
- Background scanning is the periodic evaluation of stored cluster resources against your policies to generate reports for resources that were created before your policies existed.
- It runs independently of admission requests and produces the same type of reporting output used for admission-time evaluations.

- Each policy has a
spec.backgroundfield. When set totrue, the policy participates in background scans. - The default is
true, so policies you create will be evaluated during background scans unless you explicitly opt out.
spec.background: false to prevent it from being evaluated by the Reports Controller.

- Audit pre-existing resources to find violations that occurred before policy rollout.
- Test new policies in
auditmode: leave the policy in audit mode and let the background scan evaluate the cluster. The resulting reports show what would be blocked if the policy were enforced — without disrupting running workloads.

- Understanding which component does what helps you configure and interpret background scanning and reports correctly.
Use backticks for rule names and fields when referencing them in text (e.g.,
validate, mutateExisting, spec.background).

- The Reports Controller wakes on a configurable schedule (default: once per hour).
- It scans resources across the cluster against policies that have
spec.background: true. - For each evaluated resource, the Reports Controller produces an internal ephemeral report —
EphemeralReportorClusterEphemeralReport. - The controller immediately processes and aggregates these ephemeral results into durable
PolicyReportorClusterPolicyReportobjects.

Prior to Kyverno v1.12 the temporary reports were named
BackgroundReport / ClusterBackgroundReport. These were unified into EphemeralReport and ClusterEphemeralReport to simplify reporting semantics.- Background scans evaluate stored resources (data from etcd). Because they are not tied to an admission request, request-scoped context is unavailable.
- Do not rely on user identity or request-specific variables in policies that you want to run in the background.
- Matching on user/subject information such as Roles/ClusterRoles or
subjects. - Request-specific variables like
request.userInfo.
- Fields that reflect the stored resource state, e.g.,
request.objectandrequest.namespace, effectively map to the current stored resource when evaluated in background.

If your policy uses
request.userInfo or matches on subjects, set spec.background: false to prevent background-evaluation errors.- The Reports Controller background scan interval is configurable with the controller flag
--background-scan-interval. - Example (operator or deployment arguments): set the scan interval to 30 minutes:
- Background scanning audits resources that predate your policies and fills the visibility gap left by admission-only reporting.
spec.backgroundcontrols whether a policy participates in background scans (default:true).- The Reports Controller periodically wakes, evaluates resources, produces ephemeral reports, and aggregates them into durable
PolicyReport/ClusterPolicyReportobjects. - Avoid using admission-time data (e.g.,
request.userInfo) in policies you expect to run during background scans.

- Kyverno documentation: https://kyverno.io/
- Kubernetes API concepts: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
- Kyverno GitHub: https://github.com/kyverno/kyverno