DevOps & Cloud Interview Questions and Answers - Part 1

The Infrastructure Blueprint: The NodeClass Logic (Karpenter)

36 min · Yesterday

Description

Q5: The Infrastructure Blueprint (NodeClass)

Concepts: EC2NodeClass, AMI, Subnet, SG, EBS

SCENARIO: Security team mandates: specific AMI, private subnets only, custom security groups, and encrypted EBS. Where do you configure all this? What's the relationship between NodePool and NodeClass?

WHAT THEY'RE TESTING: EC2NodeClass, AMI management, networking, separation of concerns

THE ANSWER:

  • NODEPOOL = WHAT (requirements, constraints, behavior)
  • NODECLASS = HOW (infrastructure details for cloud provider)
  • EC2NodeClass configuration:

      apiVersion: karpenter.k8s.aws/v1
      kind: EC2NodeClass
      metadata:
        name: secure-nodeclass   # the name the NodePool refers to
      spec:
        amiSelectorTerms:
          - id: ami-0123456789   # Specific AMI
        subnetSelectorTerms:
          - tags: { 'tier': 'private' }
        securityGroupSelectorTerms:
          - tags: { 'karpenter': 'enabled' }
        blockDeviceMappings:
          - ebs:
              encrypted: true    # encryption is set on the ebs block of the mapping

  • NodePool references NodeClass:

      spec:
        template:
          spec:
            nodeClassRef:
              group: karpenter.k8s.aws
              kind: EC2NodeClass
              name: secure-nodeclass

→ Separation allows: 1 NodeClass for many NodePools, easy AMI rotation


All episodes

13 episodes


The Infrastructure Blueprint: The NodeClass Logic (Karpenter)


Yesterday · 36 min

Midnight Cleanup: Consolidation & Drift (Karpenter)

SCENARIO: It's 2 AM, traffic is at 5%, but we have 50 nodes running at 10% utilization. Also, some nodes are running an old AMI from 3 months ago. How does Karpenter handle both issues?

WHAT THEY'RE TESTING: Consolidation, Drift Detection, Expiration (TTL)

THE ANSWER:

  • CONSOLIDATION (underutilized nodes):

      disruption:
        consolidationPolicy: WhenEmptyOrUnderutilized
        consolidateAfter: 30s

      - Karpenter identifies low-utilization nodes
      - Drains pods to other nodes, terminates empty ones

  • DRIFT DETECTION (old AMI):

      - Karpenter compares node spec vs current NodeClass
      - If AMI changed in NodeClass, node is marked 'drifted'
      - Gracefully replaces with new node running correct AMI

  • EXPIRATION (TTL):

      expireAfter: 720h   # Force refresh every 30 days

→ All three are types of DISRUPTION - Karpenter's cleanup mechanism

28 Feb 2026 · 25 min

Unstuck: The Karpenter Lifecycle

SCENARIO: You deploy a new ML training job requiring 8 GPUs, but pods are stuck in Pending. The K8s Scheduler logs show 'no nodes available'. Walk me through exactly what Karpenter does to resolve this, step by step.

WHAT THEY'RE TESTING: K8s Scheduler vs Karpenter's role, the 4-step lifecycle

THE ANSWER:

  • WATCH: Karpenter controller watches for pods marked 'unschedulable' by K8s scheduler
  • EVALUATE: Reads ALL constraints from Pod Spec:
      - Resource requests (8 GPUs, memory, CPU)
      - nodeSelector, nodeAffinity, tolerations
      - Topology spread constraints
  • PROVISION: Calls AWS EC2 API to launch instance matching ALL requirements
      - Selects p3.16xlarge (8 GPUs) in correct zone
      - Applies NodePool's taints, labels, kubelet config
  • RESULT: Node joins cluster, K8s scheduler binds the pod

→ Key insight: Karpenter provisions, K8s scheduler still does final binding!

26 Jan 2026 · 39 min