charts/policy-reporter | ||
cmd | ||
docs/images | ||
pkg | ||
.dockerignore | ||
.gitignore | ||
config.example.yaml | ||
Dockerfile | ||
go.mod | ||
go.sum | ||
LICENSE.md | ||
main.go | ||
Makefile | ||
README.md |
PolicyReporter
Motivation
Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates PolicyReports which you can access with kubectl
. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to Grafana Loki. As additional feature this tool provides an http server with Prometheus Metrics about ReportPolicy Summaries and ReportPolicyRules.
This project is in an early stage. Please let me know if anything did not work as expected or if you want so send your audits to other targets then Loki.
Installation with Helm v3
Clone the repository and use the following command:
git clone https://github.com/fjogeleit/policy-reporter.git
cd policy-reporter
helm install policy-reporter ./charts/policy-reporter --set loki=http://lokihost:3100 -n policy-reporter --create-namespace
You can also customize the ./charts/policy-reporter/values.yaml
to change the default configurations.
Configure policyPriorities
By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as warnings instead of errors. To configure the priorities create a ConfigMap in the policy-reporter
namespace with the name policy-reporter-config
. This ConfigMap have to have a property config.yaml
with the map as YAML content. See the Example for Detailes.
Example
# config.yaml
policy_priorities:
check-label-app: warning
require-ns-labels: warning
kubectl create configmap policy-reporter-config --from-file=config.yaml -n policy-reporter
Example Outputs
Todos
Support for ClusterPolicyReports- Additional Targets