Creates Prometheus Metrics for PolicyReports and ClusterPolicyReports. It also sends PolicyReportResults to different Targets like Grafana Loki or Slack

PolicyReporter


Motivation

Kyverno ships with two types of validation: you can either enforce a rule or audit it. If you don't want to block developers, or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates PolicyReports which you can access with kubectl. Because I couldn't find a simple solution to get a general overview of these PolicyReports and PolicyReportResults, I created this tool to send information from PolicyReports to different targets like Grafana Loki, Elasticsearch or Slack. By default this tool also provides an HTTP server with Prometheus metrics on http://localhost:2112/metrics about PolicyReport summaries and rule results.

This project is in an early stage. Please let me know if anything does not work as expected or if you want to send your audits to other targets than Loki.

Getting Started

Installation with Helm v3

Installation via Helm Repository

Add the Helm repository

helm repo add policy-reporter https://fjogeleit.github.io/policy-reporter
helm repo update

Basic Installation - Provides Prometheus Metrics

helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace

Example: Prometheus Metrics (screenshot)

Installation with Loki

helm install policy-reporter policy-reporter/policy-reporter --set loki.host=http://loki:3100 -n policy-reporter --create-namespace

Additional configurations for Loki

  • Configure loki.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure loki.skipExistingOnStartup to skip all results that already existed before PolicyReporter started (default: true).
loki:
  host: ""
  minimumPriority: ""
  skipExistingOnStartup: true

Example: Grafana Loki (screenshot)

Installation with Elasticsearch

helm install policy-reporter policy-reporter/policy-reporter --set elasticsearch.host=http://elasticsearch:9200 -n policy-reporter --create-namespace

Additional configurations for Elasticsearch

  • Configure elasticsearch.index to customize the Elasticsearch index name (default: policy-reporter).
  • Configure elasticsearch.rotation to append a time-based suffix to the index. Possible values are daily, monthly, annually and none (default: daily).
  • Configure elasticsearch.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure elasticsearch.skipExistingOnStartup to skip all results that already existed before PolicyReporter started (default: true).
elasticsearch:
  host: ""
  index: "policy-reporter"
  rotation: "daily"
  minimumPriority: ""
  skipExistingOnStartup: true

Example: Elasticsearch (screenshot)

Installation with Slack

helm install policy-reporter policy-reporter/policy-reporter --set slack.webhook=http://hook.slack -n policy-reporter --create-namespace

Additional configurations for Slack

  • Configure slack.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure slack.skipExistingOnStartup to skip all results that already existed before PolicyReporter started (default: true).
slack:
  webhook: ""
  minimumPriority: ""
  skipExistingOnStartup: true

Example: Slack (screenshot)

Installation with Discord

helm install policy-reporter policy-reporter/policy-reporter --set discord.webhook=http://hook.discord -n policy-reporter --create-namespace

Additional configurations for Discord

  • Configure discord.minimumPriority to send only results with the configured minimumPriority or above; empty means all results (info < warning < error).
  • Configure discord.skipExistingOnStartup to skip all results that already existed before PolicyReporter started (default: true).
discord:
  webhook: ""
  minimumPriority: ""
  skipExistingOnStartup: true

Example: Discord (screenshot)

Customization

You can combine multiple targets by setting the required host or webhook configuration for each target of your choice. For all possible configurations check out ./charts/policy-reporter/values.yaml. Note that a Slack or Discord webhook URL lets anyone who holds it post to the channel, so treat it as a secret: prefer a values file with restricted permissions over --set on a shared shell, and keep in mind that Helm 3 stores the release values in a Secret in the release namespace.
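The following values file is an added example, not a file shipped with the chart: it enables two targets with different minimumPriority thresholds and turns on the monitoring manifests described further down. Only keys documented in this README are used; the webhook URL, the ServiceMonitor label and the dashboard namespace are placeholders you must replace with your own.

```yaml
# values.yaml (added example, not part of the chart)
loki:
  host: "http://loki:3100"
  minimumPriority: ""          # empty: forward every result to Loki
  skipExistingOnStartup: true  # ignore results that predate the reporter start

slack:
  # placeholder; the real webhook URL is a secret, do not commit it
  webhook: "https://hooks.slack.com/services/REPLACE_ME"
  minimumPriority: "warning"   # only warning and error reach the channel
  skipExistingOnStartup: true

metrics:
  serviceMonitor:
    enabled: true
    labels:
      release: prometheus      # assumed label matched by your Prometheus serviceMonitorSelector
  dashboard:
    enabled: true
    namespace: monitoring      # assumed namespace watched by your Grafana sidecar
```

Install with `helm install policy-reporter policy-reporter/policy-reporter -f values.yaml -n policy-reporter --create-namespace`. Keeping the noisy target (Loki) unfiltered and the human-facing target (Slack) at warning or above avoids alert fatigue while still retaining every result for later queries.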

Configure Policy Priorities

By default, Kyverno PolicyReports carry no priority or severity for policies, so every passed rule validation is processed as notice and every failed validation as error. To customize this you can configure a mapping from policies to fail priorities, so they are sent as debug, info or warning instead of error. To configure the priorities, create a ConfigMap named policy-reporter-priorities in the policy-reporter namespace, with the policy name as key and the priority as value. This configuration is loaded and synchronized at runtime: any change to the ConfigMap is picked up automatically, no new deployment needed.

A special policy name default is supported. The default entry sets a global fallback priority for failed results instead of error.

kubectl create configmap policy-reporter-priorities --from-literal check-label-app=warning --from-literal require-ns-labels=warning -n policy-reporter

The equivalent manifest, additionally setting a global default:
apiVersion: v1
kind: ConfigMap
metadata:
  name: policy-reporter-priorities
  namespace: policy-reporter
data:
  default: debug
  check-label-app: warning
  require-ns-labels: warning
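To make the priority mapping above and the per-target minimumPriority filter (described for Loki, Elasticsearch, Slack and Discord) concrete, here is an added Go example; it is not the project's own code. It assumes a hypothetical Result struct with the fields needed here, models the README's levels as debug < info < warning < error, treats a passed result as info (the README calls it notice), and treats an unparseable minimumPriority as "no filter" so that a typo in the values file does not silently drop results. The ConfigMap data and the results are constructed sample input.

```go
package main

import (
	"fmt"
	"strings"
)

// Priority mirrors the levels this README uses, ordered so that a
// minimumPriority threshold can be compared numerically.
type Priority int

const (
	Debug Priority = iota
	Info
	Warning
	Error
)

var priorityNames = map[string]Priority{
	"debug": Debug, "info": Info, "warning": Warning, "error": Error,
}

func (p Priority) String() string {
	for name, v := range priorityNames {
		if v == p {
			return name
		}
	}
	return "error"
}

// ParsePriority accepts the strings used in the priorities ConfigMap and in a
// target's minimumPriority. The empty string (and any unknown value) is not a level.
func ParsePriority(s string) (Priority, bool) {
	p, ok := priorityNames[strings.ToLower(strings.TrimSpace(s))]
	return p, ok
}

// Result is a hypothetical subset of a PolicyReportResult (assumption).
type Result struct {
	Policy string
	Rule   string
	Status string // "pass" or "fail"
}

// ResolvePriority applies the README's rules: a passed result is informational,
// a failed result uses the ConfigMap entry for its policy, then the special
// "default" entry, and finally falls back to error.
func ResolvePriority(r Result, configMapData map[string]string) Priority {
	if r.Status == "pass" {
		return Info
	}
	if p, ok := ParsePriority(configMapData[r.Policy]); ok {
		return p
	}
	if p, ok := ParsePriority(configMapData["default"]); ok {
		return p
	}
	return Error
}

// ShouldSend implements a target's minimumPriority: empty means send everything,
// otherwise only results at or above the threshold are forwarded. An unknown
// threshold fails open (send everything) by assumption, so a typo never hides findings.
func ShouldSend(p Priority, minimumPriority string) bool {
	if minimumPriority == "" {
		return true
	}
	threshold, ok := ParsePriority(minimumPriority)
	if !ok {
		return true
	}
	return p >= threshold
}

func main() {
	// Constructed sample: the ConfigMap data from this README plus three results.
	data := map[string]string{
		"default": "debug", "check-label-app": "warning", "require-ns-labels": "warning",
	}
	results := []Result{
		{Policy: "check-label-app", Rule: "check-label-app", Status: "fail"},
		{Policy: "disallow-privileged", Rule: "privileged-containers", Status: "fail"},
		{Policy: "require-ns-labels", Rule: "check-for-labels", Status: "pass"},
	}
	for _, r := range results {
		p := ResolvePriority(r, data)
		fmt.Printf("%-20s %-4s -> %-7s sendToSlack(min=warning)=%v\n",
			r.Policy, r.Status, p, ShouldSend(p, "warning"))
	}
}
```

Running it shows why the default entry matters: the unmapped disallow-privileged failure drops to debug and is filtered out of a warning-level Slack target, while check-label-app still reaches it. Without a default entry the same failure would stay at error.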

Monitoring

The Helm chart includes optional manifests for the monitoring stack (a Prometheus Operator ServiceMonitor and a Grafana dashboard ConfigMap). The provided dashboard works without Loki.

  • Enable a ServiceMonitor by setting metrics.serviceMonitor.enabled to true.
    • With metrics.serviceMonitor.labels you can add additional labels to the ServiceMonitor. This helps to match the serviceMonitorSelector configuration of your Prometheus resource
  • Enable a basic Dashboard as ConfigMap by setting metrics.dashboard.enabled to true.
    • Change the namespace to your required monitoring namespace by changing metrics.dashboard.namespace (default: cattle-dashboards)

If you are not using the MonitoringStack you can import the dashboard from Grafana

Example Installation

helm install policy-reporter policy-reporter/policy-reporter --set metrics.serviceMonitor.enabled=true --set metrics.dashboard.enabled=true -n policy-reporter --create-namespace

Dashboard Preview: PolicyReporter Grafana Dashboard (screenshot)

Todos

  • Support for ClusterPolicyReports
  • Additional Targets
  • Filter
Owner

Frank Jogeleit, Software Engineer @move-elevator