Policy Reporter

Kyverno Policy Reporter is designed for working with Kyverno policy results: PolicyReports. It also supports Kube Bench, Trivy, jsPolicy, and Falco. Kyverno Policy Reporter can visualize results in a graphical view. For long-term storage or further uploading to the SIEM system, results can be exported to external storage, such as Yandex Object Storage (S3) or Yandex Data Streams.

To use Kyverno Policy Reporter, install Kyverno or another product that supports writing results to wg-policy-prototypes.

1. To export policy results, set up external storage:

   • Object Storage:

     1. Create a service account with the storage.uploader role required to access Object Storage:

        yc iam service-account create --name <service account name>
        

     2. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

        yc iam access-key create \
           --service-account-name=<service account name> \
           --format=json > sa-key.json
        

     3. Create a bucket in Object Storage.

   • Data Streams:

     Create a data stream.

2. Configure Kyverno Policy Reporter:

   • Namespace: Select a namespace or create a new one.

   • Application name: Enter an application name.

   • Cluster ID: Select a Managed Service for Kubernetes cluster from the list.

   • Install Policy Reporter UI: Enable to install the Policy Reporter UI component for displaying results in a graphical view.

   • Export to Object Storage: Enable to export results to Object Storage. You also need to fill in the additional fields:

     • Object Storage bucket name: Specify the name of the bucket in Object Storage.
     • Object Storage static access key: Copy the contents of the sa-key.json file or create a new access key for the service account. The service account must have the storage.uploader role.

   • Export to Data Streams: Enable to export results to Data Streams. You also need to fill in the additional fields:

     • Stream endpoint: Specify the endpoint of the stream in Data Streams.
     • Stream name: Specify the name of the stream in Data Streams.

3. Click Install.

4. Wait for the application status to change to Deployed.

To check that Kyverno Policy Reporter is working, connect to Policy Reporter UI to analyze and visualize PolicyReports and make sure that data is being received in Object Storage or Data Streams.

• Analyzing and visualizing Policy Reports.
• Auditing Kubernetes security events.

Yandex Cloud technical support is available 24/7 to respond to requests. The types of requests available and their response time depend on your pricing plan. You can enable paid support in the management console. Learn more about requesting technical support.