Explanation:
In Nutanix Kubernetes Platform (NKP), multi-tenancy is achieved through workspaces, which isolate resources, identity providers, and access control boundaries. When each client has their own LDAP source, the recommended approach is:
Create a separate NKP workspace per client.
Configure a dedicated LDAP connector within each workspace.
This ensures that each client’s authentication is scoped to their own identity provider, maintaining isolation and security.
This is explicitly supported in NKP’s architecture. The official documentation states:
“Choose whether to establish an external LDAP globally or for a specific workspace… Workspace LDAP – identity provider serves a specific workspace… Establish LDAP for a specific workspace in the scope of multiple tenants.”
❌ Why the other options are incorrect:
A. Common LDAP source with client-specific groups This violates tenant isolation. Clients would share the same LDAP backend, risking cross-access and misconfiguration. Not scalable or secure.
C. NKP project per client with LDAP connector Projects are scoped within workspaces and do not support independent identity providers. LDAP connectors are not configured at the project level.
D. LDAP connector with array of sources NKP does not support multiplexing multiple LDAP sources within a single connector. Each connector is tied to one LDAP source. This approach is unsupported and would fail operationally.
A company uses an Artifactory private registry for development. The NKP deployment must use this private registry since the Security Administrator has the firewall configured to reject connections to public container registries. The first task is to push the NKP bundle to this private registry. What options should be used to push the NKP bundle to this private registry?
A. --registry-mirror-url, --registry-mirror-username and --registry-mirror-password
B. --mirror-url, --mirror-username and --mirror-password
C. --registry-url, --registry-username and --registry-password
D. --to-registry, --to-registry-username and --to-registry-password
A Platform Engineer is deploying an NKP workload cluster using the nkp create cluster vsphere command. The cluster will be utilized by the company’s code-green team and the engineer has already created a code-green NKP workspace on the NKP management cluster. After issuing the deploy command, the engineer monitored the build using the nkp describe cluster command and confirmed it completed successfully. However, a few hours later, after logging into the NKP UI, the engineer checked the code-green NKP workspace and saw that the NKP workload cluster was not there. What is the likely reason the NKP workload cluster is not in the code-green NKP workspace?
A. The vSphere cluster cannot be displayed in the NKP UI unless its Kubernetes version is within ‘N - 1’ versions of the NKP management cluster’s Kubernetes version.
B. The vSphere service account credentials had expired prior to the engineer’s attempt to view the cluster in the NKP UI. Once the credentials are refreshed, the vSphere cluster will reappear in the NKP workspace.
C. The engineer did not supply the --namespace code-green parameter as part of the nkp create cluster vsphere command, therefore it was created in the default workspace and needs to be manually attached.
D. NKP vSphere clusters cannot be assigned NKP workspaces and instead are assigned the default NKP workspace. The cluster can be viewed from this workspace instead.
A Platform Engineer has a requirement for backup and recovery and would like to leverage an Out-Of-The-Box solution distributed with NKP. What is the backup and recovery solution distributed for NKP?
A. Tar
B. Kasten
C. Velero
D. Nutanix Snapshot
A Platform Engineer is attaching existing Kubernetes clusters to NKP, but some of them have network restrictions, so there is a need to use Secure Tunnel. The Platform Engineer needs to ask the Security Engineer to modify the firewall rules. What must the firewall rules allow on the attached cluster network?
A. HTTPS (TCP/443)
B. NTP Service (UDP/123)
C. Secured LDAP (TCP/636)
D. iSCSI (TCP/860 & 3260)
In an effort to control cloud cost consumption, auto-scale is configured to meet demands as needed.
What is the behavior for when nodes are scaled down?
A. Node is changed to a status of Hibernate.
B. Node is CAPI deleted from its infrastructure provider, effectively removing it from its hypervisor.
C. Node is changed to a status of Power-Off for stand-by.
D. Node is paused in Kubernetes and the infrastructure continues to consume the resources at the current level.
After a finished project, three Kubernetes clusters within a workspace were deleted, so the workspace is empty. Now a Platform Engineer needs to delete the workspace. How should the engineer delete the workspace in NKP?
A. Run kubectl delete workspace
B. Run kubectl delete workspace
C. From NKP UI, on top menu bar select Global, then select Workspaces in the menu, select the three-dot button for the workspace to delete, and then click Delete.
D. Ask a workspace user to delete the workspace. The user has the Delete option in their workspace home page.
A Platform Engineer is attempting to delete an attached cluster from the NKP UI, but it is stuck in a 'deleting' state and does not get removed. How can the engineer resolve this attempt to detach the cluster so that it is removed from the UI and no longer managed by NKP?
A. Run the kubectl delete cluster command in the context of the NKP management cluster.
B. Run the nkp delete kommandercluster command in the context of the NKP attached cluster.
C. Run the kubectl delete kommandercluster command in the context of the NKP management cluster.
D. Run the nkp delete cluster command in the context of the NKP attached cluster.
NKP cluster nodes require a disk for some of its deployed components, outside of an application’s persistent volume requirements. What are these components and where are they deployed?
A. kubelet and containerd, in /opt/nkp
B. kubelet and containerd in /var/lib
C. kubectl and kubelet in /opt/nkp
D. kubectl and kubelet in /var/nkp
A Platform Engineer wants to deploy a custom OS image for multiple NKP clusters for Nutanix AHV and AWS. Which two tools come bundled to facilitate creating and placing a custom image into the respective image repository?
A. Konvoy Image Builder
B. Nutanix Image Builder
C. Terraform
D. Ansible
An administrator has experienced issues with an NKP-managed workload cluster and has been tasked with deploying NKP Insights in order to:
Resolve common anomalies
Check security issues
Verify whether workloads follow best practicesUpon trying to enable NKP Insights, the cluster that needs to be chosen is grayed out.Which missing prerequisite should be enabled?
A. Velero
B. Cert-manager
C. Nutanix Objects
D. Rook Ceph
| Page 1 out of 5 Pages |