KCA — Installation, Configuration, and Upgrades

18% of the KCA exam. Sample questions below; the full library has 22 questions tagged to this domain.

Sample questions on Installation, Configuration, and Upgrades

Installation, Configuration, and Upgrades

Q1. You are upgrading Kyverno from 1.9.x to 1.11.x. Which sequence is correct?

  1. A. Upgrade the CRDs first, then run `helm upgrade`; validate health before removing legacy webhooks.

    Correct. The documented path is to apply the new CRDs, then `helm upgrade` the release, and validate before cleaning up any obsolete webhook configurations.

  2. B. Delete the Kyverno namespace first, then install 1.11 from scratch so no legacy resources remain.

    Incorrect. Deleting the namespace would also delete `PolicyReports` and cause gaps in enforcement.

  3. C. Skip CRD upgrades because Helm always applies CRDs automatically during `helm upgrade`.

    Incorrect. Helm intentionally does not upgrade CRDs on `helm upgrade`; CRDs must be applied explicitly.

  4. D. Downgrade all policies to `validationFailureAction: Audit` first, then uninstall Kyverno and reinstall.

    Incorrect. Uninstalling and reinstalling is disruptive; in-place upgrades are the supported path.

Q2. On a multi-tenant cluster, the admission controller must not evaluate requests from the `system:nodes` group (kubelet traffic) to reduce load. Which configuration surface is most appropriate?

  1. A. Delete the validating webhook for every kind kubelet touches.

    Incorrect. Deleting webhooks turns off enforcement entirely; Kyverno also re-reconciles them.

  2. B. Add `system:nodes` to the excluded groups in the Kyverno `ConfigMap`.

    Correct. The `kyverno` `ConfigMap` (and equivalent chart values) supports excluding groups, usernames, and resource kinds from admission evaluation.

  3. C. Patch every `ClusterPolicy` to use `match.any: []` — an empty list.

    Incorrect. An empty `match.any` does not make the rule skip; it makes the rule invalid.

  4. D. Set `--admissionReports=false` on the admission controller.

    Incorrect. `--admissionReports` controls admission report generation, not which users/groups are evaluated.

Q3. You skipped a minor version when upgrading Kyverno and reports are inconsistent with the new schema. Which CLI command helps migrate older report objects to the current version?

  1. A. `kyverno apply --migrate`

    Incorrect. `kyverno apply` does not accept a `--migrate` flag.

  2. B. `kubectl kyverno repair`

    Incorrect. `kubectl kyverno repair` is not a real command.

  3. C. `kyverno migrate`

    Correct. The `kyverno migrate` command migrates existing Kyverno resources (including reports) to the latest API versions.

  4. D. `kyverno fix report`

    Incorrect. `kyverno fix` addresses policy formatting issues; it does not migrate report CRs across versions.

Q4. Which statement about leader election across the split controllers is correct?

  1. A. Only one admission controller replica serves webhook requests at a time; leader election gates webhook handling.

    Incorrect. All admission controller replicas can serve webhook traffic; the apiserver load-balances via the Service.

  2. B. Background/reports/cleanup use leader election; admission replicas all serve webhook traffic.

    Correct. Webhook handling is stateless and horizontally scaled; the background/reports/cleanup workloads use leader election to avoid duplicated effects.

  3. C. All four controllers share a single leader-election `Lease` object in the `kube-system` namespace.

    Incorrect. Each controller has its own `Lease` in the Kyverno namespace.

  4. D. Leader election is disabled by default and must be enabled via `--leaderElection=true`.

    Incorrect. Leader election is enabled by default for the controllers that need it.

Q5. A platform team wants PolicyReports and background scans to scale independently from the admission controller. Which Helm chart values layout best achieves this?

  1. A. Set `admissionController.replicas` high and leave all other controllers at zero replicas.

    Incorrect. Setting other controllers to zero replicas would stop reports and background scans from working.

  2. B. Increase `admissionController.resources.cpu` only; the other controllers scale automatically.

    Incorrect. Raising CPU on admission does not affect the capacity of the other controllers.

  3. C. Set replicas per controller block in the chart values.

    Correct. Kyverno's split architecture exposes per-controller replica settings in the Helm chart, letting each controller scale independently.

  4. D. Disable the HorizontalPodAutoscaler so the Deployments use cluster-wide autoscaling instead.

    Incorrect. Disabling HPA does not enable per-controller scaling; per-controller replicas do.

How this domain is tested

Installation, Configuration, and Upgrades accounts for 18% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 22-question domain bank will close those gaps.