
Quiz: Policy Engines


3 questions

L1 (2 questions)

1. What problem do policy engines solve that RBAC alone cannot?

Answer: RBAC is identity-based. It decides at authorization time whether a subject may perform a verb on a resource kind ('can this user create a Deployment?') and never looks at the request body. Policy engines are content-based. They run as admission webhooks after authorization and validate the actual specification ('does this Deployment set resource limits, pull from an approved registry, and run as non-root?'). RBAC alone cannot express 'you may create Deployments, but only compliant ones'; that gap is what OPA Gatekeeper and Kyverno fill at admission time, checking the submitted object against organizational standards.

2. What are the key differences between OPA Gatekeeper and Kyverno?

Answer: OPA Gatekeeper expresses policy in Rego (a general-purpose policy language with a steep learning curve), is strongest at validation, offers only a narrower set of mutation primitives (Assign, AssignMetadata, ModifySet) and no resource generation, and needs two objects per rule: a ConstraintTemplate (schema plus Rego) and a Constraint (parameters plus match scope). Kyverno expresses policy as Kubernetes-style YAML (low learning curve), has first-class validation, mutation, and resource generation, and packages a whole rule set in a single ClusterPolicy (or namespaced Policy). Kyverno is the easier fit for Kubernetes-native teams; Gatekeeper suits complex logic and organizations that already use OPA and Rego outside Kubernetes (CI pipelines, Terraform, Envoy), because the same language and tooling carry over.

L2 (1 question)

1. What is the recommended rollout strategy for a new Kyverno or Gatekeeper policy, and why?

Answer: Deploy in audit-only mode first: validationFailureAction: Audit in a Kyverno ClusterPolicy (with background: true so resources that already exist are scanned, not just new requests), or enforcementAction: dryrun (or warn) on a Gatekeeper Constraint. Review the violations with kubectl get policyreport -A and kubectl get clusterpolicyreport for Kyverno, or kubectl get constraint -o yaml for Gatekeeper, whose audit controller writes its findings into each Constraint's status.violations. Fix the existing resources that violate the policy, and only then switch to validationFailureAction: Enforce or enforcementAction: deny. Enforcing immediately would reject every non-compliant create and update, including the Pods that ReplicaSets and DaemonSets recreate on their own, so workloads that are already running could fail to reschedule, scale, or roll out.