Example Scenarios

Example: Trigger a PolicyReport

A PolicyReport object (Namespaced) is created in the same Namespace where resources apply to one or more Kyverno policies. Cluster-wide resources will generate ClusterPolicyReport resources at the cluster level.

A single Kyverno ClusterPolicy exists with a single rule which ensures Pods cannot mount Secrets as environment variables.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Secrets must be mounted as volumes, not as environment variables."
      pattern:
        spec:
          containers:
          - name: "*"
            =(env):
            - =(valueFrom):
                X(secretKeyRef): "null"
```
Creating a Pod in this Namespace which does not use any Secrets (and thereby does not violate the secrets-not-from-env-vars rule in the ClusterPolicy) will generate the first entry in the PolicyReport, listed as a PASS.
```sh
$ kubectl run busybox --image busybox:1.28 -- sleep 9999
pod/busybox created

$ kubectl get po
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          66s

$ kubectl get polr -o wide
NAME                                   KIND   NAME      PASS   FAIL   WARN   ERROR   SKIP   AGE
89044d72-8a1e-4af0-877b-9be727dc3ec4   Pod    busybox   1      0      0      0       0      15s
```
Inspect the PolicyReport in the default Namespace to view its contents. Notice that the rule secrets-not-from-env-vars is listed as having passed.
```sh
$ kubectl get polr 89044d72-8a1e-4af0-877b-9be727dc3ec4 -o yaml

<snipped>
results:
- message: validation rule 'secrets-not-from-env-vars' passed.
  policy: secrets-not-from-env-vars
  result: pass
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666097147
summary:
  error: 0
  fail: 0
  pass: 1
  skip: 0
  warn: 0
```
Create another Pod which violates the rule in the sample policy. Because the rule is written with validationFailureAction: Audit, resources which violate the rule are still allowed to be created. When this occurs, another entry is created in the PolicyReport which records this condition as a FAIL. By contrast, with validationFailureAction: Enforce, an attempt to create an offending resource would be blocked immediately and therefore would not generate an entry in the report; a resource that passed would still produce a PASS result in the report.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    env:
    - name: SECRET_STUFF
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mysecretname
```
Since the above Pod spec was allowed and it violated the rule, there should now be a failure entry in the PolicyReport in the default Namespace.
```sh
$ kubectl get polr -o wide
NAME                                   KIND   NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f   Pod    secret-pod   0      1      0      0       0      15s

$ kubectl get polr 9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f -o yaml

<snipped>
- message: 'validation error: Secrets must be mounted as volumes, not as environment
    variables. rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/'
  policy: secrets-not-from-env-vars
  result: fail
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666098438
summary:
  error: 0
  fail: 1
  pass: 1
  skip: 0
  warn: 0
```
Lastly, delete the Pod called secret-pod and check that the PolicyReport object was also deleted.
```sh
$ kubectl delete po secret-pod
pod "secret-pod" deleted

$ kubectl get polr -o wide
NAME   KIND   NAME   PASS   FAIL   WARN   ERROR   SKIP   AGE
```
Note: A namespaced Policy applies only to namespaced resources and only in the Namespace in which they are created. This example would have been exactly the same if we had used a Policy instead of a ClusterPolicy. For a cluster-level resource, a ClusterPolicyReport would have been created at the cluster level instead of a namespaced PolicyReport.
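As an added example (not code from the Kyverno project or from this page), here is a small consumer of PolicyReports of the kind an audit or CI job would run: it loads `kubectl get polr -A -o json` output, recomputes each summary block from its results so a stale summary is caught, lists fail/error results together with the resource they are scoped to, and gates on the outcome. The two sample reports are constructed to mirror the ones shown above; the report names are placeholders and the `scope` field carrying the resource reference is an assumption.

```python
import json
from collections import Counter
RESULT_STATES = ("pass", "fail", "warn", "error", "skip")

def _report(name, kind, res, result, message, summary):
    # Constructed PolicyReport shaped like `kubectl get polr -o json`; names are placeholders
    # and the `scope` field carrying the resource reference is an assumption.
    return {"kind": "PolicyReport", "metadata": {"name": name, "namespace": "default"},
            "scope": {"kind": kind, "name": res}, "summary": summary,
            "results": [{"policy": "secrets-not-from-env-vars", "rule": "secrets-not-from-env-vars",
                         "result": result, "source": "kyverno", "scored": True, "message": message}]}

SAMPLE_POLR_LIST = json.dumps({"kind": "List", "items": [  # mirrors the two reports above
    _report("polr-busybox", "Pod", "busybox", "pass",
            "validation rule 'secrets-not-from-env-vars' passed.",
            {"pass": 1, "fail": 0, "warn": 0, "error": 0, "skip": 0}),
    _report("polr-secret-pod", "Pod", "secret-pod", "fail",
            "validation error: rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/",
            {"pass": 0, "fail": 1, "warn": 0, "error": 0, "skip": 0})]})

def load_reports(raw):
    """Parse kubectl JSON output: either a List of reports or a single report."""
    doc = json.loads(raw)
    return doc["items"] if doc.get("kind") == "List" else [doc]

def recount(report):
    """Recompute per-state counts from results; unknown states are kept so they surface."""
    counts = Counter({s: 0 for s in RESULT_STATES})
    counts.update(r.get("result", "error") for r in report.get("results", []))
    return dict(counts)

def summary_consistent(report):
    """True when the stored summary block agrees with the results it claims to total."""
    summary = report.get("summary", {})
    return all(summary.get(s, 0) == n for s, n in recount(report).items())

def failing_results(reports, states=("fail", "error")):
    """Flatten results in `states`, attaching the scoped resource so each finding is actionable."""
    out = []
    for rep in reports:
        scope, meta = rep.get("scope", {}), rep.get("metadata", {})
        for r in rep.get("results", []):
            if r.get("result") in states:
                out.append({**scope, "namespace": meta.get("namespace", ""), "policy": r.get("policy"),
                            "rule": r.get("rule"), "message": r.get("message", "")})
    return out

def audit_passes(reports):
    """Gate for Audit-mode policies: no fail/error results and every summary matches its results."""
    return not failing_results(reports) and all(summary_consistent(r) for r in reports)
```

Because Audit mode admits violating resources, a check like this is what turns the report into an actionable signal rather than a record nobody reads.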