All Practice Exams
100+ Free Kyverno Certified Associate Practice Questions
Kyverno Certified Associate (KCA) practice questions are available now; exam metadata is being verified.
✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0
Which two validationFailureAction (failureAction) values determine whether a failed validation blocks the resource or only reports it?
A
B
C
D
to track
Same family resources
Explore More Linux Foundation Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
2026 Statistics
Key Facts: Kyverno Certified Associate Exam
$250
Exam Fee (USD, includes one free retake)
CNCF
90 minutes
Exam Duration
CNCF
6 domains
Curriculum Areas (Writing Policies is 32%)
CNCF open source curriculum
2 years
Credential Validity
The Linux Foundation
No prerequisites
Eligibility
CNCF
Multiple-choice
Online Proctored Format
CNCF
The Kyverno Certified Associate (KCA) is a CNCF/Linux Foundation exam costing $250 USD with one free retake. It is an online, proctored, multiple-choice exam lasting 90 minutes, with no prerequisites and a two-year validity. The six domains are Fundamentals of Kyverno (18%), Installation, Configuration and Upgrades (18%), Kyverno CLI (12%), Applying Policies (10%), Writing Policies (32%), and Policy Management (10%). CNCF does not publish the passing score or exact question count.
Sample Kyverno Certified Associate Practice Questions
Try these sample questions to test your Kyverno Certified Associate exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.
1What is the primary function of Kyverno within a Kubernetes cluster?
A.It is a policy engine that runs as a dynamic admission controller to validate, mutate, generate, and verify images for Kubernetes resources
B.It is a container runtime that replaces containerd for running policy-managed workloads
C.It is a service mesh that encrypts traffic between pods based on policy
D.It is a CNI plugin that enforces network segmentation through NetworkPolicies
Explanation: Kyverno is a Kubernetes-native policy engine that runs as a dynamic admission controller, receiving validating and mutating webhook callbacks from the kube-apiserver. It can validate, mutate, generate resources, and verify container image signatures. Policies are managed as Kubernetes custom resources rather than requiring a separate language.
2Which two Kubernetes admission webhook types does Kyverno register with the kube-apiserver to apply its policies?
A.AuthenticationWebhook and AuthorizationWebhook
B.ConversionWebhook and DefaultingWebhook
C.ValidatingWebhookConfiguration and MutatingWebhookConfiguration
D.SchedulingWebhook and BindingWebhook
Explanation: Kyverno operates by registering a ValidatingWebhookConfiguration and a MutatingWebhookConfiguration with the kube-apiserver. These are the two dynamic admission webhook types in Kubernetes, allowing Kyverno to intercept AdmissionReview requests to mutate or validate resources during admission control.
3What is the difference between a Kyverno ClusterPolicy and a Policy resource?
A.A ClusterPolicy can only contain validate rules while a Policy can contain all rule types
B.A ClusterPolicy is deprecated in favor of the namespaced Policy resource
C.A ClusterPolicy is read-only and used for reporting, while a Policy can block resources
D.A ClusterPolicy applies to matching resources across all namespaces, while a Policy is namespaced and applies only to resources within its own namespace
Explanation: A ClusterPolicy is a cluster-scoped resource that applies to matching resources across all namespaces, while a Policy is a namespaced resource that applies only to resources within the namespace in which it is defined. Apart from scope, there is no functional difference between the two; both support the same rule types.
4A single rule within a Kyverno policy may contain how many of the rule-type declarations validate, mutate, generate, or verifyImages?
A.Up to two rule-type declarations per rule
B.Exactly one rule-type declaration per rule
C.Any combination of all four in a single rule
D.At least two, since validate and mutate are always paired
Explanation: Each Kyverno rule consists of a match declaration, an optional exclude declaration, and exactly one of validate, mutate, generate, or verifyImages. A rule can contain only a single rule-type child declaration. To apply multiple behaviors you write multiple rules within the policy's rules list.
5During admission control with Kyverno, in what order are mutation and validation rules applied?
A.Mutation rules are applied before validation rules, so validation sees the mutated resource
B.Validation rules run first so that invalid resources are rejected before any mutation
C.Mutation and validation run in parallel with no defined ordering
D.Generation rules run first, followed by validation, then mutation
Explanation: During admission control, all mutation rules are applied before any validation rules across all policies. This allows validation to evaluate the resource after mutations have been applied, ensuring changes made during mutation are themselves validated.
6Which of the following best describes a Kyverno verifyImages rule?
A.It scans container images for known CVEs using an embedded vulnerability database
B.It rebuilds images from source to ensure reproducibility
C.It checks container image signatures and attestations, commonly using Sigstore Cosign, for software supply chain security
D.It pulls images to a local cache to speed up pod startup
Explanation: A verifyImages rule verifies container image signatures and attestations, with support for Sigstore Cosign and Notary attestors. It is used for software supply chain security, ensuring that only images signed by trusted authorities are admitted to the cluster.
7In which YAML format are Kyverno policies authored and managed?
A.A proprietary domain-specific language compiled to WebAssembly
B.HCL, the same configuration language used by Terraform
C.Rego, the same language used by Open Policy Agent Gatekeeper
D.Standard Kubernetes custom resource manifests (YAML/JSON) managed with kubectl, Git, and Kustomize
Explanation: Kyverno policies are declared as standard Kubernetes custom resources in YAML or JSON. Because they are native Kubernetes resources, they can be managed with familiar tools such as kubectl, Git, and Kustomize, avoiding the need to learn a new programming language.
8What does it mean that Kyverno validation rules can only extend the fail condition set and cannot override one another?
A.A later policy can change a prior policy's pass result to a fail, allowing namespaced policies to relax cluster policies
B.Validation rules are written as pass or fail conditions, so a namespaced policy cannot override or relax behavior defined by a cluster-wide policy
C.Only the first matching validation rule is evaluated and the rest are ignored
D.Validation rules must all pass simultaneously or the entire cluster is locked down
Explanation: Because validation rules are written as pass or fail conditions, rules cannot override other rules and can only extend the set of fail conditions. Consequently, a namespaced Policy cannot override or relax behaviors described by a cluster-wide ClusterPolicy; all matching validation rules are additive.
9Which mandatory element must every Kyverno rule contain to select the resources it applies to?
A.A match declaration
B.A status block listing affected resources
C.A generate block
D.An anchors section
Explanation: Every Kyverno rule must contain a match declaration that selects the resources the rule applies to. The match block can select resources by kind, name, namespace, label selectors, operations, and subject information. An exclude declaration is optional and narrows the selection.
10Which tool's sub-project does Kyverno integrate with by default to verify container image signatures?
A.Trivy
B.Falco
C.Sigstore Cosign
D.Clair
Explanation: Kyverno's verifyImages rules integrate with Sigstore's Cosign sub-project to verify container image signatures and attestations. Cosign supports public keys, certificates, and keyless (identity-based) attestors. Notary is also supported as an alternative signature type.
About the Kyverno Certified Associate Practice Questions
Verified exam format metadata for Kyverno Certified Associate (KCA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.