Installing Policy Reporter

Warning

To use Policy Reporter, install Kyverno or another product that writes its results in the wg-policy-prototypes format (the PolicyReport resource), which is what Policy Reporter reads.
Getting started

To export policy results, set up external storage:

Object Storage

- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Create a service account with the storage.uploader role. You need it to access Object Storage.
- Create a static access key for the service account in JSON format and save it to the sa-key.json file:

  ```bash
  yc iam access-key create \
    --service-account-name=<service_account_name> \
    --format=json > sa-key.json
  ```

  The file contains the secret part of the key, so restrict access to it and keep it out of version control.
- Create a bucket with restricted access in Object Storage.

Data Streams
Installation using Yandex Cloud Marketplace

- Go to the folder page and select Managed Service for Kubernetes.
- Click the name of the Managed Service for Kubernetes cluster and select the Marketplace tab.
- Under Applications available for installation, select Policy Reporter and click Use.
- Configure the application:
  - Namespace: Select or create a namespace for Policy Reporter.
  - Application name: Enter a name for the application.
  - Cluster ID: Select the desired Managed Service for Kubernetes cluster from the list.
  - Install Policy Reporter UI: Enable this option to install the Policy Reporter UI component, which displays results in a graphical view.
  - Export to Object Storage: Enable this option to export results to Object Storage. You also need to fill in the additional fields:
    - Object Storage bucket name: Specify the name of the bucket in Object Storage.
    - Object Storage static access key: Paste the contents of the sa-key.json file or create a new access key for the service account. The service account must have the storage.uploader role.
  - Export to YDS: Enable this option to export results to Data Streams. You also need to fill in the additional fields:
    - Endpoint YDS: Specify the Data Streams stream endpoint.
    - YDS stream name: Specify the Data Streams stream name.
- Click Install.
- Wait for the application status to change to Deployed.
Installation using a Helm chart

- Install Helm v3.7.0 or higher.
- Install kubectl and configure it to work with the created cluster.
- To install a Helm chart with Policy Reporter, run the following command:

  ```bash
  export HELM_EXPERIMENTAL_OCI=1 && \
  helm pull oci://cr.yandex/yc-marketplace/policy-reporter \
    --version 2.13.11 \
    --untar && \
  helm upgrade --install \
    --namespace <namespace> \
    --create-namespace \
    --set clusterId=<cluster_ID> \
    --set ui.enabled=<enable_Policy_Reporter_UI> \
    --set target.s3.enabled=<export_to_Object_Storage> \
    --set target.s3.bucket=<Object_Storage_bucket_name> \
    --set-file serviceaccountawskeyvalue=<path_to_service_account_static_key_file> \
    --set target.kinesis.enabled=<export_to_Data_Streams> \
    --set target.kinesis.endpoint=<Data_Streams_stream_endpoint> \
    --set target.kinesis.streamName=<Data_Streams_stream_name> \
    policy-reporter ./policy-reporter/
  ```

  Where:
  - ui.enabled: Enables the Policy Reporter UI. It may take either the true or false value.
  - target.s3.enabled: Export to Object Storage. It may take either the true or false value.
  - target.kinesis.enabled: Export to Data Streams. It may take either the true or false value.

  The target.s3.bucket and serviceaccountawskeyvalue parameters are only required if export to Object Storage is enabled (target.s3.enabled=true), and the target.kinesis.endpoint and target.kinesis.streamName parameters are only required if export to Data Streams is enabled (target.kinesis.enabled=true).
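The parameter dependencies above (bucket and key file only when target.s3.enabled=true, endpoint and stream name only when target.kinesis.enabled=true) are easy to get wrong in a long command line. The following shell function is an added example, not code from the Yandex Cloud page or from the Policy Reporter chart: it validates those combinations and emits the chart's --set arguments one per line. The PR_* environment variable names and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page): validate the Policy Reporter Helm
# parameters before `helm upgrade --install`, so that an enabled export target with
# a missing bucket, key file, endpoint or stream name is rejected up front instead
# of producing a release that silently exports nothing. Environment variable names
# (PR_*) are hypothetical; the --set keys are the ones documented for the chart.
set -u

is_bool() { case "$1" in true|false) return 0 ;; *) return 1 ;; esac; }

# Print one Helm argument per line on stdout; return 1 on an inconsistent setup.
policy_reporter_helm_args() {
    ui=${PR_UI:-false} s3=${PR_S3:-false} kinesis=${PR_KINESIS:-false}
    [ -n "${PR_NAMESPACE:-}" ] && [ -n "${PR_CLUSTER_ID:-}" ] ||
        { echo "PR_NAMESPACE and PR_CLUSTER_ID are required" >&2; return 1; }
    for v in "$ui" "$s3" "$kinesis"; do
        is_bool "$v" || { echo "flags must be true or false, got '$v'" >&2; return 1; }
    done
    # Object Storage export needs a bucket and a readable static key file.
    if [ "$s3" = true ] && { [ -z "${PR_BUCKET:-}" ] || [ ! -r "${PR_KEYFILE:-}" ]; }; then
        echo "target.s3.enabled=true needs PR_BUCKET and a readable PR_KEYFILE" >&2; return 1
    fi
    # Data Streams export needs an endpoint and a stream name.
    if [ "$kinesis" = true ] && { [ -z "${PR_ENDPOINT:-}" ] || [ -z "${PR_STREAM:-}" ]; }; then
        echo "target.kinesis.enabled=true needs PR_ENDPOINT and PR_STREAM" >&2; return 1
    fi
    # The --flag=value form keeps each argument on a single line.
    printf '%s\n' "--namespace=$PR_NAMESPACE" "--create-namespace" \
        "--set=clusterId=$PR_CLUSTER_ID" "--set=ui.enabled=$ui" \
        "--set=target.s3.enabled=$s3" "--set=target.kinesis.enabled=$kinesis"
    if [ "$s3" = true ]; then
        printf '%s\n' "--set=target.s3.bucket=$PR_BUCKET" \
            "--set-file=serviceaccountawskeyvalue=$PR_KEYFILE"
    fi
    if [ "$kinesis" = true ]; then
        printf '%s\n' "--set=target.kinesis.endpoint=$PR_ENDPOINT" \
            "--set=target.kinesis.streamName=$PR_STREAM"
    fi
}

# Usage after `helm pull ... --untar`, for values without whitespace:
#   helm upgrade --install $(policy_reporter_helm_args) policy-reporter ./policy-reporter/
```

Because the arguments are expanded with word splitting, a key file path containing spaces needs to be quoted by hand rather than passed through the usage line above.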
Testing the app

- Set up the Kyverno & Kyverno Policies app in the Managed Service for Kubernetes cluster and follow this guide to create a test policy.
- Connect to the Policy Reporter UI to analyze and visualize PolicyReports, or make sure that data is received by Object Storage or Data Streams.
Use cases
- Setting up Kyverno & Kyverno Policies
- Signing and verifying Yandex Container Registry Docker images in Managed Service for Kubernetes