The Twelve Tables

Fix broken Kyverno policies to restore proper admission control.

Mission Objective

  • All workloads missing the republic.rome/gens label are blocked at admission with a clear policy violation message
  • All workloads running as privileged containers are blocked at admission with a clear policy violation message
  • All pods declaring republic.rome/traveler: peregrinus automatically receive the republic.rome/travel-permit: granted label
  • All other workloads deploy and run successfully in the cluster

Best Suited For

Platform engineers, SREs, and developers curious about Kubernetes security — no prior Kyverno experience needed, but familiarity with basic kubectl and YAML will help.

The Story

The Republic's legal scholars have been busy — perhaps too busy. In their haste to codify the Twelve Tables, the foundation of the Republic's legal system, they introduced errors that now threaten the city's order. Workloads that should be blocked are running freely, and workloads that should be allowed are being turned away at the gates.

Another scholar left a note: "I tried to set up policies for privileged containers and required labels, but something's off — I can't figure out why the wrong things are getting through. There was also supposed to be a system for automatically issuing travel permits to foreign visitors, but that one is broken too."

Your mission: investigate the Kyverno policies and restore proper admission control before chaos reaches the city.

Architecture
Workload requests flow through Kyverno's admission webhook before reaching the Kubernetes cluster. Two ValidatingPolicy resources block non-compliant workloads, and one MutatingPolicy automatically patches admitted workloads with required labels.

The Twelve Tables enforced Roman law at the gates — before a citizen could act, not after the damage was done. Kyverno works the same way: it intercepts every workload request before it reaches the cluster. A misconfigured policy doesn't just fail to enforce — it fails silently, letting non-compliant workloads slip through while you assume everything is fine.

Your Codespace comes with a Kubernetes cluster and Kyverno pre-installed. Three broken policies are already deployed in manifests/policies/ — two ValidatingPolicy resources and one MutatingPolicy. Edit them directly and re-apply with kubectl. The pods in manifests/pods/ are for reference only — no GitOps, no dashboards.
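For reference, here is one shape the three objectives take as Kyverno policies; this is an added example, not the manifests shipped in manifests/policies/. It assumes the cluster's Kyverno serves the CEL-based policies.kyverno.io/v1alpha1 ValidatingPolicy and MutatingPolicy kinds (the ones kubectl get validatingpolicies and mutatingpolicies list), whose field names mirror the Kubernetes ValidatingAdmissionPolicy and MutatingAdmissionPolicy APIs, and it matches Pods only.

```yaml
# Added reference shapes (not the repo's manifests); assumes the CEL-based
# policies.kyverno.io/v1alpha1 API behind `kubectl get validatingpolicies`.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: require-labels
spec:
  validationActions: [Deny]   # Audit would only log a violation, not block it
  matchConstraints:
    resourceRules:
      - {apiGroups: [""], apiVersions: ["v1"], operations: ["CREATE", "UPDATE"], resources: ["pods"]}
  validations:
    - expression: "has(object.metadata.labels) && 'republic.rome/gens' in object.metadata.labels"
      message: "Every workload must carry the republic.rome/gens label."
---
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: no-privileged-containers
spec:
  validationActions: [Deny]
  matchConstraints:
    resourceRules:
      - {apiGroups: [""], apiVersions: ["v1"], operations: ["CREATE", "UPDATE"], resources: ["pods"]}
  validations:
    # initContainers are checked too; a check over spec.containers alone misses them
    - expression: >-
        (object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []))
          .all(c, !has(c.securityContext) || !has(c.securityContext.privileged)
                  || !c.securityContext.privileged)
      message: "Privileged containers are not allowed."
---
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: stamp-travel-permit
spec:
  matchConstraints:
    resourceRules:
      - {apiGroups: [""], apiVersions: ["v1"], operations: ["CREATE"], resources: ["pods"]}
  matchConditions:   # only peregrini get the stamp; every other pod is left untouched
    - name: is-peregrinus
      expression: >-
        has(object.metadata.labels) && 'republic.rome/traveler' in object.metadata.labels
        && object.metadata.labels['republic.rome/traveler'] == 'peregrinus'
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        expression: "Object{metadata: Object.metadata{labels: {'republic.rome/travel-permit': 'granted'}}}"
```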

Walkthrough
  1. Open in GitHub Codespaces. The devcontainer is pre-configured and starts automatically. When you push from Codespaces, GitHub forks the repository to your account automatically.

    Prefer working locally? Clone the repo and open it in any editor that supports the Dev Containers specification (VS Code, JetBrains IDEs, and others). The devcontainer config will be detected automatically.

  2. When your Codespace is ready, four pods are already running — or trying to. Open a terminal and check what's going on:

    kubectl get pods
    

    Inspect why a pod was blocked or admitted:

    kubectl describe pod <pod-name>
    

    Check the policies that are in place:

    kubectl get validatingpolicies
    kubectl get validatingpolicy require-labels -o yaml
    kubectl get validatingpolicy no-privileged-containers -o yaml
    
    kubectl get mutatingpolicies
    kubectl get mutatingpolicy stamp-travel-permit -o yaml
    

    You can also launch k9s for a terminal UI view of all cluster resources:

    k9s
    

    Navigate to ValidatingPolicy resources with :validatingpolicies and MutatingPolicy resources with :mutatingpolicies to inspect all three policies.

  3. Review the Objective and investigate what's wrong in manifests/policies/.

    All three broken policies are in manifests/policies/. Read them carefully — each has a different kind of misconfiguration.

    Test Locally with the Kyverno CLI

    Before applying to the cluster, you can use the kyverno CLI to test your policy changes locally against the workload manifests:

    kyverno apply manifests/policies/require-labels.yaml --resource manifests/pods/missing-labels.yaml
    kyverno apply manifests/policies/no-privileged-containers.yaml --resource manifests/pods/privileged.yaml
    kyverno apply manifests/policies/stamp-travel-permit.yaml --resource manifests/pods/peregrinus.yaml
    

    This gives you fast feedback without touching the cluster.

    Apply to the Cluster

    Once you're happy with your changes, re-apply everything:

    make apply
    

    This re-applies the policies and re-deploys all workloads so you immediately see the effect of your changes.

Complete Your Challenge

  • When you push from Codespaces, GitHub forks the repository to your account automatically. If you are working locally, fork the repository on GitHub before pushing.
  • Verify your solution:
    ./verify.sh
    If it passes, it generates a Certificate of Completion you can paste into the discussion.
  • Share your solutions in the challenge thread on community.offon.dev.
