Interview questions

Staff DevOps / SRE Engineer Interview Questions

A Staff SRE/DevOps role sits at the intersection of deep systems expertise, platform strategy, and organizational influence. Interviews at this level evaluate whether you can own reliability and delivery posture across multiple teams, make hard architectural tradeoffs, and drive engineering culture — not just execute on existing tooling. Expect to be judged heavily on judgment, not just knowledge.

What to expect

The typical Staff SRE loop runs 5–6 rounds: a hiring manager screen focused on scope and impact, one or two system design rounds (one infrastructure/reliability-focused, one platform or tooling design), a coding or scripting round that emphasizes automation and operational tooling rather than algorithms, a deep-dive production incident or failure analysis discussion, and a behavioral/leadership round with a director or senior staff peer. Some companies add a cross-functional round with a product or infrastructure partner. At this level, every round is also evaluating your communication with non-SRE stakeholders, your comfort setting direction under ambiguity, and how you think about tradeoffs across cost, reliability, security, and developer velocity.

12 questions, with how to answer them

1. System Design – Reliability

   1. Design a multi-region active-active deployment for a stateful, latency-sensitive service that currently runs in a single region. Walk through how you'd achieve 99.99% availability.

   How to answer: Start by quantifying the availability budget (52 minutes downtime/year) and identifying the failure domains. Decompose the problem: data replication strategy (synchronous vs. async, conflict resolution — CRDTs vs. last-write-wins), traffic routing (anycast, GeoDNS, or global load balancer like AWS Global Accelerator), and the statefulness problem specifically. Discuss how you'd partition or shard state to reduce cross-region coordination. Cover failover detection latency (health check intervals + propagation), chaos engineering to validate assumptions, and operational runbooks. Flag the hard truth: active-active for truly stateful services often requires accepting eventual consistency or scoping 'stateful' down to specific components.

   What they look for: Whether the candidate distinguishes active-active from active-passive and understands why the latter is easier. Depth on data consistency tradeoffs, not just infrastructure. Ability to call out that 99.99% is a systems problem, not just a deployment topology problem.

2. System Design – Platform

   2. Your organization has 40 engineering teams deploying independently. Design an internal developer platform that enforces security and compliance baselines without becoming a bottleneck to deployment velocity.

   How to answer: Frame this as a paved-road problem. Discuss golden-path templates (Backstage or internal service catalog), policy-as-code (OPA/Gatekeeper, Kyverno) enforced at the cluster or CI level rather than as a gate requiring human approval. Separate hard guardrails (no public S3 buckets, required egress controls) from soft nudges (cost estimates, SBOM generation). Discuss how you'd version and communicate breaking changes to the platform, and how you'd instrument adoption vs. shadow-IT escape hatches. Cover the governance model: who owns the platform, how teams contribute, and how you avoid the platform team becoming a monopoly blocker.

   What they look for: Whether the candidate thinks about developer experience as a first-class concern alongside security. Evidence of having operated at this scale — not just theoretical knowledge of tools. Understanding that enforcement without escape valves creates shadow IT.

3. Incident Management & Production Reliability

   3. Describe a major incident you personally drove that involved a cascading failure across multiple systems. Walk through your actions, what you got wrong, and what you changed structurally afterward.

   How to answer: Use a tight narrative: detection (how long, why that long), initial diagnosis (what assumptions were wrong), mitigation vs. root cause distinction, communication cadence with stakeholders, and the post-incident review. The structural changes are the most important part at staff level — don't stop at 'we added a runbook.' Discuss whether you changed on-call rotation design, introduced circuit breakers or load shedding, improved observability to detect the failure class earlier, or changed deployment sequencing. Be honest about your mistakes.

   What they look for: Ownership without defensiveness. The ability to distinguish between a good incident response and a good post-incident process. Whether structural changes were systemic or cosmetic. Staff candidates should be driving the review, not just participating.

4. Observability & Monitoring

   4. Your services emit metrics, logs, and traces, but on-call engineers still take 45+ minutes to localize production incidents. What's broken and how do you fix it?

   How to answer: Diagnose the likely causes: alert fatigue from low-signal alerts, lack of correlation between telemetry signals, missing exemplars linking metrics to traces, dashboards that show symptoms not causes, or runbooks that are stale. Propose a structured approach: audit alert signal-to-noise ratio (what percentage of pages result in action vs. silence?), implement structured logging with consistent trace/span IDs, add RED method (rate, errors, duration) dashboards per service boundary, and introduce automated context gathering at alert time (recent deploys, correlated error spikes). Discuss SLO-based alerting as a forcing function for meaningful signals. Note the human side: on-call rotation health, runbook freshness cadence.

   What they look for: Whether the candidate starts with diagnosis rather than tool prescription. Understanding of the difference between observability and monitoring. Awareness that MTTR is partly a tooling problem and partly a process and culture problem.

5. Coding / Automation

   5. Write a script or tool that monitors a Kubernetes cluster for pods stuck in CrashLoopBackOff, automatically captures diagnostics (logs, events, resource usage), and posts a structured alert to a Slack webhook. How would you make this production-grade?

   How to answer: Sketch the implementation: use the Kubernetes Python client or kubectl with watch/list on pod phase and containerStatuses.state.waiting.reason. On CrashLoopBackOff detection, collect: last N lines of logs (kubectl logs --previous), recent events (core/v1 Events filtered by involvedObject), and current resource requests vs. limits. Structure the Slack payload as a Block Kit message with actionable context. For production-grade: idempotency (don't re-alert for the same pod within a cooldown window — use a local or Redis-backed seen-set), graceful error handling for pods mid-termination, RBAC least-privilege service account, and deployment as a Kubernetes controller or CronJob. Discuss whether this should eventually be replaced by a proper operator pattern.

   What they look for: Operational maturity — not just 'does the script work' but 'is it safe to run in production.' Understanding of Kubernetes internals. Whether the candidate naturally considers idempotency, permissions, and failure modes without prompting.

6. Capacity Planning & Cost

   6. An executive asks why the infrastructure bill grew 40% last quarter with no corresponding growth in traffic. How do you investigate and what do you change?

   How to answer: Structure as an investigation before a solution. Data sources: cost explorer broken down by service/tag/team, resource utilization metrics (CPU/memory for compute, IOPS for storage, data transfer for networking — often the surprise). Common culprits at scale: orphaned resources (snapshots, unattached volumes, idle load balancers), over-provisioned reserved capacity that traffic shifted away from, data transfer costs from cross-AZ or cross-region traffic, or log/metric ingestion costs that exploded with a new service. Propose a chargeback or showback model to make teams aware of their spend. Discuss FinOps as a practice — rightsizing, commitment coverage strategy, spot/preemptible instance usage, and architectural changes like moving from per-request to batched workloads.

   What they look for: Whether the candidate investigates before prescribing. Knowledge of the real cost drivers at scale (networking and storage often surprise people). Evidence of having actually driven cost reduction, not just read about it. Comfort talking to non-technical executives.

7. Security & Compliance

   7. How do you design secrets management for a fleet of microservices running on Kubernetes, across dev/staging/prod environments, with an audit requirement for every secret access?

   How to answer: Evaluate the options honestly: Kubernetes Secrets (base64, etcd encryption at rest required, weak audit trail), Vault (strong audit log, dynamic secrets, lease revocation — operational overhead), cloud-native KMS-backed secrets managers (AWS Secrets Manager, GCP Secret Manager — good audit trail, simpler ops, vendor lock-in). For Kubernetes specifically, discuss the External Secrets Operator pattern to sync from a central secrets manager into Kubernetes Secrets, avoiding direct Vault sidecar complexity. Address the audit requirement: every secrets manager has access logs, but you need to route them to a SIEM and define what 'anomalous access' looks like. Discuss secret rotation, the difference between static and dynamic secrets, and how you handle the bootstrap problem (the secret to get secrets).

   What they look for: Honest evaluation of tradeoffs rather than defaulting to 'just use Vault.' Understanding of the bootstrap problem. Awareness that audit logging is useless without alerting on it. Evidence of having operated secrets management in a real multi-environment setup.

8. Behavioral / Leadership

   8. Tell me about a time you had to convince a skeptical VP or C-level leader to invest in reliability or platform infrastructure that had no immediate feature value. How did you frame it and what happened?

   How to answer: Structure with context (what the reliability gap was, what the business risk was), your approach to quantifying risk in business terms (cost of downtime per hour, customer churn risk, engineering velocity tax from toil), how you navigated the stakeholder — who were their actual concerns, what objections you addressed, what you compromised on. Be honest if it didn't go perfectly. The interviewer wants to see that you can translate technical risk into business language without losing accuracy, and that you can influence without authority at the executive level.

   What they look for: Ability to translate reliability into business outcomes. Political maturity — knowing when to push and when to sequence asks. Comfort operating at executive altitude. Staff engineers who can only convince engineers are limited in their impact.

9. Behavioral / Leadership

   9. You've identified that the on-call rotation across three teams is unsustainable — high alert volume, frequent sleep disruption, and two senior engineers have mentioned they're considering leaving. What do you do?

   How to answer: This is a systems and organizational problem, not just a tooling problem. Start with data: pull alert volume, page timing, time-to-acknowledge, and false-positive rates. Segment by team and service. Present findings to engineering leadership with the retention risk made explicit. Propose a multi-pronged approach: immediate noise reduction (audit and delete or downgrade low-signal alerts), medium-term SLO-based alerting migration, on-call compensation/schedule review, error budget-based escalation policies, and investment in service owners reducing their own alert burden. Discuss how you'd track and report on on-call health as a recurring engineering leadership metric.

   What they look for: Whether the candidate treats this as a cultural and organizational problem, not just a PagerDuty configuration problem. Comfort raising retention risk explicitly in business terms. Ability to drive cross-team change without direct authority over the teams.

10. Architecture & Tradeoffs

    10. Compare Kubernetes, Nomad, and ECS as orchestration platforms for a mid-sized company (200 engineers, mixed workloads). Under what conditions would you recommend each, and what would make you avoid each?

    How to answer: Kubernetes: unmatched ecosystem, self-healing, declarative, but high operational complexity and steep learning curve — right choice when you need advanced scheduling, strong community tooling (Istio, Argo, Kyverno), or multi-cloud portability; avoid if the team lacks k8s expertise and the workloads are simple. Nomad: much simpler ops model, handles non-container workloads (VMs, raw binaries) natively, good for mixed fleets — right choice for teams that find k8s complexity disproportionate to their needs; avoid if you need the k8s ecosystem depth. ECS: low ops overhead when already on AWS, Fargate removes node management entirely — right choice for AWS-centric shops prioritizing simplicity; avoid if you need cloud portability or have complex cross-team platform needs. Frame the recommendation around: team's existing expertise, workload heterogeneity, tolerance for operational complexity, and long-term vendor lock-in risk.

    What they look for: Honest tradeoff reasoning rather than defaulting to Kubernetes. Awareness that orchestration choice is partly a team capability question. Whether the candidate asks clarifying questions about the company's constraints before recommending.

11. Toil & Engineering Productivity

    11. As a Staff SRE, how do you measure and systematically reduce toil across a large engineering organization? What's your framework for deciding what to automate first?

    How to answer: Define toil precisely (manual, repetitive, no enduring value, scales with load — from the SRE book) and contrast with legitimate operational work. Measure: survey + time-tracking audit of on-call work, ticket categorization, automation coverage ratios. Prioritize by: toil frequency × time cost × blast radius if it fails, then filter by automation ROI (one-time investment vs. ongoing savings). Discuss the organizational side: making toil reduction a first-class project in sprint planning, setting an org-level ceiling (e.g., no team should have >50% toil), and reporting on toil trends to engineering leadership. Address the automation trap: automating the wrong thing faster is not progress — sometimes the answer is deprecating a system, not automating its maintenance.

    What they look for: Whether the candidate has internalized the SRE toil definition and applied it operationally. Evidence of having driven org-level toil reduction, not just team-level automation scripts. The insight that deprecation is often better than automation.

12. Organizational Design & Strategy

    12. You're joining a company where SRE is a new function — currently each dev team does their own ops. How do you build the SRE function over 12 months without alienating dev teams or becoming a gatekeeper?

    How to answer: Phase the build: Month 1–2 is listening mode — embed with two or three teams, understand their pain, map their toil, identify the highest-leverage reliability gaps. Don't publish standards yet. Month 3–4: publish initial SLO framework and offer to help teams define their first SLOs — voluntary, not mandated. Month 5–8: stand up shared platform capabilities (observability stack, on-call tooling, incident management process) and demonstrate value through pull, not push. Month 9–12: formalize engagement model (SRE embedded vs. consulting vs. platform-only), establish reliability reviews for new services, and create a community-of-practice for operations across dev teams. Key principles: always position SRE as increasing developer autonomy, not adding gates; make it easier to do the right thing than the wrong thing; track and publish reliability improvements to create internal demand.

    What they look for: Evidence of greenfield SRE buildout experience or at minimum deep thinking about organizational change management. Understanding that technical credibility must precede process authority. Whether the candidate thinks about sequencing and trust-building, not just org charts and tooling.

Study tips

• Prepare three to five concrete examples of org-level impact — reliability improvements you drove that affected multiple teams or the whole company, not just your own service. At staff level, single-team wins are table stakes, not differentiators.
• Practice translating technical risk into dollar figures and business outcomes before your interviews. Know the cost of an hour of downtime for the company you're interviewing at, and be ready to frame reliability investment in those terms rather than nines.
• For system design rounds, practice explicitly stating your assumptions and constraints before diving in. Staff-level interviews penalize candidates who optimize for the wrong scenario. Asking 'is the bottleneck cost, latency, or operational complexity?' before designing signals architectural maturity.
• Review one or two major public postmortems (Google, Netflix, Cloudflare, AWS) in detail — not for the facts, but to practice the language of blameless analysis, contributing factors vs. root causes, and systemic vs. local fixes. Interviewers at this level often probe incident philosophy directly.
• Do not over-rotate on specific tool knowledge (Terraform vs. Pulumi, Prometheus vs. Datadog). Staff-level interviewers care about whether you understand why a category of tooling exists and what tradeoffs matter, not whether you know the exact CLI flags.