# OPA / Gatekeeper Mock Interview Pack

> **Intro:** This pack is designed for hands-on interview practice. The goal is not to recite what Rego is, but to reason through rollout strategy, failure modes, and safe policy enforcement in real Kubernetes environments.

## Question 1 — What problem does OPA solve?

A strong answer should explain that OPA separates policy decisions from application code and can be used for admission, CI policy checks, authorization, and config validation.

## Question 2 — Why does Gatekeeper exist if Kubernetes already has Pod Security Admission?

A strong answer should explain scope:

<details>

<summary><strong>Reveal the deeper answer</strong></summary>

* Pod Security Admission is built-in and standard for pod hardening levels
* Gatekeeper is broader and more customizable
* Gatekeeper handles organization-specific rules and reusable constraints

</details>

## Question 3 — How would you roll out Gatekeeper safely?

Expected points:

<details>

<summary><strong>Reveal the deeper answer</strong></summary>

* start in audit mode
* measure violation volume
* tune constraints
* document exceptions
* only then enforce selected policies

</details>

## Question 4 — Give an example of a bad policy rollout

Examples:

<details>

<summary><strong>Reveal the deeper answer</strong></summary>

* blocking all images not from an allowlist before platform teams have a usable internal registry
* enforcing non-root on workloads that were never designed for it
* no exception path for regulated or legacy workloads

</details>

## Question 5 — How do you manage policy exceptions?

Expected points:

<details>

<summary><strong>Reveal the deeper answer</strong></summary>

* time-bound, with an explicit expiry date
* a named owner
* a recorded reason
* periodic review
* visible in reporting

</details>

## Quick coding prompt

Write a policy that rejects pods using `:latest` tags.

```rego
package k8sdenyimages

# Gatekeeper passes the AdmissionReview under input.review; kind.kind is the resource kind.
violation[{"msg": msg}] {
  input.review.kind.kind == "Pod"
  # Iterate over every container in the pod spec.
  container := input.review.object.spec.containers[_]
  # Only an explicit ":latest" tag is caught here; untagged images are not.
  endswith(container.image, ":latest")
  msg := sprintf("container %s uses a latest tag", [container.name])
}
```
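As an added example (not part of the pack), the prompt's policy extended with the exception model from Question 5: a pod may carry an exemption only if it names an owner and a reason and has an RFC 3339 expiry that has not passed, and expired exemptions are reported as their own violation so they surface in audit. It also treats untagged images as `latest`, which the prompt's answer does not. The annotation keys are assumptions, and `time.now_ns` is assumed to be available in your Gatekeeper version.

```rego
package k8sdenyimages

# Annotation keys for the exception path. These names are assumptions for this example.
owner_key := "policy.example.com/latest-tag-exemption-owner"
reason_key := "policy.example.com/latest-tag-exemption-reason"
expires_key := "policy.example.com/latest-tag-exemption-expires"

# Deny a latest-tag container unless the pod carries a complete, unexpired exemption.
violation[{"msg": msg}] {
  input.review.kind.kind == "Pod"
  container := input.review.object.spec.containers[_]
  uses_latest(container.image)
  not exempt
  msg := sprintf("container %s uses a latest tag and has no valid exemption", [container.name])
}

# Report expired exemptions separately so audit shows what needs review or renewal.
violation[{"msg": msg}] {
  input.review.kind.kind == "Pod"
  container := input.review.object.spec.containers[_]
  uses_latest(container.image)
  time.now_ns() >= exemption_expiry_ns
  msg := sprintf("container %s: latest-tag exemption expired at %s", [container.name, annotations[expires_key]])
}

# Explicit :latest tag.
uses_latest(image) {
  endswith(image, ":latest")
}

# No tag and no digest on the final path segment also resolves to latest.
# Splitting on "/" keeps a registry host:port from being mistaken for a tag.
uses_latest(image) {
  parts := split(image, "/")
  n := count(parts)
  last := parts[n - 1]
  not contains(last, ":")
  not contains(last, "@")
}

annotations := object.get(input.review.object.metadata, "annotations", {})

# Undefined when the expiry annotation is missing, which makes `exempt` fail closed.
exemption_expiry_ns := time.parse_rfc3339_ns(annotations[expires_key])

# An exemption counts only when owner, reason and an unexpired expiry are all present.
exempt {
  annotations[owner_key] != ""
  annotations[reason_key] != ""
  time.now_ns() < exemption_expiry_ns
}
```

A malformed expiry value makes `time.parse_rfc3339_ns` undefined rather than a valid exemption, so the pod is still denied.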

## Interviewer notes

Look for candidates who can explain tradeoffs, not only syntax.
