← KCA hub

KCA — Fundamentals of Kyverno

18% of the KCA exam. Sample questions below; the full library has 22 questions tagged to this domain.

Sample questions on Fundamentals of Kyverno

Fundamentals of Kyverno

Q1. Which statement best describes what Kyverno is?

Reveal answer and explanations
  1. A A general-purpose WebAssembly runtime used to sandbox Kubernetes workloads at the node level.

    Incorrect. Kyverno is not a WebAssembly runtime; it is a policy engine built around Kubernetes resources.

  2. B A container image build system that produces OCI-compliant artifacts from Dockerfiles.

    Incorrect. Kyverno does not build container images; it validates, mutates, generates, and verifies Kubernetes resources.

  3. C A service mesh proxy that enforces mutual TLS between pods using envoy sidecars.

    Incorrect. Service-mesh functionality like mTLS is handled by meshes such as Istio or Linkerd, not by Kyverno.

  4. D A Kubernetes-native policy engine that uses YAML manifests as policies.

    Correct. Kyverno is a Kubernetes-native policy engine whose policies are themselves Kubernetes resources written in YAML, enforced via dynamic admission controllers.

Fundamentals of Kyverno

Q2. A team writes a `Policy` (namespaced) that uses `generate` with `synchronize: true` to clone a `ConfigMap` from another namespace. The policy is admitted but generation fails for every matched `Namespace`. Which constraint best explains why a namespaced `Policy` is the wrong choice here?

Reveal answer and explanations
  1. A `Policy` resources cannot declare `synchronize: true`; only the default `false` is allowed.

    Incorrect. `synchronize` is a valid field on `generate` rules regardless of policy scope.

  2. B Namespaced `Policy` objects ignore `generate` rules unless `background: true` is also set on the rule.

    Incorrect. `background: true` controls background scanning, not generate admission behavior.

  3. C `generate` rules are only permitted in a `ClusterPolicy` (trigger and target may cross namespaces).

    Correct. `generate` rules that create or clone resources across namespaces are only supported in a `ClusterPolicy`; a namespaced `Policy` cannot reference resources outside its own namespace.

  4. D `Policy` resources require `validationFailureAction: Enforce` before any `generate` rule can fire.

    Incorrect. `validationFailureAction` governs validate rules, not generate rules.

Fundamentals of Kyverno

Q3. Which benefit does Kyverno's YAML-based policy language offer compared to general-purpose programming languages?

Reveal answer and explanations
  1. A It provides a Turing-complete language with full loops and I/O for admission webhooks.

    Incorrect. Kyverno policies are declarative YAML, not a Turing-complete language.

  2. B It embeds a JVM so Java libraries can be used from within policies.

    Incorrect. Kyverno does not embed a JVM or support Java libraries.

  3. C It automatically transpiles policies to eBPF programs at runtime.

    Incorrect. Kyverno does not transpile to eBPF.

  4. D It reduces the learning curve: policies look like standard Kubernetes manifests.

    Correct. Because policies are Kubernetes resources written in YAML, operators already familiar with manifests can author and review them without learning a new DSL.

Fundamentals of Kyverno

Q4. A user asks whether Kyverno policies can run against arbitrary YAML files on disk, without a cluster. Which statement is true?

Reveal answer and explanations
  1. A No; Kyverno only evaluates resources the apiserver passes in `AdmissionReview` requests.

    Incorrect. The Kyverno CLI supports offline evaluation.

  2. B Only with an experimental build-time plugin that disables all runtime controllers.

    Incorrect. The CLI is a standard shipped binary, not experimental.

  3. C Yes, but only `verifyImages` rules can run outside a cluster.

    Incorrect. Validate, mutate, and generate also run in the CLI.

  4. D Yes, via `kyverno apply`, which evaluates policies against manifests offline.

    Correct. `kyverno apply` can load policies and resource manifests from disk and run validation, mutation, generation, and verifyImages checks without a cluster.

Fundamentals of Kyverno

Q5. A `Policy` resource is applied in the `team-a` namespace. Which resources can its rules evaluate?

Reveal answer and explanations
  1. A Only resources inside the `team-a` namespace.

    Correct. A namespaced `Policy` only evaluates resources in its own namespace; use `ClusterPolicy` for cluster-wide scope.

  2. B Any resource across the cluster, because all Kyverno policies are cluster-scoped.

    Incorrect. `Policy` is namespaced, not cluster-scoped; only `ClusterPolicy` applies cluster-wide.

  3. C Only cluster-scoped resources such as `Node` and `ClusterRole`.

    Incorrect. Cluster-scoped resources are managed by `ClusterPolicy`, not by a namespaced `Policy`.

  4. D Resources in `team-a` and any namespace that contains a matching label selector.

    Incorrect. A `Policy` cannot reach outside of its own namespace regardless of labels.

Drill Fundamentals of Kyverno with the full bankDomain Drill mode targets your weak areas — paid feature

How this domain is tested

Fundamentals of Kyverno accounts for 18% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 22-question domain bank will close those gaps.