# [Public] Structured Kyverno Events
## List of scenarios that generate events
An event is created in the following scenarios:
1. when a generate policy fails to apply (for example, Kyverno fails to fetch the policy or UpdateRequest (UR), cannot load context, etc.), **source: kyverno-generate**
2. when a mutate existing policy applies, **source: kyverno-mutate**
3. when a policy gets reconciled in the background by the reports controller (failure only), **source: kyverno-scan**
    a. an event is created for the policy
    b. an event is created for the failing resource
4. or, following on from 3, when an exception applies in the background, **source: kyverno-scan**
    a. one event is added for the policy
    b. the other one is added for the policy exception
5. when an imageVerification policy applies, **source: kyverno-admission**
    a. when a resource passes, an event is associated with the policy
    b. when a resource fails, an event is associated with the Pod
6. when a mutate policy applies, **source: kyverno-admission**
7. when the admission controller fails to create a UR, **source: kyverno-generate**
    a. failure to create the UR upon the trigger's operation
    b. failure to create the UR upon a non-trigger's operation
8. when a validate policy applies, **source: kyverno-admission**
    a. policy violation and the resource is blocked, an event is created for the policy
    b. policy violation and the resource is NOT blocked, an event is created for the policy
    c. policy violation and the resource is NOT blocked, an event is created for the resource
    d. a policy is skipped due to a policy exception, and the resource is not blocked, an event is created on the policy exception
    e. a policy is skipped due to a policy exception, and the resource is not blocked, an event is created on the policy
    f. a policy applied event is created for the policy when a resource passes
9. when a cleanup policy applies, whether it fails or succeeds, **source: kyverno-cleanup**
    a. when the policy applies, an event with type Normal and reason PolicyApplied is created on the policy
    b. when the policy fails to apply, an event with type Warning and reason PolicyError is created
## Existing Events References
1. *Generate Policy fails to apply*
```yaml=
apiVersion: v1
count: 25
eventTime: null
firstTimestamp: "2023-06-05T12:41:40Z"
involvedObject:
  apiVersion: v1
  kind: Namespace
  name: jabby
  resourceVersion: "1302796"
  uid: 39ca92fa-c993-45e8-989a-bdb3a71cfcf7
kind: Event
lastTimestamp: "2023-06-05T12:42:06Z"
message: 'policy sync-secrets/ error: failed to resolve myfoo.data.foo at path /generate/namespace:
  failed to retrieve config map for context entry myfoo: failed to get configmap default/asdf
  : configmaps "asdf" not found'
metadata:
  creationTimestamp: "2023-06-05T12:41:40Z"
  name: jabby.1765c3c83e0c712c
  namespace: default
  resourceVersion: "1303009"
  uid: cbeb2dba-2b13-4b63-bc50-636ad148c87d
reason: PolicyError
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-generate
type: Warning
```
2. *Mutate Existing Policies*
Implementation: https://github.com/kyverno/kyverno/blob/863ed5c384ea3914ffd9551b77d97d51b819bccd/pkg/event/events.go#L107-L124
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T07:41:33Z"
involvedObject:
  apiVersion: v1
  kind: Secret
  name: secret-1
  namespace: staging
  resourceVersion: "6985"
  uid: 7ccaf08e-4c8b-4bec-9391-388f9a8b633a
kind: Event
lastTimestamp: "2023-06-06T07:41:33Z"
message: policy mutate-existing-secret/mutate-secret-on-configmap-event applied
metadata:
  creationTimestamp: "2023-06-06T07:41:33Z"
  name: secret-1.176601fc6270224b
  namespace: staging
  resourceVersion: "6987"
  uid: 7700b175-137b-40e8-877b-49a119659459
reason: PolicyApplied
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-mutate
type: Normal
```
3a. Event on a ClusterPolicy when applying to a cluster in Enforce and background enabled and an existing resource violates a rule in the policy.
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T12:46:45Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: require-labels
  resourceVersion: "1455985"
  uid: f630d8dc-cd22-4d27-97ef-dbefa36ef6ca
kind: Event
lastTimestamp: "2023-06-06T12:46:45Z"
message: 'ConfigMap kube-system/extension-apiserver-authentication: [check-for-labels]
  fail; validation error: The label `team` is required. rule check-for-labels failed
  at path /metadata/labels/'
metadata:
  creationTimestamp: "2023-06-06T12:46:45Z"
  name: require-labels.176612a3f599e430
  namespace: default
  resourceVersion: "1455988"
  uid: 2d061131-f8f7-46aa-9e3a-d455792aac4c
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-scan
type: Warning
```
3b. Event on a violating (existing) resource when applying a ClusterPolicy in Enforce and background enabled.
```yaml=
apiVersion: v1
count: 6
eventTime: null
firstTimestamp: "2023-06-05T21:46:22Z"
involvedObject:
  apiVersion: v1
  kind: ConfigMap
  name: extension-apiserver-authentication
  namespace: kube-system
  resourceVersion: "25"
  uid: 725fb208-7b49-4e42-b44e-65ded5c2bac6
kind: Event
lastTimestamp: "2023-06-06T12:46:45Z"
message: 'policy require-labels/check-for-labels fail: validation error: The label
  `team` is required. rule check-for-labels failed at path /metadata/labels/'
metadata:
  creationTimestamp: "2023-06-06T12:46:45Z"
  name: extension-apiserver-authentication.1765e181bc8b9d1c
  namespace: kube-system
  resourceVersion: "1455991"
  uid: ea0a51db-a486-4363-b46e-4ad48cc782a9
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-scan
type: Warning
```
4a. when an exception applies in the background, on the policy itself
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-08T15:02:43Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: require-labels
  resourceVersion: "1902212"
  uid: bb4e6303-8d33-498b-8449-7f810d8647d4
kind: Event
lastTimestamp: "2023-06-08T15:02:43Z"
message: resource ConfigMap/default/chiptesting was skipped from rule check-for-labels
  due to policy exception default/eventpolex
metadata:
  creationTimestamp: "2023-06-08T15:02:43Z"
  name: require-labels.1766b73861c83a4c
  namespace: default
  resourceVersion: "1902361"
  uid: df7a429d-08ca-485b-91bc-b0b46eb74794
reason: PolicySkipped
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-scan
type: Normal
```
4b. when an exception applies in the background, on the policy exception
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-08T15:02:43Z"
involvedObject:
  apiVersion: kyverno.io/v2alpha1
  kind: PolicyException
  name: eventpolex
  namespace: default
  resourceVersion: "1902305"
  uid: a9d8c6ed-62ff-4675-b7d3-585daee45a32
kind: Event
lastTimestamp: "2023-06-08T15:02:43Z"
message: resource ConfigMap/default/chiptesting was skipped from policy rule require-labels/check-for-labels
metadata:
  creationTimestamp: "2023-06-08T15:02:43Z"
  name: eventpolex.1766b73862424864
  namespace: default
  resourceVersion: "1902362"
  uid: e8762ecf-e76a-4c49-95da-4aebc4aa7c1b
reason: PolicySkipped
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-scan
type: Normal
```
5a. when a verifyImages policy applies, an event is associated with the policy
```yaml=
apiVersion: v1
count: 2
eventTime: null
firstTimestamp: "2023-06-08T15:08:52Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: keyless-mutatedigest-verifydigest-required
  resourceVersion: "1903231"
  uid: 783b0761-1ec5-47a1-aeac-a90f733169c6
kind: Event
lastTimestamp: "2023-06-08T15:08:52Z"
message: 'Pod default/zulu: pass'
metadata:
  creationTimestamp: "2023-06-08T15:08:52Z"
  name: keyless-mutatedigest-verifydigest-required.1766b78e6bd65cfc
  namespace: default
  resourceVersion: "1903283"
  uid: b525f508-fd27-4164-a1f7-92a2499353be
reason: PolicyApplied
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Normal
```
5b. when a verifyImages policy applies and fails for a resource, an event is associated with the resource
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-08T15:11:17Z"
involvedObject:
  apiVersion: v1
  kind: Pod
  name: zulu
  namespace: default
  resourceVersion: "1903748"
  uid: 0d3b93c3-f4e7-4037-aec1-6bbe88e0c3d7
kind: Event
lastTimestamp: "2023-06-08T15:11:17Z"
message: 'policy keyless-mutatedigest-verifydigest-required/check-builder-id-keyless
  fail: missing digest for ghcr.io/chipzoller/zulu:v0.0.14'
metadata:
  creationTimestamp: "2023-06-08T15:11:17Z"
  name: zulu.1766b7b02c748b5c
  namespace: default
  resourceVersion: "1903752"
  uid: 7370b552-020f-45ca-83ff-3d9a7a7a7bc0
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Warning
```
6. when a mutation policy applies to a resource, an event is associated with the policy
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-11T13:28:41Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: add-labels
  resourceVersion: "2540526"
  uid: 70b2fc81-64b5-404e-810b-288fa1f32769
kind: Event
lastTimestamp: "2023-06-11T13:28:41Z"
message: 'ConfigMap default/mytest: pass'
metadata:
  creationTimestamp: "2023-06-11T13:28:41Z"
  name: add-labels.17679dd47216ebf4
  namespace: default
  resourceVersion: "2540549"
  uid: d092594e-fdb1-4c1e-a73a-5a409791717e
reason: PolicyApplied
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Normal
```
7b. a clone source cannot be found when a trigger occurs
```yaml=
apiVersion: v1
count: 10
eventTime: null
firstTimestamp: "2023-06-22T14:40:26Z"
involvedObject:
  apiVersion: v1
  kind: ConfigMap
  name: trigger2
  namespace: default
  resourceVersion: "5412539"
  uid: cff79453-8ae8-4ef3-931f-c5631deffad9
kind: Event
lastTimestamp: "2023-06-22T14:40:35Z"
message: 'policy cpol-clone-sync-delete-trigger-policy/ error: source resource v1
  Secret/default/ghcr-login-secret not found. secrets "ghcr-login-secret" not found'
metadata:
  creationTimestamp: "2023-06-22T14:40:26Z"
  name: trigger2.176b02210a087028
  namespace: default
  resourceVersion: "5412600"
  uid: 1359a0f1-0f54-4f32-90f2-c81f3a68bb56
reason: PolicyError
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-generate
type: Warning
```
8a. policy violation and the resource is blocked, an event is created for the policy
Implementation: https://github.com/kyverno/kyverno/blob/5d5011d5d90b7476eba39dd97596ac18f7e1c3f9/pkg/event/events.go#L23-L41
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-05-23T12:58:12Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: disallow-latest-tag-custom
  resourceVersion: "1645"
  uid: 44c24622-bf9a-458d-af6b-52acbd8e13d5
kind: Event
lastTimestamp: "2023-05-23T12:58:12Z"
message: 'Pod default/nginx: [validate-image-tag] fail (blocked); validation error:
  Using a mutable image tag e.g. ''latest'' is not allowed. rule validate-image-tag
  failed at path /spec/containers/0/image/'
metadata:
  creationTimestamp: "2023-05-23T12:58:12Z"
  name: disallow-latest-tag-custom.1761c723cb4621ba
  namespace: default
  resourceVersion: "1715"
  uid: fe3fb06e-0cd8-49bf-9ba3-96cc702fdab5
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Warning
```
8b. policy violation and the resource is NOT blocked, an event is created for the policy
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T13:14:03Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: require-labels
  resourceVersion: "1460091"
  uid: f630d8dc-cd22-4d27-97ef-dbefa36ef6ca
kind: Event
lastTimestamp: "2023-06-06T13:14:03Z"
message: 'ConfigMap default/chiptesting: [check-for-labels] fail; validation error:
  The label `team` is required. rule check-for-labels failed at path /metadata/labels/team/'
metadata:
  creationTimestamp: "2023-06-06T13:14:03Z"
  name: require-labels.176614212643ff48
  namespace: default
  resourceVersion: "1460206"
  uid: 8eb33f69-779e-43d7-93d6-236b04836dfd
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Warning
```
8c. policy violation and the resource is NOT blocked, an event is created for the resource
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T13:14:03Z"
involvedObject:
  apiVersion: v1
  kind: ConfigMap
  name: chiptesting
  namespace: default
  resourceVersion: "1460205"
  uid: 506a6f6a-de9e-4865-a3f0-ef874181112b
kind: Event
lastTimestamp: "2023-06-06T13:14:03Z"
message: 'policy require-labels/check-for-labels fail: validation error: The label
  `team` is required. rule check-for-labels failed at path /metadata/labels/team/'
metadata:
  creationTimestamp: "2023-06-06T13:14:03Z"
  name: chiptesting.1766142127770fe0
  namespace: default
  resourceVersion: "1460208"
  uid: 86112f51-8409-43dc-bd09-d209bd705aac
reason: PolicyViolation
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Warning
```
8d. a policy is skipped due to policy exception, and the resource is not blocked, event created on policy exception
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T13:26:45Z"
involvedObject:
  apiVersion: kyverno.io/v2alpha1
  kind: PolicyException
  name: eventpolex
  namespace: default
  resourceVersion: "1462115"
  uid: 62730ab8-9d26-48ca-9d70-09165510bf52
kind: Event
lastTimestamp: "2023-06-06T13:26:45Z"
message: resource ConfigMap/default/chiptesting was skipped from policy rule require-labels/check-for-labels
metadata:
  creationTimestamp: "2023-06-06T13:26:45Z"
  name: eventpolex.176614d29ba5b004
  namespace: default
  resourceVersion: "1462134"
  uid: d809069d-8ea6-479d-94a2-45a4d0df393c
reason: PolicySkipped
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Normal
```
8e. a policy is skipped due to policy exception, and the resource is not blocked, event created on policy
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-06T13:26:45Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: require-labels
  resourceVersion: "1460091"
  uid: f630d8dc-cd22-4d27-97ef-dbefa36ef6ca
kind: Event
lastTimestamp: "2023-06-06T13:26:45Z"
message: resource ConfigMap/default/chiptesting was skipped from rule check-for-labels
  due to policy exception default/eventpolex
metadata:
  creationTimestamp: "2023-06-06T13:26:45Z"
  name: require-labels.176614d29a30f8c8
  namespace: default
  resourceVersion: "1462133"
  uid: efbea4e3-cf94-4b9a-ba0b-ac67b41021c2
reason: PolicySkipped
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Normal
```
8f. a policy applied event created for the policy when a resource passes
```yaml=
apiVersion: v1
count: 2
eventTime: null
firstTimestamp: "2023-06-06T13:22:15Z"
involvedObject:
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  name: require-labels
  resourceVersion: "1460091"
  uid: f630d8dc-cd22-4d27-97ef-dbefa36ef6ca
kind: Event
lastTimestamp: "2023-06-06T13:22:33Z"
message: 'ConfigMap default/chiptesting: pass'
metadata:
  creationTimestamp: "2023-06-06T13:22:15Z"
  name: require-labels.17661493d24ca3cc
  namespace: default
  resourceVersion: "1461509"
  uid: 9246252d-0ee6-4273-9269-0735aaadf1a1
reason: PolicyApplied
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-admission
type: Normal
```
9a. when a cleanup policy successfully applies (cleans up a resource), an event is associated with the policy
```yaml=
apiVersion: v1
count: 1
eventTime: null
firstTimestamp: "2023-06-08T15:55:03Z"
involvedObject:
  apiVersion: kyverno.io/v2alpha1
  kind: ClusterCleanupPolicy
  name: clean-bare-pods
  resourceVersion: "1910099"
  uid: 4998b3b9-2f38-4059-aaa5-f08a06e09e7f
kind: Event
lastTimestamp: "2023-06-08T15:55:03Z"
message: successfully cleaned up the target resource Pod/default/busybox
metadata:
  creationTimestamp: "2023-06-08T15:55:03Z"
  name: clean-bare-pods.1766ba139ba4fccc
  namespace: default
  resourceVersion: "1910577"
  uid: 720a1e24-28ad-45f0-9b7c-bd36d608fcf2
reason: PolicyApplied
reportingComponent: ""
reportingInstance: ""
source:
  component: kyverno-cleanup
type: Normal
```
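Added example, not part of Kyverno or of the original document: a Python triage routine that maps the fields shown in the samples above (`source.component`, `reason`, `type`, `involvedObject.kind`, `message`) to the scenario numbers in the list. The names `classify`, `review_queue`, `make_event` and `SAMPLES` are hypothetical, and a label such as `5a/6/8f` marks scenarios that these checks cannot tell apart.

```python
# Added example: map a Kyverno Event (as a dict) to the scenario numbers listed on this page.
POLICY_KINDS = {"ClusterPolicy", "Policy"}  # assumption: namespaced Policy is treated like ClusterPolicy

def classify(ev):
    """Return scenario label(s); 'x/y' means the checked fields cannot separate them."""
    src = ev.get("source", {}).get("component", "")
    reason = ev.get("reason", "")
    kind = ev.get("involvedObject", {}).get("kind", "")
    on_policy, on_exception = kind in POLICY_KINDS, kind == "PolicyException"
    if src == "kyverno-generate" and reason == "PolicyError":
        return "1/7"
    if src == "kyverno-mutate" and reason == "PolicyApplied":
        return "2"
    if src == "kyverno-scan" and reason == "PolicyViolation":
        return "3a" if on_policy else "3b"
    if src == "kyverno-scan" and reason == "PolicySkipped":
        return "4b" if on_exception else "4a"
    if src == "kyverno-admission" and reason == "PolicyViolation":
        if not on_policy:
            return "5b/8c"
        return "8a" if "(blocked)" in ev.get("message", "") else "8b"
    if src == "kyverno-admission" and reason == "PolicySkipped":
        return "8d" if on_exception else "8e"
    if src == "kyverno-admission" and reason == "PolicyApplied":
        return "5a/6/8f"
    if src == "kyverno-cleanup":
        return {"PolicyApplied": "9a", "PolicyError": "9b"}.get(reason, "unknown")
    return "unknown"

def review_queue(events):
    """Keep events worth a look: Warnings, plus any use of a policy exception."""
    picked = []
    for ev in events:
        if ev.get("type") == "Warning" or ev.get("reason") == "PolicySkipped":
            obj = ev.get("involvedObject", {})
            picked.append((classify(ev), obj.get("kind"), obj.get("name")))
    return picked

def make_event(component, reason, etype, kind, name, message=""):
    return {"source": {"component": component}, "reason": reason, "type": etype,
            "involvedObject": {"kind": kind, "name": name}, "message": message}

# Constructed input: the samples above reduced to the fields the classifier reads.
SAMPLES = [
    make_event("kyverno-admission", "PolicyViolation", "Warning", "ClusterPolicy",
               "disallow-latest-tag-custom", "Pod default/nginx: [validate-image-tag] fail (blocked)"),
    make_event("kyverno-admission", "PolicySkipped", "Normal", "PolicyException", "eventpolex"),
    make_event("kyverno-admission", "PolicyApplied", "Normal", "ClusterPolicy", "add-labels",
               "ConfigMap default/mytest: pass"),
    make_event("kyverno-generate", "PolicyError", "Warning", "ConfigMap", "trigger2"),
]
```

`review_queue(SAMPLES)` keeps the blocked violation, the exception use and the generate error, and drops the routine `PolicyApplied` event.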
## New Events