CI/CD Interview Questions and Answers

A continuous integration pipeline turns a commit into a tested, immutable artifact; continuous delivery takes that artifact toward production. The canonical stages are build, test, package, and deploy, but the load-bearing ideas live in the gaps between them. The single most important principle is build once, deploy many: you produce one artifact (a container image pinned by digest, a versioned tarball, a Helm chart) and promote that exact bit-for-bit artifact through dev, staging, and prod. If each environment rebuilds from source, you are testing a different binary than the one you ship, and 'works in staging' stops meaning anything.

Fast feedback is the second pillar. A pipeline that takes 40 minutes gets bypassed; engineers stop running it locally and start merging on hope. You shorten it by parallelizing independent jobs (lint, unit tests, and image build can run concurrently), failing fast on cheap checks before expensive ones, and caching aggressively. Cache the things that are expensive to recompute and stable between runs — dependency directories (node_modules, ~/.m2, the Go build cache), Docker layers via BuildKit and a registry-backed cache, and test fixtures. The classic gotcha is a cache key that is too coarse (keyed on the branch, so it serves stale deps) or too fine (keyed on every file, so it never hits). Key dependency caches on the lockfile hash.

Know your artifact-promotion mechanics. Immutable, content-addressed references (the image digest sha256:..., not the mutable :latest tag) make rollbacks deterministic and prevent the 'someone repushed latest' class of incident. Treat the pipeline itself as code (pipeline-as-code in YAML, reviewed in PRs) so changes to how you ship are auditable the same way application changes are.

A rolling deployment replaces old instances with new ones gradually — Kubernetes Deployments do this by default (the RollingUpdate strategy), spinning up new pods and terminating old ones within maxSurge and maxUnavailable bounds. It needs no extra infrastructure and little or no extra capacity, but during the rollout both versions serve traffic simultaneously, so your app must tolerate version skew (especially around database schema). Rollback is just another rolling update back to the previous ReplicaSet, which is not instant.

Blue-green keeps two full environments; you deploy to the idle one (green), smoke-test it out of band, then flip the load balancer or Service selector from blue to green in one cutover. The win is a near-instant switch and an instant rollback (flip back). The cost is doubled infrastructure during the window and a hard moment where 100% of traffic moves at once. Canary is the risk-averse middle ground: route a small slice of real traffic (1%, then 5%, 25%, 100%) to the new version while watching error rate, latency, and saturation — promote on healthy metrics, auto-roll-back on regression. Canary catches problems blue-green's synthetic smoke test misses, because real users exercise real paths, but it requires traffic-shaping (a service mesh, an ingress that supports weighting, or a controller like Argo Rollouts or Flagger) and good observability to make the promote/abort decision.

Feature flags decouple deploy from release: you ship the code dark and turn the feature on later, per user segment, without another deploy. This is powerful — it enables trunk-based development, lets you kill a feature instantly without a rollback, and supports A/B testing — but flags accumulate technical debt. Stale flags become dead conditionals and a combinatorial testing burden, so a mature shop has a flag-retirement process. The senior-level answer to 'which strategy?' is always 'it depends on blast radius, statefulness, and how good your metrics are' — name the trade-off, do not just recite definitions.

GitOps is delivery where Git is the single source of truth for desired state and an in-cluster agent continuously reconciles the live cluster toward what the repo declares. The defining shift is from push to pull. In a push model, a CI runner holds cluster credentials and runs kubectl apply or helm upgrade from outside — which means your kubeconfig and cloud creds live in the CI system, drift between what is in Git and what is live goes unnoticed, and an out-of-band kubectl edit silently sticks. In a pull model, an operator inside the cluster (Argo CD or Flux) watches the repo, diffs desired vs actual, and applies the difference itself. No external system needs cluster-admin, the agent detects and (optionally) corrects manual drift, and every change to production is a reviewed, revertible Git commit.

The four GitOps principles (as defined by the OpenGitOps project) to be able to state: the system is declarative (you describe what, not how), the desired state is versioned and immutable in Git, changes are pulled and applied automatically by an agent, and the agent continuously reconciles to detect and correct drift. The practical payoff is a clean audit trail (git log is your deploy history), straightforward rollback (git revert the commit, the operator converges back), and disaster recovery (re-point the operator at the repo and the cluster rebuilds itself). The honest gotchas: secrets cannot sit in plaintext in Git (you need Sealed Secrets, SOPS, or an external secrets operator), reconcile loops can fight you if something outside Git keeps writing the same resources, and 'everything is a commit' adds friction to genuine emergencies — so teams keep a documented break-glass path.

Argo CD and Flux are the two dominant CNCF GitOps controllers and a near-certain interview topic — both are graduated CNCF projects (Flux graduated November 2022, Argo December 2022). Argo CD is application-centric and ships a rich web UI and CLI: you define Application (or ApplicationSet) custom resources, and the UI gives you a live resource tree, sync status, diffs, and a manual sync/rollback button — which makes it popular where humans want visibility and self-service. It has first-class multi-cluster support, RBAC, SSO, and projects for tenancy. Flux is a set of composable controllers (source-controller, kustomize-controller, helm-controller, notification-controller) with no built-in UI; it leans CLI- and Kubernetes-native, integrates cleanly with Kustomize and Helm, and many find it lighter and more GitOps-purist. Both watch Git, both reconcile, both support Helm and Kustomize, both detect drift.

The differentiators worth naming: Argo CD gives you a powerful UI and an explicit Application abstraction with strong visualization and manual-promotion ergonomics; Flux gives you a modular, controller-per-concern design that composes well and feels native to anyone comfortable in YAML and kubectl. Progressive delivery differs too — Argo CD pairs with Argo Rollouts for canary/blue-green, while Flux pairs with Flagger (note both are separate add-on projects, not built into the core GitOps controller). There is no universally correct answer; the strong response is to tie the choice to the team: Argo CD when you want a visual control plane and self-service for many app teams, Flux when you want a lean, composable, automation-first setup. Mentioning that ApplicationSet (Argo) and Kustomization layering / overlays (Flux) handle the multi-environment fan-out shows depth.

Secrets are where pipelines leak. The rules: never commit secrets to Git or bake them into images, never echo them into logs, scope them to the smallest job that needs them, and prefer short-lived, federated credentials over long-lived static keys — OIDC federation (a GitHub Actions or GitLab job exchanging its identity token for a short-lived cloud role) eliminates the standing access key entirely. At the cluster edge, GitOps secrets go through Sealed Secrets (encrypted with a controller-held key, safe to commit to Git), SOPS (encrypt values with KMS or age), or an External Secrets Operator that syncs from Vault or a cloud secret manager. Rotate regularly, and assume any secret that ever touched a log is compromised.

Supply-chain security has become a default interview area since SolarWinds and Log4Shell. Be ready to discuss: pinning dependencies and base images by digest, generating an SBOM (software bill of materials) so you know what you ship, scanning images and dependencies for CVEs (Trivy, Grype) as a pipeline gate, and signing artifacts so you can verify provenance — Sigstore/cosign for signing images and the SLSA framework for build-integrity levels. Admission control (for example, verifying signatures before a pod is allowed to run) closes the loop. A clean way to frame it is the SLSA threat model: protect the source, the build, and the dependencies.

Rollbacks and testing tie it together. A good pipeline makes rollback boring: because you build immutable, digest-pinned artifacts, rolling back is redeploying the previous known-good digest (or, in GitOps, git revert and let the operator converge) — not a frantic hotfix. Have a rollback strategy before you need it, and know that some changes (a destructive DB migration, a consumed message) are not trivially reversible, which is why you decouple schema changes from code deploys with the expand/contract pattern: add columns backward-compatibly, deploy code that handles both shapes, migrate the data, then remove the old shape. In the pipeline, layer the test pyramid — many fast unit tests, fewer integration tests, a thin slice of end-to-end — plus security scans and (for risky changes) a smoke test against the freshly deployed canary before promotion.