NCP-CN 6.10 · Cloud Native (NKP)

Memorize the tier matrix. Starter = core "get started," Nutanix-only, managed OS, limited apps. Pro = adds bring-your-own OS, platform & data services, the observability stack, AI Navigator, and the data-services backups. Full Stack = the Pro feature set bundled together with Nutanix Cloud Infrastructure (NCI). Ultimate = adds fleet management (single management cluster across any provider, manage EKS/AKS), granular RBAC, NKP Insights, and Kubecost.

Managed Rocky Linux is available in all tiers. Bring-your-own Linux OS (and the prepackaged Ubuntu / Canonical image) is Pro and Ultimate only.

Starter = Nutanix AHV only. AHV is supported on all tiers. To run on AWS, Azure, or Google Cloud you need Pro or Ultimate.

Pro and Ultimate only.

The first cluster you deploy. It provisions and manages the lifecycle of the workload (worker) clusters; in an enterprise deployment you don't run apps on it, it's the orchestrator. Conceptually like Prism Central: everything rolls up to it.

NKP Ultimate. Always. The trigger phrases also include "hybrid multicloud," "managing EKS/AKS/upstream CNCF," and granular global/workspace/project RBAC. The question doesn't have to say the literal words "fleet management."

Pro: No, each infrastructure provider needs its own environment with its own management cluster. Ultimate: Yes, a single environment / single management cluster deploys and manages clusters across any provider, and you can mix providers.

Dex.

SAML, OpenID (OIDC), GitHub, and LDAP, the four authentication types.

Calico and Cilium, the two bundled CNIs. Kubernetes NetworkPolicies determine which pods can talk to each other.

Traefik = L7 ingress (HTTP traffic into internal services). MetalLB = L4 load balancer that gives a pod a real external IP on your network (not just the internal cluster network), packaged by default so on-prem behaves like cloud.

CSI driver = all tiers (Starter up). Block storage (Nutanix Volumes) = all NCI customers. File storage = requires NUS Pro (Nutanix Unified Storage Pro) or NKP Full Stack.

Volume provisioning, resize, cloning, snapshot/restore; supports RWO and RWX. Available in all licensing.

Cluster API (CAPI / "Cappy") automates create / scale / upgrade / destroy of clusters and nodes, with a provider component for AHV, AWS, Azure, and Google Cloud. NKP orchestrates the hosts; Kubernetes orchestrates the workloads.

Observability = Pro and Ultimate only. Grafana = visualization/dashboards (27 built-in). Prometheus = metrics. Loki + Fluent Bit/Fluentd = logs.

Pro and Ultimate only. Can be disabled for air-gapped / high-security / no-internet environments.

CSI driver = all NKP tiers. Nutanix Volumes = all NCI tiers. NDK (Nutanix Data Services for Kubernetes) = Pro/Ultimate, and only on an NCI cluster (not bare metal, not cloud, those bring a different storage provider).

Velero is the CNCF tool that backs up persistent volumes and Kubernetes resources for a pod / deployment / replica set. Pro/Ultimate. Core commands: velero backup create <name> (add the volume snapshot if it has volumes), velero restore create, velero backup get. To change a schedule you create a new one and delete the old, you can't edit it in flight.

Pro and Ultimate only.

Requires NKP Ultimate (it's fleet management). NKP cannot manage Red Hat / OpenShift, its architecture prevents it.

Kubecost (renamed/replaced by OpenCost in newer versions; for this exam it's Kubecost). Provides chargeback / showback per container. Included with NKP Ultimate.

NKP has a built-in Git operator: a Git repo holds declarative config as the single source of truth; the cluster continuously reconciles to it and self-heals drift, giving simple rollback/DR. Paste a repo URL into a workspace deployment to wire it up. For the exam, treat GitOps as an Ultimate feature.

Included with NKP Ultimate. It runs on the management cluster and is therefore updated via LCM with the management cluster. Produces RCAs (root-cause analysis) and alerts at severities critical / warning / notice.

Single cluster = standalone NKP, can't attach other clusters. Multi-cluster = a management cluster doing full Kubernetes LCM of managed clusters. Managed = created and lifecycle-managed by the management cluster. Attached = a pre-existing external cluster connected for visibility and limited control, not full orchestration.

Cluster managers handle the cluster lifecycle (the CAPI controller). App managers handle environment-level integration: auth, authz, GitOps, Kubernetes Federation. Application types: Cluster apps (load balancers / ingress, enabled by default) → Platform apps (production services, enabled on demand) → Catalog apps (user apps: Nutanix e.g. Kafka/Zookeeper, Partner e.g. NVIDIA, Customer in-house). Consumable via CLI, GUI, or GitOps.

Understand what the air-gap bundle does, why it exists, and its config flags. Air gap = no internet: build the OS package bundle on an internet-connected host, move it in, seed a local registry, run NKP locally. Seeding the registry is a push (nkp push bundle).

Gatekeeper = policy as code / policy administration, built on OPA (Open Policy Agent). (Dex, by contrast, is the authentication point.)

RBAC comes with all tiers. But granular global / workspace / project-based roles require Ultimate (it falls under fleet management). Starter and Pro get limited RBAC.

Yes, but with a caveat: it requires migration / rebuild (there are 4 migration options depending on how you do it).

The only difference between NKP Full Stack and NKP Ultimate is that Full Stack includes NCI. (Ultimate adds fleet management on top.) Gotcha: going from an existing NCI cluster to NKP Full Stack on the same cluster requires you to unlicense the NCI first, then relicense it via the Full Stack license.

Workspace = grants access to an entire cluster (or clusters); you can create namespaces on those clusters. Project = a single namespace (or set) on predefined clusters, the smallest unit where a user creates pods; carries quotas/limits and its own secrets. Hierarchy: Global > Workspace > Project, with access decreasing. Separate teams → separate workspaces.

The NCP-CN blueprint is a public document, the "this is on the exam" badges came straight from it. The exam follows the blueprint's structure, questions are randomized, and you can flag questions to revisit.

No, the exam is 100% multiple choice. You never type a command string. What matters is reading a command and understanding what it does.

Seed with nkp push bundle --bundle <...>/container supplying the URL, username/password, and the cert to the bastion host. A common failure: if a check returns a non-empty string, the host's temp directory is mounted with the noexec option, fix the mount.

From the bastion host (which pushes the images) and from the cluster nodes that pull images, all within the air-gapped network.

A Linux box running Docker. nkp create cluster builds a bootstrap in Docker on the bastion, which provisions the management host on Nutanix and transfers control to it; the bastion then becomes a standalone box again. It must be on the same network, reach the infra-provider API (Prism Central and Prism for Nutanix), be SSH-reachable, push images to the registry, and it holds the first kubeconfig.

It runs the CAPI (Cappy) controllers and creates the initial cluster object. Built in Docker on the bastion, it creates cluster certificates, initializes the control plane and its node, joins worker nodes, deploys core services (networking, storage, autoscaler), then pivots/transfers its role to the permanent management cluster.

Because the command wasn't run with -A / --all-namespaces. By default kubectl get pods only shows the default namespace.

NIB = Nutanix Image Builder → builds CAPI-compliant node images for Nutanix infrastructure. KIB = Konvoy Image Builder → builds images for the other providers (AWS, Azure, NOT Google Cloud for this exam).

x86-64 / AMD64 only. No ARM64 (at the time of this exam version).

Everything is version-tied. The bundle, the ready node-OS images, the NKP binary, and the Konvoy image builder must all match the NKP version (e.g., 2.17.1 across the board).

KIB ships a default YAML per infrastructure provider (e.g., an Amazon Machine Image YAML); you edit it as needed, then build the image.

You build the OS package bundle on an internet-connected machine, move it to the air-gapped environment, and create the OS image locally. The bundles are obtained separately and packaged up.

nkp create cluster nutanix is the primary deploy command: it creates the bootstrap, deploys the CAPI resources, builds the base cluster, moves CAPI components from bootstrap to the new cluster, deletes the bootstrap, then deploys Commander. Commander = the NKP management UI, the landing screen you log into. As of this version it is a separate URL and login, not integrated into Prism Central.

Straightforward via the Nutanix licensing portal, except the NCI → NKP Full Stack case: unlicense the NCI portion, then apply the Full Stack license (see B12).

Get a free voucher in Nutanix University (My Certifications → request voucher); vouchers are now exam-specific. The NKPA may be a prerequisite for the NCP-CN voucher to appear. If you fail: request a new voucher (1-2 business days via your CSE) and wait out the cooldown (24 hours or one week).

Global = access across all clusters in the management cluster. Workspace = access to specific cluster(s); can create namespaces there. Project = specific namespace(s) only, on predefined clusters. Access decreases Global → Workspace → Project. Roles and bindings are defined per level.

Because Fluent Bit by default only collects admin/node logs; to capture pod/application logs you add Fluent Bit alongside the pod. Fluent Bit (lightweight per-node collector) forwards to Fluentd, which is visualized in Grafana.

Default CSI driver; PVs with provision/resize/clone; RWO and RWX. For object storage, Nutanix Objects provides S3-compatible storage for unstructured data.

Rook/Ceph = the internal object storage NKP pre-provisions; it stores logging, Insights, and backups, and is required for bare-metal clusters. Velero = the backup tool that stores into Rook/Ceph. They're complementary, not duplicative.

Know the minimum recommended cluster resources. Ultimate needs more than Starter, on the classic 16-vs-32 question, 32 is the answer for the higher tier (16 is the trap).

etcd = the distributed key-value store, the "brain" of Kubernetes, it holds all cluster state. Prometheus = metrics. There may be a question on what etcd does.

Be able to read and edit/update a ConfigMap. Questions show a ConfigMap with one variable (e.g., memory) changed and ask you to compare options.

The cluster autoscaler is off by default; it adds worker nodes when pods can't schedule due to resource constraints and removes nodes on low utilization. Distinguish it from application autoscaling (pod replicas / HPA). Configurable via CLI config or Commander.

You must detach an attached cluster before you can delete it (via the Commander 3-dot/hamburger menu). Order of operations matters.

Finalizers. Finalizers are the last pieces of a cluster that must be cleared before deletion can complete; check/remove them.

Understand the logical multi-tenant model: workspaces and projects plus per-tenant login URLs isolate tenants. Understanding workspaces vs projects is the key.

A "why did this fail?" answer is the infrastructure-provider resources weren't provided. You can manage a Nutanix cluster other than where the management cluster runs, as long as they have network connectivity; you define additional infrastructure providers (AWS, Azure) with the prerequisites the slide lists.

You bind a group to a role; roles are defined separately. Cluster roles grant access across entire clusters. Understand where roles and bindings sit across the three levels (global / workspace / project).

NKP provides a dedicated login URL for each individual tenant, so a group can be inside Commander but see only its own workspace.

A managed (workload) cluster runs your Kubernetes manifests; the management cluster is just the orchestrator. Create managed clusters under the 4 CAPI providers: Nutanix, Azure, vSphere, and VMware Cloud Director, each with its own prerequisites.

Attach an existing AKS/EKS (or other supported) cluster by establishing a network connection/tunnel (VPN or direct route) and providing credentials (a kubeconfig/token). Attaching gives observability and some management, not full orchestration.

A project = a namespace (or group) scoped to specific clusters; the smallest unit where a user creates pods. You set CPU and memory quotas/limits; each project has its own secrets (its own namespace, so secrets don't leak across namespaces); app deployments are scoped to the project's namespace + project name.

Platform applications are Pro/Ultimate only. Enable them via the UI button or the CLI app deployment. To validate a deployment, use a kubectl command (screenshot-context questions).

Specify DockerHub credentials, doubles the DockerHub rate-pull limit at no cost.

Create an EKS service-account-generated token, which builds a kubeconfig, then plug that into NKP Ultimate.

Rook/Ceph stores Velero backups / stateful data by default; if the Rook/Ceph cluster isn't up first, it can't restore the stateful PVs.

A project, it applies to all clusters defined inside it.

With an app deployment in the production workspace, rather than manual per-cluster config overrides.

The self-managed, air-gapped single-cluster option (it runs Commander on itself rather than under a separate management cluster).

YAML, always.

The kubelet ensures pods run on each host; Prometheus is the monitoring capability.

Fleet management (→ NKP Ultimate).

You must have a storage location registered.

docker load -i OR podman load -i, you can use Docker or Podman with NKP.

Application auto scaling is based on the pod/deployment config; cluster auto scaling = worker nodes. The trap answer was the application/pod one.

Run the CAPI (Cappy) controllers and create the initial cluster object.

Commander.

Enabling the tier deploys many marketplace apps (Rook/Ceph, Velero, Grafana, Prometheus...); you need enough worker nodes in the management cluster or the pods can't be scheduled.

Create a separate workspace for each team (not separate projects under one workspace). The HR / Finance / XYZ pattern.

Roughly 20%, and the terms are intentionally intermixed to trick you.

A vulnerability scanner that scans manifests and image layers for known CVEs.

Always restore create or backup create.

A push, nkp push bundle.

Create a secret for the object credentials and set the environment variables needed to talk to the store.

The pod and service CIDR. Usually fine to leave alone, but in crowded environments these can overlap.

Deployed inside that project (scoped to the project's namespace).

Existing pods keep running; it may not start new ones, but the running ones continue.

Workspace names, not commands (the titles were just shortened for the quiz).

tar + XZ, a .tar.xz tarball.

Know both minimums; on the 16-vs-32 question, 32 is correct for the higher tier (16 is the trap).

Lots of air-gap and error questions, "just like the real exam."

Make sure it's a supported OS.

Move the Starter license first, then add the Ultimate license (this is the "choose two" / ordered question).

Fluent Bit = lightweight per-node/per-pod collector (pod logs need Fluent Bit in the pod); Fluentd = the aggregator it forwards to. (See C16.)

Gatekeeper = policy administration via OPA (Open Policy Agent); Dex = the authentication point.

A logical / process-of-elimination question (not deeply covered in the deck).

Scale the heaviest-load component first.

Use kubectl config use-context (select the EKS context).

Self-managed, they aren't managed by someone else.

kubectl describe.

The bootstrap builds the initial cluster on the bastion (in Docker) before pivoting to the management cluster. (See C5.)

NKP deploys Kubernetes from Kubernetes using Docker on the bastion (the bootstrap runs inside Docker). (See C4/C5.)

Terraform is outside this construct (never used in NKP here), it's the wrong answer; the right answer is the workspace/project one.

32. 16 is the trap because you instinctively want the lower number.

Host the NKP bundle images and provide a local registry for air gap. (The green distractor "sounds right" but isn't.)