What is admission control in Kubernetes, and how do OPA Gatekeeper or Kyverno use it? [Intermediate]
Answer
Kubernetes admission control intercepts API requests after authentication and authorization but before the object is persisted to etcd. OPA Gatekeeper and Kyverno register validating and mutating admission webhooks so that policies such as no privileged containers, required labels, allowed image registries, and mandatory resource limits are enforced centrally at the API server rather than separately by every team or pipeline.
Technical explanation
Admission control is powerful because it blocks bad configuration at the cluster API boundary, regardless of whether the request came from kubectl, a Helm release, or a CI pipeline. Mutating webhooks run first and can inject defaults (labels, resource limits, sidecars); validating webhooks run last and can only accept or reject.
Gatekeeper uses OPA/Rego: a ConstraintTemplate holds the Rego and defines a new CRD kind, and a Constraint instantiates that kind with parameters and a match scope. Kyverno uses Kubernetes-native YAML Policy/ClusterPolicy resources with validate, mutate, and generate rules, so no Rego is needed.
Policies should be tested in audit mode (Gatekeeper enforcementAction: dryrun or warn, Kyverno validationFailureAction: Audit) before enforce mode (deny / Enforce) to avoid breaking teams unexpectedly. Two caveats matter in practice: admission only sees new or updated objects, so an audit or background scan is needed to find violations that already exist in the cluster, and a webhook configured with failurePolicy: Fail will reject every matching request while the policy engine is unavailable, so the engine must run highly available and its own namespace (and kube-system) should be exempted from the policies it enforces.
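The Kyverno side of the comparison above, as an added example (not code from the page or from the Kyverno project): one ClusterPolicy combining two validate rules and one mutate rule. It starts in Audit mode with background scanning enabled so existing Pods are reported as well. The policy and rule names, the label key `team`, and the default resource values are my own choices; the anchor syntax (`=()` conditional, `+()` add-if-absent, `(name): "*"`) is standard Kyverno pattern syntax.

```yaml
# Added example, not from the original page. Names and values are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-pod-policy
spec:
  validationFailureAction: Audit   # report only; switch to Enforce once PolicyReports are clean
  background: true                 # also scan existing resources, not just new admission requests
  rules:
    # Validate: Pods may not run privileged containers or initContainers.
    # =(...) means "only check this field if it is present".
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds: ["Pod"]
      exclude:
        any:
          - resources:
              namespaces: ["kube-system", "kyverno"]   # platform namespaces stay exempt
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
    # Validate: every Deployment/StatefulSet must carry a non-empty 'team' label.
    - name: require-team-label
      match:
        any:
          - resources:
              kinds: ["Deployment", "StatefulSet"]
      validate:
        message: "The label 'team' is required."
        pattern:
          metadata:
            labels:
              team: "?*"          # wildcard: at least one character
    # Mutate: add default requests/limits to any container that sets none.
    # +(...) adds the field only when it is absent, so explicit values are kept.
    - name: default-resource-limits
      match:
        any:
          - resources:
              kinds: ["Pod"]
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - (name): "*"       # apply to every container regardless of name
                resources:
                  requests:
                    +(cpu): "100m"
                    +(memory): "128Mi"
                  limits:
                    +(cpu): "500m"
                    +(memory): "256Mi"
```

Apply it with `kubectl apply -f`, then read `kubectl get clusterpolicyreport` and `kubectl get policyreport -A` to see which existing workloads would have been rejected. Because mutate rules run before validate rules, the resource-limit defaults are added before any "limits required" check would evaluate the Pod.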
Hands-on example
Hands-on rollout: install Gatekeeper, deploy constraints with enforcementAction: dryrun for one week, review the violations reported in each Constraint's status, fix the common templates (Helm charts, base manifests) that generate them, then switch the constraints to deny for production namespaces while keeping controlled exemptions (excludedNamespaces) for platform namespaces such as kube-system and gatekeeper-system.
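The two Gatekeeper objects that rollout deploys, as an added example (not code from the page or from the Gatekeeper project): a ConstraintTemplate whose Rego flags privileged containers, and a Constraint that starts in dryrun and lists the exempted platform namespaces. The template/kind names `K8sDisallowPrivileged` and `k8sdisallowprivileged`, the constraint name, and the exempt namespace list are my own choices; the API versions and the `enforcementAction` values (deny, dryrun, warn) are Gatekeeper's own.

```yaml
# Added example, not from the original page. Names are illustrative.
# Step 1: the ConstraintTemplate defines a new CRD kind and carries the Rego.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowprivileged
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowPrivileged
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowprivileged

        # One violation per privileged container or initContainer.
        violation[{"msg": msg}] {
          c := input_containers[_]
          c.securityContext.privileged
          msg := sprintf("privileged container is not allowed: %v", [c.name])
        }

        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
# Step 2: the Constraint instantiates the kind, scopes it, and sets the mode.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowPrivileged
metadata:
  name: disallow-privileged-containers
spec:
  enforcementAction: dryrun        # week 1: record violations only; change to deny to enforce
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:            # controlled exemptions for platform namespaces
      - kube-system
      - gatekeeper-system
```

While the constraint is in dryrun, `kubectl get k8sdisallowprivileged disallow-privileged-containers -o yaml` shows `status.totalViolations` and a `status.violations` list (truncated to the audit's configured limit) populated by Gatekeeper's periodic audit of objects already in the cluster. Once those are fixed, changing `enforcementAction` to `deny` (or first to `warn`, which admits the request but returns the message to the client) turns the same constraint into a hard gate without touching the template.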