DevOps Engineer Interview Questions

Commit triggers CI: lint, unit/integration tests, build a versioned container, scan it (deps + image), sign it, and push to a registry. CD then promotes through environments with automated checks — canary or blue-green in prod, health gates, and an automatic rollback if SLOs breach. Infra is Terraform so the target is reproducible. I cut a team's deploy lead time from 45 minutes to 6 building roughly this.

Stabilize first — mitigate or roll back to restore service before root-causing. Communicate status on a single channel. Once it's stable, I run a blameless postmortem: timeline, contributing causes, and concrete action items with owners. After one ECS incident I added a circuit breaker and CPU throttling so the same fault now auto-recovers in under 30s.

Everything reproducible from version control — no click-ops in prod. Terraform for provisioning, modules for reuse, remote state with locking, and plan-review in PRs. The payoff is no config drift and a prod environment you can rebuild. Migrating 60+ services to Terraform is what ended our drift problem.

Alert on symptoms users feel (SLO burn — latency, error rate, availability), not on every CPU spike. I use the four golden signals, set alerts to burn-rate thresholds to avoid noise, and keep dashboards for diagnosis separate from pages. Good observability dropped our MTTD from 22 minutes to under 3.

Measure first — find the biggest cost drivers by service. Then right-size over-provisioned resources, use autoscaling, move stateless/batch workloads to spot with graceful interruption handling, adopt savings plans for the steady base, and kill idle resources. I cut compute 38% this way with no SLA regression — most of it was autoscaling + spot done safely.

Serverless for spiky, event-driven, or low-baseline workloads where you want zero idle cost and minimal ops. Containers/Kubernetes for steady high-throughput services, long-running processes, or when you need fine-grained control over runtime and networking. It's a cost-and-control tradeoff, not a religion.

Secrets in a manager (Vault/Secrets Manager), never in code or images; short-lived credentials via OIDC instead of long-lived keys; scan deps and images in CI; sign images and enforce policy gates. I added signed images, SBOMs, and CI policy gates to close an audit finding before a SOC 2 review.

S: Devs resisted required CI gates as 'slowing them down'. T: Improve reliability without killing velocity. A: I made the gates fast (parallelized, cached), showed the data on escaped defects, and piloted with one willing team. R: Lead time actually dropped and the gates spread voluntarily once the pilot team's release pain went away.