Audit Scanner installation
Beginning with version
v1.7.0, Kubewarden has a new feature called "Audit Scanner".
A new component, called "audit-scanner", constantly checks the resources declared in the
cluster, flagging the ones that do not adhere with the deployed Kubewarden policies.
Policies evolve over the time: new ones are deployed and the existing ones can be updated, both in terms of version and configuration settings. This can lead to situations where resources already inside of the cluster are no longer compliant.
The audit scanner feature provides Kubernetes administrators with a tool to consistently verify the compliance state of their clusters.
The audit scanner component is available since Kubewarden
make sure you are installing the Helm chart with app version
kubewarden-crdsHelm chart. The chart install the needed
PolicyReportCRDs by default.
helm install kubewarden-crds kubewarden/kubewarden-crdscaution
To store the results of policy reports, you need to have the PolicyReport Custom Resource Definitions (CRDs) available. If the necessary PolicyReport CRDs are already in the cluster, you cannot install them using the kubewarden-crds chart. In such case, you can disable the installation of PolicyReport CRDs by setting
falsein the chart. This means that the Kubewarden stack will not manage those CRDs, and the responsibility will be with the administrator.
See more info about the CRDs at the policy work group repository
helm install kubewarden-controller kubewarden/kubewarden-controllernote
The audit scanner is enabled by default. If you want to disable it, set the
For more information about the installation of Kubewarden see the Quick Start guide
By default, the Audit Scanner is implemented as a Cronjob that will be triggered every 60 minutes. You can adjust this and other audit scanner settings by changing the kubewarden-controller chart values.yaml.
See here more information about the Audit Scanner.
Optional: Installation of Policy Reporter UI
kubewarden-controller chart comes with a subchart of the Policy Reporter.
It is disabled by default, and can be enabled by setting
The values of the Policy Reporter subchart are exposed under the
policyReporter key of
This will install only part of the Policy Reporter upstream chart, the UI, which provides a visualization of the PolicyReports and ClusterPolicyReports in cluster. See here more information about the Policy Reporter UI.
By default, the Policy Reporter UI is only exposed as a ClusterIP service with
kubewarden-controller-ui in the namespace where the
kubewarden-controller chart was installed.
Users can provide their own Ingress configuration, or enable an Ingress via the subchart configuration (see the
config of the UI subchart
See this example of an Ingress configuration via the subchart:
policy-reporter: # subchart values settings
- host: "*.local"
- path: /ui
For a quick look or debugging, one can setup a port-forwarding to the service with:
kubectl port-forward service/kubewarden-controller-ui 8082:8080 -n kubewarden
Which will make the Policy Reporter UI available at http://localhost:8082.