policy-reporter

Monitoring and Observability Tool for the PolicyReport CRD with an optional UI.

MIT License

Stars: 250
Committers: 56


policy-reporter - policy-reporter-preview-3.0.0-alpha.2

Published by github-actions[bot] 10 months ago

Policy Reporter watches for PolicyReport resources. It creates Prometheus metrics and can send rule validation events to different targets such as Loki, Elasticsearch, Slack or Discord.

policy-reporter - policy-reporter-2.21.5

Published by fjogeleit 10 months ago


policy-reporter - policy-reporter-2.21.4

Published by fjogeleit 10 months ago


policy-reporter - policy-reporter-preview-3.0.0-alpha

Published by github-actions[bot] 10 months ago

Preview Build for the new Policy Reporter UI v2.

policy-reporter - policy-reporter-2.21.3

Published by fjogeleit 11 months ago


policy-reporter - policy-reporter-2.21.2

Published by fjogeleit 11 months ago

Policy Reporter

  • Fix ID generation for Policy Reports that use scope as the resource reference

Helm Chart

  • fix: Add chart parameters for setting revisionHistoryLimit [#363 by bodgit]
  • fix: allow not setting .Values.podSecurityContext for kyvernoPlugin [#361 by haraldsk]

policy-reporter - policy-reporter-2.21.1

Published by fjogeleit 12 months ago


policy-reporter - policy-reporter-2.21.0

Published by fjogeleit 12 months ago


policy-reporter - policy-reporter-2.20.1

Published by fjogeleit about 1 year ago

policy-reporter - policy-reporter-2.20.0

Published by fjogeleit about 1 year ago

Policy Reporter

  • Support GoogleChat as new notification target
  • Support Telegram as new notification target
  • Support HTTP BasicAuth for API and metrics
  • Go update to v1.21

Policy Reporter UI

  • Support HTTP BasicAuth authenticated API calls
  • Go update to v1.21

Policy Reporter KyvernoPlugin

  • Support HTTP BasicAuth for API and metrics
  • Go update to v1.21

BasicAuth Summary:

Configure global HTTP BasicAuthentication via Helm:

  • Username/Password can be configured directly or as an existing secret with username / password keys
  • The Authentication is applied to REST APIs and metrics of the Core App and KyvernoPlugin (if enabled)
  • The Authorization header will be set in the Policy Reporter UI automatically
    • External Cluster configuration also supports secretRef where you can set username / password as well as the API endpoints (api, kyvernoApi) and ssl configuration (skipTLS, certificate)
  • If monitoring is enabled, the basicAuth configuration is also applied to the ServiceMonitors
    • direct configuration will create a dedicated auth secret for ServiceMonitors
    • secretRef will reuse the existing secret for ServiceMonitors

global:
  basicAuth:
    #username: "username"
    #password: "password"
    secretRef: auth-secret

Example external cluster:

ui:
  ...
  clusters:
  - name: Minikube
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080
    basicAuth:
      username: user
      password: password
  - name: Secret
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080
    secretRef: auth-secret
  - name: Unauthorized
    api: http://policy-reporter:8080
    kyvernoApi: http://policy-reporter-kyverno-plugin:8080

policy-reporter - policy-reporter-2.19.4

Published by fjogeleit over 1 year ago


policy-reporter - policy-reporter-2.19.3

Published by fjogeleit over 1 year ago


policy-reporter - policy-reporter-2.19.2

Published by fjogeleit over 1 year ago


policy-reporter - policy-reporter-2.19.1

Published by fjogeleit over 1 year ago


policy-reporter - policy-reporter-2.19.0

Published by fjogeleit over 1 year ago

  • Policy Reporter
    • New AWS SecurityHub push target - See values.yaml for available configurations
    • External DB support (PostgreSQL, MySQL, MariaDB) - See values.yaml for available configurations
      • HA Mode support - only the leader writes to the DB
      • Versioned schema, auto-updated when another version is detected
      • Configurable over values and secrets
    • Cache improvements to reduce duplicated pushes
    • Split Category API into namespaced scoped and cluster scoped API
    • Support search for contained words in the results API
  • Policy Reporter UI
    • Update API requests

policy-reporter - policy-reporter-2.18.3

Published by fjogeleit over 1 year ago

  • Policy Reporter
    • new value to add priorityClassName to pods [#283 by boniek83]
    • fixed syntax error for policy reporter config.yaml [#295 by nikolay-o]
    • fixed customFields for kinesis targets [#295 by nikolay-o]
    • image signing and sbom generation for new Policy Reporter images

policy-reporter - policy-reporter-2.18.2

Published by fjogeleit over 1 year ago


policy-reporter - policy-reporter-2.18.1

Published by fjogeleit over 1 year ago

  • Policy Reporter

    • New channel property for Slack targets to define the Slack channel to send the results to
    • New mountedSecret property to read target configs from a mounted secret [#282 by rromic]
    • AWS KMS support for S3 target with new properties bucketKeyEnabled, kmsKeyId and serverSideEncryption [#282 by rromic]
      • Mounted secret needs to be in JSON format with keys defined in kubernetes/secrets Values struct.
  • Monitoring

    • Add namespaceSelector to serviceMonitor values

policy-reporter - policy-reporter-2.18.0

Published by fjogeleit over 1 year ago

  • Policy Reporter
    • Improved logging configuration
      • Support JSON logging
      • Support log level
    • optional API access logging with api.logging set to true
    • New aggregation table for API performance improvements
    • Helm Ingress template
    • New Google Cloud Storage Target
      • Requires credentials as JSON String and the bucket name
      • Added in the helm values under target.gcs
    • Support for property metric labels in custom mode
      • Use the property: prefix in your customLabels list to define a property value as metric label
  • Policy Reporter KyvernoPlugin
    • Helm Ingress template
    • Improved logging configuration
      • Support JSON logging
      • Support log level
  • Policy Reporter UI
    • Improved logging configuration
      • Support JSON logging
      • Support log level
      • Proxy Logging

policy-reporter - policy-reporter-2.17.0

Published by fjogeleit over 1 year ago

2.17.0

  • Policy Reporter

    • Use metaclient to reduce informer memory usage
    • Use workerqueue to control concurrent processing of PolicyReports
    • Remove internal PolicyReport structures
    • Make sqlite volume configurable [#255 by monotek]
    • use defer to unlock when possible [#259 by eddycharly]
    • New value workers to define the number of queue workers for PolicyReport resource processing, default 5
    • Support for global resource definition via the scope property in (Cluster)PolicyReports
  • Policy Reporter UI

    • New SSL configs for external clusters
      • skipTLS to disable SSL verification
      • certificate to configure a path to a custom CA for self-signed URLs
    • New Helm values ui.volumes and ui.volumeMounts to add your custom CAs as mounts to the UI deployment.