Support Retention/Cleanup for BlockReports (polr-ns-*-blocked) #34

@sedflix

Description:

When enabling blockReports in the Kyverno Policy Reporter plugin, the controller creates per-namespace reports named polr-ns-<namespace>-blocked with entries for each denied admission. Currently, these reports accumulate indefinitely because blocked resources never exist, and thus no “fix” event is emitted. As a result, even when users resubmit corrected manifests, the older blocked entries remain in the report.

This leads to:

  • Ever-growing PolicyReport objects with stale data.
  • Confusion for users, since resolved issues still appear as “active” in reports.
  • Extra noise in dashboards or metrics built on top of these reports.

Current Behavior:

  • Each deny event from Kyverno produces a new entry in the same policy.
  • results.keepOnlyLatest: true has no effect.
  • results.maxPerReport only caps the total count, but does not remove entries once they are outdated or fixed.

Requested Feature(s):

  • Retention Policy for BlockReports
    • Allow age-based pruning (e.g., keep only last N days of blocked entries).
    • Alternatively, support a configurable TTL per result.
  • Smarter De-duplication
    • Enhance keepOnlyLatest to collapse repeated denies of the same policy/resource/rule combination into a single entry.
      • Example: If different pods of the same ReplicaSet are denied five times for the same violation, only keep the latest attempt.
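As an added illustration (not code from the Policy Reporter project), here is one way the requested retention and de-duplication could be modelled in Go: a TTL drops entries older than N days, and only the newest deny per policy/rule/resource combination survives. The Result type, DedupKey and SampleResults are assumptions made for this example, not the plugin's real types.

```go
package main

import (
	"sort"
	"time"
)

// Result is a simplified stand-in for one PolicyReport result entry (assumed shape, not the real type).
type Result struct {
	Policy, Rule, Namespace, Kind, Name string
	Timestamp                           time.Time
}
// DedupKey identifies repeated denies of the same policy/rule/resource combination.
func DedupKey(r Result) string {
	return r.Policy + "/" + r.Rule + "/" + r.Namespace + "/" + r.Kind + "/" + r.Name
}

// PruneBlocked drops entries older than ttl (relative to now) and keeps only the newest
// entry per DedupKey: age-based retention plus de-duplication. Output is newest-first.
func PruneBlocked(results []Result, now time.Time, ttl time.Duration) []Result {
	latest := map[string]Result{}
	for _, r := range results {
		if now.Sub(r.Timestamp) > ttl {
			continue // expired: age-based pruning
		}
		k := DedupKey(r)
		if prev, ok := latest[k]; !ok || r.Timestamp.After(prev.Timestamp) {
			latest[k] = r // a newer deny for the same combination supersedes the old one
		}
	}
	kept := make([]Result, 0, len(latest))
	for _, r := range latest {
		kept = append(kept, r)
	}
	sort.Slice(kept, func(i, j int) bool { return kept[i].Timestamp.After(kept[j].Timestamp) })
	return kept
}

// SampleResults builds constructed entries for a hypothetical polr-ns-demo-blocked report.
func SampleResults(now time.Time) []Result {
	mk := func(name string, age time.Duration) Result {
		return Result{Policy: "require-labels", Rule: "check-team", Namespace: "demo", Kind: "Pod", Name: name, Timestamp: now.Add(-age)}
	}
	return []Result{
		mk("web-abc", 10*24*time.Hour), // older than a 7-day TTL: pruned
		mk("web-abc", 5*time.Hour),     // repeated deny, superseded by the newer one
		mk("web-abc", 2*time.Hour),     // newest deny for this pod: kept
		mk("web-xyz", 1*time.Hour),     // different resource: kept as its own entry
	}
}
```

Because the key includes the resource name, distinct pods of one ReplicaSet still produce separate entries; collapsing those as in the example above would require keying on the owner reference instead, which the plugin would have to resolve.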
