
Question : validationFailureAction and OpenIDConnect #460

Open
jumiring opened this issue Feb 3, 2025 · 13 comments

Comments

@jumiring

jumiring commented Feb 3, 2025

Hi. Have you been well?
I have two questions.

  1. validationFailureAction
    When creating a policy, setting the validationFailureAction option to enforce does not create a report.
    Do you know how to generate a report even if I set it to enforce?

  2. OpenIDConnect
    I want to know if the function I want is theoretically possible.
    Currently, namespace permissions are set for each user in Keycloak (like the screenshot below).

Image

With this setting, other services linked to Keycloak can only access data for namespaces to which users are authorized.
Is this also possible with this policy-reporter-ui service?

@fjogeleit
Member

Hey @jumiring,

  1. This is not directly possible with Kyverno, but the Policy Reporter - Kyverno Plugin provides a feature for this. You can check it out here: https://kyverno.github.io/policy-reporter-docs/plugin-system/kyverno-plugin.html#enforce-violation-policyreports

  2. Unfortunately this is currently not possible. The only workaround would be to create custom boards and make them only available for a user group. You can find details here:

https://kyverno.github.io/policy-reporter-docs/policy-reporter-ui/custom-boards.html
https://kyverno.github.io/policy-reporter-docs/policy-reporter-ui/authentication.html

The schema in your screen would be

{
  "clustername": ["list of namespaces"]
}

correct? You could create a feature request. I can take a look on this when I find some time. I think this could be generic enough to be implemented.

@jumiring
Author

jumiring commented Feb 4, 2025

Thank you for your answer.

  1. I'll try it now.

  2. Schema is right. You got it right.
    { "clustername": ["list of namespaces"] }
    I will explain the current situation (what you told me) to my boss. If it takes a long time, I may not request it.

@jumiring
Author

jumiring commented Feb 4, 2025

I tried number 1, but it didn't work out the way I wanted it to.
Can you check it for me?
This is the test. (Policies that fail to generate pods without the label 'app')

Helm values.yaml
Image

Policy.yaml

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  annotations:
    policies.kyverno.io/category: kyverno
  labels:
    k8slens-edit-resource-version: v1
  name: require-app-label
  namespace: siri-test
spec:
  background: false
  rules:
    - match:
        resources:
          kinds:
            - Pod
      name: require-app-label
      validate:
        allowExistingViolations: true
        message: All Pods must have the 'app' label.
        pattern:
          metadata:
            labels:
              app: '?*'
  validationFailureAction: enforce

Pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: nginx4
  namespace: siri-test
spec:
  containers:
    - image: nginx
      name: nginx
      resources: {}

Events generated by the above policy

apiVersion: v1
kind: Event
metadata:
  name: require-app-label.1820dbc7bafe0196
  namespace: siri-test
  uid: 5c85906d-9e69-4967-ba93-704dc4207faa
  resourceVersion: '79266943'
  creationTimestamp: '2025-02-04T01:05:07Z'
  managedFields:
    - manager: kyverno
      operation: Update
      apiVersion: events.k8s.io/v1
      time: '2025-02-04T01:05:07Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:action: {}
        f:eventTime: {}
        f:note: {}
        f:reason: {}
        f:regarding: {}
        f:related: {}
        f:reportingController: {}
        f:reportingInstance: {}
        f:type: {}
  selfLink: /api/v1/namespaces/siri-test/events/require-app-label.1820dbc7bafe0196
involvedObject:
  kind: Policy
  namespace: siri-test
  name: require-app-label
  uid: 3f59f7ed-1f53-4580-85c5-76a3fec937ff
  apiVersion: kyverno.io/v1
reason: PolicyViolation
message: >-
  Pod siri-test/nginx4: [require-app-label] fail (blocked); validation error:
  All Pods must have the 'app' label. rule require-app-label failed at path
  /metadata/labels/
source: {}
firstTimestamp: null
lastTimestamp: null
type: Warning
eventTime: '2025-02-04T01:05:07.047194Z'
action: Resource Blocked
related:
  kind: Pod
  namespace: siri-test
  name: nginx4
  uid: 69818873-7a71-4448-ac4a-281875efba9f
  apiVersion: v1
reportingComponent: kyverno-admission
reportingInstance: kyverno-admission-kyverno-admission-controller-5fcbd69f8-pc8p7

But the policy report has not been created.

Image

@fjogeleit
Member

fjogeleit commented Feb 4, 2025

In your screenshot blockReports.enabled is false, but it needs to be true.

@jumiring
Author

jumiring commented Feb 4, 2025

ohhh,,,,,
I referred to the official document, and it was false there, so that's what I used. I'll set it to true and test it again.
Image

@fjogeleit
Member

Hm, sorry, then it's an issue in the docs.

@jumiring
Author

jumiring commented Feb 5, 2025

When I set it to true, I confirmed that the report is generated.

But there are two copies of the same menu.
Image
I guess it's different according to validationFailureAction.

Currently, I create resources so that reports are created and I'm inferring the menu structure through the part that changes on the screen.
As a result, it is difficult to organize the menu in the direction our service will operate.
I know that you have already explained the meaning of the 'Other' menu and the category-based menus in the previous issue.
I also want to know about the other structures.
Can you explain the structure of the menu?

@fjogeleit
Member

Can you change the source value from Kyverno to lowercase kyverno? Because the source value is case sensitive, it switched to a multi-source dashboard and split both sources. You might need to delete the created reports from the plugin after this change.
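An added check (not code from the Policy Reporter project) for the condition described above: it scans PolicyReport objects for `source` values that differ only by letter case, which Policy Reporter treats as separate sources and splits into a multi-source dashboard. The report objects are constructed samples shaped like what the plugin and Kyverno write.

```python
"""Find PolicyReport results whose `source` spellings differ only by case."""
from collections import defaultdict

# Constructed sample: two PolicyReport objects (simplified to the fields used).
SAMPLE_REPORTS = [
    {"metadata": {"namespace": "siri-test", "name": "polr-ns-siri-test"},
     "results": [
         {"policy": "require-app-label", "rule": "require-app-label",
          "source": "kyverno", "result": "fail"},
     ]},
    {"metadata": {"namespace": "siri-test", "name": "kyverno-plugin-blocked"},
     "results": [
         {"policy": "require-app-label", "rule": "require-app-label",
          "source": "Kyverno", "result": "fail"},
     ]},
]


def sources_by_case(reports):
    """Map each lowercased source name to the set of spellings actually used."""
    seen = defaultdict(set)
    for report in reports:
        for res in report.get("results", []):
            src = res.get("source", "")
            if src:
                seen[src.lower()].add(src)
    return seen


def find_case_conflicts(reports):
    """Return {canonical: sorted spellings} for sources seen in more than one
    capitalisation. An empty dict means the dashboard will not split."""
    return {k: sorted(v) for k, v in sources_by_case(reports).items() if len(v) > 1}


def reports_with_source(reports, spelling):
    """namespace/name of every report carrying the exact spelling given,
    i.e. the reports to fix or delete so the plugin can recreate them."""
    out = []
    for report in reports:
        if any(r.get("source") == spelling for r in report.get("results", [])):
            md = report["metadata"]
            out.append(f"{md['namespace']}/{md['name']}")
    return out


if __name__ == "__main__":
    for canonical, spellings in find_case_conflicts(SAMPLE_REPORTS).items():
        print(f"source '{canonical}' is spelled {spellings}")
        for sp in spellings:
            if sp != sp.lower():
                print(f"  reports using '{sp}': {reports_with_source(SAMPLE_REPORTS, sp)}")
```

To run it against a live cluster, replace SAMPLE_REPORTS with the `items` list from `kubectl get policyreports -A -o json`.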

@jumiring
Author

jumiring commented Feb 5, 2025

ooooookkkk, I'll try it now!

@jumiring
Author

jumiring commented Feb 5, 2025

I modified the source and it went as I wanted!
Thank you 👍

May I ask you something about the Custom Board as well?
https://kyverno.github.io/policy-reporter-docs/policy-reporter-ui/custom-boards.html
According to the official documentation, the main explanation is about creating custom menus through namespaces. I want to know more diverse methods.

In the explanation about creating menus using 'source', what does 'source' mean?
Image

Is it possible to configure a custom menu using a specific resource?
I want more extensive information.
We are trying to make proper use of your service.

@fjogeleit
Member

fjogeleit commented Feb 5, 2025

Source relates to the source field of Policy Reports; it is basically the engine which creates the Policy Report.

The intention of Custom Boards is a configurable way to define a dashboard with only a subset of the information shown on the global dashboard.

So you can reduce the information to a subset of namespaces by listing all namespaces you want to display or use a namespace label selector instead, for a more dynamic approach.

Sources are only relevant when you use Policy Reporter for multiple tools. E.g. Falco, Trivy and Kyverno. In this scenario you might have a team which is only interested in findings of Kyverno, so you want to create a dashboard which only shows Kyverno results for a subset of namespaces.

Is it possible to configure a custom menu using a specific resource?

Can you give a bit more context to this question? Do you mean if a CRD exists to create a custom board? Or a way to list only specific resources?

@jumiring
Author

jumiring commented Feb 7, 2025

Yes, the latter. For example, configuring a menu to display only Pod resources regardless of the namespace, or filtering all resources based on a specific label. That’s the kind of configuration I’m asking about.

I have another question. I created policies with the same name in different namespaces.
Image

I confirmed that both policies appear in the list as expected. However, when I click on a policy to view its details, the policy name is not displayed. Also, although the policies have the same name, they have different UIDs, meaning they are distinct policies. But on the details page, information from both namespaces is shown.

What I expected was to see only the information related to the namespace each policy belongs to.
Image
Image
Can you provide an answer regarding this issue?

@fjogeleit
Member

To the first question, a Kind/Resource based filter should be possible. A filter based on resource labels is not directly possible. Policy Reporter / UI uses only the available data of the policy reports to filter and display information. It has no access to the real underlying resource and its e.g. labels.

To your issue, can you confirm that the URI of the details page has the same schema as:

http://localhost:3000/#/policies/kyverno/payment%2Frequire-labels -> policies/kyverno/{namespace}%2F{policy-name}

Can you provide your policy resource, so I can try to reproduce?
Do you use RBAC config provided by the Helm Chart or do you configure it yourself?
What Kyverno version are you using?

I tried to reproduce it, but it works at least in my case, so I need to find out what the reason could be.

Are the APIVersions in the resource always empty in your dashboards?
