Motivation

Policy Reporter was created to make the results of your Kyverno validation policies more visible and observable. By default, Kyverno lets you run your validation policies in audit or enforce mode. While enforce blocks the application of manifests that violate the given policy, audit creates PolicyReports that provide information about all resources that pass or fail your policies. Because PolicyReports are implemented as simple Custom Resource Definitions (CRDs), you can access them with kubectl get/describe.

The disadvantage of these PolicyReports is that the results of a policy can be spread across multiple namespaces, and the passed and failed results of multiple policies are combined into one PolicyReport. This makes it difficult to find all failed results of a single ClusterPolicy. Since a PolicyReport contains all the results of a namespace, it is also difficult to spot new violations caused by new policies or new resources.
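To make the two problems above concrete, here is an added example (not part of Policy Reporter and not code from the project) that parses the JSON returned by kubectl get policyreports -A -o json, collects every failing result across all namespaces, groups it by policy, and diffs it against an earlier snapshot to surface new violations. The PolicyReport objects below are constructed sample data following the wgpolicyk8s.io/v1alpha2 schema; the policy names, namespaces and resource names are assumptions for the example.

```python
"""Aggregate Kyverno PolicyReport results across namespaces (added example)."""
import json
from collections import defaultdict


def _result(policy, rule, outcome, kind, name, namespace=None, message=""):
    """Build one PolicyReport result entry (constructed sample data)."""
    resource = {"apiVersion": "v1", "kind": kind, "name": name}
    if namespace:
        resource["namespace"] = namespace
    return {"policy": policy, "rule": rule, "result": outcome,
            "message": message, "resources": [resource]}


def _report(namespace, results):
    """Build a wgpolicyk8s.io/v1alpha2 PolicyReport as kubectl would print it."""
    summary = defaultdict(int)
    for r in results:
        summary[r["result"]] += 1
    return {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
            "metadata": {"name": f"polr-ns-{namespace}", "namespace": namespace},
            "summary": dict(summary), "results": results}


def _kubectl_list(reports):
    """Wrap reports in the List object that `kubectl get ... -A -o json` returns."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": reports})


# Constructed earlier snapshot: one namespace, one failing Pod.
PREVIOUS = _kubectl_list([
    _report("default", [
        _result("require-run-as-nonroot", "check-containers", "fail",
                "Pod", "nginx", "default", "runAsNonRoot must be set to true"),
        _result("disallow-privileged", "privileged-containers", "pass",
                "Pod", "nginx", "default"),
    ]),
])

# Constructed current snapshot: a second namespace now fails the same policy.
CURRENT = _kubectl_list([
    json.loads(PREVIOUS)["items"][0],
    _report("team-a", [
        _result("require-run-as-nonroot", "check-containers", "fail",
                "Deployment", "api", "team-a", "runAsNonRoot must be set to true"),
        _result("disallow-privileged", "privileged-containers", "pass",
                "Deployment", "api", "team-a"),
    ]),
])


def failed_results(raw_json):
    """Yield (policy, rule, namespace, kind, name, message) for every 'fail'
    result in a kubectl List of PolicyReports, whichever namespace's report
    it appears in."""
    doc = json.loads(raw_json)
    for report in doc.get("items", []):
        report_ns = report.get("metadata", {}).get("namespace", "")
        for res in report.get("results", []):
            if res.get("result") != "fail":
                continue
            # A result may reference several resources; fall back to the
            # report's namespace when the resource entry omits its own.
            for obj in res.get("resources", []) or [{}]:
                ns = obj.get("namespace") or report_ns or "<cluster>"
                yield (res.get("policy", ""), res.get("rule", ""), ns,
                       obj.get("kind", ""), obj.get("name", ""),
                       res.get("message", ""))


def violations_by_policy(raw_json):
    """Group failing resources by policy across all namespaces."""
    grouped = defaultdict(list)
    for policy, _rule, ns, kind, name, _msg in failed_results(raw_json):
        grouped[policy].append(f"{ns}/{kind}/{name}")
    return {p: sorted(v) for p, v in grouped.items()}


def new_violations(previous_json, current_json):
    """Return failures present now that were absent from the earlier snapshot.
    The message is dropped from the key so reworded messages do not count."""
    key = lambda t: t[:5]
    before = {key(t) for t in failed_results(previous_json)}
    return sorted(key(t) for t in failed_results(current_json)
                  if key(t) not in before)


if __name__ == "__main__":
    for policy, resources in violations_by_policy(CURRENT).items():
        print(f"{policy}: {len(resources)} failing resource(s)")
        for r in resources:
            print("  ", r)
    print("new since last snapshot:", new_violations(PREVIOUS, CURRENT))
```

Against a live cluster you would replace the constructed snapshots with the output of kubectl get policyreports -A -o json (and clusterpolicyreports for cluster-scoped resources) and persist the previous snapshot between runs; the diff is what a notification target such as Loki or Slack would otherwise have to be told about per result.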

Policy Reporter helps with these problems by providing different features based on PolicyReports:

  • New violations can be sent to different clients such as Grafana Loki, Elasticsearch, Slack, Discord or MS Teams
  • The optional metrics endpoint can be used to observe violations in monitoring tools like Grafana
  • Policy Reporter also provides a standalone dashboard that gives a graphical, filterable overview of all results, plus an optional Kyverno plugin that adds information about your Kyverno policies.

Use cases

Due to the work of the Kubernetes Policy Working Group and Community, the adoption of the PolicyReport and ClusterPolicyReport CRDs for different apps is increasing. This enables Policy Reporter to be used with other tools such as Kube Bench, Trivy, jsPolicy or Falco.

Screenshots

Policy Reporter UI

Screenshots: Dashboard (light theme), Dashboard (dark theme)

Grafana

Grafana: Policy Report Details

Discord

Discord: Policy Report Alert

Resources

Videos




Blogs