Giters

fjogeleit / policy-reporter-cli

Policy Reporter CLI

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[WIP] Policy Reporter CLI

Policy Reporter CLI makes it easy to search and filter for PolicyReportResults, generated by tools like Kyverno, in your Kubernetes cluster.

How it works

This CLI interacts with the Policy Reporter REST API via the Kubernetes Port-Forward API. This means it requires Policy Reporter to be installed on your cluster but the API doesn't have to be exposed to the outside world.

Requirements

  • Policy Reporter has to be installed on your cluster with enabled REST API (AppVersion >= v2.4k.1)
  • KubeConfig file with permissions to port-forward to your Policy Reporter Service

Examples

Search namespace scoped PolicyReportResults

asciicast

Search results via interactive selections. It is possible to predefine configurations via flags

CLI example

kubectl polr results search -n default --category 'Pod Security Standards (Restricted)' --result fail --source kyverno

Usage

kubectl polr results search --help             
Search PolicyReportResults

Usage:
  polr results search [flags]

Flags:
  -A, --all-namespaces         If present, search results across all namespaces.
      --category stringArray   Filter PolicyReportResults by category
      --group-by string        Group PolicyReportResults by result, category, resource, none (default "result")
  -h, --help                   help for search
  -k, --kind stringArray       Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
  -n, --namespace string       If present, the namespace scope for this CLI request
  -o, --output string          Output format. One of: yaml|json|wide|go-template|jsonpath
      --result stringArray     Filter PolicyReportResults by result
  -s, --source string          Filter PolicyReportResults by source

List namespace scoped PolicyReportResults

List PolicyReportResults without interactions, use flags to set available filter

kubectl polr results list -n default --category 'Pod Security Standards (Restricted)' --result fail --source kyverno --group-by none

NAMESPACE KIND NAME  POLICY                        RULE                 RESULT
default   Pod  nginx require-run-as-nonroot        run-as-non-root      fail
default   Pod  nginx disallow-privilege-escalation privilege-escalation fail
default   Pod  nginx disallow-capabilities-strict  require-drop-all     fail
default   Pod  nginx restrict-seccomp-strict       check-seccomp-strict fail

Usage

kubectl polr results list --help
List PolicyReportResults

Usage:
  polr results list [flags]

Flags:
  -A, --all-namespaces         If present, search results across all namespaces.
      --category stringArray   Filter PolicyReportResults by category
      --group-by string        Group PolicyReportResults by result, category, resource, none (default "result")
  -h, --help                   help for list
  -k, --kind stringArray       Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
  -n, --namespace string       If present, the namespace scope for this CLI request
  -o, --output string          Output format. One of: yaml|json|wide|go-template|jsonpath
      --result stringArray     Filter PolicyReportResults by result
  -l, --selector string        Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
  -s, --source string          Filter PolicyReportResults by source

Search cluster scoped PolicyReportResults

asciicast

Search results via interactive selections. It is possible to predefine configurations via flags

CLI example

kubectl polr cluster-results search --result fail --source kyverno

Usage

kubectl polr cluster-results search -h                            
Search ClusterPolicyReportResults

Usage:
  polr cluster-results search [flags]

Flags:
      --category stringArray   Filter PolicyReportResults by category
      --group-by string        Group PolicyReportResults by result, category, resource, none (default "result")
  -h, --help                   help for search
  -k, --kind stringArray       Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
  -o, --output string          Output format. One of: yaml|json|wide|go-template|jsonpath
      --result stringArray     Filter PolicyReportResults by result
  -s, --source string          Filter PolicyReportResults by source

List cluster scoped PolicyReportResults

List PolicyReportResults without interactions, use flags to set available filter

kubectl polr cluster-results list --result fail --group-by none

KIND      NAME            POLICY            RULE                          RESULT
Namespace default         require-ns-labels check-for-labels-on-namespace fail
Namespace kube-image      require-ns-labels check-for-labels-on-namespace fail
Namespace policy-reporter require-ns-labels check-for-labels-on-namespace fail
Namespace test            require-ns-labels check-for-labels-on-namespace fail

Usage

kubectl polr cluster-results list -h                              
List ClusterPolicyReportResults

Usage:
  polr cluster-results list [flags]

Flags:
      --category stringArray   Filter PolicyReportResults by category
      --group-by string        Group PolicyReportResults by result, category, resource, none (default "result")
  -h, --help                   help for list
  -k, --kind stringArray       Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
  -o, --output string          Output format. One of: yaml|json|wide|go-template|jsonpath
      --result stringArray     Filter PolicyReportResults by result
  -l, --selector string        Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
  -s, --source string          Filter PolicyReportResults by source

Configuration

By default the CLI trys to connect with the following defaults:

  • ServiceName: policy-reporter
  • Namespace: policy-reporter
  • Port: 8080

This values are the defaults by installing Policy Reporter via Helm. If you have customized values you can change this defaults with env variables:

export POLICY_REPORTER_NAMESPACE="policy-reporter"
export POLICY_REPORTER_SERVICE="policy-reporter"
export POLICY_REPORTER_PORT="8080"

Installation

Pre build binaries are available under Releases for all common operating systems. Move the binary for example under /user/local/bin and rename it to kubectl-polr to use it as kubectl plugin. It also works as standalone CLI as well.

Query information from the kyverno/policy-reporter REST API about (Cluster)PolicyReports

Usage:
  polr [command]

Available Commands:
  cluster-results Interact with the cluster scoped Policy Reporter APIs
  completion      Generate the autocompletion script for the specified shell
  help            Help about any command
  results         Interact with the namespace scoped Policy Reporter APIs
  targets         List configured Policy Reporter Targets
  version         Client version of Policy Reporter CLI

Flags:
  -h, --help   help for pr

Use "polr [command] --help" for more information about a command.

About

Policy Reporter CLI

License:MIT License

Languages

Language:Go 99.4%Language:Makefile 0.6%