Policy Reports

Manage policy results.

Kyverno policy reports provide information about policy execution and violations. Kyverno creates policy reports for each namespace and a single cluster-level report for cluster resources.

Kyverno uses the policy report schema published by the Kubernetes Policy WG which proposes a common policy report format across Kubernetes tools.

Note

Policy reports are available in Kyverno 1.3.0+. If you are using an older version you can view policy violations using: kubectl get polv -A

Viewing policy report summaries

You can view a summary of the namespaced policy report using the following command:

kubectl get policyreport -A

Tip

polr is the short name for policyreport.

For example, here are the policy reports for a small test cluster:

λ kubectl get polr -A
NAMESPACE     NAME                  PASS   FAIL   WARN   ERROR   SKIP   AGE
default       polr-ns-default       338    2      0      0       0      28h
flux-system   polr-ns-flux-system   135    5      0      0       0      28h

Similarly, you can view the cluster-wide report using:

kubectl get clusterpolicyreport -A

Tip

cpolr is the short name for clusterpolicyreport.

Viewing policy violations

Since the report provides information on all rule and resource execution, finding policy violations requires an additional filter.

Here is a command to view policy violations for the default namespace:

kubectl describe polr polr-ns-default | grep "Status: \+fail" -B10

Running this in the test cluster shows two containers without runAsNotRoot: true.

λ kubectl describe polr polr-ns-default | grep "Status: \+fail" -B10
  Message:        validation error: Running as root is not allowed. The fields spec.securityContext.runAsNonRoot, spec.containers[*].securityContext.runAsNonRoot, and spec.initContainers[*].securityContext.runAsNonRoot must be `true`. Rule check-containers[0] failed at path /spec/securityContext/runAsNonRoot/. Rule check-containers[1] failed at path /spec/containers/0/securityContext/.
  Policy:         require-run-as-non-root
  Resources:
    API Version:  v1
    Kind:         Pod
    Name:         add-capabilities-init-containers
    Namespace:    default
    UID:          1caec743-faed-4d5a-90f7-5f4630febd58
  Rule:           check-containers
  Scored:         true
  Status:         fail
--
  Message:        validation error: Running as root is not allowed. The fields spec.securityContext.runAsNonRoot, spec.containers[*].securityContext.runAsNonRoot, and spec.initContainers[*].securityContext.runAsNonRoot must be `true`. Rule check-containers[0] failed at path /spec/securityContext/runAsNonRoot/. Rule check-containers[1] failed at path /spec/containers/0/securityContext/.
  Policy:         require-run-as-non-root
  Resources:
    API Version:  v1
    Kind:         Pod
    Name:         sysctls
    Namespace:    default
    UID:          b98bdfb7-10e0-467f-a51c-ac8b75dc2e95
  Rule:           check-containers
  Scored:         true
  Status:         fail

To view all namespaced violations in a cluster use:

kubectl describe polr -A | grep -i "status: \+fail" -B10

Last modified January 7, 2021: fixes (c0a66a3)