From dbd426919876cff8860ae439d4964e979ee7fea1 Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 10:42:56 +0100 Subject: [PATCH 01/13] fix: kyverno metrics --- values/kyverno/kyverno.gotmpl | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/values/kyverno/kyverno.gotmpl b/values/kyverno/kyverno.gotmpl index 7cc6cb53ed..114d8a8163 100644 --- a/values/kyverno/kyverno.gotmpl +++ b/values/kyverno/kyverno.gotmpl @@ -39,6 +39,10 @@ cleanupController: replicas: 3 {{- end }} resources: {{- $kv.resources.cleanupController | toYaml | nindent 4 }} + serviceMonitor: + enabled: true + additionalLabels: + prometheus: systen backgroundController: {{- if eq $kv.mode "DevTest" }} @@ -61,6 +65,10 @@ reportsController: replicas: 2 {{- end }} resources: {{- $kv.resources.reportsController | toYaml | nindent 4 }} + serviceMonitor: + enabled: true + additionalLabels: + prometheus: systen features: logging: @@ -74,4 +82,12 @@ config: # -- Exclude Kyverno namespace # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters # required for nodeAffinity (alse force kyverno to disired nodes) - excludeKyvernoNamespace: true \ No newline at end of file + excludeKyvernoNamespace: true + +metricsConfig: + namespaces: + include: + {{- range $id, $team := $v.teamConfig }} + - {{ $id }} + {{- end }} + \ No newline at end of file From 7acfb4e1531da41cf782f93a4602c75893ef064c Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 11:14:38 +0100 Subject: [PATCH 02/13] fix: labels --- values/kyverno/kyverno.gotmpl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/values/kyverno/kyverno.gotmpl b/values/kyverno/kyverno.gotmpl index 114d8a8163..97843fabad 100644 --- a/values/kyverno/kyverno.gotmpl +++ b/values/kyverno/kyverno.gotmpl 
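Review bot: The `metricsConfig.namespaces.include` list added at the end of values/kyverno/kyverno.gotmpl narrows Kyverno's exported metrics to the namespaces generated from `$v.teamConfig`, so policy results for any other namespace would no longer reach Prometheus; platform-level dashboards or alerts that read `kyverno_policy_results_total` for non-team namespaces would lose that signal. With no teams configured the `range` emits nothing and `include:` is left empty, which as far as I know Kyverno treats as "no namespace filter", so the exported scope flips between the two cases. The 02/13 follow-up changes the entries to `team-{{ $id }}` but keeps the same shape. I would state the intent above the block, for example `# Only team namespaces are exported; an empty include list means all namespaces`, and confirm that dropping platform-namespace results is intended.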
@@ -27,7 +27,7 @@ admissionController: serviceMonitor: enabled: true additionalLabels: - prometheus: systen + prometheus: system container: resources: {{- $kv.resources.admissionController | toYaml | nindent 6 }} @@ -42,7 +42,7 @@ cleanupController: serviceMonitor: enabled: true additionalLabels: - prometheus: systen + prometheus: system backgroundController: {{- if eq $kv.mode "DevTest" }} @@ -55,7 +55,7 @@ backgroundController: serviceMonitor: enabled: true additionalLabels: - prometheus: systen + prometheus: system reportsController: {{- if eq $kv.mode "DevTest" }} @@ -68,7 +68,7 @@ reportsController: serviceMonitor: enabled: true additionalLabels: - prometheus: systen + prometheus: system features: logging: @@ -88,6 +88,6 @@ metricsConfig: namespaces: include: {{- range $id, $team := $v.teamConfig }} - - {{ $id }} + - team-{{ $id }} {{- end }} \ No newline at end of file From add077168f2b4b0915caae4cbeec7cd31e29fab2 Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 14:50:16 +0100 Subject: [PATCH 03/13] fix: add team policy dashboard --- .../kyverno-teams/kyverno-teams.json | 590 ++++++++++++++++++ .../best-practice/allowed-image-repos.yaml | 18 + 2 files changed, 608 insertions(+) create mode 100644 charts/grafana-dashboards/kyverno-teams/kyverno-teams.json diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json new file mode 100644 index 0000000000..b58f422b1b --- /dev/null +++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json 
@@ -0,0 +1,590 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "$datasource" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "Dashboard to view kyverno published metrics", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "id": 7, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "datasource": { + "type": "datasource", + "uid": "$datasource" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 43, + "panels": [], + "targets": [ + { + "datasource": { + "type": "datasource", + "uid": "$datasource" + }, + "refId": "A" + } + ], + "title": "Summary of security policies", + "type": "row" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 1 + }, + "id": 60, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"pass\"})", + 
"fullMetaSearch": false, + "includeNullMetadata": true, + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A", + "useBackend": false + } + ], + "title": "Compliant", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 1 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"skip\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "Skipped", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 1 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + 
"percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"warn\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "WARNING", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 1 + }, + "id": 51, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"fail\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "Not Compliant", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + 
"thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "purple", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 1 + }, + "id": 52, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"error\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "UNKNOWN", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 15, + "gradientMode": "opacity", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + 
"gridPos": { + "h": 13, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 61, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"fail\"}) by (policy_name)", + "instant": false, + "interval": "$__interval", + "legendFormat": "{{severity}}", + "range": true, + "refId": "A" + } + ], + "title": "All non-compliant security policies by policy name", + "type": "timeseries" + } + ], + "refresh": "30s", + "schemaVersion": 39, + "tags": [ + "kyverno", + "security" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "default", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "team-demo", + "value": "team-demo" + }, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "query": "label_values(namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "/(.*team\\-#TEAM#.*)/", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Policy compliance", + "uid": "kyverno", + "version": 1, + "weekStart": "" + } \ No newline at end of file 
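Review bot: None of the panel queries in the new kyverno-teams.json reference the `namespace` template variable, so this per-team dashboard aggregates `kyverno_policy_results_total` over every namespace the datasource returns, while the variable's regex `/(.*team\\-#TEAM#.*)/` only narrows the dropdown. The stat panels gain a `resource_namespace="$namespace"` matcher in the 06/13 rewrite, but the timeseries panel "All non-compliant security policies by policy name" keeps the unscoped expression there as well. Its `legendFormat` of `{{severity}}` also names a label that `by (policy_name)` aggregates away, so the legend would presumably be blank. I would change that target to `count by (policy_name) (kyverno_policy_results_total{rule_result="fail", resource_namespace="$namespace"})` (quotes escaped in the JSON) with `"legendFormat": "{{policy_name}}"`. Even with the matcher, a dashboard variable is only a display filter, so what one team can read about another still depends on what the team's datasource is allowed to query.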
diff --git a/charts/team-ns/templates/policies/best-practice/allowed-image-repos.yaml b/charts/team-ns/templates/policies/best-practice/allowed-image-repos.yaml index 0422295070..b794ba85e7 100644 --- a/charts/team-ns/templates/policies/best-practice/allowed-image-repos.yaml +++ b/charts/team-ns/templates/policies/best-practice/allowed-image-repos.yaml @@ -40,6 +40,24 @@ spec: - resources: annotations: tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- From fc4e5c6521fda1223529220880f370b1261923ea Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 14:52:50 +0100 Subject: [PATCH 04/13] fix: enable dashboard --- helmfile.d/helmfile-60.teams.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helmfile.d/helmfile-60.teams.yaml b/helmfile.d/helmfile-60.teams.yaml index 5727d96c68..2657d8262a 100644 --- a/helmfile.d/helmfile-60.teams.yaml +++ b/helmfile.d/helmfile-60.teams.yaml @@ -233,6 +233,9 @@ releases: {{- if $v.apps.trivy.enabled }} - trivy-teams {{- end }} + {{- if $v.apps.kyverno.enabled }} + - kyverno-teams + {{- end }} - name: team-ns-{{ $teamId }} installed: true namespace: team-{{ $teamId }} From c0ecdb58083303a6640b0a1c090c8d4e9b817446 Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 15:32:23 +0100 Subject: [PATCH 05/13] fix: dashboard values --- charts/grafana-dashboards/kyverno-teams/kyverno-teams.json | 6 +----- charts/grafana-dashboards/values.yaml | 1 + helmfile.d/helmfile-60.teams.yaml | 3 --- 3 files changed, 2 insertions(+), 8 deletions(-) 
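Review bot: The three entries added to the exclusion list in allowed-image-repos.yaml match Pods purely on the `app.kubernetes.io/instance` label, and that label is chosen by whoever creates the Pod. If team members can create Pods in their namespace, a workload labelled `prometheus-<teamId>`, `<teamId>-po-alertmanager` or `tekton-dashboard-<teamId>` would presumably be skipped by this image-repository policy too. The enclosing rule starts outside the hunk, so I cannot see whether another condition narrows these entries. I would either add the registries these platform components pull from to the allowed list instead of excluding the Pods, or pair the exclusion with a policy that stops tenants from setting these label values, and leave a comment such as `# platform-managed pods; this label must not be tenant-settable` on the entries.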
diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json index b58f422b1b..7960a93156 100644 --- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json +++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json @@ -550,11 +550,7 @@ "type": "datasource" }, { - "current": { - "selected": false, - "text": "team-demo", - "value": "team-demo" - }, + "current": {}, "datasource": { "type": "prometheus", "uid": "$datasource" diff --git a/charts/grafana-dashboards/values.yaml b/charts/grafana-dashboards/values.yaml index 9796b7c496..3e61aa872f 100644 --- a/charts/grafana-dashboards/values.yaml +++ b/charts/grafana-dashboards/values.yaml @@ -11,6 +11,7 @@ folders: - trivy - trivy-teams - velero + - kyverno-teams sidecar: dashboards: diff --git a/helmfile.d/helmfile-60.teams.yaml b/helmfile.d/helmfile-60.teams.yaml index 2657d8262a..33ad5091a8 100644 --- a/helmfile.d/helmfile-60.teams.yaml +++ b/helmfile.d/helmfile-60.teams.yaml @@ -227,9 +227,6 @@ releases: {{- if $v.apps.falco.enabled }} - falco-teams {{- end }} - {{- if and (eq $v.cluster.provider "azure") ($team | get "azureMonitor" ($v | get "azure.monitor" nil)) }} - - azure - {{- end }} {{- if $v.apps.trivy.enabled }} - trivy-teams {{- end }} From e37f9d9a10abb4d44dbcd6bf751fe33f54bdefec Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 16:06:32 +0100 Subject: [PATCH 06/13] fix: improve dashboard --- .../kyverno-teams/kyverno-teams.json | 1078 ++++++++--------- 1 file changed, 539 insertions(+), 539 deletions(-) diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json index 7960a93156..30a28b537f 100644 --- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json +++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json 
@@ -1,586 +1,586 @@ { - "annotations": { - "list": [ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "$datasource" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "Dashboard to view kyverno published metrics", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "id": 5, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "datasource": { + "type": "datasource", + "uid": "$datasource" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 43, + "panels": [], + "targets": [ { - "builtIn": 1, "datasource": { "type": "datasource", "uid": "$datasource" }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" + "refId": "A" } - ] + ], + "title": "Summary of security policy compliance", + "type": "row" }, - "description": "Dashboard to view kyverno published metrics", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 1, - "id": 7, - "links": [], - "liveNow": false, - "panels": [ - { - "collapsed": false, - "datasource": { - "type": "datasource", - "uid": "$datasource" - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 43, - "panels": [], - "targets": [ - { - "datasource": { - "type": "datasource", - "uid": "$datasource" - }, - "refId": "A" - } - ], - "title": "Summary of security policies", - "type": "row" + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": 
"thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "blue", - "value": 1 - } - ] - }, - "unit": "none" + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 60, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "percentChangeColorMode": "standard", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true + "unit": "none" }, - "pluginVersion": "11.2.2", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "$datasource" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"pass\"})", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "interval": "$__interval", - "legendFormat": "__auto", - "refId": "A", - "useBackend": false - } - ], - "title": "Compliant", - "type": "stat" + "overrides": [] }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 1 + }, + "id": 60, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": 
"yellow", - "value": 1 - } - ] - }, - "unit": "none" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 1 - }, - "id": 49, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "percentChangeColorMode": "standard", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"pass\", resource_namespace=\"$namespace\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A", + "useBackend": false + } + ], + "title": "PASS", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true + "unit": "none" }, - "pluginVersion": "11.2.2", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "$datasource" - }, - "editorMode": "code", - "exemplar": false, - "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"skip\"})", - "instant": true, - "interval": "$__interval", - "legendFormat": "__auto", - "refId": "A" - } - ], - "title": "Skipped", - "type": "stat" + "overrides": [] }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 1 + }, + "id": 49, + "options": { + 
"colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "orange", - "value": 1 - } - ] - }, - "unit": "none" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 8, - "y": 1 - }, - "id": 50, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "percentChangeColorMode": "standard", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"skip\", resource_namespace=\"$namespace\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "SKIP", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 0 + } + ] }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true + "unit": "none" }, - "pluginVersion": "11.2.2", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "$datasource" - }, - "editorMode": "code", - "exemplar": false, - "expr": "count by(resource_namespace) 
(kyverno_policy_results_total{rule_result=\"warn\"})", - "instant": true, - "interval": "$__interval", - "legendFormat": "__auto", - "refId": "A" - } - ], - "title": "WARNING", - "type": "stat" + "overrides": [] }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 1 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 1 - } - ] - }, - "unit": "none" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 12, - "y": 1 - }, - "id": 51, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "percentChangeColorMode": "standard", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"warn\", resource_namespace=\"$namespace\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "WARN", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { 
+ "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" }, - "pluginVersion": "11.2.2", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "$datasource" - }, - "editorMode": "code", - "exemplar": false, - "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"fail\"})", - "instant": true, - "interval": "$__interval", - "legendFormat": "__auto", - "refId": "A" - } - ], - "title": "Not Compliant", - "type": "stat" + "overrides": [] }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 1 + }, + "id": 51, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "purple", - "value": 1 - } - ] - }, - "unit": "none" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 8, - "x": 16, - "y": 1 - }, - "id": 52, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "percentChangeColorMode": "standard", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": 
"FAIL", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "fixed" }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "purple", + "value": 1 + } + ] + }, + "unit": "none" }, - "pluginVersion": "11.2.2", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "$datasource" - }, - "editorMode": "code", - "exemplar": false, - "expr": "count by(resource_namespace) (kyverno_policy_results_total{rule_result=\"error\"})", - "instant": true, - "interval": "$__interval", - "legendFormat": "__auto", - "refId": "A" - } - ], - "title": "UNKNOWN", - "type": "stat" + "overrides": [] }, - { - "datasource": { - "default": false, - "type": "prometheus", - "uid": "$datasource" + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 1 + }, + "id": 52, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"unknown\", resource_namespace=\"$namespace\"})", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "ERROR", + "type": "stat" + }, + { + "datasource": { + "default": false, + "type": "prometheus", + "uid": "$datasource" + }, + "fieldConfig": { + "defaults": { + "color": { + 
"mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 15, + "gradientMode": "opacity", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "barWidthFactor": 0.6, - "drawStyle": "line", - "fillOpacity": 15, - "gradientMode": "opacity", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 2, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "blue", - "value": 1 - } - ] + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" }, - "unit": "none" + "thresholdsStyle": { + "mode": "off" + } }, - "overrides": [] - }, - "gridPos": { - "h": 13, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 61, - "options": { - "legend": { - "calcs": [], - "displayMode": "table", - "placement": "right", - "showLegend": true + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } + "unit": "none" }, - "pluginVersion": "8.5.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": 
"$datasource" - }, - "editorMode": "code", - "exemplar": false, - "expr": "count(kyverno_policy_results_total{rule_result=\"fail\"}) by (policy_name)", - "instant": false, - "interval": "$__interval", - "legendFormat": "{{severity}}", - "range": true, - "refId": "A" - } - ], - "title": "All non-compliant security policies by policy name", - "type": "timeseries" - } - ], - "refresh": "30s", - "schemaVersion": 39, - "tags": [ - "kyverno", - "security" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "default", - "value": "default" - }, - "hide": 0, - "includeAll": false, - "multi": false, - "name": "datasource", - "options": [], - "query": "prometheus", - "queryValue": "", - "refresh": 1, - "regex": "default", - "skipUrlSync": false, - "type": "datasource" + "overrides": [] + }, + "gridPos": { + "h": 13, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 61, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "8.5.0", + "targets": [ { - "current": {}, "datasource": { "type": "prometheus", "uid": "$datasource" }, - "definition": "label_values(namespace)", - "hide": 0, - "includeAll": false, - "multi": false, - "name": "namespace", - "options": [], - "query": { - "query": "label_values(namespace)", - "refId": "StandardVariableQuery" - }, - "refresh": 1, - "regex": "/(.*team\\-#TEAM#.*)/", - "skipUrlSync": false, - "sort": 1, - "type": "query" + "editorMode": "code", + "exemplar": false, + "expr": "count(kyverno_policy_results_total{rule_result=\"fail\"}) by (policy_name)", + "instant": false, + "interval": "$__interval", + "legendFormat": "{{severity}}", + "range": true, + "refId": "A" } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timepicker": {}, - "timezone": "", - "title": "Policy compliance", - "uid": "kyverno", - "version": 1, - "weekStart": "" - } \ No newline at end of 
file + ], + "title": "All non-compliant security policies by policy name", + "type": "timeseries" + } + ], + "refresh": "30s", + "schemaVersion": 39, + "tags": [ + "kyverno", + "security" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "default", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "$datasource" + }, + "definition": "label_values(namespace)", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "namespace", + "options": [], + "query": { + "query": "label_values(namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "/(.*team\\-#TEAM#.*)/", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Policy compliance", + "uid": "kyverno", + "version": 1, + "weekStart": "" +} \ No newline at end of file From 5c4f0079164cad79085365a99a7c90231ff379a3 Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 10 Dec 2024 21:08:33 +0100 Subject: [PATCH 07/13] feat: improve dashboard --- .../kyverno-teams/kyverno-teams.json | 25 +++++++++++++------ versions.yaml | 2 +- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json index 30a28b537f..181ffb4d66 100644 --- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json +++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json 
@@ -64,9 +64,11 @@ "fieldConfig": { "defaults": { "color": { - "mode": "thresholds" + "fixedColor": "green", + "mode": "fixed" }, "mappings": [], + "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ @@ -140,9 +142,11 @@ "fieldConfig": { "defaults": { "color": { - "mode": "thresholds" + "fixedColor": "yellow", + "mode": "fixed" }, "mappings": [], + "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ @@ -212,7 +216,8 @@ "fieldConfig": { "defaults": { "color": { - "mode": "thresholds" + "fixedColor": "orange", + "mode": "fixed" }, "mappings": [], "noValue": "0", @@ -285,9 +290,11 @@ "fieldConfig": { "defaults": { "color": { - "mode": "thresholds" + "fixedColor": "red", + "mode": "fixed" }, "mappings": [], + "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ @@ -550,7 +557,11 @@ "type": "datasource" }, { - "current": {}, + "current": { + "selected": false, + "text": "team-demo", + "value": "team-demo" + }, "datasource": { "type": "prometheus", "uid": "$datasource" @@ -574,13 +585,13 @@ ] }, "time": { - "from": "now-24h", + "from": "now-30m", "to": "now" }, "timepicker": {}, "timezone": "", "title": "Policy compliance", "uid": "kyverno", - "version": 1, + "version": 2, "weekStart": "" } \ No newline at end of file diff --git a/versions.yaml b/versions.yaml index 2be9bf10a7..55514f2de2 100644 --- a/versions.yaml +++ b/versions.yaml @@ -1,5 +1,5 @@ api: 3.4.0 -console: 3.3.1 +console: APL-453 consoleLogin: v3.0.0 tasks: 3.4.0 tools: 2.7.0 From 4172cbc8db482f45e30c5b887d80780681dca175 Mon Sep 17 00:00:00 2001 
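Review bot: In the `versions.yaml` hunk, `console: APL-453` replaces the release `3.3.1` with what looks like a ticket or feature-branch tag, while the neighbouring entries (`api`, `tasks`, `tools`) stay on numbered releases. If that tag is mutable, the console image that gets deployed can change without any change in this repository, so the deployment is no longer reproducible or auditable from `versions.yaml`. Before this lands on a release branch, pin the entry to a released version again, `console: <released-version>` (placeholder), or reference the pre-release image by digest if one is really needed.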
From: Sander Rodenhuis Date: Thu, 12 Dec 2024 09:06:30 +0100 Subject: [PATCH 08/13] fix: excludes --- .../baseline/disallow-capabilities.yaml | 20 ++++++++++ .../baseline/disallow-host-namespaces.yaml | 20 ++++++++++ .../policies/baseline/disallow-host-path.yaml | 20 ++++++++++ .../baseline/disallow-host-ports.yaml | 20 ++++++++++ .../baseline/disallow-host-process.yaml | 20 ++++++++++ .../disallow-privileged-containers.yaml | 20 ++++++++++ .../baseline/disallow-proc-mount.yaml | 20 ++++++++++ .../policies/baseline/disallow-selinux.yaml | 20 ++++++++++ .../baseline/restrict-apparmor-profiles.yaml | 20 ++++++++++ .../policies/baseline/restrict-seccomp.yaml | 20 ++++++++++ .../policies/baseline/restrict-sysctls.yaml | 20 ++++++++++ .../best-practice/disallow-latest-tag.yaml | 38 +++++++++++++++++++ .../best-practice/require-limits.yaml | 20 ++++++++++ .../require-pod-liveness-probe.yaml | 18 +++++++++ .../require-pod-readiness-probe.yaml | 18 +++++++++ .../require-pod-startup-probe.yaml | 18 +++++++++ .../best-practice/require-requests.yaml | 29 ++++++++++++++ .../other/require-non-root-groups.yaml | 18 +++++++++ .../policies/other/required-label.yaml | 18 +++++++++ .../disallow-capabilities-strict.yaml | 18 +++++++++ .../disallow-privilege-escalation.yaml | 18 +++++++++ .../require-run-as-non-root-user.yaml | 18 +++++++++ .../restricted/require-run-as-nonroot.yaml | 18 +++++++++ .../restricted/restrict-seccomp-strict.yaml | 18 +++++++++ .../restricted/restrict-volume-types.yaml | 20 ++++++++++ 25 files changed, 507 insertions(+) diff --git a/charts/team-ns/templates/policies/baseline/disallow-capabilities.yaml b/charts/team-ns/templates/policies/baseline/disallow-capabilities.yaml index 80ad630cf3..1c59b640e5 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-capabilities.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-capabilities.yaml 
@@ -25,6 +25,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" diff --git a/charts/team-ns/templates/policies/baseline/disallow-host-namespaces.yaml b/charts/team-ns/templates/policies/baseline/disallow-host-namespaces.yaml index 4713bfa8d5..2f1dd5de83 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-host-namespaces.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-host-namespaces.yaml @@ -28,6 +28,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-host-path.yaml b/charts/team-ns/templates/policies/baseline/disallow-host-path.yaml index 72f8959c8a..9c79918544 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-host-path.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-host-path.yaml 
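Review bot: The `exclude` block added to `disallow-capabilities.yaml` exempts Pods purely on the label `app.kubernetes.io/instance`, and that label is chosen by whoever creates the Pod. If team members can create Pods in the team namespace (not shown here, but likely for a team-ns chart), any workload carrying `app.kubernetes.io/instance: prometheus-<teamId>` skips the rule. The same block is added to every other baseline, restricted and best-practice policy in this patch, including `disallow-privileged-containers.yaml`, `disallow-host-path.yaml` and `disallow-host-namespaces.yaml`, so one label turns off the whole set. Consider limiting the exemption to the rules these three workloads actually violate, and binding it to something a tenant cannot set, for example the creating identity via `subjects`/`clusterRoles` in the exclude (where the rule does not rely on background scans), plus a rule that rejects tenant Pods using these reserved instance values. The annotation-based entries such as `tekton.dev/tags: git` in `require-requests.yaml` have the same weakness.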
@@ -28,6 +28,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-host-ports.yaml b/charts/team-ns/templates/policies/baseline/disallow-host-ports.yaml index 6b9a2c71b5..8c97223c27 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-host-ports.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-host-ports.yaml @@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-host-process.yaml b/charts/team-ns/templates/policies/baseline/disallow-host-process.yaml index fe5116ff91..1ebcac62bd 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-host-process.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-host-process.yaml 
@@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-privileged-containers.yaml b/charts/team-ns/templates/policies/baseline/disallow-privileged-containers.yaml index 1286ef44fc..50500702f5 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-privileged-containers.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-privileged-containers.yaml @@ -28,6 +28,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-proc-mount.yaml b/charts/team-ns/templates/policies/baseline/disallow-proc-mount.yaml index ab9b854cfd..15570f0a2e 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-proc-mount.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-proc-mount.yaml 
@@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml b/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml index 8c9ba3f4e9..91b5d5e137 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml @@ -27,6 +27,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/restrict-apparmor-profiles.yaml b/charts/team-ns/templates/policies/baseline/restrict-apparmor-profiles.yaml index 63f10fb2d8..f9b7c3e618 100644 --- a/charts/team-ns/templates/policies/baseline/restrict-apparmor-profiles.yaml +++ b/charts/team-ns/templates/policies/baseline/restrict-apparmor-profiles.yaml 
@@ -31,6 +31,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/restrict-seccomp.yaml b/charts/team-ns/templates/policies/baseline/restrict-seccomp.yaml index 1f30b52bb9..d91c65854b 100644 --- a/charts/team-ns/templates/policies/baseline/restrict-seccomp.yaml +++ b/charts/team-ns/templates/policies/baseline/restrict-seccomp.yaml @@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/baseline/restrict-sysctls.yaml b/charts/team-ns/templates/policies/baseline/restrict-sysctls.yaml index dffb55329c..3138570675 100644 --- a/charts/team-ns/templates/policies/baseline/restrict-sysctls.yaml +++ b/charts/team-ns/templates/policies/baseline/restrict-sysctls.yaml 
@@ -31,6 +31,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml b/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml index 5cdb8eb342..99b312218f 100644 --- a/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml +++ b/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml @@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "An image tag is required." @@ -47,6 +67,24 @@ spec: - resources: annotations: policy.otomi.io/ignore: banned-image-tags + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "Using a mutable image tag e.g. 'latest' is not allowed." 
diff --git a/charts/team-ns/templates/policies/best-practice/require-limits.yaml b/charts/team-ns/templates/policies/best-practice/require-limits.yaml index d9210c749f..5212f88e3e 100644 --- a/charts/team-ns/templates/policies/best-practice/require-limits.yaml +++ b/charts/team-ns/templates/policies/best-practice/require-limits.yaml @@ -31,6 +31,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "CPU and memory resource requests and limits are required." diff --git a/charts/team-ns/templates/policies/best-practice/require-pod-liveness-probe.yaml b/charts/team-ns/templates/policies/best-practice/require-pod-liveness-probe.yaml index b4f9173172..fbcd25fdd5 100644 --- a/charts/team-ns/templates/policies/best-practice/require-pod-liveness-probe.yaml +++ b/charts/team-ns/templates/policies/best-practice/require-pod-liveness-probe.yaml @@ -40,6 +40,24 @@ spec: - resources: annotations: tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{request.operation || 'BACKGROUND'}}`}}" diff --git a/charts/team-ns/templates/policies/best-practice/require-pod-readiness-probe.yaml b/charts/team-ns/templates/policies/best-practice/require-pod-readiness-probe.yaml index bbfcdacec5..ec68b4b21a 100644 
--- a/charts/team-ns/templates/policies/best-practice/require-pod-readiness-probe.yaml +++ b/charts/team-ns/templates/policies/best-practice/require-pod-readiness-probe.yaml @@ -40,6 +40,24 @@ spec: - resources: annotations: tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{request.operation || 'BACKGROUND'}}`}}" diff --git a/charts/team-ns/templates/policies/best-practice/require-pod-startup-probe.yaml b/charts/team-ns/templates/policies/best-practice/require-pod-startup-probe.yaml index f987d3e915..697d5c0ff7 100644 --- a/charts/team-ns/templates/policies/best-practice/require-pod-startup-probe.yaml +++ b/charts/team-ns/templates/policies/best-practice/require-pod-startup-probe.yaml @@ -43,6 +43,24 @@ spec: - resources: annotations: tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{request.operation || 'BACKGROUND'}}`}}" diff --git a/charts/team-ns/templates/policies/best-practice/require-requests.yaml b/charts/team-ns/templates/policies/best-practice/require-requests.yaml index 8c132407e6..87feb01a5a 100644 --- a/charts/team-ns/templates/policies/best-practice/require-requests.yaml +++ b/charts/team-ns/templates/policies/best-practice/require-requests.yaml 
@@ -31,6 +31,35 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + annotations: + tekton.dev/tags: image-build + - resources: + annotations: + tekton.dev/tags: CLI, grype + - resources: + annotations: + tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "CPU and memory resource requests and limits are required." diff --git a/charts/team-ns/templates/policies/other/require-non-root-groups.yaml b/charts/team-ns/templates/policies/other/require-non-root-groups.yaml index 9bfd3b1bcb..0f45917528 100644 --- a/charts/team-ns/templates/policies/other/require-non-root-groups.yaml +++ b/charts/team-ns/templates/policies/other/require-non-root-groups.yaml @@ -40,6 +40,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/other/required-label.yaml b/charts/team-ns/templates/policies/other/required-label.yaml index fc9bac192a..567e434eb9 100644 --- a/charts/team-ns/templates/policies/other/required-label.yaml +++ b/charts/team-ns/templates/policies/other/required-label.yaml 
@@ -37,6 +37,24 @@ spec: - resources: annotations: tekton.dev/tags: git + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "Setting an app label is required for the workload." diff --git a/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml b/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml index aa0f90e8ce..1981cae5ac 100644 --- a/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml +++ b/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml @@ -39,6 +39,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" diff --git a/charts/team-ns/templates/policies/restricted/disallow-privilege-escalation.yaml b/charts/team-ns/templates/policies/restricted/disallow-privilege-escalation.yaml index 89157e2b42..4b45bfd5ef 100644 --- a/charts/team-ns/templates/policies/restricted/disallow-privilege-escalation.yaml +++ b/charts/team-ns/templates/policies/restricted/disallow-privilege-escalation.yaml 
@@ -38,6 +38,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/restricted/require-run-as-non-root-user.yaml b/charts/team-ns/templates/policies/restricted/require-run-as-non-root-user.yaml index 82e0a09324..7577081243 100644 --- a/charts/team-ns/templates/policies/restricted/require-run-as-non-root-user.yaml +++ b/charts/team-ns/templates/policies/restricted/require-run-as-non-root-user.yaml @@ -38,6 +38,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/restricted/require-run-as-nonroot.yaml b/charts/team-ns/templates/policies/restricted/require-run-as-nonroot.yaml index 2334ab548b..a19a3c3ac0 100644 --- a/charts/team-ns/templates/policies/restricted/require-run-as-nonroot.yaml +++ b/charts/team-ns/templates/policies/restricted/require-run-as-nonroot.yaml 
@@ -37,6 +37,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/restricted/restrict-seccomp-strict.yaml b/charts/team-ns/templates/policies/restricted/restrict-seccomp-strict.yaml index 4fcb580a47..378964e77d 100644 --- a/charts/team-ns/templates/policies/restricted/restrict-seccomp-strict.yaml +++ b/charts/team-ns/templates/policies/restricted/restrict-seccomp-strict.yaml @@ -41,6 +41,24 @@ spec: - resources: annotations: tekton.dev/tags: 'CLI, grype' + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: >- diff --git a/charts/team-ns/templates/policies/restricted/restrict-volume-types.yaml b/charts/team-ns/templates/policies/restricted/restrict-volume-types.yaml index b80747466f..c8bada759c 100644 --- a/charts/team-ns/templates/policies/restricted/restrict-volume-types.yaml +++ b/charts/team-ns/templates/policies/restricted/restrict-volume-types.yaml 
@@ -29,6 +29,26 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} preconditions: all: - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" From 040a2cc9720b759e9ef1110f100433d27d5d5dce Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Thu, 12 Dec 2024 10:33:22 +0100 Subject: [PATCH 09/13] fix: exclude tag indent --- .../best-practice/disallow-latest-tag.yaml | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml b/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml index 99b312218f..b6971afb73 100644 --- a/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml +++ b/charts/team-ns/templates/policies/best-practice/disallow-latest-tag.yaml 
@@ -29,26 +29,26 @@ spec: - resources: kinds: - Pod - exclude: - any: - - resources: - kinds: - - Pod - selector: - matchLabels: - app.kubernetes.io/instance: prometheus-{{ $v.teamId }} - - resources: - kinds: - - Pod - selector: - matchLabels: - app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager - - resources: - kinds: - - Pod - selector: - matchLabels: - app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} + exclude: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: prometheus-{{ $v.teamId }} + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager + - resources: + kinds: + - Pod + selector: + matchLabels: + app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }} skipBackgroundRequests: true validate: message: "An image tag is required." From f69d8c1fe63703009c1729a12a6535a4c2e7f456 Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Thu, 12 Dec 2024 10:43:52 +0100 Subject: [PATCH 10/13] fix: add excludes --- .../policies/baseline/disallow-selinux.yaml | 20 ++++++++++ .../other/require-non-root-groups.yaml | 40 +++++++++++++++++++ .../disallow-capabilities-strict.yaml | 20 ++++++++++ 3 files changed, 80 insertions(+) diff --git a/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml b/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml index 91b5d5e137..90b1deb7b2 100644 --- a/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml +++ b/charts/team-ns/templates/policies/baseline/disallow-selinux.yaml 
@@ -77,6 +77,26 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus-{{ $v.teamId }}
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }}
 skipBackgroundRequests: true
 validate:
 message: >-
diff --git a/charts/team-ns/templates/policies/other/require-non-root-groups.yaml b/charts/team-ns/templates/policies/other/require-non-root-groups.yaml
index 0f45917528..d0b3c2edca 100644
--- a/charts/team-ns/templates/policies/other/require-non-root-groups.yaml
+++ b/charts/team-ns/templates/policies/other/require-non-root-groups.yaml
@@ -87,6 +87,26 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus-{{ $v.teamId }}
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }}
 skipBackgroundRequests: true
 validate:
 message: >-
@@ -103,6 +123,26 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus-{{ $v.teamId }}
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }}
 skipBackgroundRequests: true
 validate:
 message: >-
diff --git a/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml b/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml
index 1981cae5ac..0162f73f1f 100644
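Review bot: The 20-line `exclude` block is pasted verbatim into disallow-selinux and into both rules of require-non-root-groups here, and again into disallow-capabilities-strict in the next hunk, right after the previous commit had to repair the indentation of the same block in disallow-latest-tag. Defining it once as a named template in the chart's helpers and rendering it with something like `{{- include "team-ns.platformPodExcludes" . | nindent 6 }}` would keep the exemption list in one reviewable place and make it harder for one policy to drift from the others. The template name and indent width are constructed examples, since the original indentation is not recoverable from this page, and the helper would need the same `$v` scope the block uses today. Each rule continues outside its hunk.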
--- a/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml
+++ b/charts/team-ns/templates/policies/restricted/disallow-capabilities-strict.yaml
@@ -87,6 +87,26 @@ spec:
 - resources:
 kinds:
 - Pod
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: prometheus-{{ $v.teamId }}
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: {{ $v.teamId }}-po-alertmanager
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: tekton-dashboard-{{ $v.teamId }}
 skipBackgroundRequests: true
 validate:
 message: >-
From 68db2ac3cb87e42ff389244e0c203f5ed7cb06d1 Mon Sep 17 00:00:00 2001
From: Sander Rodenhuis
Date: Thu, 12 Dec 2024 17:34:57 +0100
Subject: [PATCH 11/13] fix: add kyverno db platform
---
 .../kyverno-teams/kyverno-teams.json | 18 +-
 .../grafana-dashboards/kyverno/kyverno.json | 4342 +++++++++++++++++
 charts/grafana-dashboards/values.yaml | 1 +
 .../grafana-dashboards.gotmpl | 3 +
 4 files changed, 4355 insertions(+), 9 deletions(-)
 create mode 100644 charts/grafana-dashboards/kyverno/kyverno.json
diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
index 181ffb4d66..e914c3253a 100644
--- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
+++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
@@ -25,7 +25,7 @@
 "editable": true,
 "fiscalYearStartMonth": 0,
 "graphTooltip": 1,
- "id": 5,
+ "id": 4,
 "links": [],
 "liveNow": false,
 "panels": [
@@ -120,7 +120,7 @@
 "disableTextWrap": false,
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"pass\", resource_namespace=\"$namespace\"})",
+ "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"pass\", resource_namespace=\"$namespace\"}[$__range])))",
 "fullMetaSearch": false,
 "includeNullMetadata": true,
 "instant": true,
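Review bot: In the `@@ -120,7` hunk the stat now shows `round(sum(increase(...[$__range])))`, and increase() only measures growth between samples inside the window, so a series that first appears during the selected range contributes nothing until it increments again. The skip, warn, fail and unknown stat queries changed in the following hunks use the same form, so the first failure of a rule in a namespace can show as 0 on a compliance view. I would state that limit in each panel, for example `"description": "Increase over the selected time range; the first result of a newly created series is not counted"`. The panel object starts and ends outside the hunk.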
@@ -197,7 +197,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"skip\", resource_namespace=\"$namespace\"})",
+ "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"skip\", resource_namespace=\"$namespace\"}[$__range])))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -271,7 +271,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"warn\", resource_namespace=\"$namespace\"})",
+ "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"warn\", resource_namespace=\"$namespace\"}[$__range])))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -345,7 +345,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"})",
+ "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"}[$__range])))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -418,7 +418,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"unknown\", resource_namespace=\"$namespace\"})",
+ "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"unknown\", resource_namespace=\"$namespace\"}[$__range])))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -518,7 +518,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count(kyverno_policy_results_total{rule_result=\"fail\"}) by (policy_name)",
+ "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"}[$__range])) by (policy_name)",
 "instant": false,
 "interval": "$__interval",
 "legendFormat": "{{severity}}",
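Review bot: In the last hunk on this line (`@@ -518,7`) the query aggregates `by (policy_name)`, but the unchanged `"legendFormat": "{{severity}}"` below it refers to a label that the aggregation drops, so the legend entries would render empty and failing policies cannot be told apart in the panel. Changing that context line to `"legendFormat": "{{policy_name}}"` matches the grouping. The target object continues outside the hunk.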
@@ -585,13 +585,13 @@
 ]
 },
 "time": {
- "from": "now-30m",
+ "from": "now-1h",
 "to": "now"
 },
 "timepicker": {},
 "timezone": "",
 "title": "Policy compliance",
 "uid": "kyverno",
- "version": 2,
+ "version": 1,
 "weekStart": ""
 }
\ No newline at end of file
diff --git a/charts/grafana-dashboards/kyverno/kyverno.json b/charts/grafana-dashboards/kyverno/kyverno.json
new file mode 100644
index 0000000000..fc7f53944b
--- /dev/null
+++ b/charts/grafana-dashboards/kyverno/kyverno.json
@@ -0,0 +1,4342 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 15987, + "graphTooltip": 0, + "id": 24, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 42, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights which can be extracted and made well use of from a cluster with Kyverno in action.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/)", + "mode": "markdown" + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 12, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Latest Status", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + 
"mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "red", + "value": 50 + }, + { + "color": "#EAB839", + "value": 75 + }, + { + "color": "green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 29, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_results_total{rule_result=\"pass\"})*100/sum(kyverno_policy_results_total{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rule Execution Success Rate", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 8, + "y": 7 + }, + "id": 2, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\"}==1) by 
(policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Cluster Policies", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 7 + }, + "id": 3, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Policies", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "red", + "value": 50 + }, + { + "color": "#EAB839", + "value": 75 + }, + { + "color": "green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 28, + "options": { + "minVizHeight": 75, + "minVizWidth": 75, + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + 
"showThresholdMarkers": true, + "sizing": "auto", + "text": {} + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_results_total{rule_result=\"pass\", policy_background_mode=\"true\"})*100/sum(kyverno_policy_results_total{policy_background_mode=\"true\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Background Scans Success Rate", + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 12 + }, + "id": 4, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"validate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Validate Rules", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 12 + 
}, + "id": 23, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"mutate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Mutate Rules", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 14, + "y": 12 + }, + "id": 6, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{rule_type=\"generate\"}==1)", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Generate Rules", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { 
+ "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 3, + "y": 16 + }, + "id": 59, + "interval": "1m", + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": false, + "expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{namespace=\"$kyvernoNS\"}) / sum(kube_pod_container_resource_requests{job=\"kube-state-metrics\", namespace=\"$kyvernoNS\", resource=\"cpu\"})", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + } + ], + "title": "CPU Utilisation (from requests)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 7, + "y": 16 + }, + "id": 61, + "interval": "1m", + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": 
"prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": false, + "expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{namespace=\"$kyvernoNS\"}) / sum(kube_pod_container_resource_limits{job=\"kube-state-metrics\", namespace=\"$kyvernoNS\", resource=\"cpu\"})", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + } + ], + "title": "CPU Utilisation (from limits)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 11, + "y": 16 + }, + "id": 63, + "interval": "1m", + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": false, + "expr": "sum(container_memory_working_set_bytes{job=\"kubelet\", metrics_path=\"/metrics/cadvisor\", namespace=\"$kyvernoNS\",container!=\"\", image!=\"\"}) / sum(kube_pod_container_resource_requests{job=\"kube-state-metrics\", namespace=\"$kyvernoNS\", resource=\"memory\"})", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Memory Utilisation (from requests)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + 
"fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 15, + "y": 16 + }, + "id": 65, + "interval": "1m", + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": false, + "expr": "sum(container_memory_working_set_bytes{job=\"kubelet\", metrics_path=\"/metrics/cadvisor\", namespace=\"$kyvernoNS\",container!=\"\", image!=\"\"}) / sum(kube_pod_container_resource_limits{job=\"kube-state-metrics\", namespace=\"$kyvernoNS\", resource=\"memory\"})", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Memory Utilisation (from limits)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 0, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + 
"spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "quota - requests" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + }, + { + "id": "custom.fillOpacity", + "value": 0 + }, + { + "id": "custom.lineWidth", + "value": 2 + }, + { + "id": "custom.stacking", + "value": { + "group": "A", + "mode": "none" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "quota - limits" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF9830", + "mode": "fixed" + } + }, + { + "id": "custom.fillOpacity", + "value": 0 + }, + { + "id": "custom.lineWidth", + "value": 2 + }, + { + "id": "custom.stacking", + "value": { + "group": "A", + "mode": "none" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 19 + }, + "id": 67, + "interval": "1m", + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{namespace=\"$kyvernoNS\"}) by (pod)", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "{{ pod }}", + "refId": "A", + "step": 10 + }, + { + "datasource": { + 
"type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "scalar(kube_resourcequota{namespace=\"$kyvernoNS\", type=\"hard\",resource=\"requests.cpu\"})", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "quota - requests", + "refId": "B", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "scalar(kube_resourcequota{namespace=\"$kyvernoNS\", type=\"hard\",resource=\"limits.cpu\"})", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "quota - limits", + "refId": "C", + "step": 10 + } + ], + "title": "CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 0, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "quota - requests" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + }, + { + "id": "custom.fillOpacity", + "value": 0 + }, + { + "id": "custom.lineWidth", + 
"value": 2 + }, + { + "id": "custom.stacking", + "value": { + "group": "A", + "mode": "none" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "quota - limits" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF9830", + "mode": "fixed" + } + }, + { + "id": "custom.fillOpacity", + "value": 0 + }, + { + "id": "custom.lineWidth", + "value": 2 + }, + { + "id": "custom.stacking", + "value": { + "group": "A", + "mode": "none" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 19 + }, + "id": 69, + "interval": "1m", + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(container_memory_working_set_bytes{job=\"kubelet\", metrics_path=\"/metrics/cadvisor\", namespace=\"$kyvernoNS\", container!=\"\", image!=\"\"}) by (pod)", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "{{pod}}", + "refId": "A", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "scalar(kube_resourcequota{namespace=\"$kyvernoNS\", type=\"hard\",resource=\"requests.memory\"})", + "format": "time_series", + "interval": "", + "intervalFactor": 2, + "legendFormat": "quota - requests", + "refId": "B", + "step": 10 + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "scalar(kube_resourcequota{namespace=\"$kyvernoNS\", type=\"hard\",resource=\"limits.memory\"})", + "format": "time_series", + 
"interval": "", + "intervalFactor": 2, + "legendFormat": "quota - limits", + "refId": "C", + "step": 10 + } + ], + "title": "Memory Usage (w/o cache)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 25 + }, + "id": 26, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Results", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] 
+ }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 26 + }, + "id": 15, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + 
"id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 26 + }, + "id": 17, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-rule)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + 
"mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "__systemRef": "hideSeriesFrom", + "matcher": { + "id": "byNames", + "options": { + "mode": "exclude", + "names": [ + "namespaced" + ], + "prefix": "All except:", + "readOnly": true + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": false, + "tooltip": false, + "viz": true + } + } + ] + } + ] + }, + "gridPos": { + "h": 16, + "w": 8, + "x": 16, + "y": 26 + }, + "id": 30, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(sum(kyverno_policy_results_total{rule_result=\"fail\"}) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Failures", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + 
"lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 31, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(sum(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "title": "Admission Review Results (per-policy)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + 
"drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "pass" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 219, 23)", + "mode": "fixed" + } + }, + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fail" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 34 + }, + "id": 32, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(sum(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "{{rule_result}}", + "refId": "A" + } + ], + "title": "Background Scan Results (per-policy)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": 
"palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 8, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 42 + }, + "id": 57, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(kyverno_policy_results_total{rule_result=\"fail\"}) by (resource_namespace,policy_name)", + "interval": "", + "legendFormat": "Policy={{ policy_name }}, Namespace={{ resource_namespace }}", + "refId": "A" + } + ], + "title": "Cluster Policies and Namespaces w/Failed", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 48 + }, + "id": 19, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Info", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + 
"fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF7383", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 49 + }, + "id": 16, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + 
"type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "audit" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "enforce" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FF9830", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 49 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", + "interval": "", + "legendFormat": "audit", + "refId": "A" + } + ], + "title": "Active Policies (by 
policy validation action)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#B877D9", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 49 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "title": "Active Policies running in background mode", + "type": "timeseries" + }, + { + "datasource": { + 
"type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 57 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", + "interval": "", + "legendFormat": "{{policy_namespace}}", + "refId": "A" + } + ], + "title": "Active Namespaced Policies (by namespaces)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + 
"axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "mutate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(169, 58, 227)", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "validate" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(255, 232, 0)", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 10, + "x": 8, + "y": 57 + }, + "id": 14, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "count(kyverno_policy_rule_info_total{}==1) by (rule_type)", + "interval": "", + "legendFormat": "{{rule_type}}", + "refId": "A" + } + ], + "title": "Active Rules (by rule type)", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 65 + }, + "id": 34, + "panels": [], + "targets": [ + { + "datasource": { + "type": 
"prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Policy-Rule Execution Latency", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 66 + }, + "id": 36, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(kyverno_policy_execution_duration_seconds_sum{}) by (rule_type)", + "interval": "", + "legendFormat": "{{rule_type}}", + "refId": "A" + } + ], + "title": "Average Rule Execution Latency", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + 
"axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "clocks" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "namespaced" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 66 + }, + "id": 37, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{}) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "title": "Average Policy Execution Latency", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": 
"thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 66 + }, + "id": 39, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(kyverno_policy_execution_duration_seconds_sum{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Rule Execution Latency", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 70 + }, + "id": 40, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{}) by (policy_name, policy_type))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": 
"Overall Average Policy Execution Latency", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 74 + }, + "id": 52, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Admission Review Latency", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 75 + }, + "id": 53, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(kyverno_admission_requests_total{}) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource 
Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 75 + }, + "id": 54, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_requests_total{}) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Avg - Admission Review Duration (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + 
"defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 75 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_requests_total{}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Incoming Admission Requests (last 5m)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 79 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "avg(kyverno_admission_review_duration_seconds_sum{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + 
"title": "Avg - Overall Admission Review Duration", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 83 + }, + "id": 8, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Policy Changes", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 84 + }, + "id": 10, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": 
"prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_changes_total{}) by (policy_change_type)", + "interval": "", + "legendFormat": "Change type: {{policy_change_type}}", + "refId": "A" + } + ], + "title": "Policy Changes (by change type)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "cluster" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#F2495C", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 84 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_changes_total{}) by 
(policy_type)", + "interval": "", + "legendFormat": "{{policy_type}}", + "refId": "A" + } + ], + "title": "Policy Changes (by policy type)", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "orange", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 84 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_policy_changes_total{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Policy Changes", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 88 + }, + "id": 48, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ 
+ { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(rate(kyverno_admission_requests_total{}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Policy Changes Happening (last 5m)", + "type": "stat" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 92 + }, + "id": 44, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "refId": "A" + } + ], + "title": "Admission Requests", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 93 + }, + "id": 45, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", 
+ "min" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_requests_total{}) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "title": "Admission Requests (by operation)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 10, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Change type: created" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#5794F2", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 93 + }, + "id": 46, + "options": { + "legend": { + "calcs": [ + "lastNotNull", + "max", + "min" + ], + "displayMode": "table", + "placement": "bottom", + 
"showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "8.4.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_requests_total{}) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "title": "Admission Requests (by resource kind)", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "semi-dark-green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 93 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.2.2", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "exemplar": true, + "expr": "sum(kyverno_admission_requests_total{})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Admission Requests", + "type": "stat" + } + ], + "refresh": "5s", + "schemaVersion": 39, + "tags": [ + "kyverno", + "security" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "kyverno", + "value": "kyverno" + }, + "datasource": { + "type": "prometheus", + "uid": "P98FD586FDD5909DA" + }, + "definition": "label_values(kube_namespace_status_phase{job=\"kube-state-metrics\",}, namespace)", + "hide": 0, + "includeAll": false, + "multi": 
false, + "name": "kyvernoNS", + "options": [], + "query": { + "query": "label_values(kube_namespace_status_phase{job=\"kube-state-metrics\",}, namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "^kyverno$", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": { + "selected": true, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Kyverno", + "uid": "Rg8lWBG7k", + "version": 1, + "weekStart": "" + } \ No newline at end of file diff --git a/charts/grafana-dashboards/values.yaml b/charts/grafana-dashboards/values.yaml index 3e61aa872f..97d327cf25 100644 --- a/charts/grafana-dashboards/values.yaml +++ b/charts/grafana-dashboards/values.yaml @@ -12,6 +12,7 @@ folders: - trivy-teams - velero - kyverno-teams + - kyverno sidecar: dashboards: diff --git a/values/grafana-dashboards/grafana-dashboards.gotmpl b/values/grafana-dashboards/grafana-dashboards.gotmpl index 1c4c261e80..a3e3323cb7 100644 --- a/values/grafana-dashboards/grafana-dashboards.gotmpl +++ b/values/grafana-dashboards/grafana-dashboards.gotmpl @@ -27,3 +27,6 @@ folders: {{- if $v.apps.thanos.enabled }} - thanos {{- end }} + {{- if $v.apps.kyverno.enabled }} + - kyverno + {{- end }} \ No newline at end of file From 56a10c54a6be9aaa4b2f80617c6f1f59b5cc9dab Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Fri, 13 Dec 2024 16:32:01 +0100 Subject: [PATCH 12/13] fix: dashboard queries --- .../kyverno-teams/kyverno-teams.json | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
index e914c3253a..807739f3c4 100644
--- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
+++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
@@ -52,7 +52,7 @@
 "refId": "A"
 }
 ],
- "title": "Summary of security policy compliance",
+ "title": "Summary of security policy rule compliance",
 "type": "row"
 },
 {
@@ -120,7 +120,7 @@
 "disableTextWrap": false,
 "editorMode": "code",
 "exemplar": false,
- "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"pass\", resource_namespace=\"$namespace\"}[$__range])))",
+ "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"pass\", policy_namespace=\"$namespace\"}))",
 "fullMetaSearch": false,
 "includeNullMetadata": true,
 "instant": true,
@@ -197,7 +197,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"skip\", resource_namespace=\"$namespace\"}[$__range])))",
+ "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"skip\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -271,7 +271,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"warn\", resource_namespace=\"$namespace\"}[$__range])))",
+ "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"warn\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
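Review bot: The rewritten `expr` in the `@@ -120` hunk, and the same rewrite in the `@@ -197`, `@@ -271` and following `@@ -345` hunks, counts which `kyverno_policy_results_total` series exist, so the tiles no longer depend on the dashboard time range. A counter series stays exported after its last increment, so a policy that failed once keeps being counted under fail after the workload is fixed, presumably until the Kyverno pod restarts. For a tile that is read as current compliance I would keep the window inside the count, for example `count(count by (policy_name) (increase(kyverno_policy_results_total{rule_result="fail", policy_namespace="$namespace"}[$__range]) > 0))`. The panel objects start and end outside these hunks, so the tile titles are not visible here.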
@@ -345,7 +345,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"}[$__range])))",
+ "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -518,7 +518,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", resource_namespace=\"$namespace\"}[$__range])) by (policy_name)",
+ "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"})) by (policy_name)",
 "instant": false,
 "interval": "$__interval",
 "legendFormat": "{{severity}}",
@@ -526,7 +526,7 @@
 "refId": "A"
 }
 ],
- "title": "All non-compliant security policies by policy name",
+ "title": "Non-compliant rules by policy name",
 "type": "timeseries"
 }
 ],
@@ -559,8 +559,8 @@
 {
 "current": {
 "selected": false,
- "text": "team-demo",
- "value": "team-demo"
+ "text": "team-test",
+ "value": "team-test"
 },
 "datasource": {
 "type": "prometheus",
@@ -585,13 +585,13 @@
 ]
 },
 "time": {
- "from": "now-1h",
+ "from": "now-12h",
 "to": "now"
 },
 "timepicker": {},
 "timezone": "",
 "title": "Policy compliance",
 "uid": "kyverno",
- "version": 1,
+ "version": 2,
 "weekStart": ""
 }
\ No newline at end of file
From baae580af41e7dc2e09db10bfa3b10695e7bf5cc Mon Sep 17 00:00:00 2001 From: Sander Rodenhuis Date: Tue, 17 Dec 2024 09:27:06 +0100 Subject: [PATCH 13/13] fix: prom queries --- .../kyverno-teams/kyverno-teams.json | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
index 807739f3c4..e77afcaf58 100644
--- a/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
+++ b/charts/grafana-dashboards/kyverno-teams/kyverno-teams.json
@@ -120,7 +120,7 @@
 "disableTextWrap": false,
 "editorMode": "code",
 "exemplar": false,
- "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"pass\", policy_namespace=\"$namespace\"}))",
+ "expr": "count (count by (rule_name, policy_name) (kyverno_policy_results_total{rule_result=\"pass\", policy_namespace=\"$namespace\"}))",
 "fullMetaSearch": false,
 "includeNullMetadata": true,
 "instant": true,
@@ -197,7 +197,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"skip\", policy_namespace=\"$namespace\"}))",
+ "expr": "count (count by (rule_name, policy_name) (kyverno_policy_results_total{rule_result=\"skip\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -271,7 +271,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"warn\", policy_namespace=\"$namespace\"}))",
+ "expr": "count (count by (rule_name, policy_name) (kyverno_policy_results_total{rule_result=\"warn\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -345,7 +345,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"}))",
+ "expr": "count (count by (rule_name, policy_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
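Review bot: The selectors in the `@@ -120`, `@@ -197`, `@@ -271` and `@@ -345` hunks (and the unknown tile at `@@ -418`) still match on `policy_namespace="$namespace"`, so only results from namespaced policies that live in the team namespace are counted. Results that a ClusterPolicy produces for resources in that namespace would not appear, because as far as I know Kyverno does not put the resource's namespace in that label for cluster-wide policies. If cluster-wide policies are enforced on team workloads the tiles under-report failures, and matching on `resource_namespace="$namespace"`, as the queries removed in 12/13 did, would cover both kinds. If every team policy is deliberately namespaced, a panel `description` stating that would prevent the misreading.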
@@ -418,7 +418,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "round(sum(increase(kyverno_policy_results_total{rule_result=\"unknown\", resource_namespace=\"$namespace\"}[$__range])))",
+ "expr": "count (count by (rule_name, policy_name) (kyverno_policy_results_total{rule_result=\"unknown\", policy_namespace=\"$namespace\"}))",
 "instant": true,
 "interval": "$__interval",
 "legendFormat": "__auto",
@@ -518,7 +518,7 @@
 },
 "editorMode": "code",
 "exemplar": false,
- "expr": "count (count by (policy_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"})) by (policy_name)",
+ "expr": "count (count by (policy_name, rule_name) (kyverno_policy_results_total{rule_result=\"fail\", policy_namespace=\"$namespace\"})) by (policy_name, rule_name)",
 "instant": false,
 "interval": "$__interval",
 "legendFormat": "{{severity}}",
@@ -557,11 +557,7 @@
 "type": "datasource"
 },
 {
- "current": {
- "selected": false,
- "text": "team-test",
- "value": "team-test"
- },
+ "current": {},
 "datasource": {
 "type": "prometheus",
 "uid": "$datasource"
@@ -588,6 +588,6 @@
 "timezone": "",
 "title": "Policy compliance",
 "uid": "kyverno",
- "version": 2,
+ "version": 3,
 "weekStart": ""
 }
\ No newline at end of file
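Review bot: In the `@@ -518` hunk the outer `count (...) by (policy_name, rule_name)` groups by the same labels as the inner `count by`, so every series in the timeseries panel has the value 1 and the graph cannot show how many rules fail per policy. The unchanged `"legendFormat": "{{severity}}"` refers to a label the aggregation drops, so the legend entries will likely be empty. For a panel titled "Non-compliant rules by policy name" I would use `count by (policy_name) (count by (policy_name, rule_name) (kyverno_policy_results_total{rule_result="fail", policy_namespace="$namespace"}))` together with `"legendFormat": "{{policy_name}}"`. The 12/13 hunk at the same position has the same shape with `policy_name` alone.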