Advanced Track: do this after finishing Chapters 01-14.

Estimated Time

  • Reading: 30-40 min
  • Lab: 60-90 min
  • Quiz: 15-20 min

Prerequisites

  • Core track (Chapters 01-14) completed.
  • GitOps promotion and observability workflows available.

Source Code References

  • verify-images.example.yaml (members only)

What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Drill: The Deny Boundary

  1. Audit Phase: Apply a policy that requires all pods to have an owner label. Deploy a pod without the label. Verify that the pod runs but a violation appears in kubectl get policyreports.
  2. Enforce Phase: Switch the policy to Enforce mode. Try to deploy the same pod again. Verify that the Kubernetes API server rejects the request with a clear error message.
  3. Remediation: Fix the deployment manifest in Git by adding the owner label. Verify that Flux successfully reconciles the pod.
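The owner-label guardrail the drill walks through, written out as a Kyverno ClusterPolicy. This is an added example and not the course's own policy file (verify-images.example.yaml is not shown on this page): the policy name, rule name, label value and image name are assumptions. The same policy also carries the namespace exclusion that core exercise 3 tests, keyed on the policy.safeops.io/skip-owner-check label named in that exercise.

```yaml
# Added example (not the course's verify-images.example.yaml): the owner-label
# guardrail from the drill as a Kyverno ClusterPolicy. Names are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-owner-label
spec:
  # Step 1 (Audit): violations are only written to PolicyReports; the pod runs.
  # Step 2 (Enforce): change this value to Enforce and re-apply; the API server
  # then rejects non-compliant pods at admission with the message below.
  validationFailureAction: Audit
  # Also scan resources that already exist, so pods created before the policy
  # show up in `kubectl get policyreports -A`.
  background: true
  rules:
    - name: check-owner-label
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Exception used in core exercise 3: pods in a namespace carrying this
      # label are skipped entirely (policy and label name from the exercise).
      exclude:
        any:
          - resources:
              namespaceSelector:
                matchLabels:
                  policy.safeops.io/skip-owner-check: "true"
      validate:
        message: "Every pod needs a non-empty 'owner' label."
        pattern:
          metadata:
            labels:
              # "?*" matches any non-empty string, so `owner: ""` still fails.
              owner: "?*"
---
# Constructed test pod WITHOUT the label (image name is assumed).
# Audit mode: admitted, then listed as a FAIL in the default namespace's
# PolicyReport. Enforce mode: rejected at admission.
# Step 3 (remediation): add `labels: {owner: platform-team}` under metadata,
# commit the manifest to Git and let Flux reconcile it.
apiVersion: v1
kind: Pod
metadata:
  name: unlabeled-demo
  namespace: default
spec:
  containers:
    - name: app
      image: ghcr.io/safeops-course/demo:1.0
```

Apply the policy first, then the pod, and read the outcome with `kubectl get policyreports -A` while in Audit mode; after switching to Enforce, the `kubectl apply` of the pod itself returns the rule's message as the admission error. Because the exception is an `exclude` on the rule, a pod in an excluded namespace produces neither a rejection nor a report entry, which is what "correctly bypassed" should look like in exercise 3.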

Core Exercises (Required)

  1. Registry Lock: Create a policy that only allows images from ghcr.io/safeops-course. Try to deploy a pod using an image from docker.io and document the rejection.
  2. Security Context Check: Verify that the “Non-Root” policy is active. Attempt to deploy a pod with runAsUser: 0 and capture the failure evidence.
  3. Policy Exception: Label a namespace with policy.safeops.io/skip-owner-check=true. Verify that the owner-label policy is correctly bypassed for that namespace.
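The registry lock and the root-user check from core exercises 1 and 2, as two Kyverno ClusterPolicies followed by a pod that violates both. This is an added example, not the course's policy set: policy and rule names are assumptions, the registry prefix is the one stated in exercise 1, and docker.io/library/nginx stands in for "an image from docker.io". The root-user rule here blocks an explicit runAsUser: 0 at pod or container level; the course's "Non-Root" policy may be stricter than that.

```yaml
# Added example, not the course's own policies. Names are assumptions; the
# allowed registry prefix is the one given in core exercise 1.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registry
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: allow-safeops-registry-only
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Only images from ghcr.io/safeops-course are allowed."
        pattern:
          spec:
            # =(field) means: if the field is present, it must match the
            # pattern. Init and ephemeral containers pull images too.
            =(initContainers):
              - image: "ghcr.io/safeops-course/*"
            =(ephemeralContainers):
              - image: "ghcr.io/safeops-course/*"
            containers:
              - image: "ghcr.io/safeops-course/*"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-root-user
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: reject-run-as-user-0
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "runAsUser: 0 is not allowed; run containers as a non-root UID."
        pattern:
          spec:
            # Pod-level and container-level runAsUser, when set, must be > 0.
            =(securityContext):
              =(runAsUser): ">0"
            containers:
              - =(securityContext):
                  =(runAsUser): ">0"
---
# Constructed pod that violates both rules. The admission error names each
# failing policy/rule; copy that output as the evidence for the exercises.
apiVersion: v1
kind: Pod
metadata:
  name: registry-and-root-violation
  namespace: default
  labels:
    owner: platform-team   # keeps the drill's owner-label policy satisfied
spec:
  securityContext:
    runAsUser: 0
  containers:
    - name: web
      image: docker.io/library/nginx:1.25
```

Both policies are already in Enforce mode because the exercises ask for a rejection; the evidence to capture is the `kubectl apply` error, which lists every failed rule, not only the first. Because the `=(runAsUser)` anchors are conditional, a pod that sets no runAsUser at all passes this particular rule, so check against the course's actual policy wording before relying on it as the "Non-Root" control.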

Challenge Exercise (Optional)

Resource Limits Enforcement Policy: Write a Kyverno ClusterPolicy that blocks any Deployment without explicit CPU and memory resource limits. Test it first in audit mode, review the audit logs, then graduate to enforce mode.
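A starting point for the challenge: a Kyverno ClusterPolicy that matches Deployments directly and requires CPU and memory limits on every container, applied in Audit mode first. This is an added example rather than a course-provided answer; the policy and rule names are assumptions, and the deployment that follows is constructed to trigger a violation.

```yaml
# Added example (not the course's own solution): resource-limits guardrail for
# the challenge exercise. Names are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  # Audit first: non-compliant Deployments are admitted but reported.
  # Graduate to Enforce once `kubectl get policyreports -A` shows only the
  # violations you expect.
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-cpu-memory-limits
      match:
        any:
          - resources:
              kinds:
                - Deployment
      validate:
        message: "Every container must declare CPU and memory limits."
        pattern:
          spec:
            template:
              spec:
                containers:
                  # Each container must have both keys with a non-empty value.
                  - resources:
                      limits:
                        cpu: "?*"
                        memory: "?*"
---
# Constructed Deployment with no limits at all. In Audit mode it is created
# and appears as a FAIL in the namespace's PolicyReport; in Enforce mode the
# API server rejects it. Image name is assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no-limits-demo
  namespace: default
  labels:
    owner: platform-team
spec:
  replicas: 1
  selector:
    matchLabels:
      app: no-limits-demo
  template:
    metadata:
      labels:
        app: no-limits-demo
        owner: platform-team
    spec:
      containers:
        - name: app
          image: ghcr.io/safeops-course/demo:1.0
          # Fix: add
          # resources:
          #   limits:
          #     cpu: "500m"
          #     memory: "256Mi"
```

Matching `Deployment` rather than `Pod` is deliberate here: the exercise asks to block the Deployment, and rejecting it at admission keeps a ReplicaSet from being created and repeatedly failing to spawn pods. Review the PolicyReport entries before flipping to Enforce, because a limits rule in Enforce mode will also stop every existing workload that is redeployed without limits.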

Done When

You have completed this chapter when:

  • You can demonstrate the difference between Audit and Enforce policy modes.
  • You have successfully blocked a non-compliant pod at the cluster boundary.
  • You can find and explain policy violation reports using kubectl.
  • You understand why admission control is the final line of defense in SRE.

Knowledge Check

Before finishing this chapter, complete the Quiz to verify your understanding of the guardrail principles.