Feature request: get results for a specific user policy via CLI
iamraj007 opened this issue
Can we get something like this: a result based on a single CLI command which takes my policy name and shows output for those policies only.
Like the command below:
$ kubectl polr results search --category 'require-read-only-root-filesystem'
Sample policies running as of now, e.g.:
NAMESPACE KIND NAME POLICY RULE RESULT
default Deployment deploynginx restrict-custom-runtime autogen-restrict-seccomp fail
default Deployment deploynginx restrict-default-namespace validate-podcontroller-namespace fail
default Pod deploynginx-xxxxx-n4r2k require-read-only-root-filesystem validate-readOnlyRootFilesystem fail
I have added a flag to filter by policy name. You can filter for one or multiple policy names.
Examples would be:
kubectl polr results list --source kyverno -A --policy disallow-host-ports
and
kubectl polr results search --source kyverno -A --policy disallow-host-ports
It is released as version v0.4.0.
Appreciate your quick response to the feature request, but I see an issue here:
wget policy-reporter-cli_0.4.0_Linux_x86_64.tar.gz (10.6 MB 15 minutes ago )
[ policy-reporterv4]$ ls -l
total 10808
-rw-r--r-- 1 root root 11067138 Sep 5 16:55 policy-reporter-cli_0.4.0_Linux_x86_64.tar.gz
[ policy-reporterv4]$ tar -xvf policy-reporter-cli_0.4.0_Linux_x86_64.tar.gz
LICENSE.md
README.md
polr
[ policy-reporterv4]$ ll
total 43568
-rw-r--r-- 1 dev 121 1071 Sep 5 16:45 LICENSE.md
-rw-r--r-- 1 root root 11067138 Sep 5 16:55 policy-reporter-cli_0.4.0_Linux_x86_64.tar.gz
-rwxr-xr-x 1 dev 121 33533952 Sep 5 16:48 polr
-rw-r--r-- 1 dev 121 7532 Sep 5 16:45 README.md
[ policy-reporterv4]$ ./polr version
Client Version: 0.3.0
$ md5sum polr
c8ab2dd56e5421a15834d2ab6406f57c polr
The version should be 0.4.0?
Was a mistake from my side. Did not bump the version.
So the flag should be available; only the version is wrong. I will fix this.
I released v0.4.1 to sync the version and automate it. Thanks for your request and for trying this tool out. Any feedback is very welcome; let me know if you are missing more features.
Thanks for the awesome addition. 👍
I accept that as a valid fix and addition to code.
One observation though: does the plugin polr get results from live data, like querying the api-server?
Fail Policy Results
NAMESPACE KIND NAME POLICY RULE RESULT
ph Deployment apigateway restrict-custom-runtime autogen-restrict-seccomp fail
ph Pod apigateway-6647cb86dd-ktnnh require-read-only-root-filesystem validate-readOnlyRootFilesystem fail
ph Pod apigateway-6647cb86dd-ktnnh require-run-as-non-root check-containers fail
ph Pod apigateway-6647cb86dd-ktnnh restrict-image-registries validate-registries fail
ph Pod apigateway-6647cb86dd-sgk4s require-read-only-root-filesystem validate-readOnlyRootFilesystem fail
ph Pod apigateway-6647cb86dd-sgk4s require-run-as-non-root check-containers fail
ph Pod apigateway-6647cb86dd-sgk4s restrict-image-registries validate-registries fail
ph Pod apigateway-6647cb86dd-znmfg require-read-only-root-filesystem validate-readOnlyRootFilesystem fail
ph Pod apigateway-6647cb86dd-znmfg require-run-as-non-root check-containers fail
ph Pod apigateway-6647cb86dd-znmfg restrict-image-registries validate-registries fail
As of now there is only one pod with this name in this or all namespaces:
$ kubectl get all -A | grep -i apigateway | grep pod
ph pod/apigateway-6647cb86dd-ktnnh 0/1 Running 1 (3m19s ago) 8m19s
As you can see there are 3 Pods shown there, though only one of them is there now; the other two were deleted with a past deployment.
So as of now the pod ending in -ktnnh is there, but -sgk4s and -znmfg are not there any more (see the output above).
This is just a small question, feel free to ignore it if irrelevant. (The issue stands as closed as of now, thx.)
It is not the same as querying the API Server; the data comes from the REST API of policy-reporter, which reflects the values of your PolicyReports.
So if you delete a resource but your PolicyReports still include results for this resource, it will still be in the output of the CLI.
But after removing a resource, Kyverno should update the PolicyReport in its namespace and remove all results related to this resource as well.
So, can you check if these resources are still part of the PolicyReport in this namespace? If so, you could delete the PolicyReport and Kyverno will recreate it without these resources.
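The two behaviours discussed in this thread, filtering results by policy name (the `--policy` flag) and results for deleted resources lingering in a PolicyReport, can both be checked offline against the report object itself. The script below is an added example and is not code from the policy-reporter project or its CLI; it assumes a PolicyReport in the wgpolicyk8s.io/v1alpha2 shape (`results[]` with `policy`, `rule`, `result` and `resources[]`), and the sample report, the live-resource set and the helper names (`filter_results`, `stale_results`, `format_table`) are constructed for this illustration.

```python
"""Filter PolicyReport results by policy and spot entries for deleted resources.

Added example, not policy-reporter's own code. Operates on a PolicyReport
document in the wgpolicyk8s.io/v1alpha2 shape; all input data is constructed.
"""
from __future__ import annotations

from typing import Iterable


def _result(kind: str, name: str, policy: str, rule: str,
            namespace: str = "ph", result: str = "fail") -> dict:
    """Build one PolicyReport result entry pointing at a single resource."""
    return {"policy": policy, "rule": rule, "result": result, "source": "kyverno",
            "resources": [{"kind": kind, "namespace": namespace, "name": name}]}


# Constructed sample, modelled on the fail results shown in the thread:
# one Deployment and three Pods, two of which no longer exist in the cluster.
_POD_CHECKS = [
    ("require-read-only-root-filesystem", "validate-readOnlyRootFilesystem"),
    ("require-run-as-non-root", "check-containers"),
    ("restrict-image-registries", "validate-registries"),
]
_PODS = ["apigateway-6647cb86dd-ktnnh",
         "apigateway-6647cb86dd-sgk4s",
         "apigateway-6647cb86dd-znmfg"]

SAMPLE_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1alpha2",
    "kind": "PolicyReport",
    "metadata": {"name": "polr-ns-ph", "namespace": "ph"},
    "results": [_result("Deployment", "apigateway",
                        "restrict-custom-runtime", "autogen-restrict-seccomp")]
               + [_result("Pod", pod, policy, rule)
                  for pod in _PODS for policy, rule in _POD_CHECKS],
}

# Constructed view of what `kubectl get` would currently return: (kind, ns, name).
LIVE_RESOURCES = {
    ("Deployment", "ph", "apigateway"),
    ("Pod", "ph", "apigateway-6647cb86dd-ktnnh"),
}


def filter_results(report: dict, policies: Iterable[str] | None = None,
                   results: Iterable[str] | None = None) -> list[dict]:
    """Select results matching any of `policies` (like `--policy`) and,
    optionally, any of the `results` values (e.g. {"fail"})."""
    wanted_policies = set(policies) if policies else None
    wanted_results = set(results) if results else None
    selected = []
    for entry in report.get("results", []):
        if wanted_policies and entry.get("policy") not in wanted_policies:
            continue
        if wanted_results and entry.get("result") not in wanted_results:
            continue
        selected.append(entry)
    return selected


def _resource_keys(entry: dict) -> set[tuple]:
    return {(r.get("kind"), r.get("namespace"), r.get("name"))
            for r in entry.get("resources", [])}


def stale_results(report: dict, live: Iterable[tuple]) -> list[dict]:
    """Results whose referenced resources are all absent from `live`.
    These are the entries that keep showing up in the CLI after a resource is deleted."""
    live_set = set(live)
    return [e for e in report.get("results", []) if not _resource_keys(e) & live_set]


def format_table(results: list[dict]) -> list[str]:
    """Render results as aligned rows in the CLI's column order; one row per resource."""
    header = ["NAMESPACE", "KIND", "NAME", "POLICY", "RULE", "RESULT"]
    rows = [[r.get("namespace", ""), r.get("kind", ""), r.get("name", ""),
             e.get("policy", ""), e.get("rule", ""), e.get("result", "")]
            for e in results for r in e.get("resources", [])]
    widths = [max(len(row[i]) for row in [header] + rows) for i in range(len(header))]
    return [" ".join(cell.ljust(w) for cell, w in zip(row, widths)).rstrip()
            for row in [header] + rows]


if __name__ == "__main__":
    print("Results for --policy require-read-only-root-filesystem:")
    print("\n".join(format_table(
        filter_results(SAMPLE_REPORT, policies=["require-read-only-root-filesystem"]))))
    print("\nResults referring to resources that no longer exist:")
    print("\n".join(format_table(stale_results(SAMPLE_REPORT, LIVE_RESOURCES))))
```

Running the script lists the three `require-read-only-root-filesystem` rows and then the six rows for the two deleted Pods, which is exactly the situation the thread describes: the report, not the API server, is the source of truth, so a result survives until Kyverno rewrites the PolicyReport. Against a real cluster the `LIVE_RESOURCES` set would be built from `kubectl get pods -A -o json` and the report from `kubectl get polr -n <namespace> -o json`.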