Yandex project
© 2025 Yandex.Cloud LLC
Installing Policy Reporter

Written by
Yandex Cloud
Improved by
Dmitry A.
Updated at May 5, 2025

Policy Reporter is designed for working with Kyverno policy results: PolicyReports. It also supports such tools as Falco, jsPolicy, Kube Bench, and Trivy. Policy Reporter provides graphical visualization of results. For long-term storage or further uploading to the SIEM system, results can be exported to external storage, e.g., Yandex Object Storage (S3) or Yandex Data Streams.

Warning

To use Policy Reporter, install Kyverno or another product that supports writing results to wg-policy-prototypes.

Getting started

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  3. To export policy results, set up external storage:

    • Object Storage

      1. Create a service account with the storage.uploader role. You need it to access Object Storage.

      2. Create a static access key for the service account in JSON format and save it to the sa-key.json file:

        yc iam access-key create \
          --service-account-name=<service_account_name> \
          --format=json > sa-key.json
        
      3. Create a bucket with restricted access in Object Storage.

    • Data Streams

      Create a data stream.

Installation using Yandex Cloud Marketplace

  1. Navigate to the folder dashboard and select Managed Service for Kubernetes.
  2. Click the name of the Managed Service for Kubernetes cluster you need and select the Marketplace tab.
  3. Under Application available for installation, select Policy Reporter and click Go to install.
  4. Configure the application:
    • Namespace: Create a new namespace, e.g., policy-reporter-space. If you leave the default namespace, Policy Reporter may work incorrectly.
    • Application name: Specify the application name.
    • Cluster ID: Select the desired Managed Service for Kubernetes cluster from the list.
    • Install Policy Reporter UI: Enable to install the Policy Reporter UI component for displaying results in a graphical view.
    • Export to Object Storage: Enable this option to export results to Object Storage. You also need to fill in the additional fields:
      • Object Storage bucket name: Specify the name of the bucket in Object Storage.
      • Object Storage static access key: Copy the contents of the sa-key.json file or create a new access key for the service account. The service account must have the storage.uploader role.
    • Export to YDS: Enable this option to export results to Data Streams. You also need to fill in the additional fields:
      • Endpoint YDS: Specify the Data Streams stream endpoint.
      • YDS stream name: Specify the Data Streams stream name.
  5. Click Install.
  6. Wait for the application to change its status to Deployed.

Installation using a Helm chart

  1. Install Helm v3.8.0 or higher.

  2. Install kubectl and configure it to work with the new cluster.

  3. To install a Helm chart with Policy Reporter, run the following command, specifying the parameters of the resources you created earlier:

    helm pull oci://cr.yandex/yc-marketplace/policy-reporter \
      --version 2.13.11 \
      --untar && \
    helm upgrade --install \
      --namespace <namespace> \
      --create-namespace \
      --set clusterId=<cluster_ID> \
      --set ui.enabled=<enable_Policy_Reporter_UI> \
      --set target.s3.enabled=<export_to_Object_Storage> \
      --set target.s3.bucket=<Object_Storage_bucket_name> \
      --set-file serviceaccountawskeyvalue=<path_to_static_key_file_of_service_account> \
      --set target.kinesis.enabled=<export_to_Data_Streams> \
      --set target.kinesis.endpoint=<Data_Streams_stream_endpoint> \
      --set target.kinesis.streamName=<Data_Streams_stream_name> \
      policy-reporter ./policy-reporter/
    

    If you set namespace to the default namespace, Policy Reporter may work incorrectly. We recommend that you specify a value different from all existing namespaces (e.g., policy-reporter-space).

    Note

    If you are using a Helm version below 3.8.0, add the export HELM_EXPERIMENTAL_OCI=1 && \ string at the beginning of the command to enable Open Container Initiative (OCI) support in the Helm client.

    Command parameters:

    • ui.enabled: Enabling Policy Reporter UI. The possible values are true or false.
    • target.s3.enabled: Exporting to Object Storage. The possible values are true or false.
    • target.kinesis.enabled: Exporting to Data Streams. The possible values are true or false.

    The target.s3.bucket and serviceaccountawskeyvalue parameters are only required if export to Object Storage is enabled (target.s3.enabled=true). Likewise, the target.kinesis.endpoint and target.kinesis.streamName parameters are only required if export to Data Streams is enabled (target.kinesis.enabled=true).
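
A pre-flight check for the parameter rules above and for the sa-key.json file created in Getting started, as an added example that is not part of the Yandex Cloud documentation: it emits the flags only when every enabled export target has its parameters and the static key file is not readable by group or others. The function names, the environment variable names and the example-bucket value are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the Helm install parameters.
# Function and environment variable names are assumptions of this example.

is_bool() { [ "$1" = true ] || [ "$1" = false ]; }

# True only if the key file exists and grants nothing to group or others.
key_file_is_private() {
  [ -f "$1" ] || return 1
  # Characters 5-10 of the ls mode string are the group/other permission bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the helm flags, one per line. Returns 1 for a non-boolean switch,
# 2 for a missing parameter of an enabled target, 3 for an unsafe key file.
policy_reporter_flags() {
  ui=${UI_ENABLED:-false} s3=${S3_ENABLED:-false} yds=${YDS_ENABLED:-false}
  is_bool "$ui" && is_bool "$s3" && is_bool "$yds" || return 1
  flags="--set ui.enabled=$ui
--set target.s3.enabled=$s3
--set target.kinesis.enabled=$yds"
  if [ "$s3" = true ]; then
    [ -n "${S3_BUCKET:-}" ] || return 2
    key_file_is_private "${SA_KEY_FILE:-}" || return 3
    flags="$flags
--set target.s3.bucket=$S3_BUCKET
--set-file serviceaccountawskeyvalue=$SA_KEY_FILE"
  fi
  if [ "$yds" = true ]; then
    [ -n "${YDS_ENDPOINT:-}" ] && [ -n "${YDS_STREAM:-}" ] || return 2
    flags="$flags
--set target.kinesis.endpoint=$YDS_ENDPOINT
--set target.kinesis.streamName=$YDS_STREAM"
  fi
  printf '%s\n' "$flags"
}

# Demo with constructed values; the key file is an empty placeholder.
(
  key=$(mktemp)   # mktemp creates the file with mode 0600
  S3_ENABLED=true S3_BUCKET=example-bucket SA_KEY_FILE=$key
  policy_reporter_flags || echo "pre-flight check failed: $?" >&2
  rm -f "$key"
)
```

Running chmod 600 sa-key.json right after creating the key makes the file pass this check.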

Testing the app

  1. Set up the Kyverno Application & Kyverno Policies app in the Managed Service for Kubernetes cluster and follow this guide to create a test policy.
  2. Connect to the Policy Reporter UI to analyze and visualize PolicyReports or ensure that data is received by Object Storage or Data Streams.

Use cases

  • Setting up Kyverno & Kyverno Policies
  • Signing and verifying Yandex Container Registry Docker images in Managed Service for Kubernetes

See also

  • Policy Reporter documentation.
  • Example in the Yandex Cloud Solution Library: Analyzing Kubernetes security logs in ELK.
