Back to the course
Test yourself

OPA & Rego

Final exam · 14 questions · answers explained as you pick
Beginner
4 questions
01Open Policy Agent (OPA) is…
Incorrect — Gatekeeper is the k8s integration; OPA itself is general-purpose.
Correct — anything that sends JSON and acts on a decision can use it.
Incorrect — no.
Incorrect — no.
02The key limitation to remember about OPA is that it…
Incorrect — JSON is exactly what it reads.
Incorrect — it works in many places.
Correct — a decision that is ignored enforces nothing.
Incorrect — it does not.
03In Rego, a reference to a missing field evaluates to…
Correct — a policy can silently pass because a checked field is absent — guard and test for it.
Incorrect — undefined is not the same as false — that is the trap.
Incorrect — it does not raise; it is undefined.
Incorrect — it is undefined, with specific evaluation semantics.
04Multiple rules with the same name in Rego are…
Incorrect — it is allowed and meaningful.
Correct — this is core to how Rego composes conditions.
Incorrect — body lines are ANDed; separate rules of the same name are ORed.
Incorrect — no.
4 questions · explanations appear as you answer
Intermediate
5 questions
01The common Rego idiom for validation policies is…
Correct — what Conftest and Gatekeeper expect.
Incorrect — less useful; you want the list of problems.
Incorrect — not how Rego returns results.
Incorrect — Rego does not use exceptions for this.
02For authorization, you should write…
Incorrect — an unmatched input is undefined, which a caller may mishandle as allow.
Correct — a gap becomes a deny, not an accidental allow.
Incorrect — that permits anything not explicitly denied — unsafe.
Incorrect — then nothing is decided.
03The difference between input and data in OPA is…
Incorrect — they are distinct documents.
Incorrect — reversed.
Correct — logic stays in rules; mutable facts live in data.
Incorrect — policies live under data, but data here means loaded facts.
04Conftest is used to…
Correct — parses the file to JSON, runs deny rules, exits non-zero on violations.
Incorrect — no.
Incorrect — no.
Incorrect — that is Cosign.
05A Conftest warn rule (vs deny)…
Incorrect — that is deny; warn is advisory.
Correct — a common reason bad config still ships; use deny to block.
Incorrect — unrelated.
Incorrect — it is shown, just non-blocking.
5 questions · explanations appear as you answer
Advanced
5 questions
01OPA Gatekeeper enforces policy by…
Incorrect — that is a scanner, not Gatekeeper.
Incorrect — it runs in-cluster at admission.
Correct — a non-compliant resource is rejected before it is created.
Incorrect — no.
02When adopting Gatekeeper on a running cluster you should…
Correct — audit-before-enforce; deny-first breaks the next deploy.
Incorrect — that rejects every non-compliant deploy at once.
Incorrect — then it enforces nothing.
Incorrect — never.
03OPA bundles are…
Incorrect — no — they are policy/data tarballs.
Correct — update policy centrally; sign so OPA trusts the source.
Incorrect — no.
Incorrect — no.
04Why sign OPA bundles?
Correct — an unsigned bundle from an untrusted endpoint is remote control of policy.
Incorrect — signing is not compression.
Incorrect — unrelated.
Incorrect — it is a security control, not required.
05A slow Rego policy in an admission/request hot path is…
Incorrect — it adds latency to real operations.
Incorrect — it is an availability concern.
Correct — a policy bug in the hot path can become an outage.
Incorrect — it is a real failure mode.
5 questions · explanations appear as you answer