Applying Policies Questions

A Kyverno validate policy has `failureAction: Audit` and `background: true`. A resource exists in the cluster that violates this policy. Where will th...

A Kyverno ClusterPolicy has a rule with no `match.resources.operations` field specified. To which operations will this rule apply by default?

A policy has `applyRules: One` set. A resource matches three rules in that policy. What happens?

Which of the following resource kinds CANNOT be used with wildcard kinds (`'*'`) in a Kyverno rule's match block when running in background mode?

Why must a policy have `background: false` when it uses `subjects` or `clusterRoles` in its `match` block?

In a Kyverno `match.any` block, how are peer conditions inside a single `resources` entry evaluated?

A policy wants to target only the `scale` subresource for Deployments. Why is an explicit parent-and-subresource match recommended?

A team wants one rule to apply only to Pods in namespaces labeled `organization=engineering`. Which matching feature is designed for that requirement?

A platform team writes a wildcard policy that matches all kinds in the cluster and wants to validate deep `spec` fields on every resource. What is the...

A policy already narrows `match` to Pods in `prod-*` namespaces, and the author wants to omit only `prod-alpha`. What should be true about the `exclud...

How are Kyverno `match` and `exclude` blocks combined for a rule?

A rule should match the Pod status subresource explicitly. Which syntax is supported by Kyverno?

A policy author tries to use `{{ request.object.kind }}` inside `match.resources.kinds`. What does the documentation say?

If policy match and exclude blocks do not specify operations, what default webhook operations does Kyverno use for validating versus mutating resource...

A team wants label-based matching with wildcard patterns in `matchLabels`. What is true about selector wildcard support?