Should I keep it to 2 years or extend it to the validity period of the CA (10 years)?
Yes, that's what *I* would recommend. There is no practical reason to use short-lived certificates for a KRA, since it doesn't require key exposure (unlike TLS, email or code-signing certs), and it is easy to provide the same security level as is done for the CA key. Frequent KRA changes will eventually lead to an inability to recover a required key and to increased maintenance costs. Moreover, you can consider using a self-signed certificate (which must be trusted by the CA server only), so the KRA cert isn't tied to the CA and doesn't rely on CA revocation information. If there is a need to replace the cert, an admin just replaces the KRA cert in the CA configuration.
Keep in mind that this is not an industry standard. But my personal experience (10+ years in the PKI field) suggests that this is the right way to do this thing.
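Since the answer's main risk is a KRA certificate quietly expiring and leaving archived keys unrecoverable, here is an added PowerShell check (not part of the original post) that lists the KRA certificates an AD CS CA is configured with, reports remaining validity and flags self-signed ones. It assumes it runs on the CA host, that the CA keeps the configured KRA hashes under the `CertSvc\Configuration\<CA name>` registry key (`KRACertCount`, `KRACertHash`) and the certificates themselves in the `LocalMachine\KRA` store; the warning threshold is a constructed value.

```powershell
# Added example: audit the KRA certificates configured on a Windows CA.
# Assumption: run as a local administrator on the CA server itself.

$warnDays = 365   # constructed threshold: warn a year before expiry

# The active CA's configuration lives under this key (assumed AD CS layout).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

$kraCount  = (Get-ItemProperty -Path $caKey -Name KRACertCount).KRACertCount
$kraHashes = @((Get-ItemProperty -Path $caKey -Name KRACertHash).KRACertHash)

Write-Host "CA '$caName' requires $kraCount KRA certificate(s) per archived key"
Write-Host "Configured KRA certificate hashes: $($kraHashes.Count)"

foreach ($hash in $kraHashes) {
    # Registry stores the SHA-1 hash with spaces; normalise to a thumbprint.
    $thumb = ($hash -replace '\s', '').ToUpper()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\KRA |
            Where-Object { $_.Thumbprint -eq $thumb }

    if (-not $cert) {
        Write-Warning "KRA hash $thumb is configured but not in the LocalMachine\KRA store"
        continue
    }

    $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $status     = if ($daysLeft -lt 0)          { 'EXPIRED' }
                  elseif ($daysLeft -lt $warnDays) { 'EXPIRING' }
                  else                              { 'OK' }

    # A self-signed KRA cert, as the answer suggests, is trusted by the CA
    # directly and has no CA-issued revocation data to depend on.
    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        SelfSigned = $selfSigned
        Status     = $status
    }
}
```

An EXPIRED or missing entry means the CA can no longer archive keys against that certificate, so this is worth scheduling alongside the CA's own certificate-expiry monitoring.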