12% of the KCA exam. Sample questions below; the full library has 14 questions tagged to this domain.
Sample questions on Kyverno CLI
Kyverno CLI
Q1. Which flag tells `kyverno apply` to generate a policy report YAML for evaluated resources?
Reveal answer and explanations
A`--policy-report`
Correct. `kyverno apply --policy-report` emits a `PolicyReport` alongside the normal output for the evaluated resources.
B`--report-file`
Incorrect. `--report-file` is not the documented flag for this purpose.
C`--generate-report`
Incorrect. `--generate-report` is not a Kyverno CLI flag.
D`--output report`
Incorrect. `--output report` is not a supported value for the output flag.
Kyverno CLI
Q2. Which `kyverno apply` invocation is most appropriate inside a pull-request CI job that checks new manifests in `./manifests` against policies in `./policies`, exiting non-zero on any failure?
Incorrect. `--cluster` ties the job to whatever cluster credentials the runner has; for PR validation, offline evaluation is preferred.
B`kyverno apply./policies --resource./manifests`
Correct. `kyverno apply` with `--resource` (or a directory) evaluates the manifests offline against the given policies and returns a non-zero exit on failures.
C`kyverno test./manifests --policy./policies`
Incorrect. `kyverno test` requires a declarative test definition (`kyverno-test.yaml`), not loose manifests.
D`kyverno jp query./manifests --policy./policies`
Incorrect. `kyverno jp` is for JMESPath expressions, not for running policies.
Kyverno CLI
Q3. A developer installed Kyverno CLI on macOS via Homebrew. Which command would you expect them to have run?
Reveal answer and explanations
A`brew tap kyverno && brew install kyverno`
Incorrect. The Homebrew formula for Kyverno does not require a custom tap; a simple `brew install kyverno` works.
B`brew install kyverno/tap/cli`
Incorrect. `kyverno/tap/cli` is not the correct tap/formula path for the CLI.
C`brew install kyverno`
Correct. The Kyverno CLI is available in the default Homebrew formulae and is installed with `brew install kyverno`.
D`brew cask install kyverno-cli`
Incorrect. Casks are for GUI applications, and Kyverno CLI is not distributed that way.
Kyverno CLI
Q4. Which statement about variables in `kyverno apply` is correct?
Reveal answer and explanations
AVariables must be hardcoded in the policy; `kyverno apply` will reject any policy that uses variables.
Incorrect. Variables are first-class; the CLI supports them.
BThe CLI fetches variables from the cluster even without `--cluster`, based on the current kubeconfig.
Incorrect. The CLI only reaches out to the cluster when `--cluster` is set.
C`request.*` variables are automatically populated from the resource's YAML fields.
Incorrect. `request.*` are admission-time fields and must be supplied in the CLI; they are not inferred from the manifest.
DVariables like `{{ request.userInfo }}` can be supplied via `--variables` so offline runs match admission.
Correct. A `--variables` YAML/JSON file lets you supply `request.*` and custom variable values, enabling realistic offline evaluation.
Kyverno CLI
Q5. Which command installs the Kyverno CLI using the Krew kubectl plugin manager?
Reveal answer and explanations
A`kubectl krew install kyverno`
Correct. Krew installs the Kyverno CLI via `kubectl krew install kyverno`, after which it is invoked as `kubectl kyverno`.
B`kubectl plugin add kyverno-cli`
Incorrect. `kubectl plugin add` is not a real command.
C`krew get kyverno`
Incorrect. The Krew subcommand is `install`, not `get`.
D`helm install kyverno-cli kyverno/cli`
Incorrect. The CLI is not installed via Helm; Helm installs the cluster controllers.
Kyverno CLI accounts for 12% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 14-question domain bank will close those gaps.