Policy Reporter CLI makes it easy to search and filter for PolicyReportResults, generated by tools like Kyverno, in your Kubernetes cluster.
This CLI interacts with the Policy Reporter REST API via the Kubernetes Port-Forward API. This means it requires Policy Reporter to be installed on your cluster, but the API doesn't have to be exposed to the outside world.
- Policy Reporter has to be installed on your cluster with the REST API enabled (AppVersion >= v2.4k.1)
- KubeConfig file with permissions to port-forward to your Policy Reporter Service
Search results via interactive selections. It is possible to predefine configurations via flags.
CLI example
kubectl polr results search -n default --category 'Pod Security Standards (Restricted)' --result fail --source kyverno
Usage
kubectl polr results search --help
Search PolicyReportResults
Usage:
polr results search [flags]
Flags:
-A, --all-namespaces If present, search results across all namespaces.
--category stringArray Filter PolicyReportResults by category
--group-by string Group PolicyReportResults by result, category, resource, none (default "result")
-h, --help help for search
-k, --kind stringArray Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
-n, --namespace string If present, the namespace scope for this CLI request
-o, --output string Output format. One of: yaml|json|wide|go-template|jsonpath
--result stringArray Filter PolicyReportResults by result
-s, --source string Filter PolicyReportResults by source
List PolicyReportResults without interaction; use flags to set the available filters.
kubectl polr results list -n default --category 'Pod Security Standards (Restricted)' --result fail --source kyverno --group-by none
NAMESPACE KIND NAME POLICY RULE RESULT
default Pod nginx require-run-as-nonroot run-as-non-root fail
default Pod nginx disallow-privilege-escalation privilege-escalation fail
default Pod nginx disallow-capabilities-strict require-drop-all fail
default Pod nginx restrict-seccomp-strict check-seccomp-strict fail
Usage
kubectl polr results list --help
List PolicyReportResults
Usage:
polr results list [flags]
Flags:
-A, --all-namespaces If present, search results across all namespaces.
--category stringArray Filter PolicyReportResults by category
--group-by string Group PolicyReportResults by result, category, resource, none (default "result")
-h, --help help for list
-k, --kind stringArray Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
-n, --namespace string If present, the namespace scope for this CLI request
-o, --output string Output format. One of: yaml|json|wide|go-template|jsonpath
--result stringArray Filter PolicyReportResults by result
-l, --selector string Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
-s, --source string Filter PolicyReportResults by source
Search results via interactive selections. It is possible to predefine configurations via flags.
CLI example
kubectl polr cluster-results search --result fail --source kyverno
Usage
kubectl polr cluster-results search -h
Search ClusterPolicyReportResults
Usage:
polr cluster-results search [flags]
Flags:
--category stringArray Filter PolicyReportResults by category
--group-by string Group PolicyReportResults by result, category, resource, none (default "result")
-h, --help help for search
-k, --kind stringArray Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
-o, --output string Output format. One of: yaml|json|wide|go-template|jsonpath
--result stringArray Filter PolicyReportResults by result
-s, --source string Filter PolicyReportResults by source
List PolicyReportResults without interaction; use flags to set the available filters.
kubectl polr cluster-results list --result fail --group-by none
KIND NAME POLICY RULE RESULT
Namespace default require-ns-labels check-for-labels-on-namespace fail
Namespace kube-image require-ns-labels check-for-labels-on-namespace fail
Namespace policy-reporter require-ns-labels check-for-labels-on-namespace fail
Namespace test require-ns-labels check-for-labels-on-namespace fail
Usage
kubectl polr cluster-results list -h
List ClusterPolicyReportResults
Usage:
polr cluster-results list [flags]
Flags:
--category stringArray Filter PolicyReportResults by category
--group-by string Group PolicyReportResults by result, category, resource, none (default "result")
-h, --help help for list
-k, --kind stringArray Filter PolicyReportResults by kinds (only fullqualified singular kind names are supported)
-o, --output string Output format. One of: yaml|json|wide|go-template|jsonpath
--result stringArray Filter PolicyReportResults by result
-l, --selector string Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
-s, --source string Filter PolicyReportResults by source
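The table printed by the list commands above can be turned into a pipeline gate. The following is an added example, not part of the Policy Reporter CLI: it counts failing results per policy and returns a non-zero status when any exist. The function names are hypothetical, the sample table is constructed from the output shown above, and it assumes no column value contains whitespace.

```shell
# Added example (not part of the Policy Reporter CLI).
# Real use: kubectl polr results list -A --result fail --group-by none | polr_gate
# Empty input yields no findings, so check the CLI's own exit status separately.

polr_fail_summary() {
  # Columns are located by header name, so the namespaced table and the
  # cluster table (which has no NAMESPACE column) are both handled.
  out=$(awk '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("POLICY" in col) || !("RESULT" in col)) {
        print "polr_fail_summary: unexpected header" > "/dev/stderr"
        bad = 1
        exit
      }
      next
    }
    NF > 0 && $(col["RESULT"]) == "fail" { fails[$(col["POLICY"])]++ }
    END {
      if (bad) exit 2
      for (p in fails) printf "%d %s\n", fails[p], p
    }
  ') || return 2
  # Highest failure count first, ties ordered by policy name.
  [ -z "$out" ] || printf '%s\n' "$out" | sort -k1,1nr -k2,2
}

polr_gate() {
  # 0 = no failing results, 1 = failures found, 2 = table could not be parsed.
  summary=$(polr_fail_summary) || return 2
  [ -n "$summary" ] || return 0
  printf 'failing policies (count policy):\n%s\n' "$summary" >&2
  return 1
}

# Constructed sample input in the format of `results list --group-by none`.
sample_table() {
  cat <<'EOF'
NAMESPACE KIND NAME  POLICY                        RULE                 RESULT
default   Pod  nginx require-run-as-nonroot        run-as-non-root      fail
default   Pod  nginx disallow-privilege-escalation privilege-escalation fail
default   Pod  web   require-run-as-nonroot        run-as-non-root      fail
default   Pod  web   disallow-privilege-escalation privilege-escalation pass
EOF
}
```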
By default, the CLI tries to connect using the following values:
- ServiceName: policy-reporter
- Namespace: policy-reporter
- Port: 8080
These values are the defaults when installing Policy Reporter via Helm. If you have customized values, you can change these defaults with environment variables:
export POLICY_REPORTER_NAMESPACE="policy-reporter"
export POLICY_REPORTER_SERVICE="policy-reporter"
export POLICY_REPORTER_PORT="8080"
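Because the CLI only needs to port-forward to the Policy Reporter Service, the KubeConfig identity can be scoped to that namespace. The following is an added example, not from the Policy Reporter project: it prints a Role and RoleBinding using the same environment variables and defaults as above. The rule set is an assumption that mirrors what a port-forward to a Service typically needs, and the function and object names are hypothetical.

```shell
# Added example (not part of the Policy Reporter project).
# Assumption: the CLI needs the same access as a port-forward to a Service:
# read the Service, find a backing Pod, open the port-forward.
# Apply:  polr_rbac_manifest <user> | kubectl apply -f -
# Verify: kubectl auth can-i create pods/portforward -n <namespace> --as <user>

polr_rbac_manifest() {
  subject="${1:?usage: polr_rbac_manifest <user>}"
  ns="${POLICY_REPORTER_NAMESPACE:-policy-reporter}"
  svc="${POLICY_REPORTER_SERVICE:-policy-reporter}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: polr-port-forward   # hypothetical name
  namespace: ${ns}
rules:
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["${svc}"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Grants forwarding to any pod in this namespace, so keep the namespace
  # dedicated to Policy Reporter.
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: polr-port-forward
  namespace: ${ns}
subjects:
  - kind: User
    name: ${subject}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: polr-port-forward
  apiGroup: rbac.authorization.k8s.io
EOF
}
```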
Prebuilt binaries are available under Releases for all common operating systems. Move the binary, for example, to /usr/local/bin and rename it to kubectl-polr to use it as a kubectl plugin. It also works as a standalone CLI.
Query information from the kyverno/policy-reporter REST API about (Cluster)PolicyReports
Usage:
polr [command]
Available Commands:
cluster-results Interact with the cluster scoped Policy Reporter APIs
completion Generate the autocompletion script for the specified shell
help Help about any command
results Interact with the namespace scoped Policy Reporter APIs
targets List configured Policy Reporter Targets
version Client version of Policy Reporter CLI
Flags:
-h, --help help for pr
Use "polr [command] --help" for more information about a command.