Skip to content

OPA Gatekeeper Quiz

Test your understanding of OPA Gatekeeper and the Rego policy language with the following questions.


Questions

1. What language is used to write policies in OPA Gatekeeper?

  • A) YAML
  • B) JSON
  • C) Rego
  • D) HCL
Show Answer

Answer: C) Rego

Explanation: OPA (Open Policy Agent) uses a declarative policy language called Rego. Rego is optimized for querying JSON/YAML data and making policy decisions.

rego
package kubernetes.admission

violation[{"msg": msg}] {
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    not container.resources.limits.memory
    msg := sprintf("Container %v has no memory limit", [container.name])
}

Unlike Kyverno, you need to learn a new language, but it allows expressing more complex policy logic.


2. What CRD defines reusable policy templates in Gatekeeper?

  • A) Policy
  • B) ConstraintTemplate
  • C) PolicyTemplate
  • D) GatekeeperPolicy
Show Answer

Answer: B) ConstraintTemplate

Explanation: ConstraintTemplate defines Rego policy logic and parameter schema:

yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
            # Rego policy logic
        }

Constraints are created based on ConstraintTemplates to apply actual policies.


3. Which value is NOT supported in the enforcementAction field of a Gatekeeper Constraint?

  • A) deny
  • B) dryrun
  • C) warn
  • D) audit
Show Answer

Answer: D) audit

Explanation: Gatekeeper's supported enforcementAction values:

  • deny: Reject request on policy violation
  • dryrun: Record violation but allow request
  • warn: Show warning message, allow request
yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-labels
spec:
  enforcementAction: deny  # or dryrun, warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]

audit is not an enforcementAction but Gatekeeper's background audit feature.


4. What is the syntax for iterating through all elements of an array in Rego?

  • A) for item in array
  • B) array.forEach(item)
  • C) item := array[_]
  • D) loop array as item
Show Answer

Answer: C) item := array[_]

Explanation: In Rego, [_] means all indices of an array:

rego
# Iterate all containers
container := input.request.object.spec.containers[_]

# Iterate all label keys
label := input.request.object.metadata.labels[_]

# Specific index
first_container := input.request.object.spec.containers[0]

# When both index and value are needed
some i
container := input.request.object.spec.containers[i]

This syntax is a core Rego pattern used when evaluating multiple values within rules.


5. What feature in Gatekeeper checks policy compliance of existing cluster resources?

  • A) Validation
  • B) Mutation
  • C) Audit
  • D) Generation
Show Answer

Answer: C) Audit

Explanation: Gatekeeper Audit feature:

  • Periodically inspects existing resources
  • Records violations in Constraint status
  • Validates existing resources, not just new ones
bash
# Check violations in Constraint
kubectl describe k8srequiredlabels require-labels

# Check violations in Status section:
# Status:
#   Audit Timestamp: 2026-02-21T10:00:00Z
#   Total Violations: 3
#   Violations:
#     - Kind: Pod
#       Name: nginx-without-labels
#       Namespace: default

This allows understanding the impact before applying policies.


6. What CRD is used for automatic resource modification in Gatekeeper v3.10+?

  • A) MutatingPolicy
  • B) Assign / AssignMetadata
  • C) ModifyResource
  • D) ResourceMutator
Show Answer

Answer: B) Assign / AssignMetadata

Explanation: Gatekeeper's Mutation CRDs:

  • AssignMetadata: Add metadata (labels, annotations)
  • Assign: Modify general fields like spec
  • ModifySet: Add/remove values from arrays
yaml
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: add-owner-label
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  location: "metadata.labels.owner"
  parameters:
    assign:
      value: "platform-team"

Similar to Kyverno's mutate feature.


7. What operator calculates the difference between two sets in Rego?

  • A) difference()
  • B) subtract()
  • C) - (minus)
  • D) diff()
Show Answer

Answer: C) - (minus)

Explanation: Rego set operations:

rego
# Compare required and existing labels
required := {"app", "env", "team"}
provided := {"app", "team"}

# Set difference: find missing labels
missing := required - provided
# Result: {"env"}

# Intersection
common := required & provided
# Result: {"app", "team"}

# Union
all := required | provided

These operations are frequently used for required label validation.


8. What configuration is needed in Gatekeeper to reference resources from other namespaces?

  • A) CrossNamespacePolicy
  • B) Config's sync.syncOnly
  • C) GlobalConstraint
  • D) NamespaceSelector
Show Answer

Answer: B) Config's sync.syncOnly

Explanation: For Gatekeeper to reference external data, sync configuration via Config resource is required:

yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Namespace"
      - group: "networking.k8s.io"
        version: "v1"
        kind: "Ingress"

Synchronized resources can be accessed in Rego via data.inventory:

rego
other_ingress := data.inventory.namespace[ns]["networking.k8s.io/v1"]["Ingress"][name]

9. What is the official CLI tool for testing Gatekeeper policies?

  • A) opa test
  • B) gatekeeper-cli
  • C) gator
  • D) conftest
Show Answer

Answer: C) gator

Explanation: Gator is the official CLI tool for locally testing Gatekeeper policies:

bash
# Install
go install github.com/open-policy-agent/gatekeeper/cmd/gator@latest

# Validate policies
gator verify ./policies/

# Run test suite
gator test ./tests/

Test suite example:

yaml
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
  name: required-labels-test
tests:
  - name: "Pod without labels should fail"
    template: ../templates/k8srequiredlabels.yaml
    constraint: ../constraints/require-labels.yaml
    cases:
      - name: pod-without-labels
        object: fixtures/pod-no-labels.yaml
        assertions:
          - violations: yes

10. What is Gatekeeper's advantage when comparing Gatekeeper and Kyverno?

  • A) Lower learning curve
  • B) YAML native policies
  • C) Resource generation feature
  • D) Complex policy logic expressiveness
Show Answer

Answer: D) Complex policy logic expressiveness

Explanation: Gatekeeper (OPA) vs Kyverno comparison:

FeatureGatekeeperKyverno
Policy LanguageRegoYAML
Learning CurveHighLow
Complex LogicVery FlexibleLimited
Resource GenerationNot SupportedSupported
External DataOPA Bundle SupportAPI Call

Gatekeeper's flexibility with Rego makes it easier to handle:

  • Complex condition combinations
  • Recursive data structure processing
  • Advanced set operations
  • External data integration

11. When multiple violation rules are defined in Rego, how are they evaluated?

  • A) Only first rule is evaluated
  • B) All rules are evaluated as OR
  • C) All rules are evaluated as AND
  • D) One is randomly selected
Show Answer

Answer: B) All rules are evaluated as OR

Explanation: In Rego, multiple rules with the same name are evaluated as OR:

rego
# Rule 1: Check privileged containers
violation[{"msg": msg}] {
    container := input.request.object.spec.containers[_]
    container.securityContext.privileged == true
    msg := "Privileged containers not allowed"
}

# Rule 2: Check root execution
violation[{"msg": msg}] {
    container := input.request.object.spec.containers[_]
    container.securityContext.runAsUser == 0
    msg := "Running as root not allowed"
}

# Violation occurs if either rule is violated

Results from each violation rule are added to a set, and if there's one or more violations, the overall policy fails.


12. What field in Gatekeeper configures a Constraint to apply only to specific namespaces?

  • A) spec.targetNamespaces
  • B) spec.match.namespaces
  • C) spec.scope.namespaces
  • D) spec.selector.namespaces
Show Answer

Answer: B) spec.match.namespaces

Explanation: The match section of a Constraint specifies the application scope:

yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-labels-prod
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - production
      - staging
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
    namespaceSelector:
      matchLabels:
        environment: production
  • namespaces: List of namespaces to include
  • excludedNamespaces: List of namespaces to exclude
  • namespaceSelector: Label-based selection

Score Calculation

Calculate 1 point per question.

ScoreRating
11-12Excellent - OPA Gatekeeper expert level
8-10Good - Basic concepts understood, Rego deep dive needed
5-7Average - Additional study recommended
0-4Basic learning needed