Policy Reports
When using the Kubewarden Audit Scanner, the results of the policy scans are stored using the PolicyReport Custom Resource.
Note that the PolicyReport CRDs are under development in the wg-policy Kubernetes group. Therefore, this documentation can be out of date if a new version of the CRDs is released. Check the wg-policy group repository for more information about the CRDs.
These CRDs provide a structured way to store and manage the audit results. Each namespace scanned by the audit scanner will have a dedicated PolicyReport resource defined inside of it. The results for cluster-wide resources are found inside a ClusterPolicyReport object. There is only one ClusterPolicyReport per cluster.
The audit results generated by the scanner include various information, such as the policy that was evaluated, the resource being scanned, the result of the evaluation (pass, fail, or skip), and a timestamp indicating when the evaluation took place. Additionally, you can optionally define severity and category annotations for your policies.
Operators can access the reports via ordinary kubectl commands. They can also leverage the optional UI provided by the policy-reporter open source project for monitoring and observability of the PolicyReport CRDs.
Policy Reporter UI
The Policy Reporter is shipped as a subchart of kubewarden-controller; refer to the Audit Scanner Installation page for more info.
The Policy Reporter UI provides a dashboard showcasing all violations from PolicyReports and the ClusterPolicyReport. See the following example:
In addition, it provides a tab for PolicyReports, and a tab for ClusterPolicyReports, with expanded info. See the following example of the PolicyReport results:
Additional features of Policy Reporter include forwarding of results to different clients (such as Grafana Loki, Elasticsearch, and chat applications), a metrics endpoint, and more. Please refer to the policy-reporter community docs for more info.
Cluster-Wide Audit Results example
In the next example, the audit scanner has evaluated the cap-testing-cap-policy policy on multiple namespaces in the cluster. The results indicate that all the namespaces passed the policy validation. The summary section provides a summary of the audit results, showing there were no errors, failures, or warnings.
apiVersion: wgpolicyk8s.io/v1beta1
kind: ClusterPolicyReport
metadata:
  creationTimestamp: "2023-07-10T19:25:40Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: kubewarden
  ...
results:
- policy: cap-testing-cap-policy
  ...
  resourceSelector: {}
  resources:
  - apiVersion: v1
    kind: Namespace
    name: kube-system
    ...
  result: pass
  rule: testing-cap-policy
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017140
- policy: cap-testing-cap-policy
  ...
  resourceSelector: {}
  resources:
  - apiVersion: v1
    kind: Namespace
    name: default
    ...
  result: pass
  rule: testing-cap-policy
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017140
...
summary:
  error: 0
  fail: 0
  pass: 6
  skip: 0
  warn: 0
Namespace-Specific Audit Results example
In this example, the audit scanner has evaluated multiple policies on resources within the default namespace. The results indicate that some of the resources failed the validation for the cap-no-privilege-escalation policy, while others passed the validation for the cap-do-not-run-as-root policy. The summary section shows a summary of the audit results, indicating the number of failures and passes.
apiVersion: wgpolicyk8s.io/v1beta1
kind: PolicyReport
metadata:
  creationTimestamp: "2023-07-10T19:28:05Z"
  generation: 4
  labels:
    app.kubernetes.io/managed-by: kubewarden
  ...
results:
- message: one of the containers has privilege escalation enabled
  policy: cap-no-privilege-escalation
  ...
  resourceSelector: {}
  resources:
  - apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
    namespace: default
    ...
  result: fail
  rule: no-privilege-escalation
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017383
- policy: cap-do-not-run-as-root
  ...
  resourceSelector: {}
  resources:
  - apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
    namespace: default
    ...
  result: pass
  rule: do-not-run-as-root
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017383
...
summary:
  error: 0
  fail: 8
  pass: 10
  skip: 0
  warn: 0
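Because the reports are ordinary Kubernetes objects, they can be pulled with kubectl and processed outside the cluster, for example to list every failing resource or to check that a report's summary counts agree with its result entries. The following is an added example, not code from Kubewarden or policy-reporter; it assumes the JSON shape that `kubectl get policyreport -o json` returns for the CRD structure shown above and embeds a constructed, trimmed copy of the namespace-specific report.

```python
from collections import Counter

# Constructed sample mirroring the namespace-specific report above, trimmed to
# two results. A real report would come from `kubectl get policyreport -n default -o json`.
SAMPLE_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1beta1",
    "kind": "PolicyReport",
    "metadata": {"namespace": "default"},
    "results": [
        {"policy": "cap-no-privilege-escalation", "rule": "no-privilege-escalation",
         "message": "one of the containers has privilege escalation enabled",
         "result": "fail", "source": "kubewarden",
         "resources": [{"apiVersion": "apps/v1", "kind": "Deployment",
                        "name": "nginx-deployment", "namespace": "default"}]},
        {"policy": "cap-do-not-run-as-root", "rule": "do-not-run-as-root",
         "result": "pass", "source": "kubewarden",
         "resources": [{"apiVersion": "apps/v1", "kind": "Deployment",
                        "name": "nginx-deployment", "namespace": "default"}]},
    ],
    "summary": {"error": 0, "fail": 1, "pass": 1, "skip": 0, "warn": 0},
}

# The five counters the report's .summary carries.
RESULT_KEYS = ("error", "fail", "pass", "skip", "warn")


def recompute_summary(report):
    """Tally the .result value of every entry in .results, using the summary keys."""
    counts = Counter(r.get("result") for r in report.get("results", []))
    return {key: counts.get(key, 0) for key in RESULT_KEYS}


def summary_is_consistent(report):
    """True when the stored .summary equals the tally recomputed from .results."""
    stored = {key: report.get("summary", {}).get(key, 0) for key in RESULT_KEYS}
    return stored == recompute_summary(report)


def failing_results(report):
    """Return (policy, Kind/name, message) for every result that is fail or error."""
    found = []
    for r in report.get("results", []):
        if r.get("result") not in ("fail", "error"):
            continue
        for res in r.get("resources", []):
            found.append((r["policy"], f'{res["kind"]}/{res["name"]}', r.get("message", "")))
    return found


if __name__ == "__main__":
    for policy, target, message in failing_results(SAMPLE_REPORT):
        print(f"{policy} {target}: {message}")
    print("summary consistent:", summary_is_consistent(SAMPLE_REPORT))
```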