Policy Reporter

A Kyverno policy compliance dashboard for Kubernetes.

Policy Reporter is a tool that reads Kubernetes PolicyReport and ClusterPolicyReport resources (generated by Kyverno) and provides a web UI dashboard and metrics for visualizing policy compliance across the cluster. Self-hosting this alongside Kyverno gives visibility into which workloads violate policies without external tooling.

Alternatives considered

Self Hosted

| Tool | Open Source | Full Features | Notes |
| --- | --- | --- | --- |
| OPA/Gatekeeper | Yes | Yes | OPA-based policies instead of Kyverno |

Installation

Architecture

  • HelmRelease: Deployed via the policy-reporter Helm chart with UI and Kyverno plugin enabled
  • Config: ui.enabled: true, plugin.kyverno.enabled: true, metrics.enabled: true in ConfigMap values
  • Networking: HTTPRoute to internal gateway; no public exposure
  • Storage: No persistent storage — reads live from the Kubernetes API

Security

No container-level securityContext is visible in the kustomize output; it is left to the Helm chart defaults. A SOPS-encrypted tofu-encryption secret is present in the namespace.
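Because the rendered output shows no container-level securityContext, a practitioner will want a quick way to confirm what the chart defaults actually produce. The following is an added example, not code from this repo or from the Policy Reporter Helm chart: it walks a list of Kubernetes objects shaped like `kustomize build` output and reports each container whose securityContext is missing or leaves a risky field unset. The Deployment and ConfigMap it inspects are constructed sample input, not the chart's manifests.

```python
"""Flag containers that lack a hardened securityContext in rendered manifests.

Added example, not part of this repo or the Policy Reporter Helm chart. It
walks a list of Kubernetes objects shaped like `kustomize build` output and
reports each container whose securityContext is missing or leaves a risky
field unset. The objects below are constructed sample input, not the chart.
"""

# Workload kinds that carry a pod template (CronJob is handled separately).
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Constructed sample: one container hardened, one with no securityContext at all.
SAMPLE_OBJECTS = [
    {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "sample-web", "namespace": "demo"},
        "spec": {"template": {"spec": {
            "securityContext": {"runAsNonRoot": True},   # pod-level default
            "containers": [
                {"name": "web", "image": "example/web:1.0",
                 "securityContext": {"allowPrivilegeEscalation": False,
                                     "readOnlyRootFilesystem": True,
                                     "capabilities": {"drop": ["ALL"]}}},
                {"name": "sidecar", "image": "example/sidecar:1.0"},
            ],
        }}},
    },
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "values", "namespace": "demo"}, "data": {}},
]


def pod_spec(obj):
    """Return the pod spec for a workload object, or None for other kinds."""
    kind = obj.get("kind")
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return obj["spec"]["template"]["spec"]
    if kind == "Pod":
        return obj["spec"]
    return None


def container_findings(obj):
    """List (container_name, issue) pairs for one workload object."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext")
        if sc is None:
            findings.append((name, "securityContext missing"))
            sc = {}
        if sc.get("privileged"):
            findings.append((name, "privileged: true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation not false"))
        # runAsNonRoot is inherited from the pod securityContext when unset.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "runAsNonRoot not true"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "readOnlyRootFilesystem not true"))
        drops = {d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])}
        if "ALL" not in drops:
            findings.append((name, "capabilities.drop lacks ALL"))
    return findings


def audit(objects):
    """Map 'kind/namespace/name' -> findings for every workload in the list."""
    report = {}
    for obj in objects:
        if pod_spec(obj) is None:
            continue
        meta = obj.get("metadata", {})
        key = f"{obj['kind']}/{meta.get('namespace', '-')}/{meta.get('name')}"
        report[key] = container_findings(obj)
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_OBJECTS).items():
        print(key)
        for name, issue in findings or [("-", "ok")]:
            print(f"  {name}: {issue}")
```

To run it against the real chart output, load the documents from `kustomize build` (for example with PyYAML's `safe_load_all`) and pass the resulting list to `audit`; the checks mirror the restricted Pod Security fields Kyverno's pod-security policies commonly enforce, so a finding here is usually the same thing the dashboard will later show as a fail.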

Updates

Managed by Renovate.

Data Management

No persistent data. All data is read live from Kubernetes PolicyReport and ClusterPolicyReport resources. No backup needed.

User Management

No OIDC configured. Access restricted to internal network via HTTPRoute.

Configuration Management

  • Helm chart values in ConfigMap (UI, Kyverno plugin, and metrics settings)
  • tofu-encryption secret from SOPS-encrypted source

Administration

Usage

Access the web UI to view policy compliance reports across namespaces. Filter by policy, resource, or result status (pass/fail/warn). Metrics are scraped by the monitoring stack for alerting on policy violations. The Kyverno plugin provides additional report enrichment.
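The dashboard's filters operate on the PolicyReport and ClusterPolicyReport objects Kyverno writes. As an added example (not Policy Reporter's own code and not from this repo), the following Python applies the same policy, resource and result-status filtering to two constructed report objects shaped like the wgpolicyk8s.io/v1alpha2 API returns them, and derives the kind of "failing resources at or above a severity" list that a monitoring alert would be built on. The policy names, severities and resource names in the sample are invented for the example.

```python
"""Summarize Kyverno PolicyReport / ClusterPolicyReport results offline.

Added example, not Policy Reporter's own code. It applies the dashboard's
policy / resource / result-status filters to report objects shaped like the
wgpolicyk8s.io/v1alpha2 API returns them. The two reports below are
constructed sample data, not output from a cluster.
"""
from collections import Counter, defaultdict

# Constructed sample: one namespaced PolicyReport and one ClusterPolicyReport.
SAMPLE_REPORTS = [
    {
        "apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
        "metadata": {"name": "polr-ns-media", "namespace": "media"},
        "summary": {"pass": 2, "fail": 1, "warn": 1, "error": 0, "skip": 0},
        "results": [
            {"policy": "require-run-as-nonroot", "result": "fail", "severity": "medium",
             "resources": [{"kind": "Deployment", "name": "jellyfin", "namespace": "media"}]},
            {"policy": "require-run-as-nonroot", "result": "pass", "severity": "medium",
             "resources": [{"kind": "Deployment", "name": "sonarr", "namespace": "media"}]},
            {"policy": "disallow-latest-tag", "result": "warn", "severity": "low",
             "resources": [{"kind": "Deployment", "name": "jellyfin", "namespace": "media"}]},
            {"policy": "disallow-latest-tag", "result": "pass", "severity": "low",
             "resources": [{"kind": "Deployment", "name": "sonarr", "namespace": "media"}]},
        ],
    },
    {
        "apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "ClusterPolicyReport",
        "metadata": {"name": "clusterpolicyreport"},
        "summary": {"pass": 1, "fail": 1, "warn": 0, "error": 0, "skip": 0},
        "results": [
            {"policy": "restrict-namespaces", "result": "fail", "severity": "high",
             "resources": [{"kind": "Namespace", "name": "default"}]},
            {"policy": "restrict-namespaces", "result": "pass", "severity": "high",
             "resources": [{"kind": "Namespace", "name": "media"}]},
        ],
    },
]

# Kyverno's severity scale, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def iter_results(reports):
    """Yield (scope, result) for every entry; cluster-scoped reports get '<cluster>'."""
    for report in reports:
        scope = report["metadata"].get("namespace", "<cluster>")
        for result in report.get("results", []):
            yield scope, result


def summarize_by_scope(reports):
    """Count pass/fail/warn/error/skip per namespace from the results themselves."""
    counts = defaultdict(Counter)
    for scope, result in iter_results(reports):
        counts[scope][result["result"]] += 1
    return {scope: dict(c) for scope, c in counts.items()}


def filter_results(reports, status=None, policy=None, resource_kind=None):
    """The dashboard's filters: by result status, by policy, by resource kind."""
    out = []
    for scope, result in iter_results(reports):
        if status and result["result"] != status:
            continue
        if policy and result["policy"] != policy:
            continue
        if resource_kind and not any(
            r.get("kind") == resource_kind for r in result.get("resources", [])
        ):
            continue
        out.append({"scope": scope, **result})
    return out


def failing_resources(reports, min_severity="medium"):
    """'kind/namespace/name' for every fail at or above min_severity (alert input)."""
    threshold = SEVERITY_RANK[min_severity]
    hits = set()
    for _, result in iter_results(reports):
        if result["result"] != "fail":
            continue
        if SEVERITY_RANK.get(result.get("severity", "info"), 0) < threshold:
            continue
        for res in result.get("resources", []):
            hits.add(f"{res['kind']}/{res.get('namespace', '-')}/{res['name']}")
    return sorted(hits)


def summaries_consistent(reports):
    """True when each report's summary block matches its results list."""
    for report in reports:
        actual = Counter(r["result"] for r in report.get("results", []))
        for status, n in report.get("summary", {}).items():
            if actual.get(status, 0) != n:
                return False
    return True


if __name__ == "__main__":
    for scope, counts in sorted(summarize_by_scope(SAMPLE_REPORTS).items()):
        print(f"{scope:12} {counts}")
    print("failing (>= medium):", failing_resources(SAMPLE_REPORTS))
    print("summary blocks consistent:", summaries_consistent(SAMPLE_REPORTS))
```

The `summaries_consistent` check is worth keeping in any such script: the `summary` block is what most metrics and dashboards count, so a mismatch with the `results` list is the first thing to look at when the UI and an alert disagree.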

Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/policy-reporter/README.md.

Cluster Deployment

Depends on

Policy Reporter — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/policy-reporter.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/apps/policy-reporter.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata
Rendered manifests (kustomize build)
```yaml
apiVersion: v1
data:
  values.yaml: |
    ui:
      enabled: true

    plugin:
      kyverno:
        enabled: true

    metrics:
      enabled: true
kind: ConfigMap
metadata:
  name: policy-reporter-values-4f5chdkmc8
  namespace: policy-reporter
```