
KCA — Writing Policies

32% of the KCA exam. Sample questions below; the full library has 38 questions tagged to this domain.

Sample questions on Writing Policies

Writing Policies

Q1. Which annotation on a Kyverno policy controls which Pod controllers autogen applies to?

  1. A `pod-policies.kyverno.io/autogen-controllers`

    Correct. The `pod-policies.kyverno.io/autogen-controllers` annotation selects which controllers autogen applies to or disables it with `none`.

  2. B `kyverno.io/disable-autogen`

    Incorrect. That annotation name is not the documented one.

  3. C `autogen.policies.kyverno.io/enabled` (the deprecated v1alpha2 path)

    Incorrect. There is no `autogen.policies.kyverno.io/enabled` annotation.

  4. D `kyverno.io/controllers-skip`

    Incorrect. `kyverno.io/controllers-skip` is not a real Kyverno annotation.
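Added example, not from the page or the Kyverno project: a Pod-level validation rule whose autogen coverage is narrowed to Deployments and StatefulSets with the annotation from Q1. The policy name, label name and message are illustrative.

```yaml
# Added example: a Pod-level rule with autogen limited to two controllers.
# Policy name, label name and message are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-team-label
  annotations:
    # Comma-separated list of Pod controllers autogen should generate rules for.
    # Omit the annotation to get the default set (Deployment, StatefulSet,
    # DaemonSet, Job, CronJob and the other built-in controllers); set it to
    # "none" to disable autogen and evaluate only bare Pods.
    pod-policies.kyverno.io/autogen-controllers: "Deployment,StatefulSet"
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: pods-carry-team-label
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Every Pod must carry a non-empty 'team' label."
      pattern:
        metadata:
          labels:
            # "?*" is Kyverno's any-non-empty-string wildcard.
            team: "?*"
```

With this annotation Kyverno emits an `autogen-pods-carry-team-label` rule for Deployment and StatefulSet that checks `spec.template.metadata.labels.team`, so a non-compliant Deployment is rejected at admission. A DaemonSet or CronJob with the same defect is accepted and only the Pods it later creates are blocked, which surfaces as a controller that never becomes ready rather than as a clear admission error. Narrow the controller list only when you have a reason to; the default set gives the earlier, clearer failure.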


Q2. Which CEL snippet inside a `validate.cel` block rejects a Pod that runs as root?

  1. A `expression: "request.object.runAsNonRoot"` — the legacy `request.object` shape predates ValidatingAdmissionPolicy and is no longer recommended

    Incorrect. Kyverno's CEL exposes the incoming resource as `object`, not `request.object`, and `runAsNonRoot` lives under `spec.securityContext`, not at the top level.

  2. B `expression: "spec.runAsUser != 0"`

    Incorrect. The expression omits the `object.` prefix, so CEL cannot resolve it.

  3. C

    ```yaml
    validate:
      cel:
        expressions:
        - expression: "object.spec.securityContext.runAsNonRoot == true"
    ```

    Correct. CEL inside Kyverno's `validate.cel.expressions` references `object` (the incoming resource) and asserts `runAsNonRoot == true` on `spec.securityContext`. In a real policy, guard the lookup with `has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot)`: CEL fails with an evaluation error rather than returning `false` when a field is absent. Also check each container, since `containers[].securityContext.runAsNonRoot: false` overrides the Pod-level value.

  4. D `expression: "!object.runAsRoot"`

    Incorrect. There is no `object.runAsRoot` field in PodSpec.


Q3. Which resource type lets Kyverno automatically clean up Kubernetes resources on a TTL or schedule?

  1. A `ClusterPolicy` with `rules[].cleanup`

    Incorrect. `rules[].cleanup` is not how cleanup is authored; it is a dedicated CRD.

  2. B `CleanupPolicy` / `ClusterCleanupPolicy`

    Correct. Kyverno ships `CleanupPolicy` (namespaced) and `ClusterCleanupPolicy` (cluster-scoped) for cron-scheduled deletion of matching resources. Per-resource TTL deletion needs no policy object at all: label the resource itself with `cleanup.kyverno.io/ttl` and the cleanup controller removes it when the TTL expires.

  3. C `PolicyReport` with `cleanup: true`

    Incorrect. `PolicyReport` is read-only evaluation data; it does not drive cleanup.

  4. D `UpdateRequest` with `ttlSecondsAfterFinished`

    Incorrect. `UpdateRequest` is an internal generate-rule helper, not a cleanup mechanism.
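Added example, not from the page or the Kyverno project: a `ClusterCleanupPolicy` that deletes completed Jobs every six hours, followed by a Pod that opts into TTL-based deletion through the label. The policy name, schedule, namespace exclusion and the Pod manifest are illustrative; the `kyverno.io/v2` API version is for Kyverno 1.12 and later (1.10 and 1.11 serve the same kind under `v2beta1`).

```yaml
# Added example: scheduled cleanup of completed Jobs, plus a per-resource TTL.
# Policy name, schedule and the Pod manifest are illustrative.
apiVersion: kyverno.io/v2
kind: ClusterCleanupPolicy
metadata:
  name: purge-completed-jobs
spec:
  # Cron schedule on which the cleanup controller lists matching resources.
  schedule: "0 */6 * * *"
  match:
    any:
    - resources:
        kinds:
        - Job
  exclude:
    any:
    - resources:
        namespaces:
        - kube-system
  # Conditions are JMESPath over each candidate, exposed as {{ target }}.
  # Only Jobs with at least one succeeded Pod are deleted; failed or running
  # Jobs are kept for investigation.
  conditions:
    all:
    - key: "{{ target.status.succeeded || `0` }}"
      operator: GreaterThan
      value: 0
---
# Alternative for a single resource: label it with a TTL and no policy object
# is needed. Durations such as 30s, 5m or 1h are accepted.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell
  namespace: default
  labels:
    cleanup.kyverno.io/ttl: 1h
spec:
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "infinity"]
```

Deletion is performed by the cleanup controller's own service account, which is not granted access to arbitrary kinds by default. Grant it `list` and `delete` on the target kind through Kyverno's aggregated ClusterRoles before relying on a policy like this; otherwise the policy is rejected or the scheduled run fails, and nothing is cleaned up. Treat both mechanisms as destructive: a `match` that is too broad deletes real workloads on the next tick.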


Q4. Which statement about CEL support in Kyverno is most accurate?

  1. A CEL works under `validate.cel` and `celPreconditions`, with `object`/`oldObject`/`request` access, like K8s ValidatingAdmissionPolicy.

    Correct. Kyverno exposes CEL under `validate.cel` (with `expressions`, `paramKind`/`paramRef` and `auditAnnotations`) and in the rule-level `celPreconditions` list, following upstream `ValidatingAdmissionPolicy` semantics. `request` and `oldObject` only exist during admission, so expressions that use them are meaningless in background scans; set `background: false` on such rules.

  2. B CEL is only usable in `generate` rules as of v1.11.

    Incorrect. CEL is centered on validation, not generate.

  3. C CEL replaces JMESPath entirely in current Kyverno versions.

    Incorrect. JMESPath remains fully supported: pattern-based `validate` rules, `preconditions`, `mutate`, `generate` and `{{ }}` variable substitution all still use it, and CEL is an additional option for validation rather than a replacement.

  4. D CEL is a Kyverno fork of Rego and is unrelated to Kubernetes CEL.

    Incorrect. It is the same CEL used in Kubernetes, not Rego.
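Added example, not from the page or the Kyverno project, covering both Q2 and Q4: a CEL validation rule that guards every field access with `has()`, checks init containers and container-level overrides as well as the Pod-level `securityContext`, and uses `celPreconditions` to scope the rule. The policy name and message are illustrative; skipping Pods that set `spec.hostUsers: false` is a design choice made for this example (in a user namespace, in-container root maps to an unprivileged host UID), not something the page prescribes. Requires Kyverno 1.11 or later.

```yaml
# Added example: CEL validation with has() guards and a CEL precondition.
# Policy name and message are illustrative; the hostUsers exemption is a
# design choice for this example.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot-cel
spec:
  validationFailureAction: Enforce
  # Only `object` is referenced below, so background scans of existing Pods
  # are fine; rules that use `request` or `oldObject` need background: false.
  background: true
  rules:
  - name: containers-run-as-nonroot
    match:
      any:
      - resources:
          kinds:
          - Pod
    # The rule is skipped when the precondition is false. Pods with
    # hostUsers: false run in a user namespace, so root inside the container
    # is not root on the node; every other Pod is evaluated.
    celPreconditions:
    - name: shares-host-user-namespace
      expression: "!has(object.spec.hostUsers) || object.spec.hostUsers"
    validate:
      cel:
        expressions:
        - expression: >-
            (object.spec.containers +
             (has(object.spec.initContainers) ? object.spec.initContainers : []))
            .all(c,
              (has(c.securityContext) && has(c.securityContext.runAsNonRoot))
                ? c.securityContext.runAsNonRoot
                : (has(object.spec.securityContext) &&
                   has(object.spec.securityContext.runAsNonRoot) &&
                   object.spec.securityContext.runAsNonRoot))
          message: >-
            Every container (including init containers) must run as non-root,
            either through its own securityContext.runAsNonRoot or the
            Pod-level securityContext.runAsNonRoot.
```

The `has()` guards matter: without them a Pod with no `securityContext` at all makes the expression error out instead of evaluating to `false`, and the error path, not your message, is what the submitter sees. The container check is what closes the gap left by the single-line answer in Q2, where a Pod-level `runAsNonRoot: true` can be silently undone by one container's `runAsNonRoot: false`. Ephemeral containers are added through a subresource and are not covered here.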


Q5. Which Kyverno construct applies a JSON Patch (RFC 6902) transformation inside a mutate rule?

  1. A `patchesJson6902`

    Correct. Kyverno uses `patchesJson6902` as the field name for RFC 6902 JSON Patches inside mutate rules. Its value is a YAML string (usually a `|-` block) containing the list of `op`/`path`/`value` operations, and the usual RFC 6902 rules apply: `add` needs the parent of `path` to exist, and `/` inside a key is escaped as `~1`.

  2. B `jsonPatch` field

    Incorrect. `jsonPatch` is not the Kyverno field name; the field is `patchesJson6902`.

  3. C `jsonMerge` field

    Incorrect. `jsonMerge` is not a Kyverno field; strategic merge is under `patchStrategicMerge`.

  4. D `jmesPatch` field

    Incorrect. `jmesPatch` is not a valid field name.
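Added example, not from the page or the Kyverno project: a mutate rule using `patchesJson6902` to default `runAsNonRoot: true` on Deployment and StatefulSet Pod templates. Because an RFC 6902 `add` fails when the parent of its path is missing, the policy splits the work into two rules selected by JMESPath preconditions. The policy and rule names are illustrative.

```yaml
# Added example: RFC 6902 patches in a mutate rule, split by preconditions so
# that "add" never targets a path whose parent is missing. Names are
# illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-run-as-nonroot
spec:
  rules:
  # Case 1: no Pod-level securityContext yet. Add the whole object, since
  # /spec/template/spec always exists on these kinds.
  - name: create-pod-securitycontext
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    preconditions:
      all:
      - key: "{{ request.object.spec.template.spec | keys(@) | contains(@, 'securityContext') }}"
        operator: Equals
        value: false
    mutate:
      # patchesJson6902 is a YAML string holding the list of operations.
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/securityContext
          value:
            runAsNonRoot: true
  # Case 2: securityContext exists. With the parent present, "add" inserts the
  # key or replaces its current value, so an explicit runAsNonRoot: false is
  # overridden rather than preserved.
  - name: set-run-as-nonroot
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
    preconditions:
      all:
      - key: "{{ request.object.spec.template.spec | keys(@) | contains(@, 'securityContext') }}"
        operator: Equals
        value: true
    mutate:
      patchesJson6902: |-
        - op: add
          path: /spec/template/spec/securityContext/runAsNonRoot
          value: true
```

Two caveats a reviewer would raise on this policy. First, it matches controllers directly, so a Pod created without a controller is not mutated; match `Pod` and rely on autogen if bare Pods must be covered too. Second, mutation is a convenience, not a control: pair it with a validate rule (such as the CEL rule in Q2) so that a workload that somehow bypasses the mutation is still rejected. If you patch annotation or label keys that contain a slash, remember the JSON Pointer escape, e.g. `/metadata/annotations/example.com~1owner`.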


How this domain is tested

Writing Policies accounts for 32% of the KCA exam. Expect questions that test recall of terminology and the ability to read short scenarios — not deep configuration. Use the sample questions above as difficulty calibration; if any feel hard, the rest of our 38-question domain bank will close those gaps.