Interview › Kubernetes, Docker, Helm & Podman
What is a multi-stage build, and why does it reduce image size and risk?
Kubernetes, Docker, Helm & Podman · Advanced level
Answer
A multi-stage build uses one stage to compile or package the application and a later runtime stage to contain only what is needed to run it. That reduces image size, removes build tools, and reduces vulnerability surface.
Technical explanation
Build stages can be named and artifacts copied from one stage to another with COPY --from.
Never rely on multi-stage builds alone to protect secrets; do not pass secrets through normal build args or copied files.
Container image quality affects supply chain, startup time, vulnerability surface, rollout reliability, and debugging workflows.
Prefer reproducible builds: pinned dependencies, small build context, deterministic Dockerfile order, non-root runtime, and immutable image references.
Understand the runtime boundary: an image is not a VM, and container isolation depends on kernel, namespaces, cgroups, capabilities, seccomp, and mounts.
Hands-on example
1. Create a tiny sample app and Dockerfile for this exercise: convert a single-stage build into a multi-stage build.
2. Build and inspect it with docker build or podman build, docker history, image inspect, and a vulnerability or size scan if available.
3. Run it locally with explicit env vars, ports, user, volumes, and signal tests depending on the question.
4. Convert the final runtime assumptions into Kubernetes fields such as image, command, args, ports, securityContext, probes, and volumeMounts.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Kubernetes, Docker, Helm & Podman interview questions
- What is Kubernetes, and what problem does it solve over running containers manually?
- Explain the Kubernetes control plane components (API server, etcd, scheduler, controller manager).
- What runs on a worker node (kubelet, kube-proxy, container runtime)?
- What is a Pod, and why does Kubernetes schedule Pods rather than containers?
- What is the difference between a Pod, a ReplicaSet, and a Deployment?
- How does a Deployment perform a rolling update, and how do maxSurge and maxUnavailable work?
- How do you roll back a Deployment, and how does Kubernetes track revisions?
- What is a Service, and what are the types (ClusterIP, NodePort, LoadBalancer, ExternalName)?