
[Improvement] Enable enforce violation policyreports events requires kyverno is supported but not highlighted in helm chart

Open vponoikoait opened this issue 1 year ago • 4 comments

As there's a guide on the documentation side, it wasn't actually clear if that's still supported in the helm chart itself. https://kyverno.github.io/policy-reporter/guide/helm-chart-core#enable-enforce-violation-policyreports-requires-kyverno-170 The lack of the following in the commented values (unless it's experimental) may lead to the conclusion that it's not actually supported or not safe to use. It would be nice to have it in the repository.

vponoikoait avatar Jan 30 '24 14:01 vponoikoait

I would've gladly created one, but in its current state I may assume it's not already fully working as potentially desired, as I have raised an issue for the corresponding behaviour - https://github.com/kyverno/kyverno/issues/9565 In the current implementation of PolicyReporter it may mean that events can be scraped only from a single namespace (it seems as well that a wildcard isn't supported), which may lead to additional reporting issues for other people if they're using a combination of Policy & ClusterPolicy resources, as these write events to different namespaces. Generally speaking, it would be nice to have a list of namespaces rather than a single namespace possible to be specified, considering that most likely the design assumes that these should be resource-namespace related.

vponoikoait avatar Jan 30 '24 14:01 vponoikoait

You can set the eventNamespace to an empty string to watch over all namespaces. The default namespace is set as the default because most people use mainly ClusterPolicies, and watching for events in all namespaces can have a performance impact.

From the SDK side it's hard to achieve watching over a subset of namespaces, so it's not supported right now.

fjogeleit avatar Jan 30 '24 14:01 fjogeleit
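The comment above describes three scoping options the chart value can express: a single namespace (the default `default`), the empty string for all namespaces, and no list or wildcard form. The following is an added example, not code from policy-reporter or kyverno, that models that scoping over a set of constructed events so the effect of the setting can be checked before deploying: a watch scoped to `default` sees ClusterPolicy events but silently misses events for namespaced Policy resources, while the empty string sees both. The empty-string-means-all convention matches client-go's `metav1.NamespaceAll` (which is `""`); the event records and policy names are constructed sample data.

```python
from dataclasses import dataclass

# client-go expresses "all namespaces" as the empty string (metav1.NamespaceAll),
# which is why eventNamespace: "" in the chart means a cluster-wide watch.
NAMESPACE_ALL = ""


@dataclass(frozen=True)
class Event:
    namespace: str     # namespace the Kubernetes Event object lives in
    policy_kind: str   # "Policy" (namespaced) or "ClusterPolicy" (cluster-wide)
    policy_name: str
    reason: str


# Constructed sample events, not captured from a real cluster. ClusterPolicy
# events land in "default" (as discussed in this thread); Policy events land
# in the namespace of the Policy resource itself.
SAMPLE_EVENTS = [
    Event("default", "ClusterPolicy", "require-labels", "PolicyViolation"),
    Event("default", "ClusterPolicy", "disallow-privileged", "PolicyViolation"),
    Event("team-a", "Policy", "restrict-image-registries", "PolicyViolation"),
    Event("team-b", "Policy", "require-run-as-nonroot", "PolicyViolation"),
]


def watched_events(events, event_namespace):
    """Return the events a watch scoped by eventNamespace would deliver.

    Only a single namespace string is supported, mirroring the chart value:
    no list of namespaces and no wildcard. The empty string selects all.
    """
    if not isinstance(event_namespace, str):
        raise TypeError("eventNamespace must be a single namespace string")
    if event_namespace == NAMESPACE_ALL:
        return list(events)
    return [e for e in events if e.namespace == event_namespace]


def missed_policies(events, event_namespace):
    """(kind, name) pairs whose violation events the configured watch never sees.

    Intended as a pre-deployment check of the chart value against the kinds
    of policies actually in use.
    """
    seen = {(e.policy_kind, e.policy_name)
            for e in watched_events(events, event_namespace)}
    every = {(e.policy_kind, e.policy_name) for e in events}
    return sorted(every - seen)


if __name__ == "__main__":
    for setting in ("default", NAMESPACE_ALL):
        label = setting or '""'
        print(f"eventNamespace: {label}")
        print(f"  delivered: {len(watched_events(SAMPLE_EVENTS, setting))} event(s)")
        print(f"  missed:    {missed_policies(SAMPLE_EVENTS, setting)}")
```

Running the block prints that `default` delivers 2 events and misses both namespaced Policies, while `""` delivers all 4 and misses nothing; passing a list for the setting raises `TypeError`, which is the point made above that a subset of namespaces is not expressible.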

According to https://github.com/kyverno/kyverno/issues/9565#issuecomment-1917044300 ClusterPolicies are actually always put in the default namespace, though in this case events for the Policies can't be captured unless a list option or wildcard specification is supported for the

...
    # namespace where kyverno events are created
    eventNamespace: default
...

vponoikoait avatar Jan 30 '24 14:01 vponoikoait

@fjogeleit thanks a lot for the clarifications. It would be nice to have these highlighted inside the documentation itself. I will create an issue for it later, and maybe I will be able to contribute it myself.

vponoikoait avatar Jan 30 '24 14:01 vponoikoait