Advanced Track Do this after finishing Chapters 01-14.

Estimated Time

Reading: 30-40 min
Lab: 60-90 min
Quiz: 15-20 min

Prerequisites

Core track (Chapters 01-14) completed.
GitOps promotion and observability workflows available.

Artifacts

What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Quiz: Chapter 16 (Admission Policy Guardrails)

Questions

Why is admission policy called the “last safety gate”?
What is the safest rollout order for new blocking policies?
What does validationFailureAction: Audit do?
What does validationFailureAction: Enforce do?
Which statement is correct?

A) If pre-commit passes, admission control is unnecessary.
B) Admission control can still block risky manifests after merge.
C) Fastest fix is always disabling policy engine.

Name two risky patterns from Chapter 16 starter pack.
What minimum metadata must every break-glass exception include?
During incident, a deny blocks rollout. Best first move:

A) disable Kyverno deployment
B) read deny reason and fix manifest or apply scoped time-bound exception
C) grant permanent namespace bypass

Why are permanent exceptions an anti-pattern?
Complete the guardrail:

A) no evidence, no policy bypass
B) exceptions do not need expiry
C) policy mode can change directly in production without audit phase

Answer Key (Short)

It is the final runtime control before workload admission.
Audit in non-production, then selective Enforce, then gradual promotion.
It records violations but does not block admission.
It blocks violating resources at admission.
B
Example: :latest tags, missing securityContext, missing requests/limits.
Owner, reason, scope, expiry, and incident/approval reference.
B
They create unmanaged risk and normalize unsafe drift.
A