mirror of https://github.com/kyverno/policy-reporter.git synced 2024-12-14 11:57:32 +00:00
Monitoring and Observability Tool for the PolicyReport CRD with an optional UI.
Frank Jogeleit 2872a259ec
Development (#7)
* Implement elasticsearch
* Update deployment
* Add Changelog
2021-02-27 19:11:49 +01:00

PolicyReporter

Motivation

Kyverno ships with two types of validation: you can either enforce a rule or audit it. If you don't want to block developers, or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates PolicyReports which you can access with kubectl. Because I couldn't find a simple solution to get a general overview of these PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to different targets like Grafana Loki. By default this tool provides an HTTP server with Prometheus metrics on http://localhost:2112/metrics about PolicyReport summaries and PolicyReport rules.

This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to other targets than Loki.

Installation with Helm v3

Installation via Helm Repository

Add the Helm repository

helm repo add policy-reporter https://fjogeleit.github.io/policy-reporter

Basic Installation - Provides Prometheus Metrics

helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace

Installation with Loki

helm install policy-reporter policy-reporter/policy-reporter --set loki.host=http://loki:3100 -n policy-reporter --create-namespace

Installation with Elasticsearch

helm install policy-reporter policy-reporter/policy-reporter --set elasticsearch.host=http://elasticsearch:3100 -n policy-reporter --create-namespace

You can also customize the ./charts/policy-reporter/values.yaml to change the default configurations.

Additional configurations for Loki

  • Configure loki.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure loki.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

loki:
  minimumPriority: ""
  skipExistingOnStartup: true

Additional configurations for Elasticsearch

  • Configure elasticsearch.index to customize the Elasticsearch index.
  • Configure elasticsearch.rotation, which is added as a suffix to the index. Possible values are daily, monthly, annually and none.
  • Configure elasticsearch.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure elasticsearch.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

elasticsearch:
  index: "policy-reporter"
  rotation: "daily"
  minimumPriority: ""
  skipExistingOnStartup: true

Configure Policy Priorities

By default, Kyverno PolicyReports have no priority or severity for policies, so every passed rule validation is processed as notice and every failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities, so that failures of a given policy are sent as warnings instead of errors. To configure the priorities, create a ConfigMap in the policy-reporter namespace with the name policy-reporter-priorities. Configure each entry with the policy name as key and the priority as value. This configuration is loaded and synchronized during runtime: any change to this ConfigMap is synchronized automatically, no new deployment needed.

Example

kubectl create configmap policy-reporter-priorities --from-literal check-label-app=warning --from-literal require-ns-labels=warning -n policy-reporter
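The following is an added example, not code from the policy-reporter project, showing how the priority mapping above combines with the minimumPriority filter of the Loki and Elasticsearch sections and with the elasticsearch.rotation index suffix. The Result type, the treatment of the README's "notice" as the lowest level "info", and the date layouts used for the suffix are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Rank of each priority so minimumPriority can be compared: info < warning < error.
var priorityRank = map[string]int{"info": 1, "warning": 2, "error": 3}

// Result is an assumed, minimal stand-in for one PolicyReport result ("pass" or "fail").
type Result struct{ Policy, Status string }

// ResolvePriority applies the README defaults (pass -> info, i.e. the README's "notice";
// fail -> error) and then the per-policy override from the policy-reporter-priorities ConfigMap.
func ResolvePriority(r Result, mapping map[string]string) string {
	if r.Status != "fail" {
		return "info"
	}
	if p, ok := mapping[r.Policy]; ok && priorityRank[p] > 0 {
		return p
	}
	return "error" // unmapped policy or unknown override value
}

// Forward reports whether a result is at or above minimumPriority; empty means send everything.
func Forward(prio, minimum string) bool {
	return minimum == "" || priorityRank[prio] >= priorityRank[minimum]
}

// IndexName appends the elasticsearch.rotation suffix to the configured index (assumed layouts).
func IndexName(base, rotation string, now time.Time) string {
	switch rotation {
	case "daily":
		return base + "-" + now.Format("2006.01.02")
	case "monthly":
		return base + "-" + now.Format("2006.01")
	case "annually":
		return base + "-" + now.Format("2006")
	}
	return base // "none" or unknown: no suffix
}

func main() {
	// Constructed sample: the ConfigMap from the README plus one unmapped policy.
	mapping := map[string]string{"check-label-app": "warning", "require-ns-labels": "warning"}
	for _, r := range []Result{{"check-label-app", "fail"}, {"disallow-privileged", "fail"}, {"require-ns-labels", "pass"}} {
		p := ResolvePriority(r, mapping)
		fmt.Printf("%-20s %s -> %s (sent at minimumPriority=warning: %v)\n", r.Policy, r.Status, p, Forward(p, "warning"))
	}
	fmt.Println(IndexName("policy-reporter", "daily", time.Date(2021, 2, 27, 19, 11, 49, 0, time.UTC)))
}
```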

Monitoring

The Helm chart includes optional manifests for the MonitoringStack. The provided dashboard works without Loki.

  • Enable a ServiceMonitor by setting metrics.serviceMonitor to true.
  • Enable a basic Dashboard as ConfigMap by setting metrics.dashboard.enabled to true.
    • Change the namespace to your required monitoring namespace by changing metrics.dashboard.namespace (default: cattle-dashboards)

If you are not using the MonitoringStack, you can import the dashboard from Grafana.

Example Installation

helm install policy-reporter policy-reporter/policy-reporter --set metrics.serviceMonitor=true --set metrics.dashboard.enabled=true -n policy-reporter --create-namespace

Dashboard Preview

PolicyReporter Grafana Dashboard

Example Outputs

Grafana Loki

Prometheus Metrics

Todos

  • Support for ClusterPolicyReports
  • Additional Targets