High-level controller responsibilities
- Admission Controller — the synchronous gatekeeper for API requests.
- Reports Controller — collects evaluation results and produces policy reports.
- Background Controller — executes deferred generate and mutate tasks asynchronously.
- Cleanup Controller — removes temporary or stale resources according to cleanup policies.
Admission Controller
Think of the Admission Controller as the cluster’s front‑door security guard. It intercepts Create, Update, and Delete requests from the Kubernetes API server and performs synchronous policy checks and modifications before the objects are persisted. When processing an admission request, the Admission Controller:- Validates resources using
validaterules (deny non-compliant resources). - Applies
mutaterules to inject defaults, labels, annotations, or sidecar changes. - Verifies container images using
verifyImagesrules (ensure trusted registries and signatures). - Validates policy and exception resources themselves to ensure they are well‑formed.
- Dynamically manages webhook registration and TLS certificates for secure, automated integration with the API server.
The Admission Controller handles synchronous checks and short mutations. For longer-running or cluster-wide changes (generate/mutate of existing resources, report aggregation), rely on Kyverno’s background controllers—these operate asynchronously to preserve admission performance.

Reports Controller
The Reports Controller acts as the cluster’s compliance accountant. It collects the immediate results produced by admission events and augments them with its own background scans across the cluster to produce up‑to‑date policy reports. Key behaviors:- Consumes admission event tickets emitted by the Admission Controller.
- Performs periodic/background scans of cluster resources that predate policies (drift detection).
- Aggregates and stores findings into PolicyReports and ClusterPolicyReports for monitoring and auditability.

Background Controller
The Background Controller processes work items that should not block the initial API admission path. When the Admission Controller defers an action—such as generating resources or mutating objects already in the cluster—it emits a ticket that the Background Controller consumes. Typical responsibilities:- Generate rules: create new resources in response to triggers (for example, automatically creating a default
NetworkPolicywhen aNamespaceis created). - Mutate rules: backfill or modify existing resources (for example, add labels or annotations to all Deployments that were created before a new policy).
Generate and background mutate operations are asynchronous. Do not assume immediate, synchronous results from background work—tests and controllers should account for eventual consistency.

Cleanup Controller
The Cleanup Controller is responsible for removing temporary, obsolete, or otherwise unwanted resources according to cleanup policies. Cleanup policies are custom resources that define what to delete and on what schedule. How it works:- Reads CleanupPolicy resources that specify targets and schedules.
- Schedules cleanup jobs (via Kubernetes CronJobs or internal scheduling).
- Executes the cleanup tasks according to the configured schedule (hourly, daily, weekly, etc.).

How the pieces fit together — API request flow
- A request arrives from the Kubernetes API server and is sent to Kyverno’s Admission Controller.
- The Admission Controller performs synchronous validations, mutations, and image verifications.
- If follow-up work is required (generate/mutate existing resources, report generation), the Admission Controller creates work tickets.
- Background Controller: picks up generate and mutate tickets to create or modify resources asynchronously.
- Reports Controller: consumes admission event tickets and combines them with its background scans to produce PolicyReport objects.
- Cleanup Controller: executes scheduled cleanup tasks defined by cleanup policies.

Controller summary and quick reference
Links and references
- Kyverno documentation: https://kyverno.io
- Kubernetes admission controllers and webhooks: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- PolicyReport API (Kubernetes): https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#policyreport-v1alpha2-reporting
- Admission Controller: synchronous gatekeeper—validates, mutates, and verifies images; manages webhooks and certificates.
- Reports Controller: aggregates admission results and background scans into policy reports.
- Background Controller: executes generate and mutate rules asynchronously for cluster-wide or pre-existing resources.
- Cleanup Controller: schedules and runs cleanup jobs to remove stale or temporary resources.