From 0b6e2cac63af2ff5b9457f2818ef2b63b993b7b7 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Fri, 25 Oct 2024 13:50:20 +0530 Subject: [PATCH] feat: add documentation for new reporting configuration changes (#1389) Signed-off-by: Vishal Choudhary Co-authored-by: shuting --- content/en/docs/installation/customization.md | 1 + content/en/docs/policy-reports/_index.md | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md index e1747030f..a610105d6 100644 --- a/content/en/docs/installation/customization.md +++ b/content/en/docs/installation/customization.md @@ -372,6 +372,7 @@ The following flags can be used to control the advanced behavior of the various | `enableConfigMapCaching` (ABR) | true | Enables the ConfigMap caching feature. | | `enableDeferredLoading` (A) | true | Enables deferred (lazy) loading of variables (1.10.1+). Set to `false` to disable deferred loading of variables which was the default behavior in versions < 1.10.0. | | `enablePolicyException` (ABR) | true | Set to `true` to enable the [PolicyException capability](../writing-policies/exceptions.md). | +| `enableReporting` (ABCR) | validate,mutate,mutateExisting,generate,imageVerify | Comma separated list to enables reporting for different rule types. (validate,mutate,mutateExisting,generate,imageVerify) | | `enableTracing` (ABCR) | false | Set to enable exposing traces. | | `enableTuf` (AR) | | Enable tuf for private sigstore deployments. | | `exceptionNamespace` (ABR) | | Set to the name of a Namespace where [PolicyExceptions](../writing-policies/exceptions.md) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If not set, PolicyExceptions from all Namespaces will be considered. Implies the `enablePolicyException` flag is set to `true`. Neither wildcards nor multiple Namespaces are currently accepted. | diff --git a/content/en/docs/policy-reports/_index.md b/content/en/docs/policy-reports/_index.md index 04db46c78..51382bc27 100644 --- a/content/en/docs/policy-reports/_index.md +++ b/content/en/docs/policy-reports/_index.md @@ -5,7 +5,7 @@ description: > weight: 60 --- -Policy reports are Kubernetes Custom Resources, generated and managed automatically by Kyverno, which contain the results of applying matching Kubernetes resources to Kyverno ClusterPolicy or Policy resources. They are created for `validate` and `verifyImages` rules when a resource is matched by one or more rules according to the policy definition. If resources violate multiple rules, there will be multiple entries. When resources are deleted, their entry will be removed from the report. Reports, therefore, always represent the current state of the cluster and do not record historical information. +Policy reports are Kubernetes Custom Resources, generated and managed automatically by Kyverno, which contain the results of applying matching Kubernetes resources to Kyverno ClusterPolicy or Policy resources. They are created for `validate`, `mutate`, `generate` and `verifyImages` rules when a resource is matched by one or more rules according to the policy definition. If resources violate multiple rules, there will be multiple entries. When resources are deleted, their entry will be removed from the report. Reports, therefore, always represent the current state of the cluster and do not record historical information. For example, if a validate policy in `Audit` mode exists containing a single rule which requires that all resources set the label `team` and a user creates a Pod which does not set the `team` label, Kyverno will allow the Pod's creation but record it as a `fail` result in a policy report due to the Pod being in violation of the policy and rule. Policies configured with `spec.validationFailureAction: Enforce` immediately block violating resources and results will only be reported for `pass` evaluations. Policy reports are an ideal way to observe the impact a Kyverno policy may have in a cluster without causing disruption. The insights gained from these policy reports may be used to provide valuable feedback to both users/developers so they may take appropriate action to bring offending resources into alignment, and to policy authors or cluster operators to help them refine policies prior to changing them to `Enforce` mode. Because reports are decoupled from policies, standard Kubernetes RBAC can then be applied to separate those who can see and manipulate policies from those who can view reports. @@ -86,6 +86,10 @@ Policy reports created from background scans are not subject to the configuratio To configure Kyverno to generate reports for Kubernetes ValidatingAdmissionPolicies enable the `--validatingAdmissionPolicyReports` flag in the reports controller. {{% /alert %}} +{{% alert title="Note" color="info" %}} +Reporting can be enabled or disabled for rule types by modifying the value of the flag `--enableReporting=validate,mutate,mutateExisting,generate,imageVerify`. +{{% /alert %}} + ## Report result logic Entries in a policy report contain a `result` field which can be either `pass`, `skip`, `warn`, `error`, or `fail`.