Kubernetes policy management with Kyverno. Free practice questions sampled from our full 120-question bank, with detailed explanations for every option.
Format: multi-choice
Duration: 90 min
Pass mark: 75%
Study time: 1–6 wks
Mocks here: 2
What the KCA exam tests
The Kyverno Certified Associate exam is structured around 6 weighted domains. Each domain link below opens a focused practice page with sample questions from that area.
One representative question per domain, drawn from the 120-question pool, each with the correct option and an explanation for every distractor.
Fundamentals of Kyverno
Q1. Which pattern value matches any non-empty string in a Kyverno validate rule?
A. `*`
Incorrect. A single `*` matches zero or more characters, so it also matches empty strings.
B. `!?`
Incorrect. `!?` is not a valid Kyverno wildcard expression for non-empty values.
C. `.+`
Incorrect. Kyverno patterns are not POSIX regular expressions; `.+` is not the idiomatic way to require non-empty.
D. `?*`
Correct. The wildcard `?*` requires at least one character followed by any remaining characters, matching a non-empty string.
Installation, Configuration, and Upgrades
Q2. A platform team wants PolicyReports and background scans to scale independently from the admission controller. Which Helm chart values layout best achieves this?
A. Set `admissionController.replicas` high and leave all other controllers at zero replicas.
Incorrect. Setting other controllers to zero replicas would stop reports and background scans from working.
B. Increase `admissionController.resources.cpu` only; the other controllers scale automatically.
Incorrect. Raising CPU on admission does not affect the capacity of the other controllers.
C. Set replicas per controller block in the chart values.
Correct. Kyverno's split architecture exposes per-controller replica settings in the Helm chart, letting each controller scale independently.
D. Disable the HorizontalPodAutoscaler so the Deployments use cluster-wide autoscaling instead.
Incorrect. Disabling HPA does not enable per-controller scaling; per-controller replicas do.
Kyverno CLI
Q3. Running `kyverno test .` reports:
> 1 test passed, 1 test failed
Which is the MOST likely immediate next step for the policy author?
A. Delete the failing test file so the CI pipeline turns green.
Incorrect. Deleting tests to hide failures removes the signal the CLI is providing.
B. Re-run with `--force` to skip assertions and mark the test as passed.
Incorrect. `kyverno test` has no `--force` flag to mask assertion failures.
C. Inspect per-resource output to determine whether policy or expectation is wrong.
Correct. The expected workflow is to read the per-resource output to decide whether the policy, the resource, or the test expectation is wrong and then fix it.
D. Ignore the failure because `kyverno test` failures do not block admission in-cluster.
Incorrect. The point of running `kyverno test` in CI is to catch regressions before rollout.
Applying Policies
Q4. You want a validate rule to apply only to resources that have the annotation `policy.example.com/enforced: "true"`. Which construct fits best?
A. A `preconditions.all` expression comparing the annotation value.
Correct. `preconditions` let a rule narrow evaluation based on arbitrary JMESPath/CEL expressions like annotation values.
B. A global Helm flag that filters resources before they reach the webhook.
Incorrect. Helm flags do not provide per-resource annotation filtering.
C. An admission webhook `objectSelector`, but only matched by name.
Incorrect. `objectSelector` matches labels, not annotations, and is less expressive than preconditions.
D. A `PolicyException` covering every other resource in the cluster.
Incorrect. Creating `PolicyException`s for every other resource is not a scalable or idiomatic pattern.
Writing Policies
Q5. Which rule type automatically adds or modifies fields on a Kubernetes resource?
A. `validate`
Incorrect. `validate` rules accept or deny resources; they do not change them.
B. `mutate`
Correct. `mutate` rules modify incoming resources, for example by adding labels, annotations, or default fields.
C. `generate`
Incorrect. `generate` rules create new resources rather than modifying the triggering one.
D. `verifyImages`
Incorrect. `verifyImages` validates image signatures; it does not mutate other fields.
Policy Management
Q6. Which of these is a common Prometheus alerting use case built on Kyverno metrics?
A. Alerting when `kyverno_admission_review_duration_seconds` p99 crosses an SLO.
Correct. Webhook latency is a typical SLO and `kyverno_admission_review_duration_seconds` is the canonical histogram exposed by Kyverno for this purpose.
B. Alerting when a Pod's `spec.nodeName` changes unexpectedly.
Incorrect. Node reassignment is unrelated to Kyverno metrics.
C. Alerting when the kernel version on worker nodes is older than the control plane.
Incorrect. Kernel version drift is a node-level concern, not a Kyverno policy concern.
D. Alerting when an `EtcdDefrag` CronJob has not completed for 24 hours.
Incorrect. Etcd defrag is unrelated to Kyverno policy metrics.
Roughly 1–6 weeks of focused study, but it depends heavily on what you already know. Engineers with hands-on production Kubernetes (or Cilium / Argo / OTel / etc. for project-specific certs) can compress this to a week or two of mocks; people coming in cold should expect the upper end. The exam is multi-choice and recall-heavy — practice exams matter more than reading documentation cover to cover. Aim for 85%+ on full timed mocks before booking the real exam.
Why this practice library
This library was built by a Platform Engineer chasing Golden Kubestronaut who got frustrated by the lack of decent practice material for the associate-tier CNCF exams. Question banks track curriculum updates from CNCF and Linux Foundation.