Currently, only Policy Reports (policyreports.wgpolicyk8s.io) are fetched and displayed when view the compliance reports on any resource list view or detail view, which includes the Compliance column for a resource list and the Compliance tab in a resource's detail view. Cluster Policy Reports (clusterpolicyreports.wgpolicyk8s.io) must also be displayed.
To Test
Create a PSA-label-enforcer ClusterAdmissionPolicy
Re-run audit scanner cronjob
Get ClusterPolicyReports with kubectl get clusterpolicyreports.wgpolicyk8s.io -o wide
Check Project/Namespaces list view for Cluster Policy Report summary
Check Namespace resource Compliance tab in the detail view for the Cluster Policy Reports
Namespace compliance tab (should see passing ClusterPolicyReport)
Additional Info
We should differentiate between Policy Reports and Cluster Policy Reports within the Compliance tab, perhaps using the groupBy property of the SortableTable component that is currently used to display the reports.
Related #659
Currently, only Policy Reports (
policyreports.wgpolicyk8s.io) are fetched and displayed when view the compliance reports on any resource list view or detail view, which includes the Compliance column for a resource list and the Compliance tab in a resource's detail view. Cluster Policy Reports (clusterpolicyreports.wgpolicyk8s.io) must also be displayed.To Test
kubectl get clusterpolicyreports.wgpolicyk8s.io -o wideExample psa-label-enforcer policy config
```yaml apiVersion: policies.kubewarden.io/v1 kind: ClusterAdmissionPolicy metadata: name: psa-enforce spec: backgroundAudit: true mode: monitor module: ghcr.io/kubewarden/policies/psa-label-enforcer:v0.1.3 mutating: true policyServer: default rules: - apiGroups: - '' apiVersions: - v1 operations: - CREATE - UPDATE resources: - namespaces settings: modes: audit: restricted audit-version: v1.27 enforce: baseline enforce-version: latest warn: privileged warn-version: v1.25 ```Returned ClusterPolicyReports
```console $ kubectl get clusterpolicyreports.wgpolicyk8s.io -o wide NAME KIND NAME PASS FAIL WARN ERROR SKIP AGE 22d9da2c-fe1b-434a-9394-2092c468a95b Namespace test-ns-2 1 0 0 0 0 20m 24ea3b5d-c73a-49bb-911f-220ef65dd732 Namespace cattle-fleet-system 1 0 0 0 0 20m 4098203d-fb7c-4428-be7b-001e82676699 Namespace kube-public 1 0 0 0 0 20m 45485952-31e8-4ab8-84b7-1f3eaec03ba5 Namespace default 1 0 0 0 0 20m 4bcf33cf-a242-45c2-9a99-9e982e84e539 Namespace cattle-kubewarden-system 1 0 0 0 0 20m 6426df15-7db9-4ad4-a8fd-3cee4c7a33b0 Namespace kube-node-lease 1 0 0 0 0 20m 6b5efb1b-ac0b-4a95-90c2-9a67f9b2e269 Namespace cattle-dashboards 1 0 0 0 0 20m 877005d7-ba5f-4672-8393-315a9975c72d Namespace cert-manager 1 0 0 0 0 20m 9bbdc144-9e37-4be5-acc3-97315c9a2432 Namespace local 1 0 0 0 0 20m a79185dd-f87b-4868-9f74-fa16bfb2219b Namespace kube-system 1 0 0 0 0 20m a8e10a3c-33c8-4196-94ac-ecebff07ff96 Namespace cattle-neuvector-system 1 0 0 0 0 20m b6a3b5a1-09d0-4b89-913e-8abd3a9d7f76 Namespace test-ns 1 0 0 0 0 20m ccfe3c0b-73ec-4979-9713-029b1fab42f5 Namespace cattle-impersonation-system 1 0 0 0 0 20m cfcd88e2-88a7-4901-b222-c4c0cc8b4ce9 Namespace test-ns-3 1 0 0 0 0 20m e80f72f0-a309-4c69-8e4a-961aa9106786 Namespace cattle-system 1 0 0 0 0 20m f54e200d-a419-4642-afbd-40a79ab12a13 Namespace kyverno 1 0 0 0 0 20m ```Project/Namespaces list view
Namespace compliance tab (should see passing ClusterPolicyReport)
Additional Info
We should differentiate between Policy Reports and Cluster Policy Reports within the Compliance tab, perhaps using the
groupByproperty of theSortableTablecomponent that is currently used to display the reports.