ValidatingAdmissionPolicy Reports

Generate Policy Reports for ValidatingAdmissionPolicies and their bindings.

Kyverno can generate reports for ValidatingAdmissionPolicies and their bindings. These reports provide information about the resources that are validated by the policies and the results of the validation. They can be used to monitor the health of the cluster and to ensure that the policies are being enforced as expected.

To configure Kyverno to generate reports for ValidatingAdmissionPolicies, set the --validatingAdmissionPolicyReports flag to true in the reports controller. This flag is set to false by default.

Example: Trigger a PolicyReport

Create a ValidatingAdmissionPolicy that checks the replica count of Deployments, and a ValidatingAdmissionPolicyBinding that binds the policy to every namespace labeled environment: staging.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: "check-deployment-replicas"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:
      - apps
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - deployments
  validations:
  - expression: object.spec.replicas <= 5
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "check-deployment-replicas-binding"
spec:
  policyName: "check-deployment-replicas"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: staging

Create a Namespace with the label environment: staging:

kubectl create ns staging
kubectl label ns staging environment=staging

Create the following Deployments:

  1. A Deployment with 7 replicas in the default namespace:

     kubectl create deployment deployment-1 --image=nginx --replicas=7

  2. A Deployment with 3 replicas in the default namespace:

     kubectl create deployment deployment-2 --image=nginx --replicas=3

  3. A Deployment with 7 replicas in the staging namespace:

     kubectl create deployment deployment-3 --image=nginx --replicas=7 -n staging

  4. A Deployment with 3 replicas in the staging namespace:

     kubectl create deployment deployment-4 --image=nginx --replicas=3 -n staging

PolicyReports are generated in the same namespace as the resources they describe. In the example above, the binding only selects the staging namespace, so the Deployments in default are never evaluated and no report is created there; reports are created for deployment-3 (fail) and deployment-4 (pass) in staging.

kubectl get polr -n default

No resources found in default namespace.

kubectl get polr -n staging -o yaml

apiVersion: v1
items:
- apiVersion: wgpolicyk8s.io/v1alpha2
  kind: PolicyReport
  metadata:
    creationTimestamp: "2024-01-25T11:55:33Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: kyverno
    name: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
    namespace: staging-ns
    ownerReferences:
    - apiVersion: apps/v1
      kind: Deployment
      name: deployment-3
      uid: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
    resourceVersion: "83693"
    uid: 90ab79b4-fc0b-41bc-b8d0-da021c02ee9d
  results:
  - message: 'failed expression: object.spec.replicas <= 5'
    policy: check-deployment-replicas
    properties:
      binding: check-deployment-replicas-binding
    result: fail
    source: ValidatingAdmissionPolicy
    timestamp:
      nanos: 0
      seconds: 1706183723
  scope:
    apiVersion: apps/v1
    kind: Deployment
    name: deployment-3
    namespace: staging-ns
    uid: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
  summary:
    error: 0
    fail: 1
    pass: 0
    skip: 0
    warn: 0
- apiVersion: wgpolicyk8s.io/v1alpha2
  kind: PolicyReport
  metadata:
    creationTimestamp: "2024-01-25T11:55:33Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: kyverno
    name: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
    namespace: staging-ns
    ownerReferences:
    - apiVersion: apps/v1
      kind: Deployment
      name: deployment-4
      uid: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
    resourceVersion: "83694"
    uid: 8e19960d-969d-4e4c-a7d7-480fff15df6d
  results:
  - policy: check-deployment-replicas
    properties:
      binding: check-deployment-replicas-binding
    result: pass
    source: ValidatingAdmissionPolicy
    timestamp:
      nanos: 0
      seconds: 1706183723
  scope:
    apiVersion: apps/v1
    kind: Deployment
    name: deployment-4
    namespace: staging-ns
    uid: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
  summary:
    error: 0
    fail: 0
    pass: 1
    skip: 0
    warn: 0
kind: List
metadata:
  resourceVersion: ""
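Once reports like the one above exist, the useful follow-up is to turn them into something an operator can alert on. The script below is an added example, not part of the Kyverno docs or code base: it takes a PolicyReport list of the shape returned by kubectl get polr -o json (the sample is constructed inline and trimmed to the fields that matter), lists every failing result whose source is ValidatingAdmissionPolicy, and cross-checks each report's summary counts against its results so a stale or inconsistent report is noticed.

```python
# Added example (not Kyverno project code): post-process PolicyReports from
# `kubectl get polr -A -o json` to list ValidatingAdmissionPolicy failures and
# to verify that each report's summary agrees with its results.
import json

# Constructed sample modeled on the `kubectl get polr -o yaml` output above.
# A Kyverno-sourced result is included to show that filtering by `source`
# is needed when both engines write into the same namespace.
SAMPLE_LIST = json.loads("""
{"kind": "List", "items": [
 {"scope": {"kind": "Deployment", "name": "deployment-3", "namespace": "staging"},
  "results": [{"policy": "check-deployment-replicas",
               "properties": {"binding": "check-deployment-replicas-binding"},
               "result": "fail", "source": "ValidatingAdmissionPolicy",
               "message": "failed expression: object.spec.replicas <= 5"}],
  "summary": {"error": 0, "fail": 1, "pass": 0, "skip": 0, "warn": 0}},
 {"scope": {"kind": "Deployment", "name": "deployment-4", "namespace": "staging"},
  "results": [{"policy": "check-deployment-replicas",
               "properties": {"binding": "check-deployment-replicas-binding"},
               "result": "pass", "source": "ValidatingAdmissionPolicy"},
              {"policy": "require-labels", "result": "fail", "source": "kyverno",
               "message": "label app is required"}],
  "summary": {"error": 0, "fail": 1, "pass": 1, "skip": 0, "warn": 0}}
]}
""")

def vap_failures(report_list):
    """(namespace, kind, name, policy, binding, message) for each failing
    result that a ValidatingAdmissionPolicy produced."""
    rows = []
    for report in report_list.get("items", []):
        scope = report.get("scope", {})
        for r in report.get("results", []):
            if r.get("source") != "ValidatingAdmissionPolicy" or r.get("result") != "fail":
                continue
            rows.append((scope.get("namespace", ""), scope.get("kind", ""), scope.get("name", ""),
                         r.get("policy", ""), r.get("properties", {}).get("binding", ""),
                         r.get("message", "")))
    return rows

def summary_mismatches(report_list):
    """Scope names of reports whose summary counts disagree with their results."""
    bad = []
    for report in report_list.get("items", []):
        counts = {k: 0 for k in ("error", "fail", "pass", "skip", "warn")}
        for r in report.get("results", []):
            res = r.get("result", "error")
            counts[res] = counts.get(res, 0) + 1
        if counts != report.get("summary", {}):
            bad.append(report.get("scope", {}).get("name", "?"))
    return bad

if __name__ == "__main__":
    for row in vap_failures(SAMPLE_LIST):
        print("FAIL %s/%s %s policy=%s binding=%s: %s" % row)
    print("summary mismatches:", summary_mismatches(SAMPLE_LIST))
```

To run it against a live cluster, replace SAMPLE_LIST with json.load(sys.stdin) and pipe in kubectl get polr -A -o json.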

Last modified April 08, 2024 at 8:29 AM PST: Refactor links (#1205) (5060f3d)