OpenReports Integration
Note: OpenReports integration is available as of Kyverno 1.15. The feature is in ALPHA status.
Kyverno supports reporting policy results using the openreports.io/v1alpha1 API as an alternative to the default wgpolicyk8s reporting. This can be enabled using the --openreportsEnabled flag in the Kyverno controller.
This is an initial step to eventually deprecate wgpolicyk8s and fully depend on openreports.io as the API group for permanent reports.
Enabling OpenReports
To enable OpenReports integration, add the --openreportsEnabled flag to the Kyverno reports controller.
If you are deploying Kyverno using Helm, setting the chart value openreports.enabled=true will automatically add the --openreportsEnabled flag to the reports controller deployment.
Example: Enforcing an ‘app’ Label
Below is an example Kyverno policy that enforces the presence of an app label on all Pods. When this policy is applied and OpenReports integration is enabled, Kyverno will generate reports in the openreports.io/v1alpha1 API group.
Policy Example

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-app-label
  namespace: default
spec:
  admission: true
  background: true
  rules:
  - match:
      resources:
        kinds:
        - Pod
    name: check-app-label
    skipBackgroundRequests: true
    validate:
      message: Pods must have an 'app' label.
      pattern:
        metadata:
          labels:
            app: ?*
  validationFailureAction: enforce

Example OpenReports Output
You can view the reports as follows:

$ kubectl get reports -A -o yaml

apiVersion: v1
items:
- apiVersion: openreports.io/v1alpha1
  kind: Report
  metadata:
    labels:
      app.kubernetes.io/managed-by: kyverno
    name: 7d23ea02-1526-4a4f-ba14-49665adf55e
  results:
  - message: "validation error: Pods must have an 'app' label. rule check-app-label failed at path /metadata/labels/app/"
    policy: default/require-app-label
    properties:
      process: background scan
    result: fail
    rule: check-app-label
    scored: true
    source: kyverno
    timestamp:
      nanos: 0
      seconds: 1849050397
  scope:
    apiVersion: v1
    kind: Pod
    name: example-deployment-c94dc9f47-dfq6l
    namespace: default
    uid: dcd32da4-8539-4636-bba5-fd2cc3a6aaff
  summary:
    error: 0
    fail: 1
    pass: 0
    skip: 0
    warn: 0
kind: List
metadata: {}
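
As an added example (not part of the Kyverno documentation), the following Python script reads the JSON form of the report list shown above and prints each failing result with its resource, policy and rule, exiting non-zero when any are found. The sample data is constructed, and the function name failing_results is hypothetical.

```python
import json
import sys

# Constructed sample shaped like the `kubectl get reports -A -o json` output
# for the Report on this page; names and values are illustrative only.
SAMPLE = {
    "kind": "List",
    "items": [
        {"apiVersion": "openreports.io/v1alpha1", "kind": "Report",
         "metadata": {"name": "sample-report-1"},
         "scope": {"kind": "Pod", "name": "web-1", "namespace": "default"},
         "results": [{"policy": "default/require-app-label",
                      "rule": "check-app-label", "result": "fail"}],
         "summary": {"error": 0, "fail": 1, "pass": 0, "skip": 0, "warn": 0}},
        {"apiVersion": "openreports.io/v1alpha1", "kind": "Report",
         "metadata": {"name": "sample-report-2"},
         "scope": {"kind": "Pod", "name": "web-2", "namespace": "default"},
         "results": [{"policy": "default/require-app-label",
                      "rule": "check-app-label", "result": "pass"}],
         "summary": {"error": 0, "fail": 0, "pass": 1, "skip": 0, "warn": 0}},
    ],
}


def failing_results(doc, statuses=("fail", "error")):
    """Return (resource, policy, rule, result) for each non-passing result."""
    rows = []
    for item in doc.get("items", []):
        # Only look at objects from the OpenReports API group.
        if not item.get("apiVersion", "").startswith("openreports.io/"):
            continue
        scope = item.get("scope") or {}
        parts = (scope.get("kind"), scope.get("namespace"), scope.get("name"))
        resource = "/".join(p for p in parts if p)
        for res in item.get("results") or []:
            if res.get("result") in statuses:
                rows.append((resource, res.get("policy"),
                             res.get("rule"), res.get("result")))
    return rows


if __name__ == "__main__":
    # Pipe real output in, or run with no stdin to use the sample above.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    rows = failing_results(doc)
    for row in rows:
        print("{}  policy={}  rule={}  result={}".format(*row))
    sys.exit(1 if rows else 0)
```

The output of kubectl get reports -A -o json can be piped into the script on standard input.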