- Policy Reporter
- Policy Reporter UI
- Container signing and SBOM generation
- New config `api.overwriteHost` to control the proxy host behavior
- Signed Helm Chart
- Policy Reporter
- New `channel` property for Slack targets to define the Slack channel to send the results to
- New `mountedSecret` property to read target configs from a mounted secret [#282 by rromic]
- AWS KMS support for S3 target with new properties `bucketKeyEnabled`, `kmsKeyId` and `serverSideEncryption` [#281 by rromic]
- Mounted secret needs to be in JSON format with keys defined in kubernetes/secrets Values struct.
- Monitoring
- Add `namespaceSelector` to `serviceMonitor` values
- Policy Reporter
- Improved logging configuration
- Support JSON logging
- Support log level
- optional API access logging with `api.logging` set to `true`
- New aggregation table for API performance improvements
- Helm Ingress template
- New Google Cloud Storage Target
- Requires `credentials` as JSON String and the `bucket` name
- Added in the helm values under `target.gcs`
- Policy Reporter KyvernoPlugin
- Helm Ingress template
- Improved logging configuration
- Support JSON logging
- Support log level
- Policy Reporter UI
- Improved logging configuration
- Support JSON logging
- Support log level
- Proxy Logging
- Policy Reporter
- Use metaclient to reduce informer memory usage
- Use workerqueue to control concurrent processing of PolicyReports
- Remove internal PolicyReport structures
- Make sqlite volume configurable [#255 by monotek]
- use defer to unlock when possible [#259 by eddycharly]
- Policy Reporter UI
- New SSL configs for external clusters
- `skipTLS` to disable SSL verification
- `certificate` to configure a path to a custom CA for self signed URLs
- New Helm values `ui.volumes` and `ui.volumeMounts` to add your custom CAs as mounts to the UI deployment.
- Add values to configure `topologySpreadConstraints` for all components [#241 by Kostavro]
- Fixing comment formats and deprecations [#250 by fengshunli]
- Add new APIs for PolicyReport and ClusterPolicyReport metadata (`/v1/policy-reports`, `/v1/cluster-policy-reports`) [#251
- search filter also checks the resource kind
- Use correct probes in core deployment [#236 by rgarcia89]
- Add source to PolicyReport Table and improve report-label API [#252
- Policy Reporter
- Fix generate multiple custom metrics
- Policy Reporter
- Persist also PolicyReport labels
- API
- New API to get available labels for PolicyReports: `/v1/namespaced-resources/report-labels`
- New API to get available labels for ClusterPolicyReports: `/v1/cluster-resources/report-labels`
- Metrics
- special syntax to add report labels to metric labels: `label:report-label-name`, special characters like `-`, `/`, `.`, `:` will be transformed to `_` in metrics
- New Target Filter `reportLabel` to filter results based on labels of the related (Cluster)PolicyReport
- Monitoring
- New values to disable dedicated Grafana Dashboards:
- `grafana.dashboards.enable.overview`, default `true`
- `grafana.dashboards.enable.policyReportDetails`, default `true`
- `grafana.dashboards.enable.clusterPolicyReportDetails`, default `true`
- New values to configure the Grafana Dashboard datasource label, pluginName, pluginId
- `grafana.datasource.label`, default `Prometheus`
- `grafana.datasource.pluginName`, default `Prometheus`
- `grafana.datasource.pluginId`, default `prometheus`
- New value `grafana.dashboards.labelFilter` to add custom report labels as dashboard filter, default `[]`. Label has to be a valid prometheus label, e.g. `created-by` => `created_by`.
- New values `grafana.dashboards.multicluster.enabled` and `grafana.dashboards.multicluster.label` to add an optional `cluster` label.
- Kyverno Plugin
- New HTML Compliance Reports
- Grouped by Policy with Details per Namespace and Resource
- Grouped by Namespace with Details per Policy and Resource
- Go update to 1.19
- UI
- Integrate new Compliance Reports
- New PolicyReport label based filter, use `ui.labelFilter` to define a list of labels to add
- Go update to 1.19
- Add configuration `target.s3.pathStyle` for the `S3` output
- Fix `customFields` mapping in TargetFactory
- Fix `customFields` property in values.yaml
- Fix PolicyReporter `image.tag` version
- Policy Reporter
- Add `customFields` property to missing targets: `Elasticsearch`, `S3`, `Webhook`, `Kinesis`
- Policy Reporter UI
- Create Links out of URL property values
- Monitoring
- Policy Reporter
- Fix persist error for duplicated IDs
- Disable UI SA automount
- Policy Reporter
- New `certificate` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to set the path to your custom certificate for the related client.
- New `skipTLS` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to skip TLS if needed for the given target.
- New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyID`, `secretAccessKey` information of the given target, instead of configuring your credentials directly.
- Policy Reporter UI
- New value `refreshInterval` to configure the default refresh interval for API polling. Set `0` to disable polling.
- Policy Reporter Kyverno Plugin
- Fix the creation of duplicated results for PolicyReportResults.
- Policy Reporter
- New Helm Chart value to add extra volumes to PolicyReporter deployment [#186 by preved911]
- HTTP Basic authentication for Elasticsearch targets with `username` and `password` configuration fields
- `target.slack.customFields` map property for Slack pushes to add additional metadata to notifications like clustername
- Add timestamp to Result REST APIs
- Overwrite the installation target namespace via the new `global.namespace` value.
- Policy Reporter
- New `emailReports.smtp.secret` configuration to use an existing external secret to configure your SMTP connection
- You can set all or a subset of the available keys in your secret: `host`, `port`, `username`, `password`, `from`, `encryption`
- Keys available in your secret have a higher priority than your Helm release values.
- Policy Reporter
- Add new Severity values `info` and `critical`
- Update PolicyReport ID generation
- Policy Reporter UI
- Fix Grouping by Policy and Categories
- Fix ReverseProxy RequestHost
- New configuration `ui.clusterName` which is used in the ClusterSelect, if you configure additional Clusters
- Policy Reporter Kyverno Plugin
- Add `time` property to PolicyReportResults
- Policy Reporter
- Policy Reporter UI
- Fix API Proxy for APIs behind ReverseProxy (like NGINX Ingress)
- Policy Reporter
- High Availability support with leaderelection for necessary features like target pushes, to avoid duplicated pushes by multiple instances
- Add new `role` and `rolebinding` to manage lease objects if leaderelection is enabled
- Add redis configuration to the Helm Chart for external cache storage
- Add PodDisruptionBudget for HA Deployments (replicaCount > 1)
- Add `skipTLS` configuration for MS Teams Webhook
- Policy Reporter KyvernoPlugin
- High Availability support with leaderelection for necessary features like PolicyReport management for blocked resources
- Add new `role` and `rolebinding` to manage lease objects if leaderelection is enabled
- Add PodDisruptionBudget for HA Deployments (replicaCount > 1)
- Internal refactoring for better CRD management
- Policy Reporter UI
- Add redis as possible log storage to support high availability deployments
- Add PodDisruptionBudget for HA Deployments (replicaCount > 1)
- Policy Reporter
- Add new config `target.loki.path` to overwrite the deprecated prom push API
- Policy Reporter UI
- New option `ui.clusters` makes it possible to configure additional external Policy Reporter APIs (details)
- General UI improvements for loading state and error handling
- Monitoring
- Fix Datasource for Metrics and Filters in the preconfigured Dashboards
- Add Datasource as additional Select to the preconfigured Dashboards
- Policy Reporter
- Email Reports
- Send Summary Reports over SMTP to different E-Mails
- Supports channels and filters to send different subsets of Namespaces or Sources to dedicated E-Mails
- Reports are generated and sent over dedicated CronJobs, this makes it easy to send the reports as often as needed
- Currently a basic summary and a more detailed violation report is available and can be separately enabled and configured
- Metrics
- Add `metrics.mode` for less or custom metric values, to reduce cardinality
- Monitoring
- Fix Source Column for result tables
- Fix Warn counter for ClusterPolicyReport Details
- Fix Policy Reporter Version in the Helm Chart values.yaml
- Policy Reporter
- Add AWS Kinesis compatible target
- Add new Helm value `profiling.enabled` to enable pprof profiling, disabled by default
- Improved Informer handling
- Policy Reporter
- Fix `grafana.dashboards.value` type conversion [fix #158]
- Policy Reporter
- Policy Reporter
- Name Configuration for Target (Channels) to customize UI Labels
- Policy Reporter UI
- Fix table on chip selection
- Order labels
- Return 404 Status Code for non existing URL paths
- Policy Reporter
- New configuration to use Redis as external result caching store
- SQLite Improvement: Use batch insertion for PolicyReportResults
- PolicyReport Informer Update: Use typed informer to improve performance and memory usage
- Drop support for `v1alpha1` of the PolicyReport CRD
- Serverside Pagination for better Dashboard performance
- Concurrent PolicyReport processing
- Policy Reporter UI
- Serverside Pagination support
- Dynamic Chart sizes
- Policy Reporter Kyverno Plugin
- Generate Policy Reports for enforcement violations
- Policy Reporter
- New target filter and channels to define multiple configurations of the same target
- Filter target results by exclude and include rules for namespaces, priorities and policies
- Support wildcards for policies and namespaces
- New webhook target
- this target is a simple way to send notifications to custom tools and APIs
- results are sent as POST requests with a JSON representation of the result
- the headers property allows you to send custom headers with the request, for example to allow authentication
- Policy Reporter
- Add Resource APIVersion to the Results REST APIs
- Policy Reporter
- PolicyReport Filter:
- PolicyReporter CRD Filter by Namespaces
- Disable ClusterPolicyReport CRD processing
- Policy Reporter
- Fix Debouncer has wrong reference to OldPolicyReport when a result was cached.
- Policy Reporter
- Update Go to 1.17.8
- Add `serviceMonitor.relabelings` and `serviceMonitor.metricRelabelings` for ServiceMonitor configuration in the `monitoring` Subchart.
- Add `kyverno.serviceMonitor.relabelings` and `kyverno.serviceMonitor.metricRelabelings` for the KyvernoPlugin ServiceMonitor configuration in the `monitoring` Subchart.
- Policy Reporter UI
- Update Go to 1.17.8
- Policy Reporter KyvernoPlugin
- Update Go to 1.17.8
- Update Policy Reporter UI to v1.3.2
- Support access over Subpaths, e.g. Rancher Reverse Proxy
- Update Policy Reporter Monitoring to v2.1.0
- Fix Failing ClusterPolicyRules Columns of the PolicyReports Dashboard
- Add Filter to the PolicyReports Dashboard
- Add seccomp profile support [#120 by eddycharly]
- New Policy Reporter API to get a list of available resources
- New Filter for Policies, Kinds, Categories and Results APIs
- Policy Reporter
- Add Support for custom Loki labels
- Policy Reporter
- Policy Reporter UI
- Policy Reporter KyvernoPlugin
- Policy Reporter
- Update Go to 1.17.6 [#110 by realshuting]
- Update Helm Chart with new component versions
- Update dependencies
- Policy Reporter UI
- Update Go to 1.17.6 [#93 by realshuting]
- Update dependencies
- Policy Reporter KyvernoPlugin
- Update Go to 1.17.6 [#12 by realshuting]
- Fix PolicyReport Mapper - string casting
- Fix Helm Chart uihost template function.
- Fix Helm Chart `values.yaml`. Cleanup unused default configurations. [#103 by AndersBennedsgaard]
- Fix Typo in values.yaml [#102 by christophefromparis]
- Policy Reporter UI v1.2.0
- New configurations to customize the dashboard by disabling PolicyReport or ClusterPolicyReport information
- Fix KyvernoPlugin Metrics ServiceMonitor Port [#96 by z0rc]
- Remove unused Port from KyvernoPlugin Deployment and Service
- KyvernoPlugin v1.1.0
- New KyvernoPlugin API - VerifyImages Rules (details)
- Policy Reporter UI v1.1.0
- New Kyverno VerifyImages view in Policy Reporter UI
- New configurations to disable views (details)
- Remove NetworkPolicy ingress rule for UI if not enabled
- Update Policy Reporter UI
- Fix: Show PolicyReportResult Properties in Tables
- Removed deprecated values `crdVersion`, `cleanupDebounceTime`
- Simplify `policyPriorities`, `policyPriorities.enabled` was removed along with the watch feature
- Priority determined mainly over severity
- Add `sources` filter to target configurations
- Improved `NetworkPolicy` configuration for all components
- Metrics now an optional feature
- Each component exposes a single Port `8080`
See Migration Docs for details
- modular functions for separate activation/deactivation
- REST API
- Metrics API
- Target pushes
- PolicyReports are now stored in an internal SQLite
- extended REST API based on the new SQLite DB for filters and grouping of data
- metrics API is now optional
- metrics and REST API using the same HTTP Server (were separated before)
- improved CRD watch logic with Kubernetes client informer
- `Yandex` changed to a general `S3` target.
- Rewrite with NuxtJS
- Simplified Proxy
- Improved SPA file handling
- modular functions for separate activation/deactivation
- REST API
- Metrics API
- metrics and REST API using the same HTTP Server (were separated before)
- improved CRD watch logic with Kubernetes client informer
- Update Go Base Image for all Components
- Policy Reporter [#90 by fjogeleit]
- Policy Reporter UI [#11 by realshuting]
- Policy Reporter Kyverno Plugin [#9 by realshuting]
- Dependency Update
- Fix policy-reporter-ui ServiceName function [#87 by m-yosefpor]
- Fix policy-reporter-ui backend name [#85 by m-yosefpor]
- Fix CRD registration for PolicyReport and ClusterPolicyReport
- Add Yandex as new Target for Policy Reporter
- Add Yandex as new Target for Policy Reporter
- Update Policy Reporter UI to v0.15.0
- Add Filters as Query Parameters, make them shareable over links
- Hosting all new Images on the GitHub Container Registry instead of DockerHub
- Go Version updates to Go 1.17 of all components
- Fix loki target messages for labels with dots
- Add additional egress rules to kyvernoPlugin and UI subchart with `networkPolicy.egress`
- Configure the Kubernetes API Port for NetworkPolicy with `networkPolicy.kubernetesApiPort`
- Implement NetworkPolicy for Policy Reporter and related Components [#68 by windowsrefund]
- Customize liveness- and readinessProbe for Policy Reporter [#67 by windowsrefund]
- Fix ServiceMonitor Namespace overwrite with `monitoring.serviceMonitor.namespace` instead of `monitoring.namespace`
- Ensure Backward Compatibility for `monitoring.namespace` configuration
- Optional Namespace Configuration for Monitoring ServiceMonitor
- Separate Namespace Configuration for Monitoring ConfigMaps with `monitoring.grafana.namespace`
- Update Policy Reporter UI to 0.14.0
- Colored Diagrams
- Support SubPath Configuration
- Restart CRD Watches when no CRDs are found
- Fix Ingress Resource in the UI Subchart
- Allow to override namespace for serviceMonitor [#57 by Issif]
- Update Policy Reporter UI to 0.13.1
- Hide Rule Chips if rule name is empty
- Update Policy Reporter Kyverno Plugin to 0.3.2
- Improved LivenessProbe, checks now if Kyverno CRDs are available
- Update Policy Reporter to 1.8.4
- Improved LivenessProbe, checks now if any PolicyReport CRD is available
- Changed Organization
- Update Policy Reporter UI to 0.13.0
- Change Result Grouping between by Status and by Category
- Add source filter to ClusterPolicyReports
- Fix `scored` mapping for `v1alpha2/policyreports`
- Disable KyvernoPlugin as default as expected
- Support `source` and `properties` for `policyreports/v1alpha2` in Policy Reporter UI
- Update Policy Reporter UI to `0.12.0`
- Customize label and annotation for Grafana dashboards [#43 by nlamirault]
- ARM64 Support for all Components
- Update Policy Reporter - Kyverno Plugin to 0.2.0
- New APIs for Liveness and Readiness Probes
- Update Policy Reporter - Kyverno Plugin to 0.1.2
- Fix Handling of Validations with empty messages
- Fix HelmChart - Deployment Probes for Policy Reporter
- Enable REST API by default
- Add `/healthz` and `/ready` APIs as new endpoints for readinessProbe and livenessProbe
- Helm Chart Updates
- Add `global.labels` to add `labels` on every resource created
- Add default labels on every resource
- Increase Result Caching Time to handle Kyverno issues with Policy reconciliation Issue
- Fix golint errors
- Add .global.fullnameOverride as new configuration for Policy Reporter Helm Chart
- Add static manifests to install Policy Reporter without Helm or Kustomize
- Internal refactoring
- Unification of PolicyReports and ClusterPolicyReports processing, APIs still stable
- DEPRECATED `crdVersion`, Policy Reporter now handles both versions by default
- DEPRECATED `cleanupDebounceTime`, new internal caching replaced the debounce mechanism, debounce still exists with a fixed period to improve stable metric values.
- Support multiple Resources for a single Result
- Mapping Result with multiple Resources in multiple Results with a single Resource
- Update UI handling with Results without Resources
- Update Kyverno Plugin
- Fix Rule Type mapping
- Update Policy Reporter UI
- Fix Chart rerender when values are the same
- Add Kyverno Plugins to the Helm Chart
- Configure Debounce Time in seconds for Cleanup Events over Helm Chart
- Helm Value `cleanupDebounceTime`
- default: 20
- Improved securityContext defaults
- Update Policy Reporter UI to v0.9.0
- expand Tables with Validation Message
- Reduce log messages
- Compress REST API with GZIP
- Update Policy Reporter UI to 0.8.0
- Support for GZIP Responses
- Debounce reconcile modification events for 10s to prevent resending violations
- New Helm Configuration `crdVersion` changes the version of the PolicyReporter CRD
- v1alpha1 is the current default
- Fix resend violations after KubeAPI reconnect
- Fix PolicyReportResult.timestamp parsing
- Support PolicyReportResult.status as well as PolicyReportResult.result for newer CRD versions
- Support for (Cluster)PolicyReport CRD Properties in Target Output
- Support for (Cluster)PolicyReport CRD Timestamp in Target Output
- Fix resend violations after Kyverno Cleanup with ResultHashes
- Added PolicyReport Category to Metrics
- New (Cluster)PolicyReport filter for Grafana Dashboards
- Add All Selection for Policy Filter
- Category Filter
- Severity Filter
- Kind Filter
- Namespacefilter (PolicyReports only)
- New (Cluster)PolicyReport filter for Policy Reporter UI
- Category Filter
- Severity Filter
- Kind Filter
- Support Priority by Severity
- high -> critical
- medium -> warning
- low -> information
- Severity is added as label to result metrics
- Severity is added in Policy Reporter UI tables
- Add "Critical" as new Priority to differ between Errored Policies and Failed priorities with High Severity
- Use "Warning" as new default Priority instead of Error, which should now be used for Policies in Error Status
- New Target Policy Reporter UI
- New Log View in the Policy Reporter UI to see the latest log entries
- Default: latest 200 logs with priority >= warning
- New Target MS Teams
- Policy Reporter UI update
- Select All option for Policy Filter
- New Namespace Filter for PolicyReport View
- [Breaking Change] rename policy-reporter-ui Subchart to ui
- Simplify the customization by configuring all PolicyReporter UI values under `ui`
- PolicyResult Priority mapping is now configurable over the Helm Chart
- Helm Chart updates #16 fixes #14
- Target configurations are now configured under `target` in the HelmChart `values.yaml`
- config.yaml is now deployed as Secret with encoded data body (plain stringData before)
- New Helm Linting Workflow by kolikons #15
- Improved Helm Chart by kolikons #13
- More configuration possibilities like UI Ingress, ReplicaCount
- Role and RoleBindings for ConfigMaps are now optional (required for Priority configuration)
- New Optional REST API
- New Optional Policy Reporter UI Helm SubChart
- Add a checksum for the target configuration secret to the deployment. This enforces a pod recreation when the configuration changed by a Helm upgrade.
- Customizable Dashboards via new Helm values for the Monitoring Subchart.
- Internal refactoring
- Improved test coverage
- Removed duplicated caching
- Updated Dashboard
- Filter zero values from Policy Report Detail after Policies / Resources are deleted
- Split the Monitoring out in a Sub Helm chart
- Changed naming from `metrics` to `monitoring`
- Make Annotations for the Deployment configurable
- Add two new Grafana Dashboard (PolicyReport Details, ClusterPolicyReport Details)
- Add support for a special `default` key in the Policy Priority. The `default` key can be used to configure a global default priority instead of `error`
- Use a Secret instead of ConfigMap to persist target configurations
- Helm Chart Value `metrics.serviceMonitor` changed to `metrics.serviceMonitor.enabled`
- New Helm Chart Value `metrics.serviceMonitor.labels` can be used to add additional `labels` to the `ServiceMonitor`. This helps to fulfill the `serviceMonitorSelector` of the `Prometheus` Resource in the MonitoringStack.
- Implement Discord as Target for PolicyReportResults
- Implement Slack as Target for PolicyReportResults
- Implement Elasticsearch as Target for PolicyReportResults
- Replace CLI flags with a single `config.yaml` to manage target-configurations as separate `ConfigMap`
- Set `loki.skipExistingOnStartup` default value to `true`