feat: make aggregated reports optional (#7475)

* feat: make aggregated reports optional

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* helm

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* changelog

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Note
 
 - Deprecated flag `--imageSignatureRepository`. Will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.
+- Added `--aggregateReports` flag to reports controller to enable/disable aggregated reports (default value is `true`).
 
 ## v1.10.0
 

charts/kyverno/README.md

@@ -291,6 +291,7 @@ The chart values are organised per component.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | features.admissionReports.enabled | bool | `true` | Enables the feature |
+| features.aggregateReports.enabled | bool | `true` | Enables the feature |
 | features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature |
 | features.backgroundScan.enabled | bool | `true` | Enables the feature |
 | features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers |

charts/kyverno/templates/_helpers.tpl

@@ -13,6 +13,9 @@
 {{- with .admissionReports -}}
   {{- $flags = append $flags (print "--admissionReports=" .enabled) -}}
 {{- end -}}
+{{- with .aggregateReports -}}
+  {{- $flags = append $flags (print "--aggregateReports=" .enabled) -}}
+{{- end -}}
 {{- with .autoUpdateWebhooks -}}
   {{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}}
 {{- end -}}

charts/kyverno/templates/reports-controller/deployment.yaml

@@ -109,6 +109,7 @@ spec:
             {{- end }}
             {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
               "admissionReports"
+              "aggregateReports"
               "backgroundScan"
               "configMapCaching"
               "logging"

charts/kyverno/values.yaml

@@ -327,6 +327,9 @@ features:
   admissionReports:
     # -- Enables the feature
     enabled: true
+  aggregateReports:
+    # -- Enables the feature
+    enabled: true
   autoUpdateWebhooks:
     # -- Enables the feature
     enabled: true

cmd/reports-controller/main.go

@@ -36,6 +36,7 @@ func createReportControllers(
 	eng engineapi.Engine,
 	backgroundScan bool,
 	admissionReports bool,
+	aggregateReports bool,
 	reportsChunkSize int,
 	backgroundScanWorkers int,
 	client dclient.Interface,
@@ -65,18 +66,20 @@ func createReportControllers(
 			resourceReportController,
 			resourcereportcontroller.Workers,
 		))
-		ctrls = append(ctrls, internal.NewController(
-			aggregatereportcontroller.ControllerName,
-			aggregatereportcontroller.NewController(
-				kyvernoClient,
-				metadataFactory,
-				kyvernoV1.Policies(),
-				kyvernoV1.ClusterPolicies(),
-				resourceReportController,
-				reportsChunkSize,
-			),
-			aggregatereportcontroller.Workers,
-		))
+		if aggregateReports {
+			ctrls = append(ctrls, internal.NewController(
+				aggregatereportcontroller.ControllerName,
+				aggregatereportcontroller.NewController(
+					kyvernoClient,
+					metadataFactory,
+					kyvernoV1.Policies(),
+					kyvernoV1.ClusterPolicies(),
+					resourceReportController,
+					reportsChunkSize,
+				),
+				aggregatereportcontroller.Workers,
+			))
+		}
 		if admissionReports {
 			ctrls = append(ctrls, internal.NewController(
 				admissionreportcontroller.ControllerName,
@@ -123,6 +126,7 @@ func createrLeaderControllers(
 	eng engineapi.Engine,
 	backgroundScan bool,
 	admissionReports bool,
+	aggregateReports bool,
 	reportsChunkSize int,
 	backgroundScanWorkers int,
 	kubeInformer kubeinformers.SharedInformerFactory,
@@ -139,6 +143,7 @@ func createrLeaderControllers(
 		eng,
 		backgroundScan,
 		admissionReports,
+		aggregateReports,
 		reportsChunkSize,
 		backgroundScanWorkers,
 		dynamicClient,
@@ -158,6 +163,7 @@ func main() {
 	var (
 		backgroundScan         bool
 		admissionReports       bool
+		aggregateReports       bool
 		reportsChunkSize       int
 		backgroundScanWorkers  int
 		backgroundScanInterval time.Duration
@@ -168,6 +174,7 @@ func main() {
 	flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
 	flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
 	flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
+	flagset.BoolVar(&aggregateReports, "aggregateReports", true, "Enable or disable aggregated policy reports.")
 	flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
 	flagset.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
 	flagset.DurationVar(&backgroundScanInterval, "backgroundScanInterval", time.Hour, "Configure background scan interval.")
@@ -259,6 +266,7 @@ func main() {
 				engine,
 				backgroundScan,
 				admissionReports,
+				aggregateReports,
 				reportsChunkSize,
 				backgroundScanWorkers,
 				kubeInformer,

config/install-latest-testing.yaml

@@ -39109,6 +39109,7 @@ spec:
             - --otelConfig=prometheus
             - --metricsPort=8000
             - --admissionReports=true
+            - --aggregateReports=true
             - --backgroundScan=true
             - --backgroundScanWorkers=2
             - --backgroundScanInterval=1h