Comments (7)
Sigh, and I realise having written this we're actually not on the latest helm chart, so I'll go and upgrade that and see if that happens to fix things
from policy-reporter.
Upgraded to latest chart (2.24.0), which gives image version ghcr.io/kyverno/policy-reporter:2.20.0 - same issue
So you mean it's not showing all namespaces at the beginning but after some time the list is complete? Or the list is never fully complete?
In general, ready means that the listener starts working. All information, including namespaces, comes from PolicyReports, and PolicyReporter needs to process all existing PolicyReports before all data is available.
I never have an indicator for when all reports that exist at start time are processed, because they come one by one from the listener. Also, depending on the cluster and the amount of policies and resources, the time to process everything is very different.
After some time the list is complete.
It's being particularly noticeable right now on our sbx environment, because it only has one replica and it keeps being restarted by the VPA controller when the resource estimate changes, and each time the UI stops being accurate for 5-10 minutes.
The issue I have is I want to be able to point our users at this as a tool to look at the state of their apps - but it's tricky when the data may be inaccurate, but presented as if it's accurate. So for my use-case, I'd prefer it not be available until it's ready, rather than responding with missing data.
I've seen other projects have similar requirements, e.g. kubernetes/kubernetes#113763 & https://github.com/istio/istio/blob/master/pkg/kube/kclient/client.go#L190-L203
So you would prefer that policy reporter needs 5 to 10 minutes to be marked as running?
I am not sure if your example hits this situation. HasSynced is already used as indicator for readiness:
https://github.com/kyverno/policy-reporter/blob/main/pkg/api/handler.go#L32
But this doesn't mean that everything is processed. The API is based on an internal database, which will be filled after the sync by processing each PR one by one. The API does not get its data directly from the K8s API. And this process takes time depending on the amount of reports and results.
I have no way to know or to check if all initial reports are processed at least once.
> So you would prefer that policy reporter needs 5 to 10 minutes to be marked as running?
Tbh, yes - I'd like the option for that at least. My perspective is unavailable and inaccurate are both bad. (Though I suppose available but with a warning saying it's incomplete would also work)
> I am not sure if your example hits this situation. HasSynced is already used as indicator for readiness:
🤔 Hmm, I know that things like istio do this somehow (e.g. you don't want to start allowing traffic before you know you've processed all AuthorizationPolicy)
I'm happy to take a look at trying to achieve this.
I guess my question is - is this something you'd be interested in accepting as a PR? (Possibly as an option?)
As an option, sure. Maybe one way could be to use an external DB, which is already possible, and improve the behavior after a restart. So it keeps already existing data, only updates changes and removes no longer existing information (which is the hardest part).
I need to focus on the UI for now, so if you would like to take a look, I am happy about each contribution.
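An added example, not part of the thread or of policy-reporter's code: one way to hold readiness until every report that existed at startup has been processed once, including reports whose events were handled before the initial list was taken. The `InitialSyncGate` type and its methods are hypothetical and the keys are constructed; it assumes the caller passes `Arm` the report keys from the informer store after `HasSynced` and calls `Done` after each report is written to the database or deleted.

```go
package main

import "fmt"
import "sync"

// InitialSyncGate (hypothetical type) gates readiness on the initial reports.
type InitialSyncGate struct {
	mu      sync.Mutex
	seen    map[string]bool // handled before Arm; nil once armed
	pending map[string]bool // initial reports not yet handled
}

func NewInitialSyncGate() *InitialSyncGate {
	return &InitialSyncGate{seen: map[string]bool{}, pending: map[string]bool{}}
}

// Arm takes the report keys listed from the informer store after HasSynced.
func (g *InitialSyncGate) Arm(initialKeys []string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	for _, k := range initialKeys {
		if !g.seen[k] {
			g.pending[k] = true
		}
	}
	g.seen = nil
}

// Done is called once a report is stored in the database, or was deleted.
func (g *InitialSyncGate) Done(key string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	delete(g.pending, key)
	if g.seen != nil {
		g.seen[key] = true
	}
}

func (g *InitialSyncGate) Ready() bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	return g.seen == nil && len(g.pending) == 0
}

func main() {
	g := NewInitialSyncGate()
	g.Arm([]string{"team-a/polr-1", "team-b/polr-2"}) // constructed keys
	g.Done("team-a/polr-1")
	fmt.Println("ready:", g.Ready()) // team-b/polr-2 is still pending
}
```

A readiness endpoint would answer 503 while `Ready()` is false, so the pod stays out of the Service until the database reflects every report that existed at startup.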