
Check kyverno policies status in CI

Loic Nicolle requested to merge issues/1205 into main

What does this MR do and why?

Draft MR to open the discussion. This is a very small shell script that will find any PolicyReport or ClusterPolicyReport with a status different from PASS or SKIP and log them into a file before exiting in error.

Output example (done on a dev env with an audit policy):

ClusterPolicyReport 700668da-69c8-4d96-94e4-8a757cc23ebb was in FAIL/WARN/ERROR
{
  "message": "All Namespaces must have a NetworkPolicy.",
  "policy": "namespace-needs-networkpolicy",
  "result": "fail",
  "rule": "namespace-needs-networkpolicy",
  "scored": true,
  "source": "kyverno",
  "timestamp": {
    "nanos": 0,
    "seconds": 1715089581
  }
}
ClusterPolicyReport 7e908588-d406-483e-8bff-1e70d831f814 was in FAIL/WARN/ERROR
{
  "message": "All Namespaces must have a NetworkPolicy.",
  "policy": "namespace-needs-networkpolicy",
  "result": "fail",
  "rule": "namespace-needs-networkpolicy",
  "scored": true,
  "source": "kyverno",
  "timestamp": {
    "nanos": 0,
    "seconds": 1715089582
  }
}
ClusterPolicyReport 83df0210-fc36-4714-b8df-31529334b8c5 was in FAIL/WARN/ERROR
{
  "message": "All Namespaces must have a NetworkPolicy.",
  "policy": "namespace-needs-networkpolicy",
  "result": "fail",
  "rule": "namespace-needs-networkpolicy",
  "scored": true,
  "source": "kyverno",
  "timestamp": {
    "nanos": 0,
    "seconds": 1715089582
  }
}

I also see that a tool, kyverno-reporter, exists: https://kyverno.github.io/policy-reporter , https://github.com/kyverno/policy-reporter and provides a way to monitor policy violations and display them via a UI and/or send notifications via some exporters (Slack, mail, etc.)

I haven't tested it, but maybe it can be interesting for the monitoring and day-to-day operation?

Related reference(s)

close #1205 (closed)

Test coverage
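As an added illustration of the check this MR proposes (not the MR's own script, which is a shell script), the following Python equivalent does the same thing in a form that is easy to unit-test: it walks a list of PolicyReport / ClusterPolicyReport objects in the shape produced by `kubectl get policyreports,clusterpolicyreports -A -o json` (a `List` with `items`, each carrying `results[]` entries of the `wgpolicyk8s.io/v1alpha2` report format), collects every result whose `result` is not `pass` or `skip`, writes them to a log file in the same layout as the output example above, and returns a non-zero exit code when anything was found. The sample report list embedded below is constructed for the example; the report names and the `kubectl` invocation in the comments are assumptions, and the log file name is a placeholder.

```python
"""Fail a CI job when any Kyverno PolicyReport / ClusterPolicyReport
carries a result other than pass or skip.

Added example; assumes input in the shape of
  kubectl get policyreports,clusterpolicyreports -A -o json
i.e. a v1 List whose items are wgpolicyk8s.io/v1alpha2 reports.
"""
import json
import sys
from pathlib import Path

# Results in these states do not fail the job.
ALLOWED = {"pass", "skip"}

# Constructed sample mirroring the kubectl List output (not real cluster data).
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "ClusterPolicyReport",
            "metadata": {"name": "700668da-69c8-4d96-94e4-8a757cc23ebb"},
            "results": [
                {"message": "All Namespaces must have a NetworkPolicy.",
                 "policy": "namespace-needs-networkpolicy", "result": "fail",
                 "rule": "namespace-needs-networkpolicy", "scored": True,
                 "source": "kyverno",
                 "timestamp": {"nanos": 0, "seconds": 1715089581}},
                {"message": "validation rule passed",
                 "policy": "disallow-privileged", "result": "pass",
                 "rule": "privileged-containers", "scored": True,
                 "source": "kyverno",
                 "timestamp": {"nanos": 0, "seconds": 1715089581}},
            ],
        },
        {
            "apiVersion": "wgpolicyk8s.io/v1alpha2",
            "kind": "PolicyReport",
            "metadata": {"name": "cpol-require-labels", "namespace": "demo"},
            "results": [
                {"policy": "require-labels", "result": "pass", "rule": "check-team",
                 "scored": True, "source": "kyverno"},
                {"policy": "require-labels", "result": "skip", "rule": "check-team",
                 "scored": True, "source": "kyverno"},
                {"message": "label 'team' is recommended", "policy": "require-labels",
                 "result": "warn", "rule": "check-team", "scored": False,
                 "source": "kyverno"},
            ],
        },
    ],
}


def find_violations(report_list):
    """Return every result whose state is not in ALLOWED, tagged with its report."""
    violations = []
    for report in report_list.get("items", []):
        kind = report.get("kind", "PolicyReport")
        meta = report.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        namespace = meta.get("namespace")
        ident = f"{kind} {namespace + '/' if namespace else ''}{name}"
        for result in report.get("results", []):
            # Kyverno writes lowercase states; normalise defensively anyway.
            state = str(result.get("result", "")).lower()
            if state not in ALLOWED:
                violations.append({"report": ident, **result})
    return violations


def format_log(violations):
    """Render violations in the same layout as the MR's output example."""
    lines = []
    for v in violations:
        body = {k: val for k, val in v.items() if k != "report"}
        lines.append(f"{v['report']} was in FAIL/WARN/ERROR")
        lines.append(json.dumps(body, indent=2, sort_keys=True))
    return "\n".join(lines) + ("\n" if lines else "")


def check(report_list, log_path=None):
    """Return 1 if any violation exists (writing the log if a path is given), else 0."""
    violations = find_violations(report_list)
    if log_path is not None:
        Path(log_path).write_text(format_log(violations))
    return 1 if violations else 0


def main(argv):
    # Usage: kubectl get policyreports,clusterpolicyreports -A -o json > reports.json
    #        python check_kyverno_reports.py reports.json [violations.log]
    # With no arguments the constructed sample is checked instead.
    data = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_LIST
    log_path = argv[2] if len(argv) > 2 else "kyverno-violations.log"  # placeholder name
    rc = check(data, log_path)
    sys.stdout.write(Path(log_path).read_text())
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The job stays green only when every result is `pass` or `skip`; `warn` and `error` fail it alongside `fail`, which matches the "different from PASS or SKIP" rule in the MR description, so a policy in `audit` mode with a `warn` result will also block the pipeline.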
