OPA / Gatekeeper Mock Interview Pack
Intro: This pack is designed for hands-on interview practice. The goal is not to recite what Rego is, but to reason through rollout strategy, failure modes, and safe policy enforcement in real Kubernetes environments.
Question 1: What problem does OPA solve?
A strong answer should explain that OPA separates policy decisions from application code and can be used for admission, CI policy checks, authorization, and config validation.
Question 2: Why does Gatekeeper exist if Kubernetes already has Pod Security Admission?
A strong answer should explain scope:
- Pod Security Admission is built-in and standard for pod hardening levels
- Gatekeeper is broader and more customizable
- Gatekeeper handles organization-specific rules and reusable constraints
Question 3: How would you roll out Gatekeeper safely?
Expected points:
- start in audit mode
- measure violation volume
- tune constraints
- document exceptions
- only then enforce selected policies
Question 4: Give an example of a bad policy rollout
Examples:
- blocking all images not from an allowlist before platform teams have a usable internal registry
- enforcing non-root on workloads that were never designed for it
- no exception path for regulated or legacy workloads
Question 5: How do you manage policy exceptions?
Expected points:
- time-bound
- owner
- reason
- periodic review
- visible in reporting
Quick coding prompt
Write a policy that rejects pods using :latest tags.
package k8sdenyimages

# Emit one violation per container whose image tag is ":latest".
# input.review is the AdmissionReview request Gatekeeper hands to the policy.
violation[{"msg": msg}] {
  input.review.kind.kind == "Pod"
  container := input.review.object.spec.containers[_]
  endswith(container.image, ":latest")
  msg := sprintf("container %s uses a latest tag", [container.name])
}
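As an added example (not part of the original pack), the same policy wrapped in a Gatekeeper ConstraintTemplate plus a Constraint deployed in dryrun, which is how the audit-first rollout from Question 3 looks in practice. It goes beyond the prompt by also checking initContainers and untagged images, which the container runtime resolves to :latest; the kind name K8sDenyLatestImages and the excluded namespace list are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdenylatestimages
spec:
  crd:
    spec:
      names:
        kind: K8sDenyLatestImages   # assumed name for this example
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenylatestimages
        # Regular and init containers are both checked.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }

        # Case 1: an explicit :latest tag.
        violation[{"msg": msg}] {
          c := containers[_]
          endswith(c.image, ":latest")
          msg := sprintf("container %s uses the :latest tag", [c.name])
        }

        # Case 2: no tag and no digest, which the runtime treats as :latest.
        violation[{"msg": msg}] {
          c := containers[_]
          not contains(c.image, "@")
          not tagged(c.image)
          msg := sprintf("container %s has no tag and defaults to :latest", [c.name])
        }

        # A tag exists only if there is a ":" after the last "/", so a
        # registry port such as registry.local:5000/app is not mistaken for a tag.
        tagged(image) {
          parts := split(image, "/")
          contains(parts[count(parts) - 1], ":")
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyLatestImages
metadata:
  name: deny-latest-images
spec:
  enforcementAction: dryrun   # audit first; switch to deny once violations are tuned
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # assumed exception, document the owner and review date
```

While the Constraint is in dryrun, violations show up under its status.violations and in Gatekeeper audit logs without blocking any admission, which gives the violation volume the rollout question asks for.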
Interviewer notes
Look for candidates who can explain tradeoffs, not only syntax.