Q1. Which pattern value matches any non-empty string in a Kyverno validate rule?
Reveal answer and explanations
A`*`
Incorrect. A single `*` matches zero or more characters, so it also matches empty strings.
B`!?`
Incorrect. `!?` is not a valid Kyverno wildcard expression for non-empty values.
C`.+`
Incorrect. Kyverno patterns are not POSIX regular expressions; `.+` is not the idiomatic way to require non-empty.
D`?*`
Correct. The wildcard `?*` requires at least one character followed by any remaining characters, matching a non-empty string.
Installation, Configuration, and Upgrades
Q2. A platform team wants PolicyReports and background scans to scale independently from the admission controller. Which Helm chart values layout best achieves this?
Reveal answer and explanations
ASet `admissionController.replicas` high and leave all other controllers at zero replicas.
Incorrect. Setting other controllers to zero replicas would stop reports and background scans from working.
BIncrease `admissionController.resources.cpu` only; the other controllers scale automatically.
Incorrect. Raising CPU on admission does not affect the capacity of the other controllers.
CSet replicas per controller block in the chart values.
Correct. Kyverno's split architecture exposes per-controller replica settings in the Helm chart, letting each controller scale independently.
DDisable the HorizontalPodAutoscaler so the Deployments use cluster-wide autoscaling instead.
Incorrect. Disabling HPA does not enable per-controller scaling; per-controller replicas do.
Kyverno CLI
Q3. Running `kyverno test .` reports: > 1 test passed, 1 test failed Which is the MOST likely immediate next step for the policy author?
Reveal answer and explanations
ADelete the failing test file so the CI pipeline turns green.
Incorrect. Deleting tests to hide failures removes the signal the CLI is providing.
BRe-run with `--force` to skip assertions and mark the test as passed.
Incorrect. `kyverno test` has no `--force` flag to mask assertion failures.
CInspect per-resource output to determine whether policy or expectation is wrong.
Correct. The expected workflow is to read the per-resource output to decide whether the policy, the resource, or the test expectation is wrong and then fix it.
DIgnore the failure because `kyverno test` failures do not block admission in-cluster.
Incorrect. The point of running `kyverno test` in CI is to catch regressions before rollout.
Applying Policies
Q4. You want a validate rule to apply only to resources that have the annotation `policy.example.com/enforced: "true"`. Which construct fits best?
Reveal answer and explanations
AA `preconditions.all` expression comparing the annotation value.
Correct. `preconditions` let a rule narrow evaluation based on arbitrary JMESPath/CEL expressions like annotation values.
BA global Helm flag that filters resources before they reach the webhook.
Incorrect. Helm flags do not provide per-resource annotation filtering.
CAn admission webhook `objectSelector`, but only matched by name.
Incorrect. `objectSelector` matches labels, not annotations, and is less expressive than preconditions.
DA `PolicyException` covering every other resource in the cluster.
Incorrect. Creating `PolicyException`s for every other resource is not a scalable or idiomatic pattern.
Writing Policies
Q5. Which rule type automatically adds or modifies fields on a Kubernetes resource?
Reveal answer and explanations
A`validate`
Incorrect. `validate` rules accept or deny resources; they do not change them.
B`mutate`
Correct. `mutate` rules modify incoming resources, for example by adding labels, annotations, or default fields.
C`generate`
Incorrect. `generate` rules create new resources rather than modifying the triggering one.
D`verifyImages`
Incorrect. `verifyImages` validates image signatures; it does not mutate other fields.
Policy Management
Q6. Which of these is a common Prometheus alerting use case built on Kyverno metrics?
Reveal answer and explanations
AAlerting when `kyverno_admission_review_duration_seconds` p99 crosses an SLO.
Correct. Webhook latency is a typical SLO and `kyverno_admission_review_duration_seconds` is the canonical histogram exposed by Kyverno for this purpose.
BAlerting when a Pod's `spec.nodeName` changes unexpectedly.
Incorrect. Node reassignment is unrelated to Kyverno metrics.
CAlerting when the kernel version on worker nodes is older than the control plane.
Incorrect. Kernel version drift is a node-level concern, not a Kyverno policy concern.
DAlerting when an `EtcdDefrag` CronJob has not completed for 24 hours.
Incorrect. Etcd defrag is unrelated to Kyverno policy metrics.
90 minutes, multi-choice format. See the official CNCF page for the current question count.
How difficult is the KCA exam?
Rated intermediate. Plan 1–6 weeks depending on your background.
How much does the KCA exam cost?
Pricing changes periodically — check the official CNCF KCA page at https://www.cncf.io/training/certification/kca/.
Are these KCA mock exams free?
Sample questions on this page are free with no account. Full timed KCA mocks require a paid plan.
How is this mock exam different from the real KCA exam?
Original questions written against the official CNCF curriculum — not scraped dumps. Format mirrors the real exam; the real one is proctored, these are self-paced.
What is the best way to study for KCA?
Work through the official curriculum in order of domain weight (heaviest first), then run full timed mocks until you hit 85%+ consistently.