Example Scenarios

Follow-along scenarios for creating and viewing your first policy reports.

Example: Trigger a PolicyReport

A PolicyReport is a Namespaced object: it is created in the same Namespace as the resources that match one or more Kyverno policies. Cluster-wide resources generate ClusterPolicyReport objects at the cluster level instead.

A single Kyverno ClusterPolicy exists with a single rule which ensures Pods cannot mount Secrets as environment variables.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: true
  # Audit: violations are recorded in reports but the resource is still admitted
  validationFailureAction: Audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"

Creating a Pod in this Namespace which does not use any Secrets (and therefore does not violate the secrets-not-from-env-vars rule in the ClusterPolicy) generates the first entry in the PolicyReport, recorded as a PASS.

$ kubectl run busybox --image busybox:1.28 -- sleep 9999
pod/busybox created

$ kubectl get po
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          66s

$ kubectl get polr -o wide
NAME                                   KIND         NAME                                         PASS   FAIL   WARN   ERROR   SKIP   AGE
89044d72-8a1e-4af0-877b-9be727dc3ec4   Pod          busybox                                      1      0      0      0       0      15s

Inspect the PolicyReport in the default Namespace to view its contents. Notice that the rule secrets-not-from-env-vars is listed as having passed.

$ kubectl get polr 89044d72-8a1e-4af0-877b-9be727dc3ec4 -o yaml
...
results:
- message: validation rule 'secrets-not-from-env-vars' passed.
  policy: secrets-not-from-env-vars
  result: pass
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666097147
summary:
  error: 0
  fail: 0
  pass: 1
  skip: 0
  warn: 0

Create another Pod which violates the rule in the sample policy. Because the rule is written with validationFailureAction: Audit, resources which violate it are still allowed to be created; when that happens, another entry is created in the PolicyReport recording the condition as a FAIL. By contrast, with validationFailureAction: Enforce an attempt to create an offending resource would be blocked immediately and would therefore generate no entry in the report; a resource that passed would still produce a PASS result in the report.

apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    env:
    # Violates the rule: a Secret consumed as an environment variable
    - name: SECRET_STUFF
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mysecretname

Since the above Pod spec was allowed and it violated the rule, there should now be a failure entry in the PolicyReport in the default Namespace.

$ kubectl get polr -o wide
NAME                                   KIND         NAME                                         PASS   FAIL   WARN   ERROR   SKIP   AGE
9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f   Pod          secret-pod                                   0      1      0      0       0      15s

$ kubectl get polr 9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f -o yaml
...
results:
- message: 'validation error: Secrets must be mounted as volumes, not as environment
    variables. rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/'
  policy: secrets-not-from-env-vars
  result: fail
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666098438
summary:
  error: 0
  fail: 1
  pass: 1
  skip: 0
  warn: 0

Lastly, delete the Pod called secret-pod and check that the PolicyReport object was also deleted.

$ kubectl delete po secret-pod
pod "secret-pod" deleted

$ kubectl get polr -o wide
NAME                                   KIND         NAME                                         PASS   FAIL   WARN   ERROR   SKIP   AGE
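In Audit mode the FAIL entries in these reports are the only trace a violating resource leaves, so they are worth pulling out programmatically. The following is an added example (not part of the Kyverno docs or project) that triages the JSON `kubectl get polr -A -o json` would return: it lists every scored FAIL result with the resource it concerns and cross-checks each report's summary against its results list. The sample document is constructed here to mirror the two reports above; its `scope` field (which the KIND and NAME columns of the wide output come from) and the deliberately inconsistent second summary are assumptions for the demonstration.

```python
import json

# Constructed sample of `kubectl get polr -A -o json`, mirroring the
# walkthrough: one report per Pod, named after the Pod's UID, with the
# resource identified in `scope`. The second summary deliberately
# claims a pass that its results list does not contain.
SAMPLE_JSON = """{"items": [
 {"metadata": {"name": "89044d72-8a1e-4af0-877b-9be727dc3ec4", "namespace": "default"},
  "scope": {"kind": "Pod", "name": "busybox"},
  "results": [{"policy": "secrets-not-from-env-vars", "rule": "secrets-not-from-env-vars",
               "result": "pass", "scored": true, "message": "validation rule 'secrets-not-from-env-vars' passed."}],
  "summary": {"error": 0, "fail": 0, "pass": 1, "skip": 0, "warn": 0}},
 {"metadata": {"name": "9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f", "namespace": "default"},
  "scope": {"kind": "Pod", "name": "secret-pod"},
  "results": [{"policy": "secrets-not-from-env-vars", "rule": "secrets-not-from-env-vars",
               "result": "fail", "scored": true, "message": "validation error: Secrets must be mounted as volumes, not as environment variables. rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/"}],
  "summary": {"error": 0, "fail": 1, "pass": 1, "skip": 0, "warn": 0}}]}"""

COUNTERS = ("pass", "fail", "warn", "error", "skip")

def subject(report):
    """namespace/kind/name of the resource a report describes."""
    scope, meta = report.get("scope", {}), report["metadata"]
    return f"{meta.get('namespace', '')}/{scope.get('kind', '?')}/{scope.get('name', meta['name'])}"

def failing_results(report):
    """Scored FAIL entries as (subject, policy, rule, message) tuples."""
    return [(subject(report), r["policy"], r["rule"], r["message"])
            for r in report.get("results", [])
            if r.get("result") == "fail" and r.get("scored", True)]

def summary_mismatch(report):
    """Counters whose summary value disagrees with the results list."""
    counted = dict.fromkeys(COUNTERS, 0)
    for r in report.get("results", []):
        if r.get("result") in counted:
            counted[r["result"]] += 1
    summary = report.get("summary", {})
    return {k: (summary.get(k, 0), counted[k])
            for k in COUNTERS if summary.get(k, 0) != counted[k]}

def triage(items_json):
    """Return (fail list, {report name: mismatch}) for a polr JSON List."""
    items = json.loads(items_json).get("items", [])
    fails = [f for rep in items for f in failing_results(rep)]
    mismatches = {rep["metadata"]["name"]: summary_mismatch(rep)
                  for rep in items if summary_mismatch(rep)}
    return fails, mismatches
```

Run `triage(SAMPLE_JSON)` to get the secret-pod FAIL and the summary discrepancy of its report; pipe real `kubectl` output through the same function to triage a live cluster.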

Last modified April 08, 2024 at 8:29 AM PST: Refactor links (#1205) (5060f3d)