Example Scenarios
Example: Trigger a PolicyReport
A PolicyReport object (Namespaced) is created in the same Namespace as the resources that one or more Kyverno policies apply to. Cluster-wide resources generate ClusterPolicyReport resources at the cluster level.
A single Kyverno ClusterPolicy exists with a single rule which ensures Pods cannot mount Secrets as environment variables.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: secrets-not-from-env-vars
spec:
  background: true
  rules:
  - name: secrets-not-from-env-vars
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      failureAction: Audit
      message: 'Secrets must be mounted as volumes, not as environment variables.'
      pattern:
        spec:
          containers:
          - name: '*'
            =(env):
            - =(valueFrom):
                X(secretKeyRef): 'null'
```

Creating a Pod in this Namespace which does not use any Secrets (and thereby does not violate the secrets-not-from-env-vars rule in the ClusterPolicy) will generate the first entry in the PolicyReport, listed as a PASS.
```sh
$ kubectl run busybox --image busybox:1.28 -- sleep 9999
pod/busybox created
```

```sh
$ kubectl get po
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          66s
```

```sh
$ kubectl get polr -o wide
NAME                                   KIND   NAME      PASS   FAIL   WARN   ERROR   SKIP   AGE
89044d72-8a1e-4af0-877b-9be727dc3ec4   Pod    busybox   1      0      0      0       0      15s
```

Inspect the PolicyReport in the default Namespace to view its contents. Notice that the rule secrets-not-from-env-vars is listed as having passed.
```sh
$ kubectl get polr 89044d72-8a1e-4af0-877b-9be727dc3ec4 -o yaml
```

```yaml
<snipped>
results:
- message: validation rule 'secrets-not-from-env-vars' passed.
  policy: secrets-not-from-env-vars
  result: pass
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666097147
summary:
  error: 0
  fail: 0
  pass: 1
  skip: 0
  warn: 0
```

Create another Pod which violates the rule in the sample policy. Because the rule is written with failureAction: Audit, resources which violate the rule are still allowed to be created. When this happens, another entry is added to the PolicyReport which records the condition as a FAIL. By contrast, with failureAction: Enforce, an attempt to create an offending resource would be blocked immediately and therefore would not generate another entry in the report. If the resource passed, however, a PASS result would still be recorded in the report.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-pod
spec:
  containers:
  - name: busybox
    image: busybox:1.28
    env:
    - name: SECRET_STUFF
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: mysecretname
```

Since the above Pod spec was allowed and it violated the rule, there should now be a failure entry in the PolicyReport in the default Namespace.
```sh
$ kubectl get polr -o wide
NAME                                   KIND   NAME         PASS   FAIL   WARN   ERROR   SKIP   AGE
9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f   Pod    secret-pod   0      1      0      0       0      15s
```

```sh
$ kubectl get polr 9eb8c5c0-fe5c-4c7d-96c3-3ff65c361f4f -o yaml
```

```yaml
<snipped>
- message: 'validation error: Secrets must be mounted as volumes, not as environment variables. rule secrets-not-from-env-vars failed at path /spec/containers/0/env/0/valueFrom/secretKeyRef/'
  policy: secrets-not-from-env-vars
  result: fail
  rule: secrets-not-from-env-vars
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1666098438
summary:
  error: 0
  fail: 1
  pass: 1
  skip: 0
  warn: 0
```

Lastly, delete the Pod called secret-pod and check that the PolicyReport object was also deleted.
```sh
$ kubectl delete po secret-pod
pod "secret-pod" deleted
```

```sh
$ kubectl get polr -o wide
NAME   KIND   NAME   PASS   FAIL   WARN   ERROR   SKIP   AGE
```
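To make the pattern semantics of the rule above concrete, here is an added offline re-implementation (example code, not Kyverno's own engine) of the secrets-not-from-env-vars check and of the summary block a PolicyReport carries. The two Pod specs are constructed to mirror the busybox and secret-pod Pods from this walkthrough; the `=()` anchors mean env and valueFrom are optional, while the `X()` anchor means secretKeyRef must not be present when valueFrom is.

```python
from __future__ import annotations
from typing import Any

POLICY = "secrets-not-from-env-vars"
MESSAGE = "Secrets must be mounted as volumes, not as environment variables."

# Constructed sample Pods matching the two Pods used on this page.
BUSYBOX_POD: dict[str, Any] = {
    "kind": "Pod", "metadata": {"name": "busybox"},
    "spec": {"containers": [{"name": "busybox", "image": "busybox:1.28"}]},
}
SECRET_POD: dict[str, Any] = {
    "kind": "Pod", "metadata": {"name": "secret-pod"},
    "spec": {"containers": [{
        "name": "busybox", "image": "busybox:1.28",
        "env": [{"name": "SECRET_STUFF",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "mysecretname"}}}],
    }]},
}


def evaluate(pod: dict[str, Any]) -> dict[str, Any]:
    """Apply the rule's pattern to one Pod and return a PolicyReport-style result.

    =(env) and =(valueFrom) are optional anchors: a container without env, or an
    env entry without valueFrom, matches. X(secretKeyRef): 'null' is a negation
    anchor: a valueFrom that carries secretKeyRef fails the rule, and the report
    message names the JSON path of the offending field.
    """
    for cidx, container in enumerate(pod.get("spec", {}).get("containers", [])):
        for eidx, env in enumerate(container.get("env") or []):
            value_from = env.get("valueFrom")
            if isinstance(value_from, dict) and "secretKeyRef" in value_from:
                path = f"/spec/containers/{cidx}/env/{eidx}/valueFrom/secretKeyRef/"
                return {"policy": POLICY, "rule": POLICY, "result": "fail", "scored": True,
                        "message": f"validation error: {MESSAGE} rule {POLICY} failed at path {path}"}
    return {"policy": POLICY, "rule": POLICY, "result": "pass", "scored": True,
            "message": f"validation rule '{POLICY}' passed."}


def summarize(results: list[dict[str, Any]]) -> dict[str, int]:
    """Build the summary block of a PolicyReport from its results list."""
    summary = {"error": 0, "fail": 0, "pass": 0, "skip": 0, "warn": 0}
    for entry in results:
        summary[entry["result"]] += 1
    return summary


def failing(results: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return only FAIL entries, the ones an Audit-mode policy leaves for review."""
    return [entry for entry in results if entry["result"] == "fail"]
```

Feeding the `results` list of a real report (for example from `kubectl get polr <name> -o json`) into `summarize` and `failing` gives the same counts the `summary` block and the `-o wide` columns show.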