ValidatingAdmissionPolicy Reports

Generate Policy Reports for ValidatingAdmissionPolicies and their bindings.

Kyverno can generate reports for ValidatingAdmissionPolicies and their bindings. These reports provide information about the resources that are validated by the policies and the results of the validation. They can be used to monitor the health of the cluster and to ensure that the policies are being enforced as expected.

To have Kyverno generate reports for ValidatingAdmissionPolicies, set the `--validatingAdmissionPolicyReports` flag to `true` on the reports controller (the flag belongs to the reports controller, not the admission controller). It defaults to `false`, so no reports are produced for ValidatingAdmissionPolicies until it is enabled.

Example: Trigger a PolicyReport

Create a ValidatingAdmissionPolicy that checks the replica count of Deployments, and a ValidatingAdmissionPolicyBinding that applies the policy only in Namespaces labeled `environment: staging`:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "check-deployment-replicas"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:
      - apps
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - deployments
  validations:
  - expression: object.spec.replicas <= 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "check-deployment-replicas-binding"
spec:
  policyName: "check-deployment-replicas"
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchLabels:
        environment: staging
```

Create a Namespace with the label environment: staging:

```bash
kubectl create ns staging
kubectl label ns staging environment=staging
```

Create the following Deployments:

1. A Deployment with 7 replicas in the default namespace:

   ```bash
   kubectl create deployment deployment-1 --image=nginx --replicas=7
   ```

2. A Deployment with 3 replicas in the default namespace:

   ```bash
   kubectl create deployment deployment-2 --image=nginx --replicas=3
   ```

3. A Deployment with 7 replicas in the staging namespace:

   ```bash
   kubectl create deployment deployment-3 --image=nginx --replicas=7 -n staging
   ```

4. A Deployment with 3 replicas in the staging namespace:

   ```bash
   kubectl create deployment deployment-4 --image=nginx --replicas=3 -n staging
   ```

PolicyReports are generated in the namespace of the resource that was validated, and only for resources the binding actually selects. Because `check-deployment-replicas-binding` matches only Namespaces labeled `environment: staging`, deployment-1 and deployment-2 in the default namespace are never evaluated and no report is produced there. The reports for deployment-3 (7 replicas, fail) and deployment-4 (3 replicas, pass) appear in the staging namespace.

Note that with `validationActions: [Deny]` on a cluster that enforces ValidatingAdmissionPolicies, the API server rejects deployment-3 at admission. A `fail` result like the one below is what you see for a Deployment that already existed when the policy was applied, or when the binding uses `[Audit]` or `[Warn]` instead of `[Deny]` so that violating resources are admitted and then reported.

```bash
kubectl get polr -n default

No resources found in default namespace.
```

```bash
kubectl get polr -n staging -o yaml

apiVersion: v1
items:
- apiVersion: wgpolicyk8s.io/v1alpha2
  kind: PolicyReport
  metadata:
    creationTimestamp: "2024-01-25T11:55:33Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: kyverno
    name: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
    namespace: staging
    ownerReferences:
    - apiVersion: apps/v1
      kind: Deployment
      name: deployment-3
      uid: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
    resourceVersion: "83693"
    uid: 90ab79b4-fc0b-41bc-b8d0-da021c02ee9d
  results:
  - message: 'failed expression: object.spec.replicas <= 5'
    policy: check-deployment-replicas
    properties:
      binding: check-deployment-replicas-binding
    result: fail
    source: ValidatingAdmissionPolicy
    timestamp:
      nanos: 0
      seconds: 1706183723
  scope:
    apiVersion: apps/v1
    kind: Deployment
    name: deployment-3
    namespace: staging
    uid: 0b2d730e-cbc3-4eab-8f3b-ad106ea5d559
  summary:
    error: 0
    fail: 1
    pass: 0
    skip: 0
    warn: 0
- apiVersion: wgpolicyk8s.io/v1alpha2
  kind: PolicyReport
  metadata:
    creationTimestamp: "2024-01-25T11:55:33Z"
    generation: 1
    labels:
      app.kubernetes.io/managed-by: kyverno
    name: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
    namespace: staging
    ownerReferences:
    - apiVersion: apps/v1
      kind: Deployment
      name: deployment-4
      uid: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
    resourceVersion: "83694"
    uid: 8e19960d-969d-4e4c-a7d7-480fff15df6d
  results:
  - policy: check-deployment-replicas
    properties:
      binding: check-deployment-replicas-binding
    result: pass
    source: ValidatingAdmissionPolicy
    timestamp:
      nanos: 0
      seconds: 1706183723
  scope:
    apiVersion: apps/v1
    kind: Deployment
    name: deployment-4
    namespace: staging
    uid: c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4
  summary:
    error: 0
    fail: 0
    pass: 1
    skip: 0
    warn: 0
kind: List
metadata:
  resourceVersion: ""
```

Each report is owned by the Deployment it describes (see `ownerReferences`), so it is garbage-collected with the Deployment. The `source: ValidatingAdmissionPolicy` field and the `properties.binding` entry distinguish these results from results produced by Kyverno's own policies, which is what you filter on when alerting on them.
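The following script is an added example, not part of the Kyverno documentation or code base. It consumes the JSON form of the report list above (`kubectl get polr -A -o json`), keeps only results whose `source` is `ValidatingAdmissionPolicy`, lists the failing resources with the policy and binding that produced each failure, tallies results per policy, and cross-checks each report's `summary` block against its `results` list. The `SAMPLE_REPORT_LIST` is constructed here from the two reports shown above so the script runs offline; the file and function names are this example's own.

```python
"""Triage Kyverno PolicyReports generated from ValidatingAdmissionPolicies.

Added example (not Kyverno code). Usage against a live cluster:
    kubectl get polr -A -o json | python3 vap_report_check.py
Exits non-zero when any ValidatingAdmissionPolicy result is a failure.
"""
import json
import sys
from collections import Counter

VAP_SOURCE = "ValidatingAdmissionPolicy"

# Constructed sample: the two staging-namespace reports shown on this page,
# reduced to the fields this script reads.
SAMPLE_REPORT_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "PolicyReport",
            "metadata": {"name": "0b2d730e-cbc3-4eab-8f3b-ad106ea5d559", "namespace": "staging"},
            "scope": {"apiVersion": "apps/v1", "kind": "Deployment",
                      "name": "deployment-3", "namespace": "staging"},
            "results": [{
                "message": "failed expression: object.spec.replicas <= 5",
                "policy": "check-deployment-replicas",
                "properties": {"binding": "check-deployment-replicas-binding"},
                "result": "fail",
                "source": VAP_SOURCE,
            }],
            "summary": {"error": 0, "fail": 1, "pass": 0, "skip": 0, "warn": 0},
        },
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "PolicyReport",
            "metadata": {"name": "c1e28ad7-b5c9-4f5c-9b77-8d4278df9fc4", "namespace": "staging"},
            "scope": {"apiVersion": "apps/v1", "kind": "Deployment",
                      "name": "deployment-4", "namespace": "staging"},
            "results": [{
                "policy": "check-deployment-replicas",
                "properties": {"binding": "check-deployment-replicas-binding"},
                "result": "pass",
                "source": VAP_SOURCE,
            }],
            "summary": {"error": 0, "fail": 0, "pass": 1, "skip": 0, "warn": 0},
        },
    ],
}


def vap_results(report_list, source=VAP_SOURCE):
    """Flatten every result with the given source into one record per (resource, policy)."""
    for report in report_list.get("items", []):
        scope = report.get("scope", {})
        namespace = report.get("metadata", {}).get("namespace", "")
        for res in report.get("results", []):
            if res.get("source") != source:
                continue  # skip results from Kyverno's own policies
            yield {
                "namespace": namespace,
                "kind": scope.get("kind", ""),
                "name": scope.get("name", ""),
                "policy": res.get("policy", ""),
                "binding": res.get("properties", {}).get("binding", ""),
                "result": res.get("result", ""),
                "message": res.get("message", ""),
            }


def failing(report_list):
    """Records for resources that failed a ValidatingAdmissionPolicy check."""
    return [r for r in vap_results(report_list) if r["result"] == "fail"]


def summary_by_policy(report_list):
    """Map policy name -> Counter of result values (pass/fail/warn/error/skip)."""
    counts = {}
    for r in vap_results(report_list):
        counts.setdefault(r["policy"], Counter())[r["result"]] += 1
    return counts


def inconsistent_summaries(report_list):
    """Names of reports whose summary block disagrees with their results list."""
    bad = []
    for report in report_list.get("items", []):
        actual = Counter(res.get("result") for res in report.get("results", []))
        declared = report.get("summary", {})
        if any(declared.get(k, 0) != actual.get(k, 0)
               for k in ("pass", "fail", "warn", "error", "skip")):
            bad.append(report["metadata"]["name"])
    return bad


if __name__ == "__main__":
    reports = SAMPLE_REPORT_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for r in failing(reports):
        print(f"FAIL {r['namespace']}/{r['kind']}/{r['name']} "
              f"policy={r['policy']} binding={r['binding']}: {r['message']}")
    for policy, counts in summary_by_policy(reports).items():
        print(f"{policy}: {dict(counts)}")
    for name in inconsistent_summaries(reports):
        print(f"WARNING: summary of report {name} does not match its results")
    sys.exit(1 if failing(reports) else 0)
```

Run without input it triages the embedded sample and exits 1 because deployment-3 fails; piped the output of `kubectl get polr -A -o json`, it does the same over the whole cluster. Filtering on `source` matters because a single PolicyReport can hold results from Kyverno policies and ValidatingAdmissionPolicies side by side.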

Last modified April 10, 2025 at 11:48 AM PST: chore: make front matter consistent (e25499e)