
Policy Reports

When using the Kubewarden Audit Scanner, the results of the policy scans are stored using the PolicyReport Custom Resource.

Caution: the PolicyReport CRDs are still under development in the wg-policy Kubernetes group, so this documentation can be out of date if a new version of the CRDs is released.

Check the wg-policy group repository for more information about the CRDs.

These CRDs provide a structured way to store and manage the audit results.

Each namespace scanned by the audit scanner will have a dedicated PolicyReport resource defined inside of it.

The results for cluster-wide resources are found in a ClusterPolicyReport object. There is only one ClusterPolicyReport per cluster.

The audit results generated by the scanner include various information, such as the policy that was evaluated, the resource that was scanned, the result of the evaluation (pass, fail, or skip), and a timestamp indicating when the evaluation took place. Additionally, you can optionally define severity and category annotations for your policies, and these are carried into the results.

Operators can access the reports via ordinary kubectl commands. They can also leverage the optional UI provided by the policy-reporter open source project for monitoring and observability of the PolicyReport CRDs.

Policy Reporter UI

Policy Reporter is shipped as a subchart of kubewarden-controller; refer to the Audit Scanner Installation page for more information.

The Policy Reporter UI provides a dashboard showcasing all violations from PolicyReports and the ClusterPolicyReport. See the following example:

[Figure: Policy Reporter dashboard example]

In addition, it provides a tab for PolicyReports, and a tab for ClusterPolicyReports, with expanded info. See the following example of the PolicyReport results:

[Figure: Policy Reporter PolicyReports example]

Additional features of Policy Reporter include forwarding of results to different clients (such as Grafana Loki, Elasticsearch, and chat applications) and a metrics endpoint. Please refer to the policy-reporter community docs for more information.

Cluster-Wide Audit Results example

In the next example, the audit scanner has evaluated the cap-testing-cap-policy on multiple namespaces in the cluster. The results indicate that all the namespaces passed the policy validation. The summary section aggregates the audit results, showing there were no errors, failures, or warnings.

apiVersion: wgpolicyk8s.io/v1beta1
kind: ClusterPolicyReport
metadata:
  creationTimestamp: "2023-07-10T19:25:40Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: kubewarden
  ...
results:
- policy: cap-testing-cap-policy
  ...
  resourceSelector: {}
  resources:
  - apiVersion: v1
    kind: Namespace
    name: kube-system
  ...
  result: pass
  rule: testing-cap-policy
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017140
- policy: cap-testing-cap-policy
  ...
  resourceSelector: {}
  resources:
  - apiVersion: v1
    kind: Namespace
    name: default
  ...
  result: pass
  rule: testing-cap-policy
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017140
...
summary:
  error: 0
  fail: 0
  pass: 6
  skip: 0
  warn: 0

Namespace-Specific Audit Results example

In this example, the audit scanner has evaluated multiple policies on resources within the default namespace. The results indicate that some of the resources failed validation for the cap-no-privilege-escalation policy, while others passed validation for the cap-do-not-run-as-root policy. The summary section aggregates the audit results, giving the number of failures and passes.

apiVersion: wgpolicyk8s.io/v1beta1
kind: PolicyReport
metadata:
  creationTimestamp: "2023-07-10T19:28:05Z"
  generation: 4
  labels:
    app.kubernetes.io/managed-by: kubewarden
  ...
results:
- message: one of the containers has privilege escalation enabled
  policy: cap-no-privilege-escalation
  ...
  resourceSelector: {}
  resources:
  - apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
    namespace: default
  ...
  result: fail
  rule: no-privilege-escalation
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017383
- policy: cap-do-not-run-as-root
  ...
  resourceSelector: {}
  resources:
  - apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
    namespace: default
  ...
  result: pass
  rule: do-not-run-as-root
  source: kubewarden
  timestamp:
    nanos: 0
    seconds: 1689017383
...
summary:
  error: 0
  fail: 8
  pass: 10
  skip: 0
  warn: 0
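The two reports above share one shape: a list of results (policy, rule, result, optional severity and category, the resources they apply to, a timestamp) plus a summary block. The following is an added example, not code from the Kubewarden project or the wg-policy group, showing how an operator can triage both report kinds programmatically: group failing resources by policy, filter by the optional severity annotation, and check that the summary block agrees with the results actually listed (a mismatch indicates a truncated or hand-edited object). It works on the parsed dict form of a report, such as what `kubectl get policyreport <name> -o json` yields after `json.load()`; the two reports embedded here are constructed from the page's examples, the severity ordering and the severity and category values are assumptions, and the metadata names are placeholders.

```python
"""Triage helpers for PolicyReport / ClusterPolicyReport (wgpolicyk8s.io/v1beta1).

Added example, not part of the Kubewarden project. Operates on the parsed (dict)
form of a report; the sample reports below are constructed inline so it runs offline.
"""
from collections import Counter, defaultdict

# Severity levels, highest first. Assumed ordering for this example.
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")
RESULT_KEYS = ("pass", "fail", "warn", "error", "skip")

# Constructed sample: namespace-scoped report modelled on this page's "default"
# namespace example, trimmed to the fields the helpers read. The severity and
# category values are assumptions (they come from optional policy annotations).
SAMPLE_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1beta1",
    "kind": "PolicyReport",
    "metadata": {"name": "polr-ns-default", "namespace": "default"},  # placeholder name
    "results": [
        {
            "policy": "cap-no-privilege-escalation",
            "rule": "no-privilege-escalation",
            "result": "fail",
            "severity": "high",          # assumed annotation value
            "category": "Pod Security",  # assumed annotation value
            "message": "one of the containers has privilege escalation enabled",
            "resources": [{"apiVersion": "apps/v1", "kind": "Deployment",
                           "name": "nginx-deployment", "namespace": "default"}],
            "source": "kubewarden",
            "timestamp": {"seconds": 1689017383, "nanos": 0},
        },
        {
            "policy": "cap-do-not-run-as-root",
            "rule": "do-not-run-as-root",
            "result": "pass",
            "resources": [{"apiVersion": "apps/v1", "kind": "Deployment",
                           "name": "nginx-deployment", "namespace": "default"}],
            "source": "kubewarden",
            "timestamp": {"seconds": 1689017383, "nanos": 0},
        },
    ],
    "summary": {"error": 0, "fail": 1, "pass": 1, "skip": 0, "warn": 0},
}

# Constructed sample: cluster-wide report modelled on this page's
# ClusterPolicyReport example (cluster-scoped resources carry no namespace).
SAMPLE_CLUSTER_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1beta1",
    "kind": "ClusterPolicyReport",
    "metadata": {"name": "clusterwide"},  # placeholder name
    "results": [
        {"policy": "cap-testing-cap-policy", "rule": "testing-cap-policy",
         "result": "pass", "source": "kubewarden",
         "resources": [{"apiVersion": "v1", "kind": "Namespace", "name": ns}],
         "timestamp": {"seconds": 1689017140, "nanos": 0}}
        for ns in ("kube-system", "default")
    ],
    "summary": {"error": 0, "fail": 0, "pass": 2, "skip": 0, "warn": 0},
}


def resource_ref(res):
    """Render a result's resource as 'apiVersion Kind [namespace/]name'."""
    ns = res.get("namespace")
    name = f"{ns}/{res['name']}" if ns else res["name"]
    return f"{res.get('apiVersion', '')} {res['kind']} {name}".strip()


def recompute_summary(report):
    """Count results by outcome, independently of the report's own summary block."""
    counts = Counter(r.get("result") for r in report.get("results", []))
    return {key: counts.get(key, 0) for key in RESULT_KEYS}


def summary_matches(report):
    """True when the declared summary agrees with the results actually listed."""
    declared = report.get("summary", {})
    return all(declared.get(k, 0) == v for k, v in recompute_summary(report).items())


def failures_by_policy(report, min_severity=None):
    """Map policy name -> list of failing resource refs.

    With min_severity, only results at least that severe are kept. Results that
    carry no severity annotation are always kept, so an unannotated policy is
    never silently filtered out of the triage view."""
    threshold = SEVERITY_ORDER.index(min_severity) if min_severity else None
    failing = defaultdict(list)
    for r in report.get("results", []):
        if r.get("result") != "fail":
            continue
        sev = r.get("severity")
        if threshold is not None and sev in SEVERITY_ORDER \
                and SEVERITY_ORDER.index(sev) > threshold:
            continue
        for res in r.get("resources", []):
            failing[r["policy"]].append(resource_ref(res))
    return dict(failing)


def newest_result_time(report):
    """Epoch seconds of the most recent evaluation in the report (0 if none)."""
    return max((r.get("timestamp", {}).get("seconds", 0)
                for r in report.get("results", [])), default=0)


if __name__ == "__main__":
    for rep in (SAMPLE_REPORT, SAMPLE_CLUSTER_REPORT):
        print(rep["kind"], rep["metadata"]["name"], "summary consistent:", summary_matches(rep))
        for policy, refs in failures_by_policy(rep, min_severity="medium").items():
            print("  FAIL", policy, "->", ", ".join(refs))
```

Comparing the recomputed counts against the summary block is worth doing before acting on a report: the summary is what dashboards display, while the results list is what actually names the non-compliant resources, and the two only agree when the object is complete. The timestamp helper makes it easy to flag a report the scanner has not refreshed since the last run.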