Knowledge Check - Containers and AI Platform
Test your understanding of the key concepts from Module 6. Select the best answer for each question, then submit to see your results. You need to score at least 60% to pass.
A team migrating a public-facing web tier onto a Managed Kubernetes public cluster declares a Service of type LoadBalancer and assumes it now has a highly available, source-IP-preserving external load balancer equivalent to the Managed Network Load Balancer used elsewhere in the estate. The architect pushes back. Why is this assumption wrong, and what is the correct way to front the workload?
On Managed Kubernetes a LoadBalancer Service does not provision a managed external LB. IONOS reserves a static public IP and attaches it as a secondary IP to one worker node, and kube-proxy NATs traffic to the target pod, so there is no HA, source IP is lost unless externalTrafficPolicy is set to Local, and throughput is capped at that single node's public ceiling. Production ingress is built by provisioning a load balancer separately and running an in-cluster ingress controller, because manifests do not auto-provision a managed LB. Scaling the pool or changing externalTrafficPolicy does not turn the single ingress node into a managed multi-node L4 balancer.
A cost-conscious team running batch jobs on a Managed Kubernetes cluster wants the node pool to drop to zero nodes overnight when no jobs run, and they also want the cluster's control-plane events to flow into the centralized Logging Service alongside their application logs. The architect explains that both expectations collide with platform boundaries. Which statement correctly describes those boundaries?
The autoscaler floor on Managed Kubernetes is one warm node; there is no scale-to-zero, so a batch design must assume at least one node is always running and billable. Separately, control-plane events are not surfaced through the Logging Service, so centralized observability of the managed control plane is not available and visibility must be sourced from in-cluster signals. These boundaries are independent of cluster type and are not unlocked by toggling scanning or audit export.
An architect is designing a private Managed Kubernetes cluster for a regulated workload and lists the prerequisites. The build is for a private cluster whose data plane must be isolated, whose API server must remain reachable only by the operations team, and whose nodes must communicate across a second VDC. Which set of decisions is correct?
Private clusters isolate the data plane, not the API endpoint, so the API server is still reachable and must be guarded with an IP allowlist. The two network dependencies, a NAT Gateway for egress and a Cross-Connect for cross-VDC node traffic, must exist before the cluster is built, and the node-pool type is immutable after creation so it has to be chosen correctly up front. Security groups bind to worker NICs rather than to a cluster object, and placing the control plane in-region is what preserves sovereignty.
A platform team wants to govern access to its Container Registry the way it governs its cloud accounts, by defining roles such as read-only developer, pipeline-pusher, and admin, and binding human users and groups to those roles. They also want an anonymous public-pull tier for open-source images. The architect explains the registry does not work that way. What is the correct governance model?
The Container Registry provides token-only access with no RBAC and no role-to-user bindings, so there is no IAM-role inheritance and no public, anonymous-pull tier. Governance is enforced through token discipline: one narrowly scoped token per pipeline stage, with expiry and rotation, and tokens are deleted rather than disabled when retired. The distractors invent RBAC, a public-pull tier, and a disable action that the service does not provide.
An enterprise wants to add generative AI to a regulated, in-country application and must keep all processing in Germany, avoid running and patching GPU infrastructure, and integrate using its existing OpenAI client libraries. It also needs retrieval over a private corpus. Which approach fits the platform's enterprise default and its current direction?
Managed inference on the Model Hub is the enterprise default: an OpenAI-compatible API with per-token pricing, a stateless service, and processing that occurs in-country, which removes the burden of running and patching GPU serving. For retrieval, the durable pattern is customer-built, using embeddings from the hub, vectors stored in Managed PostgreSQL, and the corpus in Object Storage, deliberately avoiding the deprecating managed vector-store feature. Routing to a US region breaks the in-country requirement, and self-hosting from day one takes on SLA and redundancy responsibilities the requirements did not ask for.
A customer deploys an open-source model on the AI Model Hub and asks how EU AI Act responsibilities are allocated, including the case where IONOS modifies a model, for example by quantizing it. Which allocation is correct?
Under the EU AI Act the customer is the deployer, or the provider of its own AI system, and is responsible for its own risk assessment. For the majority of unmodified open-source models on the hub IONOS acts as a distributor or intermediary, but when IONOS modifies a model, for example through quantization, it assumes AI provider transparency obligations for that modification. Statelessness and in-country processing are sovereignty properties and do not exempt either party from the Act.