Example Scenarios

Follow-along scenarios for creating and viewing your first policy reports.

Example: Trigger a PolicyReport

A PolicyReport is a Namespaced object: Kyverno creates it in the same Namespace as the resource that matched one or more policies. Cluster-scoped resources produce ClusterPolicyReport objects at the cluster level instead.

A single Kyverno ClusterPolicy exists with a single rule which ensures Pods do not consume Secrets through environment variables. Because the policy sets background: true, Kyverno also scans Pods that already exist, so reports are produced for resources created before the policy was installed, not only for new admissions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
```

Creating a Pod in the default Namespace which does not use any Secrets (and therefore does not violate the secrets-not-from-env-vars rule in the ClusterPolicy) generates a PolicyReport for that Pod whose first entry is recorded as a PASS.

```bash
$ kubectl run busybox --image busybox:1.28 -- sleep 9999
pod/busybox created

$ kubectl get po
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          66s

$ kubectl get polr -o wide
NAME                                   KIND   NAME      PASS   FAIL   WARN   ERROR   SKIP   AGE
89044d72-8a1e-4af0-877b-9be727dc3ec4   Pod    busybox   1      0      0      0       0      15s
```

Inspect the PolicyReport in the default Namespace to view its contents. Notice that the rule secrets-not-from-env-vars is listed as having passed.

```bash
$ kubectl get polr 89044d72-8a1e-4af0-877b-9be727dc3ec4 -o yaml

<snipped>
results:
- message: validation rule 'secrets-not-from-env-vars' passed.
  policy: secrets-not-from-env-vars
  result: pass
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666097147
summary:
  error: 0
  fail: 0
  pass: 1
  skip: 0
  warn: 0
```

Create another Pod which violates the rule in the sample policy. Because the policy is written with validationFailureAction: Audit, a resource that violates the rule is still admitted; Kyverno records the violation in a PolicyReport as a FAIL instead of rejecting it. By contrast, with validationFailureAction: Enforce an offending Pod would be rejected at admission time, and since no resource is created there is nothing to report. A Pod that satisfies the rule under Enforce is admitted and still receives a PASS result in its report.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    env:
    - name: SECRET_STUFF
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mysecretname
```

Because the Pod above was admitted even though it violates the rule, a PolicyReport for secret-pod now exists in the default Namespace with a FAIL result. Note that the Secret mysecret does not need to exist for this to happen: admission only evaluates the Pod spec, so the Pod is created (and the report generated) even if the container later fails to start because the Secret is missing.

```bash
$ kubectl get polr -o wide
NAME                                   KIND   NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f   Pod    secret-pod   0      1      0      0       0      15s

$ kubectl get polr 9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f -o yaml

<snipped>
- message: 'validation error: Secrets must be mounted as volumes, not as environment
    variables. rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/'
  policy: secrets-not-from-env-vars
  result: fail
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666098438
summary:
  error: 0
  fail: 1
  pass: 1
  skip: 0
  warn: 0
```
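Once Audit-mode findings start to accumulate across Namespaces, reading them with `kubectl get polr -o yaml` one report at a time does not scale. The script below is an added example, not code from the Kyverno project or from this page: it consumes the JSON that `kubectl get polr -A -o json` prints, flattens every fail, warn and error result together with the resource named in the report's `scope`, and recomputes each report's summary from its individual results so that a summary which disagrees with its results is flagged. The embedded sample data is constructed from the two reports shown above, plus a third hypothetical report (`hypothetical-stale-report` for a Pod called `fixed-pod`, both invented here) whose summary is deliberately wrong so the consistency check has something to catch.

```python
"""Flatten Kyverno PolicyReports (wgpolicyk8s.io/v1alpha2) from kubectl JSON.

Usage: kubectl get polr -A -o json | python3 polr_summary.py
Without piped input the script runs against the constructed sample below.
"""
import json
import sys
from collections import Counter

RESULT_KINDS = ("pass", "fail", "warn", "error", "skip")  # summary field order
ATTENTION = ("fail", "warn", "error")                     # results worth listing

PASS_MSG = "validation rule 'secrets-not-from-env-vars' passed."
FAIL_MSG = ("validation error: Secrets must be mounted as volumes, not as environment variables. "
            "rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/")


def _report(name, pod, result, message, summary):
    """Build one constructed PolicyReport in the per-resource shape shown on this page."""
    return {
        "apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
        "metadata": {"name": name, "namespace": "default"},
        "scope": {"apiVersion": "v1", "kind": "Pod", "name": pod, "namespace": "default"},
        "results": [{"policy": "secrets-not-from-env-vars", "rule": "secrets-not-from-env-vars",
                     "result": result, "scored": True, "source": "kyverno", "message": message}],
        "summary": dict(zip(RESULT_KINDS, summary)),
    }


# Constructed sample (not captured from a cluster), modelled on the reports above.
SAMPLE_POLR_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    _report("89044d72-8a1e-4af0-877b-9be727dc3ec4", "busybox", "pass", PASS_MSG, (1, 0, 0, 0, 0)),
    _report("9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f", "secret-pod", "fail", FAIL_MSG, (0, 1, 0, 0, 0)),
    # Hypothetical report: its only result is a pass, but the summary still claims a fail.
    _report("hypothetical-stale-report", "fixed-pod", "pass", PASS_MSG, (0, 1, 0, 0, 0)),
]})


def load_reports(raw):
    """Accept either a single report or the `kind: List` wrapper that kubectl emits."""
    doc = json.loads(raw)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def scope_ref(report):
    """Kind/namespace/name of the resource the report describes."""
    scope = report.get("scope", {})
    ns = scope.get("namespace") or report["metadata"].get("namespace", "")
    return "%s/%s/%s" % (scope.get("kind", "?"), ns, scope.get("name", "?"))


def recount(report):
    """Recompute the summary block from the individual results."""
    counts = Counter(r.get("result") for r in report.get("results", []))
    return {k: counts.get(k, 0) for k in RESULT_KINDS}


def summary_mismatches(reports):
    """Names of reports whose declared summary disagrees with their own results."""
    bad = []
    for rep in reports:
        declared = {k: int(rep.get("summary", {}).get(k, 0)) for k in RESULT_KINDS}
        if declared != recount(rep):
            bad.append(rep["metadata"]["name"])
    return bad


def failures(reports):
    """One row per fail/warn/error result, keyed by the resource it was raised against."""
    rows = []
    for rep in reports:
        for res in rep.get("results", []):
            if res.get("result") in ATTENTION:
                rows.append({"resource": scope_ref(rep), "policy": res.get("policy", ""),
                             "rule": res.get("rule", ""), "result": res["result"],
                             "message": res.get("message", "")})
    return sorted(rows, key=lambda r: (r["resource"], r["policy"], r["rule"]))


def main():
    raw = SAMPLE_POLR_LIST if sys.stdin.isatty() else sys.stdin.read()
    reports = load_reports(raw)
    rows = failures(reports)
    for row in rows:
        print("%-6s %-32s %s/%s" % (row["result"].upper(), row["resource"], row["policy"], row["rule"]))
        print("       " + row["message"])
    for name in summary_mismatches(reports):
        print("WARN   summary of report %s does not match its results" % name)
    return 1 if rows else 0  # non-zero exit lets a CI step fail on Audit-mode violations


if __name__ == "__main__":
    sys.exit(main())
```

Run against a live cluster with `kubectl get polr -A -o json | python3 polr_summary.py`; the exit status is 1 whenever any report carries a fail, warn or error result, which makes the same script usable as a gate in a pipeline that only runs policies in Audit mode.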

Finally, delete the Pod called secret-pod and confirm that its PolicyReport is removed along with it: the report exists only for as long as the resource it describes.

```bash
$ kubectl delete po secret-pod
pod "secret-pod" deleted

$ kubectl get polr -o wide
NAME   KIND   NAME   PASS   FAIL   WARN   ERROR   SKIP   AGE
```

Last modified December 11, 2023 at 5:06 PM PST: fix: update reports docs (cherry-pick #1045) (#1048) (0d81053)