Grading Rubric

Criterion	Strong (3)	Adequate (2)	Weak (1)
Identified misleading symptom	Recognized hvs. prefix as Vault token; checked credential age immediately	Tested credentials manually, found them expired, then investigated why	Spent time recreating the Kubernetes Secret or checking ServiceAccount config
Found root cause in security domain	Traced to deleted Vault policy via ESO error logs and Vault audit	Found the ESO error but not the specific Vault policy deletion	Assumed the credentials were just expired and needed manual rotation
Remediated in devops_tooling domain	Restored Vault policy, synced in IaC, forced ESO refresh, verified pipeline	Restored policy manually but did not update IaC	Manually created a new Kubernetes Secret without fixing the Vault integration
Cross-domain thinking	Explained the full chain: Vault policy deletion -> ESO sync failure -> stale credentials -> ImagePullBackOff	Acknowledged Vault and k8s interaction but missed the IaC angle	Treated it as a straightforward Kubernetes Secret management issue

Prerequisite Topic Packs

• k8s-ops — needed for Domain A investigation (ImagePullBackOff, imagePullSecrets, deployment rollout)
• hashicorp-vault — needed for Domain B root cause (Vault policies, dynamic secrets, lease management)
• secrets-management — needed for Domain B (External Secrets Operator, secret synchronization)
• cicd — needed for Domain C remediation (CI/CD pipeline, IaC for Vault policies)
• terraform — needed for Domain C (Vault policy as code, drift detection)

Pages that link here

• Hashicorp Vault
• Secrets Management
• Symptoms: Deployment Stuck, ImagePull Auth Failure, Fix Is Vault Secret Rotation
• Terraform / IaC