API Reference

Reference of all available HTTP endpoints provided by Policy Reporter.

Core APIs

Healthz API

| Method | API | Description | Codes |
|--------|-----|-------------|-------|
| GET | /healthz | Returns whether the app is healthy and the required Kyverno CRDs are installed (200), or not (503) | 200, 503 |

Example

curl -X GET "http://localhost:8080/healthz"
  • Response 200
{}
  • Response 503
{ "error": "No Kyverno CRDs found" }

Readiness API

| Method | API | Description | Codes |
|--------|-----|-------------|-------|
| GET | /ready | Returns whether the app is up and running | 200 |

Example

curl -X GET "http://localhost:8080/ready"
  • Response 200
{}

CRD APIs

Policies API

| Method | API | Description | Codes |
|--------|-----|-------------|-------|
| GET | /policies | List of all available Policies and ClusterPolicies | 200, 500 |

Example

curl -X GET "http://localhost:8080/policies"
  • Response 200
[
  {
    "kind": "ClusterPolicy",
    "name": "deny-privilege-escalation",
    "autogenControllers": ["DaemonSet", "Deployment", "Job", "StatefulSet", "CronJob"],
    "validationFailureAction": "audit",
    "background": true,
    "rules": [
      {
        "message": "Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation, and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be undefined or set to `false`.",
        "name": "deny-privilege-escalation",
        "type": "validation"
      },
      {
        "message": "Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation, and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be undefined or set to `false`.",
        "name": "autogen-deny-privilege-escalation",
        "type": "validation"
      },
      {
        "message": "Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation, and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be undefined or set to `false`.",
        "name": "autogen-cronjob-deny-privilege-escalation",
        "type": "validation"
      }
    ],
    "category": "Pod Security Standards (Restricted)",
    "description": "Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.",
    "severity": "medium",
    "creationTimestamp": "2021-11-07T18:32:40Z",
    "uid": "7cabc2f3-0e9b-4d1e-a434-a19275a54d29",
    "content": "apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n  annotations:\n    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,CronJob\n    policies.kyverno.io/category: Pod Security Standards (Restricted)\n    policies.kyverno.io/description: Privilege escalation, such as via set-user-ID\n      or set-group-ID file mode, should not be allowed.\n    policies.kyverno.io/severity: medium\n  creationTimestamp: \"2021-11-07T18:32:40Z\"\n  generation: 16\n  labels:\n    app: kyverno\n    app.kubernetes.io/component: kyverno\n    app.kubernetes.io/instance: kyverno-policies\n    app.kubernetes.io/managed-by: Helm\n    app.kubernetes.io/name: kyverno-policies\n    app.kubernetes.io/part-of: kyverno-policies\n    app.kubernetes.io/version: v2.1.3\n    argocd.argoproj.io/instance: kyverno-policies\n    helm.sh/chart: kyverno-policies-v2.1.3\n  name: deny-privilege-escalation\n  resourceVersion: \"1742766\"\n  uid: 7cabc2f3-0e9b-4d1e-a434-a19275a54d29\nspec:\n  background: true\n  failurePolicy: Fail\n  rules:\n  - exclude:\n      resources: {}\n    generate:\n      clone: {}\n    match:\n      resources:\n        kinds:\n        - Pod\n    mutate: {}\n    name: deny-privilege-escalation\n    validate:\n      message: Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,\n        and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be\n        undefined or set to `false`.\n      pattern:\n        spec:\n          =(initContainers):\n          - =(securityContext):\n              =(allowPrivilegeEscalation): \"false\"\n          containers:\n          - =(securityContext):\n              =(allowPrivilegeEscalation): \"false\"\n  - exclude:\n      resources: {}\n    generate:\n      clone: {}\n    match:\n      resources:\n        kinds:\n        - DaemonSet\n        - Deployment\n        - Job\n        - StatefulSet\n    mutate: {}\n    name: autogen-deny-privilege-escalation\n    validate:\n      message: Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,\n        and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be\n        undefined or set to `false`.\n      pattern:\n        spec:\n          template:\n            spec:\n              =(initContainers):\n              - =(securityContext):\n                  =(allowPrivilegeEscalation): \"false\"\n              containers:\n              - =(securityContext):\n                  =(allowPrivilegeEscalation): \"false\"\n  - exclude:\n      resources: {}\n    generate:\n      clone: {}\n    match:\n      resources:\n        kinds:\n        - CronJob\n    mutate: {}\n    name: autogen-cronjob-deny-privilege-escalation\n    validate:\n      message: Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,\n        and spec.initContainers[*].securityContext.allowPrivilegeEscalation must be\n        undefined or set to `false`.\n      pattern:\n        spec:\n          jobTemplate:\n            spec:\n              template:\n                spec:\n                  =(initContainers):\n                  - =(securityContext):\n                      =(allowPrivilegeEscalation): \"false\"\n                  containers:\n                  - =(securityContext):\n                      =(allowPrivilegeEscalation): \"false\"\n  validationFailureAction: audit\n"
  }
]
  • Response 500
{ "message": "Error Message" }

VerifyImage Rules API

| Method | API | Description | Codes |
|--------|-----|-------------|-------|
| GET | /verify-image-rules | List of all verifyImages rules applied to the cluster | 200, 500 |

Example

curl -X GET "http://localhost:8080/verify-image-rules"
  • Response 200
[
  {
    "policy": {
      "name": "check-image",
      "uid": "b623d896-cfdb-4926-86c8-1bddaf93371f"
    },
    "rule": "check-image",
    "repository": "registry.io/signatures",
    "image": "ghcr.io/kyverno/test-verify-image:*",
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
    "attestations": "attestations:\n- conditions:\n  - all:\n    - key: '{{ repo.uri }}'\n      operator: Equals\n      value: https://git-repo.com/org/app\n    - key: '{{ repo.branch }}'\n      operator: Equals\n      value: main\n    - key: '{{ reviewers }}'\n      operator: In\n      value:\n      - ana@example.com\n      - bob@example.com\n  predicateType: https://example.com/CodeReview/v1\n"
  }
]
  • Response 500
{ "message": "Error Message" }
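The /policies and /verify-image-rules responses above are what a posture check would consume: a validation policy with validationFailureAction "audit" only reports violations and never blocks an admission request, and a verifyImages rule with no attestations verifies the signature only. The following script is an added example and not Policy Reporter project code. It assumes the plugin is reachable at http://localhost:8080 without authentication (as in the curl examples) and that the response shapes match the ones documented above; the SAMPLE_* payloads are constructed from those responses, trimmed to the fields the script reads, with a second policy ("require-labels") and a second verify-image rule ("check-base-image") invented to show the enforcing and signature-only cases, so it runs offline.

```python
"""Audit Kyverno policy posture from the plugin's /policies and /verify-image-rules
responses.  Added example, not Policy Reporter project code; BASE_URL and the
SAMPLE_* payloads are assumptions/constructed data (see the lead-in)."""
import base64
import hashlib
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080"  # assumption, matches the curl examples on the page

# Constructed from the documented /policies response; "require-labels" is invented.
SAMPLE_POLICIES = json.loads("""[
  {"kind": "ClusterPolicy", "name": "deny-privilege-escalation",
   "validationFailureAction": "audit", "background": true, "severity": "medium",
   "category": "Pod Security Standards (Restricted)",
   "rules": [{"name": "deny-privilege-escalation", "type": "validation"},
             {"name": "autogen-deny-privilege-escalation", "type": "validation"}]},
  {"kind": "ClusterPolicy", "name": "require-labels",
   "validationFailureAction": "enforce", "background": true, "severity": "low",
   "category": "", "rules": [{"name": "check-labels", "type": "validation"}]}
]""")

# Constructed from the documented /verify-image-rules response; "check-base-image" is invented.
SAMPLE_VERIFY_IMAGE_RULES = json.loads(r"""[
  {"policy": {"name": "check-image", "uid": "b623d896-cfdb-4926-86c8-1bddaf93371f"},
   "rule": "check-image", "repository": "registry.io/signatures",
   "image": "ghcr.io/kyverno/test-verify-image:*",
   "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
   "attestations": "attestations:\n- conditions:\n  - all:\n    - key: '{{ repo.uri }}'\n      operator: Equals\n      value: https://git-repo.com/org/app\n  predicateType: https://example.com/CodeReview/v1\n"},
  {"policy": {"name": "check-image", "uid": "b623d896-cfdb-4926-86c8-1bddaf93371f"},
   "rule": "check-base-image", "repository": "registry.io/signatures",
   "image": "ghcr.io/kyverno/base:*",
   "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
   "attestations": ""}
]""")

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "": 0}


def non_enforcing(policies, min_severity="medium"):
    """Validation policies at or above min_severity that only audit, i.e. would
    not block a non-compliant request.  Returns (kind, name, severity, rule_count)."""
    floor = SEVERITY_RANK[min_severity]
    found = []
    for p in policies:
        if p.get("validationFailureAction", "audit") == "enforce":
            continue
        rules = [r for r in p.get("rules", []) if r.get("type") == "validation"]
        sev = p.get("severity", "")
        if not rules or SEVERITY_RANK.get(sev, 0) < floor:
            continue
        found.append((p["kind"], p["name"], sev, len(rules)))
    return sorted(found, key=lambda t: (-SEVERITY_RANK.get(t[2], 0), t[1]))


# DER prefix of a SubjectPublicKeyInfo for an uncompressed P-256 EC public key.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")


def describe_key(pem):
    """Return (algorithm, sha256 hex of the DER SPKI) so keys can be compared and
    pinned; only the P-256 layout is recognised, anything else reports 'unknown'."""
    body = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    der = base64.b64decode(body)
    alg = "ecdsa-p256" if der.startswith(P256_SPKI_PREFIX) and len(der) == 91 else "unknown"
    return alg, hashlib.sha256(der).hexdigest()


def verify_image_summary(rules):
    """One row per verifyImages rule; signature_only marks rules with no attestations."""
    out = []
    for r in rules:
        alg, fp = describe_key(r["key"])
        out.append({"policy": r["policy"]["name"], "rule": r["rule"], "image": r["image"],
                    "key_alg": alg, "key_sha256": fp,
                    "signature_only": not r.get("attestations", "").strip()})
    return out


def health():
    """GET /healthz: 200 means healthy; 503 carries {"error": ...} (e.g. missing CRDs)."""
    try:
        with urllib.request.urlopen(BASE_URL + "/healthz", timeout=5):
            return True, ""
    except urllib.error.HTTPError as e:
        body = e.read()
        return False, json.loads(body).get("error", "") if body else str(e)
    except urllib.error.URLError as e:
        return False, str(e.reason)


def fetch(path):
    with urllib.request.urlopen(BASE_URL + path, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ok, err = health()
    if ok:
        policies, vrules = fetch("/policies"), fetch("/verify-image-rules")
    else:
        print(f"plugin unavailable ({err}); using constructed samples")
        policies, vrules = SAMPLE_POLICIES, SAMPLE_VERIFY_IMAGE_RULES
    for kind, name, sev, n in non_enforcing(policies):
        print(f"AUDIT-ONLY {kind}/{name} severity={sev} rules={n}")
    for row in verify_image_summary(vrules):
        print(f"{row['policy']}/{row['rule']} {row['image']} {row['key_alg']} "
              f"{row['key_sha256'][:16]} signature_only={row['signature_only']}")
```

Run it against a live plugin to get the real lists, or without one to see the constructed samples; the key fingerprint is the SHA-256 of the DER SubjectPublicKeyInfo, which is what you would record when pinning the signing key across policies.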

Metrics

| Method | API | Description | Codes |
|--------|-----|-------------|-------|
| GET | /metrics | Prometheus metrics API | 200 |

kyverno_policy

Gauge: one series per rule of a Policy or ClusterPolicy. When a policy or rule is deleted, its series is removed from the metrics as well.

| Label | Description |
|-------|-------------|
| background | Background scan enabled or disabled: true / false |
| category | Category of the policy |
| kind | Policy or ClusterPolicy |
| namespace | Namespace of the policy (empty for a ClusterPolicy) |
| policy | Name of the policy |
| rule | Name of the rule within the policy |
| severity | Severity of the policy |
| type | Type of the rule: validation / mutation / generation |
| validationFailureAction | validationFailureAction of the policy: audit / enforce |

Example

curl -X GET "http://localhost:8080/metrics"
  • Response 200
# HELP kyverno_policy List of all Policies
# TYPE kyverno_policy gauge
kyverno_policy{background="true",category="",kind="ClusterPolicy",namespace="",policy="require-ns-labels",rule="check-for-labels-on-namespace",severity="",type="validation",validationFailureAction="audit"} 1
kyverno_policy{background="true",category="Pod Security Standards (Default)",kind="ClusterPolicy",namespace="",policy="disallow-add-capabilities",rule="autogen-capabilities",severity="medium",type="validation",validationFailureAction="audit"} 1
kyverno_policy{background="true",category="Pod Security Standards (Default)",kind="ClusterPolicy",namespace="",policy="disallow-add-capabilities",rule="autogen-cronjob-capabilities",severity="medium",type="validation",validationFailureAction="audit"} 1
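To turn the gauge above into a posture summary without Prometheus in the loop (for example in a CI check that scrapes the plugin directly), the exposition text has to be parsed, including the label-value escapes `\"`, `\\` and `\n` that the text format allows. The parser below is an added example, not Policy Reporter project code; SAMPLE_METRICS is constructed from the three series shown above (with HELP/TYPE named kyverno_policy to match the sample lines) so it runs offline.

```python
"""Parse the kyverno_policy gauge from a /metrics scrape and summarise it.
Added example, not Policy Reporter project code; SAMPLE_METRICS is constructed
from the series shown on the page."""
import re
from collections import Counter

SAMPLE_METRICS = """# HELP kyverno_policy List of all Policies
# TYPE kyverno_policy gauge
kyverno_policy{background="true",category="",kind="ClusterPolicy",namespace="",policy="require-ns-labels",rule="check-for-labels-on-namespace",severity="",type="validation",validationFailureAction="audit"} 1
kyverno_policy{background="true",category="Pod Security Standards (Default)",kind="ClusterPolicy",namespace="",policy="disallow-add-capabilities",rule="autogen-capabilities",severity="medium",type="validation",validationFailureAction="audit"} 1
kyverno_policy{background="true",category="Pod Security Standards (Default)",kind="ClusterPolicy",namespace="",policy="disallow-add-capabilities",rule="autogen-cronjob-capabilities",severity="medium",type="validation",validationFailureAction="audit"} 1
"""

# metric_name{labels} value [timestamp]; labels are matched greedily so a "}"
# inside a quoted label value does not end the label set early.
SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+-?\d+)?$')
# name="value" where value may contain \" \\ and \n escapes
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def unescape(value):
    """Undo the three escapes the Prometheus text format defines for label values."""
    return re.sub(r'\\(["\\n])', lambda m: {'"': '"', '\\': '\\', 'n': '\n'}[m.group(1)], value)


def parse_samples(text, metric="kyverno_policy"):
    """Return [(labels: dict, value: float)] for every sample of `metric`;
    comment lines (# HELP / # TYPE) and other metrics are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m or m.group(1) != metric:
            continue
        labels = {k: unescape(v) for k, v in LABEL_RE.findall(m.group(2) or "")}
        samples.append((labels, float(m.group(3))))
    return samples


def rules_by_action(samples):
    """Rule series per validationFailureAction: how much of the policy set only audits."""
    return Counter(labels.get("validationFailureAction", "") for labels, _ in samples)


def rules_per_policy(samples):
    """Rule series per (kind, namespace, policy)."""
    return Counter((l["kind"], l["namespace"], l["policy"]) for l, _ in samples)


def policies_missing_metadata(samples):
    """Policies with an empty severity or category label; these cannot be
    prioritised or grouped in reports and usually lack the kyverno annotations."""
    return sorted({l["policy"] for l, _ in samples
                   if not l.get("severity") or not l.get("category")})


if __name__ == "__main__":
    samples = parse_samples(SAMPLE_METRICS)
    print("by action:", dict(rules_by_action(samples)))
    print("per policy:", dict(rules_per_policy(samples)))
    print("missing severity/category:", policies_missing_metadata(samples))
```

Once the gauge is in Prometheus the same summaries are one query each, e.g. `count by (validationFailureAction) (kyverno_policy)` or `count by (policy) (kyverno_policy{severity=""})`; the parser is only needed where you scrape the plugin directly.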