RedHat Red Hat Certified Specialist in OpenShift Advanced Cluster Management - EX432 Exam Questions
QUESTION NO: 1
Create a PolicySet and include multiple policies for a baseline
Create a PolicySet and include multiple policies for a baseline
Correct Answer:
See the solution below in Explanation.
Explanation:
* Create PolicySet referencing existing policies:
cat < < 'EOF' | oc apply -f -
apiVersion: policy.open-cluster-management.io/v1beta1
kind: PolicySet
metadata:
name: baseline-dev
namespace: team-dev
spec:
policies:
- policy-ensure-audit-namespace
# Add more policies here as you create them
EOF
* Verify:
oc get policyset -n team-dev
Why this matters:
PolicySets group policies to apply/track as a unit-common governance practice.
Explanation:
* Create PolicySet referencing existing policies:
cat < < 'EOF' | oc apply -f -
apiVersion: policy.open-cluster-management.io/v1beta1
kind: PolicySet
metadata:
name: baseline-dev
namespace: team-dev
spec:
policies:
- policy-ensure-audit-namespace
# Add more policies here as you create them
EOF
* Verify:
oc get policyset -n team-dev
Why this matters:
PolicySets group policies to apply/track as a unit-common governance practice.
QUESTION NO: 2
Grant Admin Access to User A (ClusterSet admin for production)
Grant Admin Access to User A (ClusterSet admin for production)
Correct Answer:
See the solution below in Explanation.
Explanation:
* Grant the role:
* oc adm policy add-cluster-role-to-user open-cluster-management:managedclusterset:admin:production user-a
* Confirm the binding:
* oc get clusterrolebinding | grep -i production | grep -i user-a
Why this matters:
* ACM provides ClusterSet-scoped roles. This grants admin permissions limited to the production ClusterSet (instead of full cluster-admin).
Explanation:
* Grant the role:
* oc adm policy add-cluster-role-to-user open-cluster-management:managedclusterset:admin:production user-a
* Confirm the binding:
* oc get clusterrolebinding | grep -i production | grep -i user-a
Why this matters:
* ACM provides ClusterSet-scoped roles. This grants admin permissions limited to the production ClusterSet (instead of full cluster-admin).
QUESTION NO: 3
Create a "deny" baseline policy: ensure a prohibited Namespace does NOT exist
Create a "deny" baseline policy: ensure a prohibited Namespace does NOT exist
Correct Answer:
See the solution below in Explanation.
* Create a ConfigurationPolicy using mustnothave complianceType (common policy pattern).
* Bind to placement.
* Confirm noncompliance if the namespace exists; enforce removes it if remediation is enforce.
* Create a ConfigurationPolicy using mustnothave complianceType (common policy pattern).
* Bind to placement.
* Confirm noncompliance if the namespace exists; enforce removes it if remediation is enforce.
QUESTION NO: 4
Create a namespace for a team and bind a ManagedClusterSet to that namespace
Create a namespace for a team and bind a ManagedClusterSet to that namespace
Correct Answer:
See the solution below in Explanation.
Explanation:
* Create a namespace for the team:
oc new-project team-dev
* Create ManagedClusterSetBinding to bind ClusterSet development into team-dev:
cat < < 'EOF' | oc apply -f -
apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSetBinding
metadata:
name: development
namespace: team-dev
spec:
clusterSet: development
EOF
* Verify:
oc get managedclustersetbinding -n team-dev
Why this matters:
ClusterSet binding is foundational for scoping access and enabling teams to work only with clusters in their set.
Explanation:
* Create a namespace for the team:
oc new-project team-dev
* Create ManagedClusterSetBinding to bind ClusterSet development into team-dev:
cat < < 'EOF' | oc apply -f -
apiVersion: cluster.open-cluster-management.io/v1beta2
kind: ManagedClusterSetBinding
metadata:
name: development
namespace: team-dev
spec:
clusterSet: development
EOF
* Verify:
oc get managedclustersetbinding -n team-dev
Why this matters:
ClusterSet binding is foundational for scoping access and enabling teams to work only with clusters in their set.
QUESTION NO: 5
Create a Placement that selects clusters by label (environment=dev)
Create a Placement that selects clusters by label (environment=dev)
Correct Answer:
See the solution below in Explanation.
Explanation:
* Create Placement in team-dev:
cat < < 'EOF' | oc apply -f -
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
name: dev-clusters
namespace: team-dev
spec:
predicates:
- requiredClusterSelector:
labelSelector:
matchExpressions:
- key: environment
operator: In
values: ["dev"]
EOF
* Verify placement decisions:
oc get placement -n team-dev
oc get placementdecision -n team-dev
Why this matters:
Placement is used broadly for policy targeting and multi-cluster app rollout .
Explanation:
* Create Placement in team-dev:
cat < < 'EOF' | oc apply -f -
apiVersion: cluster.open-cluster-management.io/v1beta1
kind: Placement
metadata:
name: dev-clusters
namespace: team-dev
spec:
predicates:
- requiredClusterSelector:
labelSelector:
matchExpressions:
- key: environment
operator: In
values: ["dev"]
EOF
* Verify placement decisions:
oc get placement -n team-dev
oc get placementdecision -n team-dev
Why this matters:
Placement is used broadly for policy targeting and multi-cluster app rollout .
