The Problem
Kubernetes 1.26+ shipped with ValidatingAdmissionPolicy as a native way to write admission policies without needing external controllers. The problem is that Policy Reporter can't show warnings or audit results from these policies, which makes them pretty useless in a Flux/GitOps setup where you don't see the kubectl output.
Right now, if I use validationActions: ["Warn", "Audit"], those warnings just disappear into the audit logs. There's no way to see them in Policy Reporter's UI or get Slack notifications about violations.
What I'm Looking For
I'd like Policy Reporter to:
- Pick up ValidatingAdmissionPolicy warnings and audit annotations
- Show them in the UI alongside Kyverno/OPA results
- Send notifications when policies are violated
- Export metrics to Prometheus
Basically treat them like any other policy source.
Why This Matters
We're using Flux for deployments and want to catch configuration issues (like missing readiness probes) without blocking deployments entirely. ValidatingAdmissionPolicy is perfect for this - it's built into Kubernetes, uses CEL like everything else now, and doesn't require running another controller.
But without visibility into the warnings, it's kind of pointless. We end up either:
- Switching policies to "Deny" which is too strict
- Running Kyverno just for the reporting, which feels wasteful
- Writing custom scripts to parse audit logs
Why Not Just Use Kyverno Policies?
- Zero operational overhead (no controller to manage)
- Extremely lightweight
- Same CEL expressions as Kubernetes validation rules
- One less dependency to manage
For simple checks like "does this have a readiness probe", running a full policy engine feels like overkill.
Current Workarounds
- Parsing audit logs with bash scripts and CronJobs
- Giving up and switching to Kyverno policies
- Making everything deny which breaks our workflow
Would love to see this supported ❤️
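The "parse the audit logs" workaround from the issue above, worked through as an added example (this is not code from the issue author or from the Policy Reporter project). The annotation key `validation.policy.admission.k8s.io/validation_failure` and the shape of its value (a JSON list of objects with `message`, `policy`, `binding`, `expressionIndex` and `validationActions`) are what Kubernetes documents for ValidatingAdmissionPolicy audit events. Everything else is an assumption for illustration: the audit events are constructed samples, the mapping onto PolicyReport result fields (`source`, `rule`, `result` values `warn`/`fail`/`error`) is a suggested convention rather than what Policy Reporter itself would emit, and the policy and binding names are invented.

```python
from __future__ import annotations

import json
from typing import Any

# Annotation the apiserver sets on an audit event when a ValidatingAdmissionPolicy
# with "Audit" in validationActions fails (documented Kubernetes key).
AUDIT_ANNOTATION = "validation.policy.admission.k8s.io/validation_failure"
SOURCE = "ValidatingAdmissionPolicy"  # assumed source label for the report entries


def _event(audit_id: str, stage: str, verb: str, ref: dict, annotations: dict | None = None) -> str:
    """Build one constructed audit log line (JSON, one event per line)."""
    ev: dict[str, Any] = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
                          "stage": stage, "verb": verb, "objectRef": ref}
    if annotations is not None:
        ev["annotations"] = annotations
    return json.dumps(ev)


DEPLOY = {"apiGroup": "apps", "apiVersion": "v1", "resource": "deployments",
          "namespace": "payments", "name": "api"}
POD = {"apiVersion": "v1", "resource": "pods", "namespace": "payments", "name": "debug"}

# Constructed sample log, not real cluster output. Policy/binding names are invented.
SAMPLE_AUDIT_LINES = [
    # RequestReceived is emitted before admission runs, so it never carries the annotation.
    _event("a1", "RequestReceived", "create", DEPLOY),
    # Same request after admission: a Warn+Audit policy failed, request still allowed.
    _event("a1", "ResponseComplete", "create", DEPLOY, {
        AUDIT_ANNOTATION: json.dumps([{
            "message": "all containers must define a readinessProbe",
            "policy": "require-readiness-probe",
            "binding": "require-readiness-probe-binding",
            "expressionIndex": 0,
            "validationActions": ["Warn", "Audit"]}]),
        "authorization.k8s.io/decision": "allow"}),
    # A Deny+Audit policy that rejected a request.
    _event("a2", "ResponseComplete", "create", POD, {
        AUDIT_ANNOTATION: json.dumps([{
            "message": "privileged containers are not allowed",
            "policy": "disallow-privileged", "binding": "disallow-privileged-binding",
            "expressionIndex": 0, "validationActions": ["Deny", "Audit"]}])}),
    # Unrelated event with no policy annotation: must be ignored.
    _event("a3", "ResponseComplete", "get", POD, {}),
    # Corrupt annotation value: surfaced as an "error" result instead of silently dropped.
    _event("a4", "ResponseComplete", "update", DEPLOY, {AUDIT_ANNOTATION: "not json"}),
]


def audit_line_to_results(line: str) -> list[dict[str, Any]]:
    """Map one audit log line to zero or more PolicyReport-style result entries."""
    event = json.loads(line)
    # Admission annotations are only present once admission has run, i.e. on the
    # ResponseComplete stage; filtering on it also avoids counting a request twice.
    if event.get("stage") != "ResponseComplete":
        return []
    raw = (event.get("annotations") or {}).get(AUDIT_ANNOTATION)
    if not raw:
        return []
    ref = event.get("objectRef") or {}
    group = ref.get("apiGroup", "")
    resource = {
        "apiVersion": f"{group}/{ref.get('apiVersion', '')}" if group else ref.get("apiVersion", ""),
        "resource": ref.get("resource", ""),
        "namespace": ref.get("namespace", ""),
        "name": ref.get("name", ""),
    }
    props = {"auditID": event.get("auditID", ""), "verb": event.get("verb", "")}
    try:
        failures = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [{"source": SOURCE, "policy": "unknown", "rule": "", "result": "error",
                 "message": f"unparseable {AUDIT_ANNOTATION}: {exc}",
                 "resources": [resource], "properties": props}]
    results = []
    for f in failures:
        actions = f.get("validationActions", [])
        results.append({
            "source": SOURCE,
            "policy": f.get("policy", "unknown"),
            # binding plus expression index identifies which CEL rule fired
            "rule": f"{f.get('binding', '')}#{f.get('expressionIndex', 0)}",
            # Deny means the request was rejected; Warn/Audit only means it was allowed
            "result": "fail" if "Deny" in actions else "warn",
            "message": f.get("message", ""),
            "resources": [resource],
            "properties": {**props, "validationActions": ",".join(actions)},
        })
    return results


def build_policy_reports(lines: list[str]) -> dict[str, dict[str, Any]]:
    """Group results into one PolicyReport-shaped document per namespace."""
    reports: dict[str, dict[str, Any]] = {}
    for line in lines:
        for r in audit_line_to_results(line):
            ns = r["resources"][0]["namespace"]
            rep = reports.setdefault(ns, {
                "apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
                "metadata": {"name": "vap-audit", "namespace": ns},
                "summary": {"pass": 0, "fail": 0, "warn": 0, "error": 0, "skip": 0},
                "results": []})
            rep["results"].append(r)
            rep["summary"][r["result"]] += 1
    return reports


if __name__ == "__main__":
    print(json.dumps(build_policy_reports(SAMPLE_AUDIT_LINES), indent=2))
```

Feeding a real apiserver audit log (one JSON event per line) through `build_policy_reports` gives one report per namespace; the stage filter matters in practice because every request shows up as several events, only the last of which carries the admission annotation.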