policy-reporter/README.md

# PolicyReporter

## Motivation

Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to [Grafana Loki](https://grafana.com/oss/loki/). As additional feature this tool provides an http server with Prometheus Metrics about ReportPolicy Summaries and ReportPolicyRules.

This project is in an early stage. Please let me know if anything did not work as expected or if you want so send your audits to other targets then Loki.

## Installation with Helm v3

Clone the repository and use the following command:

```bash
git clone https://github.com/fjogeleit/policy-reporter.git

cd policy-reporter

helm install policy-reporter ./charts/policy-reporter --set loki=http://lokihost:3100 -n policy-reporter --create-namespace
```
You can also customize the `./charts/policy-reporter/values.yaml` to change the default configurations.

### Configure policyPriorities

By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as warnings instead of errors. To configure the priorities create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-config`. This ConfigMap have to have a property `config.yaml` with the map as YAML content. See the Example for Detailes.

#### Example

```yaml
# config.yaml
policy_priorities:
  check-label-app: warning
  require-ns-labels: warning
```

```bash
kubectl create configmap policy-reporter-config --from-file=config.yaml -n policy-reporter
```

## Example Outputs

![Grafana Loki](https://github.com/fjogeleit/policy-reporter/blob/main/docs/images/grafana-loki.png?raw=true)

![Prometheus Metrics](https://github.com/fjogeleit/policy-reporter/blob/main/docs/images/prometheus.png?raw=true)

# Todos
* ~~Support for ClusterPolicyReports~~
* Additional Targets
init 2021-02-19 23:58:01 +00:00			`# PolicyReporter`

Add concurrency to metrics and loki client 2021-02-20 10:00:10 +00:00			`## Motivation`
init 2021-02-19 23:58:01 +00:00
Update README 2021-02-20 11:25:41 +00:00			Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to [Grafana Loki](https://grafana.com/oss/loki/). As additional feature this tool provides an http server with Prometheus Metrics about ReportPolicy Summaries and ReportPolicyRules.
Update README 2021-02-20 11:16:25 +00:00
			`This project is in an early stage. Please let me know if anything did not work as expected or if you want so send your audits to other targets then Loki.`
update readme 2021-02-20 00:16:18 +00:00
			`## Installation with Helm v3`

			`Clone the repository and use the following command:`

			```bash
update readme 2021-02-20 00:31:59 +00:00			`git clone https://github.com/fjogeleit/policy-reporter.git`

			`cd policy-reporter`

update readme 2021-02-20 00:16:18 +00:00			`helm install policy-reporter ./charts/policy-reporter --set loki=http://lokihost:3100 -n policy-reporter --create-namespace`
			```
update readme 2021-02-20 00:31:59 +00:00			You can also customize the `./charts/policy-reporter/values.yaml` to change the default configurations.
update readme 2021-02-20 00:16:18 +00:00
			`### Configure policyPriorities`

Configuration Improvements 2021-02-20 18:20:34 +00:00			By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as warnings instead of errors. To configure the priorities create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-config`. This ConfigMap have to have a property `config.yaml` with the map as YAML content. See the Example for Detailes.

			`#### Example`
update readme 2021-02-20 00:16:18 +00:00
			```yaml
Configuration Improvements 2021-02-20 18:20:34 +00:00			`# config.yaml`
			`policy_priorities:`
			`check-label-app: warning`
			`require-ns-labels: warning`
			```
update readme 2021-02-20 00:16:18 +00:00
Configuration Improvements 2021-02-20 18:20:34 +00:00			```bash
			`kubectl create configmap policy-reporter-config --from-file=config.yaml -n policy-reporter`
update readme 2021-02-20 00:16:18 +00:00			```

			`## Example Outputs`

			`![Grafana Loki](https://github.com/fjogeleit/policy-reporter/blob/main/docs/images/grafana-loki.png?raw=true)`

			`![Prometheus Metrics](https://github.com/fjogeleit/policy-reporter/blob/main/docs/images/prometheus.png?raw=true)`
Add concurrency to metrics and loki client 2021-02-20 10:00:10 +00:00
			`# Todos`
feat(Support ClusterPolicy) 2021-02-20 12:54:02 +00:00			`* ~~Support for ClusterPolicyReports~~`
Add concurrency to metrics and loki client 2021-02-20 10:00:10 +00:00			`* Additional Targets`