Grading Rubric

Criterion	Strong (3)	Adequate (2)	Weak (1)
Identified misleading symptom	Tested cross-namespace connectivity on both ports; identified NetworkPolicy as the blocker within 10 min	Noticed the metrics port was blocked but took time to find the NetworkPolicy	Investigated Grafana data sources or Prometheus configuration extensively
Found root cause in kubernetes domain	Found the default-deny NetworkPolicy and the missing port 9090 allow rule	Found the NetworkPolicy but not the missing port detail	Assumed the services stopped exporting metrics
Remediated in networking domain	Created a targeted NetworkPolicy allowing Prometheus scrapes from monitoring namespace, plus DNS egress	Added a broad allow rule that fixed the issue but was overly permissive	Changed Prometheus configuration or service annotations instead
Cross-domain thinking	Explained the tension between security hardening and observability; proposed standard templates	Acknowledged NetworkPolicy broke metrics but did not propose prevention	Treated it as a single-domain observability or Kubernetes issue

Prerequisite Topic Packs

• prometheus-deep-dive — needed for Domain A investigation (scrape targets, target health, PromQL)
• monitoring-fundamentals — needed for Domain A (Grafana data sources, dashboard troubleshooting)
• k8s-networking — needed for Domain B root cause (NetworkPolicy, pod-to-pod connectivity)
• k8s-services-and-ingress — needed for Domain B (cross-namespace service access)
• firewalls — needed for Domain C remediation (network policy design, allow/deny rules)

Pages that link here

• Firewalls
• K8S Networking
• Kubernetes Services & Ingress
• Monitoring Fundamentals
• Prometheus Deep Dive
• Symptoms: Grafana Dashboard Empty, Prometheus Scrape Blocked by NetworkPolicy