Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-14724

UI support for Kyverno policies

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Unresolved
    • Icon: Major Major
    • ACM 2.13.0
    • None
    • GRC
    • None
    • False
    • None
    • False
    • Not Selected
    • 0% To Do, 100% In Progress, 0% Done

      Feature Overview

      Display policies in the RHACM user experience from Kyverno

      Important:  This issue does not mean that RH is downstreaming, productizing, or supporting Kyverno as a run-time policy engine; this is just for displaying Kyverno policies in UI similar to how ACM displays Flux CD applications without RH actually having productized it.

      Goals

      This Section: Provide high-level goal statement, providing user context
      and expected user outcome(s) for this feature

      • Some RHACM users have an existing investment in Kyverno or generally prefer it as a policy engine over other tools like Gatekeeper; we want to meet customers where they are at and minimize change as much as possible on their end.
      • Support both the ClusterPolicy and Policy (Namespace-scoped) Kyverno policy types

      Requirements

      This Section: A list of specific needs or objectives that a Feature must
      deliver to satisfy the Feature.. Some requirements will be flagged as MVP.
      If an MVP gets shifted, the feature shifts. If a non MVP requirement slips,
      it does not shift the feature.

      Requirement Notes isMvp?
      CI - MUST be running successfully with test automation This is a
      requirement for ALL features.
      YES
      Release Technical Enablement Provide necessary release enablement details
      and documents.
      YES

      (Optional) Use Cases

      This Section:

      • As a Kyverno policy user, I can go to the Discovered policies dashboard and view the Kyverno policies I have deployed across the fleet
        • Name
        • Engine - Kyverno (w/ icon)
        • Kind - ClusterPolicy / Policy
        • Response action - spec.validationFailureAction (Enforce/Audit)
        • Source
        • Severity (same as how Gatekeeper works)
        • Cluster violations (from Cluster/PolicyReport) (# of clusters violating the policy)
      • As a Kyverno policy user, I can drill into a given policy and view the related clusters that have it deployed (same as Gatekeeper)
        • Cluster name
        • Severity
        • Source
        • Violations (# of violation instances on the cluster)
      • As a Kyverno policy user, I can drill into a given policy instance on a cluster to view more details
      • As a Kyverno policy user, I can understand the relationship between a Kyverno policy that delegates to a ValidatingAdmissionPolicy and the VAP instance itself

      Questions to answer

      • Complexities in using Search as a back-end for Kyverno, given that Kyverno results are stored in a separate Cluster/PolicyReport CR?
      • How to handle Kyverno-VAP relationship in the UX?

      Out of Scope

      • No support for Kyverno as a run-time policy engine, limited to just displaying data from Kyverno

      Background, and strategic fit

      This Section: What does the person writing code, testing, documenting
      need to know? What context can be provided to frame this feature?

      Assumptions

      • ...

      Customer Considerations

      • ...

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this
        product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have a doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content
        Strategy.
      • What concepts do customers need to understand to be successful in
        [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical
        Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or
        Release Note)?

              yikim@redhat.com Yi Rae Kim
              showeimer Sho Weimer
              Luke Bainbridge Luke Bainbridge
              Matthew Prahl Matthew Prahl
              Derek Ho Derek Ho
              Gus Parvin Gus Parvin
              Sho Weimer Sho Weimer
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: