-
Feature
-
Resolution: Unresolved
-
Major
-
None
-
None
-
False
-
None
-
False
-
Not Selected
-
0% To Do, 100% In Progress, 0% Done
Feature Overview
Display policies in the RHACM user experience from Kyverno
Important: This issue does not mean that RH is downstreaming, productizing, or supporting Kyverno as a run-time policy engine; this is just for displaying Kyverno policies in UI similar to how ACM displays Flux CD applications without RH actually having productized it.
Goals
This Section: Provide high-level goal statement, providing user context
and expected user outcome(s) for this feature
- Some RHACM users have an existing investment in Kyverno or generally prefer it as a policy engine over other tools like Gatekeeper; we want to meet customers where they are at and minimize change as much as possible on their end.
- Support both the ClusterPolicy and Policy (Namespace-scoped) Kyverno policy types
Requirements
This Section: A list of specific needs or objectives that a Feature must
deliver to satisfy the Feature.. Some requirements will be flagged as MVP.
If an MVP gets shifted, the feature shifts. If a non MVP requirement slips,
it does not shift the feature.
| Requirement | Notes | isMvp? |
|---|---|---|
| CI - MUST be running successfully with test automation | This is a requirement for ALL features. |
YES |
| Release Technical Enablement | Provide necessary release enablement details and documents. |
YES |
(Optional) Use Cases
This Section:
- As a Kyverno policy user, I can go to the Discovered policies dashboard and view the Kyverno policies I have deployed across the fleet
- Name
- Engine - Kyverno (w/ icon)
- Kind - ClusterPolicy / Policy
- Response action - spec.validationFailureAction (Enforce/Audit)
- Source
- Severity (same as how Gatekeeper works)
- Cluster violations (from Cluster/PolicyReport) (# of clusters violating the policy)
- As a Kyverno policy user, I can drill into a given policy and view the related clusters that have it deployed (same as Gatekeeper)
- Cluster name
- Severity
- Source
- Violations (# of violation instances on the cluster)
- As a Kyverno policy user, I can drill into a given policy instance on a cluster to view more details
- As a Kyverno policy user, I can understand the relationship between a Kyverno policy that delegates to a ValidatingAdmissionPolicy and the VAP instance itself
Questions to answer
- Complexities in using Search as a back-end for Kyverno, given that Kyverno results are stored in a separate Cluster/PolicyReport CR?
- How to handle Kyverno-VAP relationship in the UX?
Out of Scope
- No support for Kyverno as a run-time policy engine, limited to just displaying data from Kyverno
Background, and strategic fit
This Section: What does the person writing code, testing, documenting
need to know? What context can be provided to frame this feature?
Assumptions
- ...
Customer Considerations
- ...
Documentation Considerations
Questions to be addressed:
- What educational or reference material (docs) is required to support this
product feature? For users/admins? Other functions (security officers, etc)? - Does this feature have a doc impact?
- New Content, Updates to existing content, Release Note, or No Doc Impact
- If unsure and no Technical Writer is available, please contact Content
Strategy. - What concepts do customers need to understand to be successful in
[action]? - How do we expect customers will use the feature? For what purpose(s)?
- What reference material might a customer want/need to complete [action]?
- Is there source material that can be used as reference for the Technical
Writer in writing the content? If yes, please link if available. - What is the doc impact (New Content, Updates to existing content, or
Release Note)?
- is related to
-
ACM-14829 Investigate how to add Kyverno policy results in search
-
- Closed
-