KCA — Applying Policies

10% of the KCA exam. Sample questions below; the full library has 12 questions tagged to this domain.

Sample questions on Applying Policies

Applying Policies

Q1. Which statement about the order of `match` and `exclude` processing in a Kyverno rule is correct?

  1. A `exclude` is evaluated first, then `match` decides final applicability.

    Incorrect. The evaluation order is match then exclude, not the other way around.

  2. B `match` defines the candidate set; `exclude` removes resources from it.

    Correct. Kyverno first computes candidates via `match`, then removes any that also satisfy `exclude`.

  3. C Both are unioned; any resource matching either set is in scope.

    Incorrect. The behaviour is intersection minus exclude, not a union.

  4. D `match` is ignored if `exclude` is present.

    Incorrect. `match` is always required and is never ignored.

Q2. Which statement about `background: true` on a rule is correct?

  1. A Runs against existing resources in background scans and appears in `PolicyReport`; admission-only variables need `background: false`.

    Correct. Background scans evaluate existing resources, but they lack admission-time context like `request.userInfo`; rules that depend on such variables must disable background or be restructured.

  2. B `background: true` causes the rule to skip admission evaluation and only run on a schedule.

    Incorrect. `background: true` adds background scanning; it does not remove admission evaluation.

  3. C `background: true` requires `validationFailureAction: Enforce` to have any effect.

    Incorrect. Background scanning works with either `Enforce` or `Audit`.

  4. D Background scanning is implemented as a `CronJob` in the `kyverno` namespace; disabling that CronJob turns background off globally.

    Incorrect. The background controller is a Deployment, not a CronJob.

Q3. You want a validate rule to apply only to resources that have the annotation `policy.example.com/enforced: "true"`. Which construct fits best?

  1. A A `preconditions.all` expression comparing the annotation value.

    Correct. `preconditions` let a rule narrow evaluation based on arbitrary JMESPath/CEL expressions like annotation values.

  2. B A global Helm flag that filters resources before they reach the webhook.

    Incorrect. Helm flags do not provide per-resource annotation filtering.

  3. C An admission webhook `objectSelector`, but only matched by name.

    Incorrect. `objectSelector` matches labels, not annotations, and is less expressive than preconditions.

  4. D A `PolicyException` covering every other resource in the cluster.

    Incorrect. Creating `PolicyException`s for every other resource is not a scalable or idiomatic pattern.

Q4. Which `match` selector pair is functionally equivalent to the other?

  1. A `match.any.resources.kinds: ["Pod"]` and `match.all.resources.kinds: ["Pod"]`.

    Correct. With a single selector inside it, `any` and `all` collapse to the same thing — both require that one selector to match.

  2. B `match.any.resources.namespaceSelector` and `exclude.any.resources.namespaceSelector`.

    Incorrect. `match` and `exclude` are opposites, not equivalent.

  3. C `match.any.resources.names: ["nginx-*"]` and `match.any.resources.selector.matchLabels: {name: nginx}`.

    Incorrect. A glob on `names` is not the same as a label selector.

  4. D `match.any.resources.kinds: ["Pod/*"]` and `match.any.resources.subresources: ["*"]`.

    Incorrect. Subresource globbing is a different surface than Pod subresources.

Q5. Which Kyverno selector configuration matches Pods in any namespace except `kube-system`?

  1. A

     ```yaml
     match:
       any:
       - resources:
           kinds: [Pod]
     exclude:
       any:
       - resources:
           namespaces: [kube-system]
     ```

    Correct. Kyverno uses `match` to include and `exclude` to remove resources; combining them is the canonical way to exempt `kube-system`.

  2. B

     ```yaml
     match:
       resources:
         kinds: [Pod]
         namespaceSelector:
           not: kube-system
     # (note: requires the deprecated `policy.k8s.io` shorthand to be enabled)
     ```

    Incorrect. `namespaceSelector.not` is not a valid Kyverno field.

  3. C

     ```yaml
     match:
       kinds: [Pod]
       notNamespace: kube-system
     ```

    Incorrect. There is no `notNamespace` field; scoped exclusion goes in the `exclude` block.

  4. D

     ```yaml
     match:
       any:
       - resources:
           kinds: [Pod]
           notNamespaces: [kube-system]
     ```

    Incorrect. Kyverno does not support a `notNamespaces` field inside `resources`.

How this domain is tested

Applying Policies accounts for 10% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 12-question domain bank will close those gaps.