Which of the following is a primary benefit of using Kubernetes Custom Resource Definitions (CRDs) in a self-service platform model?
Correct Answer: C
Kubernetes Custom Resource Definitions (CRDs) extend the Kubernetes API by allowing platform teams to create and expose custom APIs without modifying the core Kubernetes API server code. Option C is correct because this extensibility enables teams to define new abstractions (e.g., Database, Application, or Environment resources) tailored to organizational needs, which developers can consume through a self-service model. Option A is incorrect because scaling and failover are handled by controllers or operators, not by CRDs themselves. Option B is wrong because RBAC is still required for access control over custom resources. Option D is misleading because multi-cloud support depends on how CRDs and their controllers are implemented; it is not a built-in CRD feature. By leveraging CRDs, platform teams can standardize workflows, hide complexity, and implement guardrails, all while presenting developers with simplified abstractions. This is central to platform engineering, as it empowers developers with self-service APIs while maintaining operational control.
References: CNCF Platforms Whitepaper; Kubernetes Extensibility Documentation; Cloud Native Platform Engineering Study Guide.
CNPA Exam Question 17
In the context of Istio, what is the purpose of PeerAuthentication?
Correct Answer: C
In Istio, PeerAuthentication is used to configure how workloads authenticate traffic coming from other services in the mesh. Option C is correct because PeerAuthentication primarily secures service-to-service communication using mutual TLS (mTLS), ensuring encryption in transit and verifying the identity of both communicating parties. Option A (network policies for ingress traffic) relates to Kubernetes NetworkPolicy, not Istio PeerAuthentication. Option B (traffic routing) is handled by Istio's VirtualService and DestinationRule resources. Option D (monitoring/logging) is part of Istio's telemetry features, not PeerAuthentication. PeerAuthentication policies define whether mTLS is disabled, permissive, or strict, giving platform teams fine-grained control over how services communicate securely. This aligns with zero-trust security models and ensures compliance with organizational policies without requiring application code changes.
References: CNCF Service Mesh Whitepaper; Istio Security Documentation; Cloud Native Platform Engineering Study Guide.
CNPA Exam Question 18
Which tool is commonly used to automate environment provisioning?
Correct Answer: D
OpenTofu (the open-source fork of Terraform) is one of the most widely used tools for automating environment provisioning. Option D is correct because OpenTofu allows teams to define infrastructure as code, supporting multiple cloud providers and services. It enables declarative, reusable, and version-controlled provisioning workflows, ensuring consistency across environments. Option A (Kubernetes) orchestrates containers and workloads but does not provision infrastructure outside its cluster scope. Option B (Prometheus) is an observability tool, not an IaC tool. Option C (Docker) manages containers but does not provision full environments or infrastructure. By using tools like OpenTofu/Terraform, platform engineers ensure scalable, repeatable environment provisioning integrated into CI/CD or GitOps workflows. This aligns with platform engineering's goals of reducing toil and enabling self-service with compliance.
References: CNCF Platforms Whitepaper; Infrastructure as Code Best Practices; Cloud Native Platform Engineering Study Guide.
CNPA Exam Question 19
Which of the following is a primary benefit of adopting a platform approach for managing application environments with diverse needs?
Correct Answer: A
The main advantage of a platform engineering approach is balancing self-service for developers with organizational governance and standardization. Option A is correct because platforms enable developers to provision infrastructure and application environments independently while embedding security, compliance, and operational guardrails. This ensures that applications with diverse needs (e.g., different scaling patterns, compliance requirements, or environments) can still operate within a unified governance framework. Option B (isolation only) is sometimes required for compliance but does not address the broader benefit of balancing flexibility and standardization. Option C forces uniformity, which reduces adaptability for varied workloads. Option D (centralized deployments) reduces developer autonomy and scalability. The platform approach enables golden paths, curated abstractions, and reusable services, allowing diverse applications to thrive while maintaining control. This balance is central to platform engineering's goal of reducing cognitive load and improving developer productivity.
References: CNCF Platforms Whitepaper; CNCF Platform Engineering Maturity Model; Cloud Native Platform Engineering Study Guide.
CNPA Exam Question 20
What does the latest tag usually represent in a container image registry?
Correct Answer: A
In most container registries, the latest tag is simply an alias pointing to whichever image was most recently built and pushed, unless explicitly overridden. Option A is correct because the latest tag does not carry any semantic guarantee beyond being the most recently tagged version. Option B is incorrect: latest does not imply security validation or attestation. Option C is false because production systems should not rely on latest; instead, immutable, versioned tags or digests should be used for reproducibility. Option D is misleading, as latest is not tied to Git history but rather to tag assignment during the build/push process. While convenient for testing or local development, relying on latest in production pipelines is discouraged. Platform engineering best practices emphasize explicit versioning and image immutability to ensure consistency, reproducibility, and traceability. Using signed images with SBOM attestation is recommended for security and compliance, while latest should only be used in controlled, non-production workflows.
References: CNCF Supply Chain Security Whitepaper; CNCF Platforms Whitepaper; Cloud Native Platform Engineering Study Guide.