Test yourself
Policy-as-code at scale
Final exam · 12 questions · answers explained as you pick
Rego & testing
6 questions
01Rego evaluates policy as…
Incorrect — Rego is declarative, not a procedural language.
Correct — You describe what a violation looks like; OPA finds it in the document.
Incorrect — Regex is a tool within rules, not the model itself.
Incorrect — Policies are data-driven queries, not compiled code.
02The input document in Rego is…
Incorrect — Input is whatever JSON you evaluate — admission review, a plan, config.
Incorrect — The policy is separate from the input it judges.
Correct — The same engine judges any structured input.
Incorrect — OPA evaluates in-memory documents, not live queries.
03A deny rule fires when…
Incorrect — Rego collects the values a rule produces; false is not collected.
Correct — Non-empty deny means the request is rejected.
Incorrect — Empty input usually produces no violations.
Incorrect — Rego has no imperative exit; it is set-based.
04opa test lets you…
Incorrect — That is profiling, not testing.
Correct — Untested policy is untested code that can block every deploy.
Incorrect — It tests Rego logic, not YAML style.
Incorrect — It verifies policies; it does not write them.
05Testing a policy with both passing and failing fixtures matters because…
Correct — You must prove it allows the good and blocks the bad.
Incorrect — It does not; this is about coverage, not a rule.
Incorrect — Speed is unrelated.
Incorrect — Fixtures are test data, not security.
06Keeping decision logic in Rego rather than app code gives you…
Incorrect — Performance is not the point.
Correct — The same rule can run in CI, admission, and audit.
Incorrect — Policy still needs tests — more, if anything.
Incorrect — Rego is not a crypto tool.
6 questions · explanations appear as you answer
Engines, lifecycle & enforcement
6 questions
01Kyverno’s main advantage over Gatekeeper is…
Incorrect — Performance is not the deciding factor.
Correct — The tradeoff: Rego expresses logic YAML cannot.
Incorrect — Kyverno is Kubernetes-native, like Gatekeeper.
Incorrect — Both operate as admission controllers.
02You reach for Gatekeeper/Rego over Kyverno when…
Incorrect — Kyverno is usually terser for simple rules.
Correct — Rego handles logic Kyverno’s declarative syntax struggles with.
Incorrect — Both use CRDs.
Incorrect — Neither is an encryption tool.
03A policy exception at scale must be…
Incorrect — Real systems need escape hatches; the point is control.
Incorrect — Unrecorded exceptions are invisible risk.
Correct — An exception without expiry is just a hole with paperwork.
Incorrect — Forks make policy drift uncontrollable.
04Rolling a new enforcing policy out safely means…
Incorrect — A bad policy then blocks every deploy at once.
Correct — Measure violations first, fix, then turn on blocking.
Incorrect — That is the outage you are trying to avoid.
Incorrect — Policies are code and need version control.
05Running the same policy in CI and at admission gives…
Incorrect — It is defense in depth, not waste.
Correct — Direct kubectl apply still hits admission.
Incorrect — Same policy, same input — same decision.
Incorrect — Admission checks are lightweight.
06Audit mode is valuable because it…
Correct — You learn the blast radius before flipping to deny.
Incorrect — Audit mode is about visibility, not crypto.
Incorrect — It changes the action, not the speed.
Incorrect — It complements, not replaces, opa test.
6 questions · explanations appear as you answer