NCP-CN Exam Dumps - Nutanix Certified Professional (NCP) Questions and Answers

The NKPA course covers user authentication for NKP clusters as part of Day 2 operations, emphasizing integration with external identity providers (IdPs) to manage user access securely. NKP usesDex, an OpenID Connect (OIDC) identity provider, to facilitate authentication by acting as a connector between the Kubernetes cluster and external IdPs, such as LDAP, SAML, or OAuth-based systems.

The course explains that to set up user authentication, a Platform Engineer must configure aDex connectorto the user base’s identity provider. Dex integrates with the Kubernetes API server to enable OIDC-based authentication, allowing users to log in using their IdP credentials. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “NKP supports user authentication through Dex, which provides OIDC integration with external identity providers, enabling single sign-on (SSO) for cluster access.” The process involves deploying Dex as a platform application, configuring the IdP connector (e.g., specifying client IDs, secrets, and endpoints), and updating the Kubernetes API server to use OIDC authentication.

Incorrect Options:

A. Enable Gatekeeper and create a connector to the user base’s identity provider: Gatekeeper is a Kubernetes policy engine used for enforcing admission control policies, not for authentication. The NKPA course does not associate Gatekeeper with user authentication.

B. Disable native NKP authentication, enable Traefik, and create a connector to the user base’s identity provider: Traefik is an ingress controller for managing external traffic, not authentication. Disabling native authentication is unnecessary, as NKP supports OIDC alongside native methods. The NKPA course does not mention Traefik in the context of authentication.

C. Create a MetalLB connector to the user base’s identity provider: MetalLB is a load balancer for bare-metal Kubernetes clusters, not an authentication component. This option is irrelevant, as per the NKPA course.

According to theNKPA 6.10 documentation, theFIPS Compliant Build featureis exclusively available forEnterprise tierlicensing. This ensures compliance with NIST security standards and provides hardened cryptographic capabilities throughout the Kubernetes cluster stack.

Exact extract from documentation:

“The FIPS-compliant build feature is included in the NKP Enterprise tier, enabling deployments in environments that require strict security compliance.”

Attaching an existing Amazon EKS cluster to NKP for fleet management involves integrating the cluster into NKP’s management plane, which requires specific preparatory steps. The NKPA course outlines that the first step is tocreate a service account with cluster-admin permissionsin the EKS cluster. This service account is used by NKP to authenticate and manage the cluster, enabling operations like monitoring, scaling, and application deployment.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide explains: “To attach an external Kubernetes cluster, such as Amazon EKS, to NKP, a service account with cluster-admin role bindings must be created to allow NKP to interact with the cluster’s API server.” The service account is configured with a token that NKP uses to authenticate requests. The NKPA course provides detailed steps, including creating the service account, assigning the cluster-admin ClusterRole, and generating a token for NKP integration. This step is critical to ensure NKP has the necessary permissions to manage the EKS cluster.

Incorrect Options:

A. Configure a ConfigMap according to EKS configuration: While ConfigMaps may be used for specific configurations, they are not the first step for attaching an EKS cluster. The NKPA course prioritizes service account creation.

C. Configure HAProxy to get connected to EKS clusters: HAProxy is a load balancer, not required for attaching EKS clusters to NKP. EKS uses AWS-native load balancers, and NKP connects via the Kubernetes API.

D. Deploy cert-manager in the EKS clusters: Cert-manager is used for certificate management, not a prerequisite for attaching EKS clusters. The NKPA course does not list it as a required step.

The NKPA course addresses resource contention in Kubernetes clusters, where one application (e.g., ApplicationB) consumes excessive resources, impacting others (e.g., ApplicationA). To mitigate this, the course recommendsimplementing Quotas and Limit Ranges.

Resource Quotasrestrict the total amount of CPU, memory, and other resources a namespace can consume, ensuring fair resource allocation across teams.

Limit Rangesset minimum and maximum resource limits for individual pods and containers within a namespace, preventing any single application from monopolizing resources.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To prevent resource contention in NKP clusters, apply Resource Quotas to limit namespace resource usage and Limit Ranges to enforce pod and container resource boundaries.” For example, the administrator can create a ResourceQuota to cap ApplicationB’s namespace resource usage and a LimitRange to restrict its pod resource requests/limits, ensuring ApplicationA has sufficient resources.

Incorrect Options:

B. Setting up Network Policies: Network Policies control network traffic, not resource usage.

C. Configuring RBAC: RBAC manages access permissions, not resource allocation.

D. Implementing Continuous Deployment (CD): CD automates deployments but does not address resource contention.

TheKonvoy Image Builderrequires a64-bit Linux or MacOS environment(x86_64 architecture) to build and customize the OS images.

The NKPA course addresses performance issues in NKP clusters, such as high CPU and memory consumption on worker nodes, by recommending scaling options to distribute workloads more effectively. The Kubernetes cluster in the scenario has 4 workers, each with 8 vCPUs and 32 GB RAM, and is running out of resources. The most effective solution is toadd more workersto the cluster to increase overall capacity and balance the load, rather than modifying existing workers or reducing application replicas.

The correct action is toadd one more workerusing the command nkp scale nodepools ${NODEPOOL_NAME} --replicas=5 --cluster-name=${CLUSTER_NAME} -n ${CLUSTER_WORKSPACE} (Option D). This command scales the specified node pool to 5 replicas (from the current 4), adding one additional worker to the cluster. The new worker will have the same configuration (8 vCPUs, 32 GB RAM) as the existing workers, providing additional capacity to alleviate resource contention. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “To address performance issues due to resource exhaustion in an NKP cluster, scale out by adding workers using nkp scale nodepools --replicas --cluster-name -n .”

Incorrect Options:

A. Call tech support to investigate: While support can help, the issue is clearly resource exhaustion, which can be resolved by scaling the cluster—a task the Platform Engineer can perform directly.

B. Ask developers to lower application replicas: Reducing replicas may decrease resource usage but could impact application availability or performance, which is not ideal for a development cluster.

C. Add more CPU and memory to workers with nkp scale --cpu 16 --memory 64: The nkp scale command does not support --cpu and --memory flags for resizing existing workers. Resizing VMs typically requires updating the node pool configuration and replacing nodes, which is more complex than adding new workers.

The NKPA course clarifies that NKP licenses are based on the number ofCPU coresin the infrastructure hosting the Kubernetes clusters. This licensing model applies to both on-premises (e.g., Nutanix AHV) and cloud-based deployments. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “NKP licenses are obtained based on the total number of CPU cores allocated to the clusters managed by the platform.” This core-based licensing ensures flexibility across different infrastructure types while aligning with the resource consumption of Kubernetes workloads.

Incorrect Options:

A. Flash: Flash storage is not a licensing unit for NKP.

B. CPU Sockets: Nutanix licenses for other products may use sockets, but NKP uses cores.

C. TiBs: Terabytes are used for storage licensing, not NKP.

As per the “Nutanix Kubernetes Platform Administration (NKPA)” documentation, during the preparation of the environment for an air-gapped deployment, the first task involves installing critical software packages on the bastion host. The bastion host acts as a jump host in a secure network and requires tools such as yum-utils, bzip2, and wget to facilitate the retrieval and processing of required images and configuration files.

Specifically, in theNKPA 6.10 course under "Preparing the Air-gapped Environment", the documentation clearly states:

"The initial step for configuring the bastion host includes installing required pre-requisites like yum-utils, bzip2, and wget. This ensures that the host has the basic tools to download and manage required container images and other dependencies."

This step is explicitly called out as the first actionable item before proceeding to more advanced tasks like configuring public IP access or creating a bootstrap cluster. The need for these pre-requisite packages is foundational, as they are required to handle image downloading and manipulation in the subsequent steps of the air-gapped installation process.

The NKPA course explains that NKP uses Grafana Loki as part of its logging stack to implement a multi-tenant logging system, allowing teams to access their logs securely within their respective namespaces. The exhibit indicates two namespaces, tenant-innovation and tenant-analytics, each with a ConfigMap for logging configuration. The requirement is to set a retention period of 30 days for tenant-innovation and 7 days for tenant-analytics.

The correct YAML output (Option A) configures Loki’s retention period using ConfigMaps in the appropriate namespaces:

For tenant-innovation, the ConfigMap logging-innovation-config in the tenant-innovation namespace sets retention_period: 30d.

For tenant-analytics, the ConfigMap logging-analytics-config in the tenant-analytics namespace sets retention_period: 7d.

The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “In NKP, configure multi-tenant logging with Grafana Loki by creating a ConfigMap per namespace, specifying retention periods under loki.structuredConfig.limits_config.retention_period (e.g., 30d for 30 days, 7d for 7 days).” The d suffix denotes days, aligning with the requirement for 30 days and 7 days retention periods.

Incorrect Options:

B: The second ConfigMap incorrectly uses the tenant-innovation namespace instead of tenant-analytics, breaking the multi-tenant isolation.

C: The retention periods are set to 30h and 7h (hours), not 30d and 7d (days), which does not meet the requirement.

D: Both ConfigMaps use a generic tenant namespace, which does not match the specific namespaces (tenant-innovation, tenant-analytics) shown in the exhibit.

The NKPA course outlines the specifics of integrating Azure Kubernetes Service (AKS) with NKP, focusing on fleet management and the deployment architecture. The correct statements are:

Existing AKS clusters must be attached to the Management cluster (Option A):NKP does not provision AKS clusters directly because AKS is a managed Kubernetes service. Instead, NKP attaches existing AKS clusters to its management plane for centralized management. The Nutanix Cloud Native (NCP-CN) 6.10 Study Guide states: “For AKS integration, existing AKS clusters must be attached to the NKP Management cluster using the Attach Cluster functionality, as NKP does not provision AKS clusters.” This involves creating a service account with cluster-admin permissions in the AKS cluster and providing its kubeconfig to NKP.

NKP Management cluster with the Kommander component must be installed before installing NKP on AKS cluster (Option C):The Kommander component is part of the NKP Management cluster and provides the centralized management plane for fleet management, including AKS clusters. The NKPA course specifies that an NKP Management cluster with Kommander must be deployed before attaching or managing external clusters like AKS. The NCP-CN 6.10 Study Guide notes: “An NKP Management cluster with Kommander must be installed prior to integrating AKS clusters, as Kommander enables the fleet management capabilities for external clusters.”

Incorrect Options:

B. AKS best practices encourage building customized images: AKS best practices recommend using the default node images provided by Azure, which are optimized for AKS features like autoscaling and security. Custom images can lead to loss of functionality, as noted in previous questions (e.g., Q91).

D. AKS clusters can be deployed as Management or Pro NKP clusters: AKS clusters are attached, not deployed, by NKP. Additionally, AKS clusters cannot serve as NKP Management clusters; the Management cluster must be deployed on supported infrastructure like Nutanix AHV, AWS, or vSphere. “Pro NKP clusters” is not a valid term in NKP documentation—Pro refers to a license tier, not a cluster type.