Kyverno ships with two types of validation: you can either enforce a rule or audit it. If you don't want to block developers, or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of these PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to different targets like [Grafana Loki](https://grafana.com/oss/loki/), [Elasticsearch](https://www.elastic.co/de/elasticsearch/) or [Slack](https://slack.com/). By default this tool also provides an HTTP server with Prometheus metrics on `http://localhost:2112/metrics` about PolicyReport summaries and PolicyReport rules.
This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to other targets than Loki.
* Configure `target.loki.minimumPriority` to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
* Configure `target.loki.skipExistingOnStartup` to skip all results that already existed before the PolicyReporter started (default: `true`).
* Configure `target.elasticsearch.index` to customize the Elasticsearch index.
* Configure `target.elasticsearch.rotation` to add a time-based suffix to the index. Possible values are `daily`, `monthly`, `annually` and `none`.
* Configure `target.elasticsearch.minimumPriority` to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
* Configure `target.elasticsearch.skipExistingOnStartup` to skip all results that already existed before the PolicyReporter started (default: `true`).
* Configure `target.slack.minimumPriority` to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
* Configure `target.slack.skipExistingOnStartup` to skip all results that already existed before the PolicyReporter started (default: `true`).
* Configure `target.discord.minimumPriority` to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
* Configure `target.discord.skipExistingOnStartup` to skip all results that already existed before the PolicyReporter started (default: `true`).
You can combine multiple targets by setting the required `host` or `webhook` configuration for each target of your choice. For all possible configurations, check `./charts/policy-reporter/values.yaml`.
By default, Kyverno PolicyReports have no priority or severity for policies, so every passed rule validation is processed as notice and every failed validation is processed as error. To customize this, you can configure a mapping from policies to fail priorities, so that failures are sent as debug, info or warning instead of error.
You can configure the policy priorities with Helm. Configure `mapping` under `policyPriorities` with a map of __Policyname__ and __Priority__ pairs, like below.
```yaml
policyPriorities:
  enabled: true
  mapping:
    default: warning
    require-ns-labels: error
```
### Self managed ConfigMap
To manage the priority `ConfigMap` on your own, enable the required `Role` and `RoleBinding` by setting `policyPriorities.enabled` to `true` and create a ConfigMap in your release namespace with the name `policy-reporter-priorities`. Configure each priority as an entry with the __Policyname__ as key and the __Priority__ as value. This configuration is loaded and synchronized during runtime: any change to this ConfigMap is synchronized automatically, no new deployment needed.
The Helm chart includes an optional sub chart for the [MonitoringStack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack). The provided dashboards work without Loki and are based only on the Prometheus metrics.
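The following Go program is an added example that is not part of Policy Reporter's own code base. It shows how the two settings described above interact: a `policyPriorities` mapping (with `default` as fallback) assigns a priority to each failed result, and a target's `minimumPriority` then decides which results are sent. The PolicyReport excerpt is constructed for this example, the `Result` struct only carries the fields needed here, and the ranking of `debug` below `info` is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// priorityRank orders the priorities used by minimumPriority (info < warning < error).
// Placing debug below info is this example's own assumption.
var priorityRank = map[string]int{
	"debug":   1,
	"info":    2,
	"warning": 3,
	"error":   4,
}

// Result is a reduced PolicyReportResult with only the fields this example needs.
type Result struct {
	Policy  string `json:"policy"`
	Rule    string `json:"rule"`
	Status  string `json:"status"` // pass, fail, warn, error, skip
	Message string `json:"message"`
}

// report is the minimal PolicyReport shape needed to decode the sample below.
type report struct {
	Results []Result `json:"results"`
}

// PolicyPriorities mirrors policyPriorities.mapping: policy name -> priority,
// with the special key "default" as the fallback for unmapped policies.
type PolicyPriorities map[string]string

// Priority derives the priority of one result: passed validations are reported
// as info (the README calls this "notice"); failed validations use the policy's
// mapped priority, then the "default" mapping, then error.
func (p PolicyPriorities) Priority(r Result) string {
	if r.Status == "pass" {
		return "info"
	}
	if pr, ok := p[r.Policy]; ok {
		return pr
	}
	if pr, ok := p["default"]; ok {
		return pr
	}
	return "error"
}

// Filter returns the results a target would send: those whose priority is at
// or above minimumPriority. An empty (or unknown) minimumPriority keeps everything.
func Filter(results []Result, p PolicyPriorities, minimumPriority string) []Result {
	threshold := priorityRank[minimumPriority] // missing key -> 0 -> keep all
	var kept []Result
	for _, r := range results {
		if priorityRank[p.Priority(r)] >= threshold {
			kept = append(kept, r)
		}
	}
	return kept
}

// ParseReport decodes a PolicyReport JSON document into its results.
func ParseReport(raw []byte) ([]Result, error) {
	var rep report
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, err
	}
	return rep.Results, nil
}

// sampleReport is a constructed PolicyReport excerpt, not taken from a real cluster.
const sampleReport = `{
  "results": [
    {"policy": "require-ns-labels", "rule": "check-for-labels", "status": "fail", "message": "validation error: label 'team' is required"},
    {"policy": "disallow-latest-tag", "rule": "validate-image-tag", "status": "fail", "message": "image tag ':latest' is not allowed"},
    {"policy": "require-requests-limits", "rule": "validate-resources", "status": "pass", "message": "validation rule passed"}
  ]
}`

func main() {
	results, err := ParseReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	// Same mapping as the Helm values example in this README.
	mapping := PolicyPriorities{"default": "warning", "require-ns-labels": "error"}
	// With minimumPriority "warning", the passed result is dropped and both failures are sent.
	for _, r := range Filter(results, mapping, "warning") {
		fmt.Printf("[%s] %s/%s: %s\n", mapping.Priority(r), r.Policy, r.Rule, r.Message)
	}
}
```

With the mapping above, `require-ns-labels` failures keep the priority `error`, any other failure is downgraded to `warning`, and a target configured with `minimumPriority: error` would therefore only receive the `require-ns-labels` result.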
* Enable the monitoring by setting `monitoring.enabled` to `true`.
* Change the `namespace` to your required monitoring namespace by changing `monitoring.namespace` (default: `cattle-dashboards`).
* With `monitoring.serviceMonitor.labels` you can add additional labels to the `ServiceMonitor`. This helps to match the `serviceMonitorSelector` configuration of your Prometheus resource.
If you don't have any supported monitoring solution running, you can use the standalone [Policy Report UI](https://github.com/fjogeleit/policy-reporter-ui).