Comments (8)
fjogeleit
commented on July 1, 2024
hey, thanks a lot. Currently there are no plans in this section.
About the Notification Part, would something help like different notification channels for different namespaces or a set of policies?
Different access in the UI could be difficult because the UI has no User / Authentication or Authorization concept. The UI should be a simple solution for smaller Clusters. If you have a monitoring solution like Grafana it could be possible to create different Dashboards with team specific selectors and information. You could also handle the access level with Grafana Users.
from policy-reporter.
taislapta
commented on July 1, 2024
thanks, that's good point. I have already Prometheus operator stack , I will have a look on documentation how to integrate and this make absolutely sense.
Regards different notification channels. I think different namespace is the case. I have Alertmanagerconfig crd for namespace with specific alert receiver like slack . Alerts from namespace with label matching it get pushed trough it. If report data will be loaded in to Prometheus that would be just thing of alert rules. Or any other options are welcome.
from policy-reporter.
fjogeleit
commented on July 1, 2024
Okay, great. Policy Reporter has an integrated SubChart for the kube-prometheus-stack. You can checkout the Rawkode Live: Hands on Policy Reporter Video where we integrate Policy Reporter into this stack step by step.
This should also help you with notifications over AlertManager. Policy Reporter has by default an metrics endpoint with all violations. You can check this metrics with:
kubectl port-forward service/policy-reporter 2112:2112/metrics -n policy-reporterA possible feature in the future could be to support multiple targets of the same type for different namespaces. I will consider this.
from policy-reporter.
taislapta
commented on July 1, 2024
awesome, I see all this good stuff in Prometheus now.
extra 2 cents to add in general:
- UI is good option as well but everyone like to click on fail policy listed in the table> I suppose would be great to get description visible on mouse cursor or expand on click as example :
policies.kyverno.io/description: >-
Kubernetes automatically mounts service account credentials in each pod.
The service account may be assigned roles allowing pods to access API resources.
To restrict access, opt out of auto-mounting tokens by setting
automountServiceAccountToken to false.
- target just flooding my slack very hour with same stuff . I disabled it and suppose alert rules and alert-manager will add there some management. If someone not use prom-stack extra vars would be appreciated.
from policy-reporter.
fjogeleit
commented on July 1, 2024
Okay, thats a good hint. I have a look if I can get access to this information in the policy report CRD and if not if its possible to add it. But I can already add the rule message from a result. You can test it with the newest version 1.3.3
To the second, do you use the latest version 1.3.2? There were problems with the reconciles of Policy Reports. Kyverno clears Policy Reports in an interval and refill them. This led to the resending of already existing events. I added a debounce mechanism for clear events. I tested it with Loki in my cluster and it worked so far.
from policy-reporter.
taislapta
commented on July 1, 2024
great will get 1.3.3.
current I use
fjogeleit/policy-reporter:1.3.2
fjogeleit/policy-reporter-ui:0.8.0
ghcr.io/kyverno/kyverno:v1.3.5
from policy-reporter.
fjogeleit
commented on July 1, 2024
Okay, thank you. I will take a closer look at the repeated notifications. It's possible that the debounce time is too short because the policy report reconcile time of Kyverno depends on the amount of validated objects and policies.
I will make the debounce time configurable over the Helm Chart. You can try if this is working for you. Regardless, I will take another look at the issue.
from policy-reporter.
fjogeleit
commented on July 1, 2024
I increased the debounceTime to 20s and added a new Configuration in the Helm Values cleanupDebounceTime to increase this value.
You can check if this stops the problem with resending existing violations. I will observe my clusters to validate the expected behavior. Please let me know if you miss anything else and thank you for your feedback.
from policy-reporter.
Related Issues (20)
- Cant' access ui dashboard using ingress path /ui HOT 5
- [bug] missing name and kind in email violations report
- [Bug] .Values.target.webhook.headers ignored in values.yaml (and maybe other values) HOT 2
- Problem with sending messages to Telegram HOT 2
- [UI] Standalone UI HOT 56
- Add ability to set request headers in Loki target HOT 2
- Download report html via api HOT 6
- Policy Reporter no longer working after kyverno 1.11.0 upgrade HOT 2
- Cant work with Workload Identity HOT 15
- Splunk as a target HOT 1
- [DOCS] The external-cluster section needs to mention that rest.enabled: true is required HOT 1
- Policy Reporter Targets as CRDs HOT 1
- Include the timestamp HOT 4
- Policy Reporter not aligned with Kyverno HOT 5
- Helm chart won't start due to "Error: unknown flag: --template-dir" HOT 2
- Kyverno Policy Reporter writes extensively on node disk storage in certain ocassions. HOT 1
- strange S3 config error when using SecurityHub as target HOT 3
- Helm: Ingress template has wrong selection for pathType
- Allow for not rendering a Kubernetes Secret HOT 2
- policy-reporter presents incomplete results HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policy-reporter.