-
Notifications
You must be signed in to change notification settings - Fork 844
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhance K8s Events for resources "touched" by Kyverno policies #2160
Labels
enhancement
New feature or request
events
issues and enhancements for Kyverno events
stale
Stale issue, may be closed in the near future if nothing happens
Comments
cc @valentinEmpy (because this is related to your past PR here) |
Any comments on this, @JimBugwadia or @realshuting ? |
Agreed, these are important enhancements we should implement. |
This is partially address in #3741. |
2 tasks
Some updates (as of Kyverno 1.10) here since the issue is rather old:
Most important enhancements:
|
Both items under "Most important enhancements" are completed as of Kyverno 1.11. |
dosubot
bot
added
the
stale
Stale issue, may be closed in the near future if nothing happens
label
Sep 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
enhancement
New feature or request
events
issues and enhancements for Kyverno events
stale
Stale issue, may be closed in the near future if nothing happens
Is your feature request related to a problem? Please describe.
Kubernetes Events are a very important source of information on a given resource and serve as one of the starting points for any troubleshooting efforts. It's also usually the first stop on the road for any useful information an administrator/user might have to answer questions about a resource's disposition.
Today in Kyverno, Events on resources that are impacted or "touched" by Kyverno aren't given much consideration and are either basic and slightly misleading or nonexistent entirely. (By "touched" I mean resources that were subject to a policy in some way, ex, a Pod which violated a policy in
audit
mode; a Service which was mutated as the result of a policy; or a NetworkPolicy which was generated as a result of a policy.)For example, in the case of a
validate
rule inaudit
mode, a Pod in violation may generate the following Event:A couple problems with this:
From
column isn't very descriptive for users who might not know what produced this. It's an admission controller but which one? Kubernetes clusters these days may have several, not including homegrown ones.audit
mode. The resource didn't "fail" to apply anything, it's just in violation of one or more rules.But on resources that were mutated or generated by Kyverno, there are no events created on those target resources at all. This is especially significant because, unlike
validate
rules placed inaudit
mode which are stored in aPolicyReport
CR, aside from the Kyverno logs there are no pieces of information created outwards in the cluster which tell of those mutations or generations. Without such events, some confusion tends to arise:Describe the solution you'd like
There exists some substantial room for improvement here across the board.
validate
rules to a) state the source as being Kyverno rather than "admission-controller"; b) change the message body itself to say something like "Resource X is currently in violation of rule(s) Y defined in policy Z. This is recorded in the policy report for this Namespace or Cluster."mutate
rule stating something like, "Resource X has been successfully mutated according to rule Y defined in policy Z."generate
rule and state the behavior of that resource according to the type of rule. For example, a resource generated from adata
directive in the policy itself might create an event that reads, "Resource X has been generated according to rule Y defined in policy Z. It may be updated if the source policy changes." And a similar type event may be created that slightly alters the message if the source of the new resource is aclone
directive.Describe alternatives you've considered
validate
results).Additional context
None
The text was updated successfully, but these errors were encountered: