fix split policyreport name with background scan (#4237) (#4245)

- fix split policyreport name with background scan - fix the label selector initialising - refactor the generatePolicyName func Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-07-21 15:19:24 +05:30 · 2022-07-21 15:19:24 +05:30 · 886cb6effe
commit 886cb6effe
parent d1ec34b97f
8 changed files with 143 additions and 87 deletions
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@ -373,6 +373,8 @@ func removePolicyReport(client client.Interface, kind string) error {
 	return nil
 }

+// Deprecated: New ClusterPolicyReports already has required labels, will be removed in
+// 1.8.0 version
 func addClusterPolicyReportSelectorLabel(client client.Interface) {
 	logger := log.Log.WithName("addClusterPolicyReportSelectorLabel")

@ -383,12 +385,14 @@ func addClusterPolicyReportSelectorLabel(client client.Interface) {
 	}

 	for _, cpolr := range cpolrs.Items {
-		if cpolr.GetName() == policyreport.GeneratePolicyReportName("") {
+		if cpolr.GetName() == policyreport.GeneratePolicyReportName("", "") {
 			addSelectorLabel(client, cpolr.GetAPIVersion(), cpolr.GetKind(), "", cpolr.GetName())
 		}
 	}
 }

+// Deprecated: New PolicyReports already has required labels, will be removed in
+// 1.8.0 version
 func addPolicyReportSelectorLabel(client client.Interface) {
 	logger := log.Log.WithName("addPolicyReportSelectorLabel")

@ -399,7 +403,7 @@ func addPolicyReportSelectorLabel(client client.Interface) {
 	}

 	for _, polr := range polrs.Items {
-		if polr.GetName() == policyreport.GeneratePolicyReportName(polr.GetNamespace()) {
+		if polr.GetName() == policyreport.GeneratePolicyReportName(polr.GetNamespace(), "") {
 			addSelectorLabel(client, polr.GetAPIVersion(), polr.GetKind(), polr.GetNamespace(), polr.GetName())
 		}
 	}
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -68,7 +68,6 @@ var (
 	clientRateLimitQPS           float64
 	clientRateLimitBurst         int
 	changeRequestLimit           int
-	splitPolicyReport            bool
 	webhookRegistrationTimeout   time.Duration
 	setupLog                     = log.Log.WithName("setup")
 )
@ -93,7 +92,7 @@ func main() {
 	flag.Func(toggle.AutogenInternalsFlagName, toggle.AutogenInternalsDescription, toggle.AutogenInternalsFlag)
 	flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
 	flag.IntVar(&changeRequestLimit, "maxReportChangeRequests", 1000, "Maximum pending report change requests per namespace or for the cluster-wide policy report.")
-	flag.BoolVar(&splitPolicyReport, "splitPolicyReport", false, "Set the flag to 'true', to enable the split-up PolicyReports per policy.")
+	flag.Func(toggle.SplitPolicyReportFlagName, "Set the flag to 'true', to enable the split-up PolicyReports per policy.", toggle.SplitPolicyReportFlag)
 	if err := flag.Set("v", "2"); err != nil {
 		setupLog.Error(err, "failed to set log level")
 		os.Exit(1)
@ -187,7 +186,6 @@ func main() {
 		kyvernoV1.ClusterPolicies(),
 		kyvernoV1.Policies(),
 		changeRequestLimit,
-		splitPolicyReport,
 		log.Log.WithName("ReportChangeRequestGenerator"),
 	)

@ -200,7 +198,6 @@ func main() {
 		kyvernoV1alpha2.ClusterReportChangeRequests(),
 		kubeInformer.Core().V1().Namespaces(),
 		reportReqGen.CleanupChangeRequest,
-		splitPolicyReport,
 		log.Log.WithName("PolicyReportGenerator"),
 	)
 	if err != nil {
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@ -15,6 +15,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/policyreport"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
@ -95,9 +96,9 @@ func (pc *PolicyController) forceReconciliation(reconcileCh <-chan bool, cleanup
 			changeRequestMapperNamespace[ns] = false

 			if err := pc.policyReportEraser.EraseResultEntries(eraseResultEntries, info.Namespace); err != nil {
-				logger.Error(err, "failed to erase result entries for the report", "report", policyreport.GeneratePolicyReportName(ns))
+				logger.Error(err, "failed to erase result entries for the report", "report", policyreport.GeneratePolicyReportName(ns, ""))
 			} else {
-				logger.V(3).Info("wiped out result entries for the report", "report", policyreport.GeneratePolicyReportName(ns))
+				logger.V(3).Info("wiped out result entries for the report", "report", policyreport.GeneratePolicyReportName(ns, ""))
 			}

 			if info.MapperInactive {
@ -113,22 +114,19 @@ func (pc *PolicyController) forceReconciliation(reconcileCh <-chan bool, cleanup
 	}
 }

-func cleanupReportChangeRequests(pclient kyvernoclient.Interface, rcrLister kyvernov1alpha2listers.ReportChangeRequestLister, crcrLister kyvernov1alpha2listers.ClusterReportChangeRequestLister, labels map[string]string) error {
+func cleanupReportChangeRequests(pclient kyvernoclient.Interface, rcrLister kyvernov1alpha2listers.ReportChangeRequestLister, crcrLister kyvernov1alpha2listers.ClusterReportChangeRequestLister, nslabels map[string]string) error {
 	var errors []string
-
 	var gracePeriod int64 = 0
 	deleteOptions := metav1.DeleteOptions{GracePeriodSeconds: &gracePeriod}

-	selector := &metav1.LabelSelector{
-		MatchLabels: labels,
-	}
+	selector := labels.SelectorFromSet(labels.Set(nslabels))

-	err := pclient.KyvernoV1alpha2().ClusterReportChangeRequests().DeleteCollection(context.TODO(), deleteOptions, metav1.ListOptions{LabelSelector: metav1.FormatLabelSelector(selector)})
+	err := pclient.KyvernoV1alpha2().ClusterReportChangeRequests().DeleteCollection(context.TODO(), deleteOptions, metav1.ListOptions{LabelSelector: selector.String()})
 	if err != nil {
 		errors = append(errors, err.Error())
 	}

-	err = pclient.KyvernoV1alpha2().ReportChangeRequests(config.KyvernoNamespace).DeleteCollection(context.TODO(), deleteOptions, metav1.ListOptions{LabelSelector: metav1.FormatLabelSelector(selector)})
+	err = pclient.KyvernoV1alpha2().ReportChangeRequests(config.KyvernoNamespace).DeleteCollection(context.TODO(), deleteOptions, metav1.ListOptions{LabelSelector: selector.String()})
 	if err != nil {
 		errors = append(errors, err.Error())
 	}
@ -150,31 +148,37 @@ func eraseResultEntries(pclient kyvernoclient.Interface, reportLister policyrepo
 	var polrName string

 	if ns != nil {
-		polrName = policyreport.GeneratePolicyReportName(*ns)
-		if polrName != "" {
-			polr, err := reportLister.PolicyReports(*ns).Get(polrName)
+		if toggle.SplitPolicyReport() {
+			err = eraseSplitResultEntries(pclient, ns, selector)
 			if err != nil {
-				return fmt.Errorf("failed to erase results entries for PolicyReport %s: %v", polrName, err)
-			}
-
-			polr.Results = []v1alpha2.PolicyReportResult{}
-			polr.Summary = v1alpha2.PolicyReportSummary{}
-			if _, err = pclient.Wgpolicyk8sV1alpha2().PolicyReports(polr.GetNamespace()).Update(context.TODO(), polr, metav1.UpdateOptions{}); err != nil {
-				errors = append(errors, fmt.Sprintf("%s/%s/%s: %v", polr.Kind, polr.Namespace, polr.Name, err))
+				errors = append(errors, fmt.Sprintf("%v", err))
 			}
 		} else {
-			cpolr, err := clusterReportLister.Get(polrName)
-			if err != nil {
-				errors = append(errors, err.Error())
-			}
+			polrName = policyreport.GeneratePolicyReportName(*ns, "")
+			if polrName != "" {
+				polr, err := reportLister.PolicyReports(*ns).Get(polrName)
+				if err != nil {
+					return fmt.Errorf("failed to erase results entries for PolicyReport %s: %v", polrName, err)
+				}

-			cpolr.Results = []v1alpha2.PolicyReportResult{}
-			cpolr.Summary = v1alpha2.PolicyReportSummary{}
-			if _, err = pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Update(context.TODO(), cpolr, metav1.UpdateOptions{}); err != nil {
-				return fmt.Errorf("failed to erase results entries for ClusterPolicyReport %s: %v", polrName, err)
+				polr.Results = []v1alpha2.PolicyReportResult{}
+				polr.Summary = v1alpha2.PolicyReportSummary{}
+				if _, err = pclient.Wgpolicyk8sV1alpha2().PolicyReports(polr.GetNamespace()).Update(context.TODO(), polr, metav1.UpdateOptions{}); err != nil {
+					errors = append(errors, fmt.Sprintf("%s/%s/%s: %v", polr.Kind, polr.Namespace, polr.Name, err))
+				}
+			} else {
+				cpolr, err := clusterReportLister.Get(policyreport.GeneratePolicyReportName(*ns, ""))
+				if err != nil {
+					errors = append(errors, err.Error())
+				}
+
+				cpolr.Results = []v1alpha2.PolicyReportResult{}
+				cpolr.Summary = v1alpha2.PolicyReportSummary{}
+				if _, err = pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Update(context.TODO(), cpolr, metav1.UpdateOptions{}); err != nil {
+					return fmt.Errorf("failed to erase results entries for ClusterPolicyReport %s: %v", polrName, err)
+				}
 			}
 		}
-
 		if len(errors) == 0 {
 			return nil
 		}
@ -213,6 +217,44 @@ func eraseResultEntries(pclient kyvernoclient.Interface, reportLister policyrepo
 	return fmt.Errorf("failed to erase results entries %v", strings.Join(errors, ";"))
 }

+func eraseSplitResultEntries(pclient kyvernoclient.Interface, ns *string, selector labels.Selector) error {
+	var errors []string
+
+	if ns != nil {
+		if *ns != "" {
+			polrs, err := pclient.Wgpolicyk8sV1alpha2().PolicyReports(*ns).List(context.TODO(), metav1.ListOptions{LabelSelector: selector.String()})
+			if err != nil {
+				return fmt.Errorf("failed to list PolicyReports for given namespace %s : %v", *ns, err)
+			}
+			for _, polr := range polrs.Items {
+				polr := polr
+				polr.Results = []v1alpha2.PolicyReportResult{}
+				polr.Summary = v1alpha2.PolicyReportSummary{}
+				if _, err := pclient.Wgpolicyk8sV1alpha2().PolicyReports(polr.GetNamespace()).Update(context.TODO(), &polr, metav1.UpdateOptions{}); err != nil {
+					errors = append(errors, fmt.Sprintf("%s/%s/%s: %v", polr.Kind, polr.Namespace, polr.Name, err))
+				}
+			}
+		} else {
+			cpolrs, err := pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().List(context.TODO(), metav1.ListOptions{LabelSelector: selector.String()})
+			if err != nil {
+				return fmt.Errorf("failed to list ClusterPolicyReports : %v", err)
+			}
+			for _, cpolr := range cpolrs.Items {
+				cpolr := cpolr
+				cpolr.Results = []v1alpha2.PolicyReportResult{}
+				cpolr.Summary = v1alpha2.PolicyReportSummary{}
+				if _, err := pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Update(context.TODO(), &cpolr, metav1.UpdateOptions{}); err != nil {
+					errors = append(errors, fmt.Sprintf("%s/%s/%s: %v", cpolr.Kind, cpolr.Namespace, cpolr.Name, err))
+				}
+			}
+		}
+		if len(errors) == 0 {
+			return nil
+		}
+	}
+	return fmt.Errorf("failed to erase results entries for split reports in namespace %s: %v", *ns, strings.Join(errors, ";"))
+}
+
 func (pc *PolicyController) requeuePolicies() {
 	logger := pc.log.WithName("requeuePolicies")
 	if cpols, err := pc.pLister.List(labels.Everything()); err == nil {
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -14,6 +14,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/response"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	"github.com/kyverno/kyverno/pkg/version"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -44,12 +45,20 @@ const (
 	SourceValue = "Kyverno"
 )

-func GeneratePolicyReportName(ns string) string {
+func GeneratePolicyReportName(ns, policyName string) string {
 	if ns == "" {
+		if toggle.SplitPolicyReport() {
+			return TrimmedName(clusterpolicyreport + "-" + policyName)
+		}
 		return clusterpolicyreport
 	}

-	name := fmt.Sprintf("polr-ns-%s", ns)
+	var name string
+	if toggle.SplitPolicyReport() {
+		name = fmt.Sprintf("polr-ns-%s-%s", ns, policyName)
+	} else {
+		name = fmt.Sprintf("polr-ns-%s", ns)
+	}
 	if len(name) > 63 {
 		return name[:63]
 	}
--- a/pkg/policyreport/changerequestcreator.go
+++ b/pkg/policyreport/changerequestcreator.go
@ -9,8 +9,10 @@ import (
 	"time"

 	"github.com/go-logr/logr"
+	kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	policyreportclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	"github.com/patrickmn/go-cache"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -44,15 +46,14 @@ type changeRequestCreator struct {
 	log logr.Logger
 }

-func newChangeRequestCreator(client policyreportclient.Interface, tickerInterval time.Duration, splitPolicyReport bool, log logr.Logger) creator {
+func newChangeRequestCreator(client kyvernoclient.Interface, tickerInterval time.Duration, log logr.Logger) creator {
 	return &changeRequestCreator{
-		client:            client,
-		RCRCache:          cache.New(0, 24*time.Hour),
-		CRCRCache:         cache.New(0, 24*time.Hour),
-		queue:             []string{},
-		tickerInterval:    tickerInterval,
-		splitPolicyReport: splitPolicyReport,
-		log:               log,
+		client:         client,
+		RCRCache:       cache.New(0, 24*time.Hour),
+		CRCRCache:      cache.New(0, 24*time.Hour),
+		queue:          []string{},
+		tickerInterval: tickerInterval,
+		log:            log,
 	}
 }

@ -114,7 +115,7 @@ func (c *changeRequestCreator) run(stopChan <-chan struct{}) {
 	ticker := time.NewTicker(c.tickerInterval)
 	defer ticker.Stop()

-	if c.splitPolicyReport {
+	if toggle.SplitPolicyReport() {
 		err := CleanupPolicyReport(c.client)
 		if err != nil {
 			c.log.Error(err, "failed to delete old reports")
--- a/pkg/policyreport/reportcontroller.go
+++ b/pkg/policyreport/reportcontroller.go
@ -17,6 +17,7 @@ import (
 	policyreportv1alpha2listers "github.com/kyverno/kyverno/pkg/client/listers/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/pkg/config"
 	dclient "github.com/kyverno/kyverno/pkg/dclient"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"github.com/kyverno/kyverno/pkg/version"
 	v1 "k8s.io/api/core/v1"
@ -67,9 +68,8 @@ type ReportGenerator struct {
 	reportChangeRequestLister        kyvernov1alpha2listers.ReportChangeRequestLister
 	clusterReportChangeRequestLister kyvernov1alpha2listers.ClusterReportChangeRequestLister
 	nsLister                         corev1listers.NamespaceLister
-	// splitPolicyReport enable/disable the PolicyReport split-up per policy feature
-	splitPolicyReport bool
-	informersSynced   []cache.InformerSynced
+
+	informersSynced []cache.InformerSynced

 	queue workqueue.RateLimitingInterface

@ -92,7 +92,6 @@ func NewReportGenerator(
 	clusterReportReqInformer kyvernov1alpha2informers.ClusterReportChangeRequestInformer,
 	namespace corev1informers.NamespaceInformer,
 	cleanupChangeRequest chan<- ReconcileInfo,
-	splitPolicyReport bool,
 	log logr.Logger,
 ) (*ReportGenerator, error) {
 	gen := &ReportGenerator{
@ -103,7 +102,6 @@ func NewReportGenerator(
 		reportReqInformer:        reportReqInformer,
 		clusterReportReqInformer: clusterReportReqInformer,
 		queue:                    workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), prWorkQueueName),
-		splitPolicyReport:        splitPolicyReport,
 		ReconcileCh:              make(chan bool, 10),
 		cleanupChangeRequest:     cleanupChangeRequest,
 		log:                      log,
@ -137,7 +135,7 @@ func (g *ReportGenerator) generateCacheKey(changeRequest interface{}) string {
 		if ns == "" {
 			ns = "default"
 		}
-		if g.splitPolicyReport {
+		if toggle.SplitPolicyReport() {
 			policy = label[policyLabel]
 			return strings.Join([]string{ns, policy}, "/")
 		} else {
@ -150,7 +148,7 @@ func (g *ReportGenerator) generateCacheKey(changeRequest interface{}) string {
 		if rule != "" || policy != "" {
 			return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
 		}
-		if g.splitPolicyReport {
+		if toggle.SplitPolicyReport() {
 			policy = label[policyLabel]
 			return strings.Join([]string{"", policy}, "/")
 		} else {
@ -344,7 +342,7 @@ func (g *ReportGenerator) syncHandler(key string) (aggregatedRequests interface{
 		return g.removePolicyEntryFromReport(policy, rule)
 	}
 	var namespace, policyName string
-	if g.splitPolicyReport {
+	if toggle.SplitPolicyReport() {
 		namespace = strings.Split(key, "/")[0]
 		policyName = strings.Split(key, "/")[1]
 	} else {
@ -355,7 +353,7 @@ func (g *ReportGenerator) syncHandler(key string) (aggregatedRequests interface{
 		return aggregatedRequests, fmt.Errorf("failed to aggregate reportChangeRequest results %v", err)
 	}

-	if g.splitPolicyReport {
+	if toggle.SplitPolicyReport() {
 		deleteResources := getDeletedResources(aggregatedRequests)
 		if len(deleteResources) != 0 {
 			for _, dr := range deleteResources {
@ -367,11 +365,7 @@ func (g *ReportGenerator) syncHandler(key string) (aggregatedRequests interface{
 	}

 	var report *policyreportv1alpha2.PolicyReport
-	if g.splitPolicyReport {
-		report, err = g.reportLister.PolicyReports(namespace).Get(TrimmedName(GeneratePolicyReportName(namespace) + "-" + policyName))
-	} else {
-		report, err = g.reportLister.PolicyReports(namespace).Get(GeneratePolicyReportName(namespace))
-	}
+	report, err = g.reportLister.PolicyReports(namespace).Get(GeneratePolicyReportName(namespace, policyName))
 	if err == nil {
 		if val, ok := report.GetLabels()[inactiveLabelKey]; ok && val == inactiveLabelVal {
 			g.log.Info("got resourceExhausted error, please opt-in via \"splitPolicyReport\" to generate report per policy")
@ -423,11 +417,7 @@ func (g *ReportGenerator) createReportIfNotPresent(namespace, policyName string,
 			return nil, nil
 		}

-		if g.splitPolicyReport {
-			report, err = g.reportLister.PolicyReports(namespace).Get(TrimmedName(GeneratePolicyReportName(namespace) + "-" + policyName))
-		} else {
-			report, err = g.reportLister.PolicyReports(namespace).Get(GeneratePolicyReportName(namespace))
-		}
+		report, err = g.reportLister.PolicyReports(namespace).Get(GeneratePolicyReportName(namespace, policyName))
 		if err != nil {
 			if apierrors.IsNotFound(err) && new != nil {
 				polr, err := convertToPolr(new)
@ -447,12 +437,7 @@ func (g *ReportGenerator) createReportIfNotPresent(namespace, policyName string,
 			return nil, fmt.Errorf("unable to get policyReport: %v", err)
 		}
 	} else {
-
-		if g.splitPolicyReport {
-			report, err = g.clusterReportLister.Get(TrimmedName(GeneratePolicyReportName(namespace) + "-" + policyName))
-		} else {
-			report, err = g.clusterReportLister.Get(GeneratePolicyReportName(namespace))
-		}
+		report, err = g.clusterReportLister.Get(GeneratePolicyReportName(namespace, policyName))
 		if err != nil {
 			if apierrors.IsNotFound(err) {
 				if new != nil {
@ -514,7 +499,7 @@ func (g *ReportGenerator) removeFromClusterPolicyReport(policyName, ruleName str
 			if ruleName != "" && result.Rule == ruleName && result.Policy == policyName {
 				continue
 			} else if ruleName == "" && result.Policy == policyName {
-				if g.splitPolicyReport {
+				if toggle.SplitPolicyReport() {
 					if err := g.pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Delete(context.TODO(), cpolr.GetName(), metav1.DeleteOptions{}); err != nil {
 						if apierrors.IsNotFound(err) {
 							return nil
@ -566,7 +551,7 @@ func (g *ReportGenerator) removeFromPolicyReport(policyName, ruleName string) er
 			if ruleName != "" && result.Rule == ruleName && result.Policy == policyName {
 				continue
 			} else if ruleName == "" && result.Policy == policyName {
-				if g.splitPolicyReport {
+				if toggle.SplitPolicyReport() {
 					if err := g.pclient.Wgpolicyk8sV1alpha2().PolicyReports(r.GetNamespace()).Delete(context.TODO(), r.GetName(), metav1.DeleteOptions{}); err != nil {
 						if apierrors.IsNotFound(err) {
 							return nil
@ -607,7 +592,7 @@ func (g *ReportGenerator) aggregateReports(namespace, policyName string) (

 	selector := labels.NewSelector()
 	if namespace == "" {
-		if g.splitPolicyReport {
+		if toggle.SplitPolicyReport() {
 			selector = labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion, policyLabel: TrimmedName(policyName)}))
 		} else {
 			selector = labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion}))
@ -633,7 +618,7 @@ func (g *ReportGenerator) aggregateReports(namespace, policyName string) (
 			ns.SetDeletionTimestamp(&now)
 		}

-		if g.splitPolicyReport {
+		if toggle.SplitPolicyReport() {
 			selector = labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion, ResourceLabelNamespace: namespace, policyLabel: TrimmedName(policyName)}))
 		} else {
 			selector = labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion, ResourceLabelNamespace: namespace}))
@ -733,20 +718,12 @@ func (g *ReportGenerator) setReport(reportUnstructured *unstructured.Unstructure
 	}

 	if ns == nil {
-		if g.splitPolicyReport {
-			reportUnstructured.SetName(TrimmedName(GeneratePolicyReportName("") + "-" + policyname))
-		} else {
-			reportUnstructured.SetName(GeneratePolicyReportName(""))
-		}
+		reportUnstructured.SetName(GeneratePolicyReportName("", policyname))
 		reportUnstructured.SetKind("ClusterPolicyReport")
 		return
 	}

-	if g.splitPolicyReport {
-		reportUnstructured.SetName(TrimmedName(GeneratePolicyReportName(ns.GetName()) + "-" + policyname))
-	} else {
-		reportUnstructured.SetName(GeneratePolicyReportName(ns.GetName()))
-	}
+	reportUnstructured.SetName(GeneratePolicyReportName(ns.GetName(), policyname))
 	reportUnstructured.SetNamespace(ns.GetName())
 	reportUnstructured.SetKind("PolicyReport")
 }
--- a/pkg/policyreport/reportrequest.go
+++ b/pkg/policyreport/reportrequest.go
@ -68,7 +68,6 @@ func NewReportChangeRequestGenerator(client policyreportclient.Interface,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
 	polInformer kyvernov1informers.PolicyInformer,
 	changeRequestLimit int,
-	splitPolicyReport bool,
 	log logr.Logger,
 ) *Generator {
 	gen := Generator{
@ -82,7 +81,7 @@ func NewReportChangeRequestGenerator(client policyreportclient.Interface,
 		dataStore:                        newDataStore(),
 		changeRequestLimit:               changeRequestLimit,
 		CleanupChangeRequest:             make(chan ReconcileInfo, 10),
-		requestCreator:                   newChangeRequestCreator(client, 3*time.Second, splitPolicyReport, log.WithName("requestCreator")),
+		requestCreator:                   newChangeRequestCreator(client, 3*time.Second, log.WithName("requestCreator")),
 		log:                              log,
 	}

--- a/pkg/toggle/toggle.go
+++ b/pkg/toggle/toggle.go
@ -10,9 +10,17 @@ const (
 	AutogenInternalsDescription = "Enables autogen internal policies. When this is 'true' policy rules should not be mutated."
 	AutogenInternalsEnvVar      = "FLAG_AUTOGEN_INTERNALS"
 	DefaultAutogenInternals     = false
+
+	// split policy report ...
+	SplitPolicyReportFlagName = "splitPolicyReport"
+	SplitPolicyReportEnvVar   = "FLAG_SPLIT_POLICY_REPORT"
+	DefaultSplitPolicyReport  = false
 )

-var autogenInternals *bool
+var (
+	autogenInternals  *bool
+	splitPolicyReport *bool
+)

 func getBool(in string) (*bool, error) {
 	if in == "" {
@ -43,3 +51,22 @@ func AutogenInternals() bool {
 	}
 	return DefaultAutogenInternals
 }
+
+func SplitPolicyReportFlag(in string) error {
+	if value, err := getBool(in); err != nil {
+		return err
+	} else {
+		splitPolicyReport = value
+		return nil
+	}
+}
+
+func SplitPolicyReport() bool {
+	if splitPolicyReport != nil {
+		return *splitPolicyReport
+	}
+	if value, err := getBool(os.Getenv(SplitPolicyReportEnvVar)); err == nil && value != nil {
+		return *value
+	}
+	return DefaultSplitPolicyReport
+}