mirror of https://github.com/kyverno/policy-reporter.git synced 2024-12-14 11:57:32 +00:00
Monitoring and Observability Tool for the PolicyReport CRD with an optional UI.
Frank Jogeleit 9e80f3cd5e
Manage PolicyPriorities with Helm (#17)
* Manage PolicyPriorities with Helm
2021-03-17 11:51:44 +01:00
.github Manage PolicyPriorities with Helm (#17) 2021-03-17 11:51:44 +01:00
charts/policy-reporter Manage PolicyPriorities with Helm (#17) 2021-03-17 11:51:44 +01:00
cmd Development (#12) 2021-03-13 19:56:38 +01:00
docs/images reorganize monitoring (#10) 2021-03-03 14:04:34 +01:00
pkg Development (#12) 2021-03-13 19:56:38 +01:00
.dockerignore Add concurrency to metrics and loki client 2021-02-20 11:00:10 +01:00
.gitignore Helm Improvements (#16) 2021-03-17 01:54:49 +01:00
CHANGELOG.md Development (#12) 2021-03-13 19:56:38 +01:00
Dockerfile remove labels from deleted reports and rules 2021-02-23 10:26:00 +01:00
go.mod Development (#11) 2021-03-05 14:26:47 +01:00
go.sum Development (#11) 2021-03-05 14:26:47 +01:00
LICENSE.md init 2021-02-20 00:58:01 +01:00
main.go init 2021-02-20 00:58:01 +01:00
Makefile Development (#11) 2021-03-05 14:26:47 +01:00
README.md Manage PolicyPriorities with Helm (#17) 2021-03-17 11:51:44 +01:00

PolicyReporter


Motivation

Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates PolicyReports which you can access with kubectl. Because I can't find a simple solution to get a general overview of these PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to different targets like Grafana Loki, Elasticsearch or Slack. By default, this tool provides an HTTP server with Prometheus Metrics on http://localhost:2112/metrics about ReportPolicy Summaries and ReportPolicyRules.

This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to other targets than Loki.

Getting Started

Installation with Helm v3

Installation via Helm Repository

Add the Helm repository

helm repo add policy-reporter https://fjogeleit.github.io/policy-reporter
helm repo update

Basic Installation - Provides Prometheus Metrics

helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace

Example

Prometheus Metrics

Installation with Loki

helm install policy-reporter policy-reporter/policy-reporter --set target.loki.host=http://loki:3100 -n policy-reporter --create-namespace

Additional configurations for Loki

  • Configure target.loki.minimumPriority to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
  • Configure target.loki.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

target:
  loki:
    host: ""
    minimumPriority: ""
    skipExistingOnStartup: true

Example

Grafana Loki

Installation with Elasticsearch

helm install policy-reporter policy-reporter/policy-reporter --set target.elasticsearch.host=http://elasticsearch:3100 -n policy-reporter --create-namespace

Additional configurations for Elasticsearch

  • Configure target.elasticsearch.index to customize the Elasticsearch index.
  • Configure target.elasticsearch.rotation to add a suffix to the index. Possible values are daily, monthly, annually and none.
  • Configure target.elasticsearch.minimumPriority to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
  • Configure target.elasticsearch.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

target:
  elasticsearch:
    host: ""
    index: "policy-reporter"
    rotation: "daily"
    minimumPriority: ""
    skipExistingOnStartup: true

Example

Elasticsearch

Installation with Slack

helm install policy-reporter policy-reporter/policy-reporter --set target.slack.webhook=http://hook.slack -n policy-reporter --create-namespace

Additional configurations for Slack

  • Configure target.slack.minimumPriority to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
  • Configure target.slack.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

target:
  slack:
    webhook: ""
    minimumPriority: ""
    skipExistingOnStartup: true

Example

Slack

Installation with Discord

helm install policy-reporter policy-reporter/policy-reporter --set target.discord.webhook=http://hook.discord -n policy-reporter --create-namespace

Additional configurations for Discord

  • Configure target.discord.minimumPriority to send only results with the configured minimumPriority or above, empty means all results. (info < warning < error)
  • Configure target.discord.skipExistingOnStartup to skip all results that already existed before the PolicyReporter started (default: true).

target:
  discord:
    webhook: ""
    minimumPriority: ""
    skipExistingOnStartup: true

Example

Discord

Customization

You can combine multiple targets by setting the required host or webhook configuration for your targets of choice. For all possible configurations, check out ./charts/policy-reporter/values.yaml to change any available configuration.

Configure Policy Priorities

By default, Kyverno PolicyReports have no priority or severity for policies, so every passed rule validation is processed as notice and every failed validation is processed as error. To customize this, you can configure a mapping from policies to fail priorities, so you can send them as debug, info or warnings instead of errors.

A special Policyname default is supported. The default configuration can be used to set a global default priority instead of error.

Configure with Helm

You can configure the Policy Priorities with Helm. Configure mapping under policyPriorities with a map of Policyname and Priority pairs, like below.

policyPriorities:
  enabled: true
  mapping:
    default: warning
    require-ns-labels: error

Self managed ConfigMap

To configure the priority ConfigMap on your own, enable the required Role and RoleBinding by setting policyPriorities.enabled to true and create a ConfigMap in your Release Namespace with the name policy-reporter-priorities. Configure each priority with the Policyname as key and the Priority as value. This configuration is loaded and synchronized during runtime. Any change to this ConfigMap is automatically synchronized, no new deployment needed.

Enable the required Role and RoleBinding

helm install policy-reporter policy-reporter/policy-reporter --set policyPriorities.enabled=true -n policy-reporter --create-namespace

Create the ConfigMap

kubectl create configmap policy-reporter-priorities --from-literal check-label-app=warning --from-literal require-ns-labels=warning -n policy-reporter

apiVersion: v1
kind: ConfigMap
metadata:
  name: policy-reporter-priorities
  namespace: policy-reporter
data:
  default: debug
  check-label-app: warning
  require-ns-labels: warning
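
The mapping and a target's minimumPriority interact: lowering the default priority also removes failed results from every target whose minimumPriority is higher. The following added example (not code from the policy-reporter project) models the resolution rules described above and lists which policies' failures a target would no longer receive. The ordering of debug below info, the handling of unknown priority strings and the policy name disallow-latest-tag are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed order for this example: debug < info < warning < error.
// The README states info < warning < error; ranking debug lowest is an assumption.
var rank = map[string]int{"debug": 1, "info": 2, "warning": 3, "error": 4}

// resolveFailPriority returns the priority of a failed result: the policy's own
// entry, else the special "default" entry, else "error" (the README's default).
// Unknown priority strings are skipped (assumption, not project behaviour).
func resolveFailPriority(mapping map[string]string, policy string) string {
	for _, key := range []string{policy, "default"} {
		if p, ok := mapping[key]; ok && rank[p] > 0 {
			return p
		}
	}
	return "error"
}

// shouldSend applies a target's minimumPriority; empty means all results.
func shouldSend(priority, minimum string) bool {
	return minimum == "" || rank[priority] >= rank[minimum]
}

// suppressed lists the policies whose failed results never reach the target.
func suppressed(mapping map[string]string, minimum string, policies []string) []string {
	var out []string
	for _, name := range policies {
		if !shouldSend(resolveFailPriority(mapping, name), minimum) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Mapping from the ConfigMap shown above; "disallow-latest-tag" is a
	// constructed policy name with no entry of its own.
	mapping := map[string]string{"default": "debug", "check-label-app": "warning", "require-ns-labels": "warning"}
	policies := []string{"check-label-app", "require-ns-labels", "disallow-latest-tag"}
	for _, minimum := range []string{"", "warning", "error"} {
		fmt.Printf("minimumPriority=%q suppressed=%v\n", minimum, suppressed(mapping, minimum, policies))
	}
}
```

With default: debug and a target set to minimumPriority: warning, failures of any policy without its own mapping entry are not forwarded to that target.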

Monitoring

The Helm Chart includes an optional Sub Chart for the MonitoringStack. The provided Dashboards work without Loki and are based only on the Prometheus Metrics.

  • Enable the Monitoring by setting monitoring.enabled to true.
    • Change the namespace to your required monitoring namespace by changing monitoring.namespace (default: cattle-dashboards)
    • With monitoring.serviceMonitor.labels you can add additional labels to the ServiceMonitor. This helps to match the serviceMonitorSelector configuration of your Prometheus resource

Example Installation

helm install policy-reporter policy-reporter/policy-reporter --set monitoring.enabled=true --set monitoring.namespace=cattle-dashboards -n policy-reporter --create-namespace

Customized Dashboards

The Monitoring Subchart offers several values for changing the height or disabling different components of the individual dashboards.

To change a value of this subchart you have to prefix each option with monitoring.

Example

helm install policy-reporter policy-reporter/policy-reporter --set monitoring.enabled=true --set monitoring.policyReportDetails.secondStatusRow.enabled=false -n policy-reporter --create-namespace

PolicyReport Details Dashboard

Value Default
policyReportDetails.firstStatusRow.height 6
policyReportDetails.secondStatusRow.enabled true
policyReportDetails.secondStatusRow.height 2
policyReportDetails.statusTimeline.enabled true
policyReportDetails.statusTimeline.height 8
policyReportDetails.passTable.enabled true
policyReportDetails.passTable.height 8
policyReportDetails.failTable.enabled true
policyReportDetails.failTable.height 8
policyReportDetails.warningTable.enabled true
policyReportDetails.warningTable.height 4
policyReportDetails.errorTable.enabled true
policyReportDetails.errorTable.height 4

ClusterPolicyReport Details Dashboard

Value Default
clusterPolicyReportDetails.statusRow.height 6
clusterPolicyReportDetails.statusTimeline.enabled true
clusterPolicyReportDetails.statusTimeline.height 8
clusterPolicyReportDetails.passTable.enabled true
clusterPolicyReportDetails.passTable.height 8
clusterPolicyReportDetails.failTable.enabled true
clusterPolicyReportDetails.failTable.height 8
clusterPolicyReportDetails.warningTable.enabled true
clusterPolicyReportDetails.warningTable.height 4
clusterPolicyReportDetails.errorTable.enabled true
clusterPolicyReportDetails.errorTable.height 4

PolicyReport Overview Dashboard

Value Default
policyReportOverview.failingSummaryRow.height 8
policyReportOverview.failingTimeline.height 10
policyReportOverview.failingPolicyRuleTable.height 10
policyReportOverview.failingClusterPolicyRuleTable.height 10

Grafana Dashboard Import

If you are not using the MonitoringStack you can import the dashboards from Grafana

Dashboard Preview

PolicyReporter Grafana Dashboard

PolicyReporter Details Grafana Dashboard

ClusterPolicyReporter Details Grafana Dashboard

Policy Report UI

If you don't have any supported Monitoring solution running, you can use the standalone Policy Report UI.

The UI is provided as optional Helm Sub Chart and can be enabled by setting ui.enabled to true.

Installation

helm install policy-reporter policy-reporter/policy-reporter --set ui.enabled=true -n policy-reporter --create-namespace

Access it with Port Forward on localhost

kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter

Open http://localhost:8082/ in your browser.

Example

The UI is an optional application and provides three different views with information about the validation status of your audit policies.

Dashboard

Policy Reports

ClusterPolicyReports

Example Helm values.yaml

Example Helm values.yaml with the integrated Policy Reporter UI, Loki as target and customized Grafana Dashboards enabled.

ui:
  enabled: true

policyPriorities:
  enabled: true
  mapping:
    default: warning
    require-ns-labels: error

target:
  loki:
    host: "http://loki.loki-stack.svc.cluster.local:3100"
    minimumPriority: "warning"
    skipExistingOnStartup: true

monitoring:
  enabled: true

  policyReportDetails:
    firstStatusRow:
      height: 6
    secondStatusRow:
      enabled: false
      height: 2
    statusTimeline:
      enabled: true
      height: 8
    passTable:
      enabled: true
      height: 8
    failTable:
      enabled: true
      height: 8
    warningTable:
      enabled: false
      height: 4
    errorTable:
      enabled: false
      height: 4

  clusterPolicyReportDetails:
    statusRow:
      height: 6
    statusTimeline:
      enabled: true
      height: 8
    passTable:
      enabled: true
      height: 8
    failTable:
      enabled: true
      height: 8
    warningTable:
      enabled: false
      height: 4
    errorTable:
      enabled: false
      height: 4

  policyReportOverview:
    failingSummaryRow:
      height: 8
    failingTimeline:
      height: 10
    failingPolicyRuleTable:
      height: 10
    failingClusterPolicyRuleTable:
      height: 10

Todos

  • Support for ClusterPolicyReports
  • Additional Targets
  • Filter