10% of the KCA exam. Sample questions below; the full library has 12 questions tagged to this domain.
Sample questions on Policy Management
Policy Management
Q1. Which of these is a common Prometheus alerting use case built on Kyverno metrics?
A. Alerting when `kyverno_admission_review_duration_seconds` p99 crosses an SLO.
Correct. Webhook latency is a typical SLO and `kyverno_admission_review_duration_seconds` is the canonical histogram exposed by Kyverno for this purpose.
B. Alerting when a Pod's `spec.nodeName` changes unexpectedly.
Incorrect. Node reassignment is unrelated to Kyverno metrics.
C. Alerting when the kernel version on worker nodes is older than the control plane.
Incorrect. Kernel version drift is a node-level concern, not a Kyverno policy concern.
D. Alerting when an `EtcdDefrag` CronJob has not completed for 24 hours.
Incorrect. Etcd defrag is unrelated to Kyverno policy metrics.
Q2. An operator wants to know how many admission requests Kyverno is processing per second, broken down by request operation (CREATE/UPDATE/DELETE). Which label on which metric is most appropriate?
A. `policy_type` on `kyverno_policy_results_total` (the policy_type label)
Incorrect. `policy_type` differentiates validate/mutate/etc., not admission operations.
B. `request_operation` on `kyverno_admission_requests_total`
Correct. `kyverno_admission_requests_total` is the request counter and exposes `request_operation` so a `rate()` grouped by that label gives ops/sec by operation.
C. `rule_type` on `kyverno_policy_rule_info_total`
Incorrect. `kyverno_policy_rule_info_total` describes policies/rules metadata, not request rates.
D. `resource_kind` on `kyverno_policy_changes_total`
Incorrect. `kyverno_policy_changes_total` tracks policy edits, not admission requests.
Q3. Which command lists all namespaced policy reports in the cluster?
A. `kubectl get policyreports -A`
Correct. `PolicyReport` is a standard CRD; listing across namespaces uses `kubectl get policyreports -A`.
B. `kyverno list reports --all`
Incorrect. The CLI has no `kyverno list reports` subcommand.
C. `kubectl kyverno reports show`
Incorrect. `kubectl kyverno reports show` is not a real command.
Q4. A `PolicyReport` in namespace `prod` lists 12 failing results from policy `require-labels`. Which controller is responsible for producing and updating this object?
A. `admission-controller`
Incorrect. The admission controller emits per-request results but does not aggregate reports.
B. `reports-controller`
Correct. The reports controller consumes `AdmissionReport` and `BackgroundScanReport` objects and aggregates them into `PolicyReport`/`ClusterPolicyReport`.
C. `background-controller`
Incorrect. The background controller runs scans but does not own the reports CRD aggregation.
D. `cleanup-controller`
Incorrect. The cleanup controller handles `CleanupPolicy`, not reports.
Q5. Which best describes the purpose of a `PolicyException`?
A. To exempt specific resources from policy rules without changing the policy.
Correct. `PolicyException` resources exempt specified resources from listed policy rules, which avoids weakening the policy itself.
B. To mark a policy as deprecated cluster-wide.
Incorrect. Exceptions do not mark policies as deprecated.
C. To delete historical `PolicyReport` objects matching a selector.
Incorrect. Exceptions do not delete `PolicyReport` objects.
D. To increase webhook timeouts for noisy policies.
Incorrect. Webhook timeouts are configured via controller flags, not exceptions.
Policy Management accounts for 10% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 12-question domain bank will close those gaps.