Red Hat Advanced Cluster Management: ACM-24871

Integrate Kyverno's PolicyException into RHACM Policy Management


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Major
    • ACM 2.16.0
    • Console, GRC
    • Product / Portfolio Work

      Feature Overview

      This feature integrates the display of Kyverno's native PolicyException resources into the Red Hat Advanced Cluster Management (RHACM) Governance user experience. The goal is to provide visibility into which resources have been deliberately exempted from Kyverno policies, leveraging Search data to ensure accurate violation reporting and filling a critical gap in operational transparency.

      https://release-1-11-0.kyverno.io/docs/writing-policies/exceptions/ 

      Goals

      This Section: Provide high-level goal statement, providing user context
      and expected user outcome(s) for this feature

      • Integrate and display the status of active Kyverno PolicyException resources within the RHACM Governance console.
      • Ensure that status reflects the existence of an exemption (i.e., display that a resource is exempted if a matching PolicyException exists).
      • Provide a more accurate and transparent view of the true compliance posture of managed clusters when Kyverno is used.

      Requirements

      This Section: A list of specific needs or objectives that a Feature must
      deliver to satisfy the Feature. Some requirements will be flagged as MVP.
      If an MVP requirement gets shifted, the feature shifts. If a non-MVP requirement slips,
      it does not shift the feature.

      • Data Collection Enhancement: The Search collector MUST be enhanced to discover and index Kyverno PolicyException Custom Resources (CRs) from managed clusters. (isMvp? YES)
      • Policy Report Integration: The Governance UI MUST be updated to accurately reflect when a resource is exempted, based on Kyverno PolicyReport data or the presence of a matching PolicyException indexed by Search. (isMvp? YES)
      • Policy Details View: The Policy Details page for Kyverno policies MUST be updated to display a list or indicator of active PolicyExceptions associated with that policy. (isMvp? YES)
      • Violation Details View: When viewing a policy violation for a resource that has an active PolicyException, the UI MUST clearly indicate that the resource is exempted. (isMvp? YES)
      • CI: MUST be running successfully with test automation. This is a requirement for ALL features. (isMvp? YES)
      • Release Technical Enablement: Provide necessary release enablement details and documents. (isMvp? YES)

      (Optional) Use Cases

      This Section:

      • Main success scenarios - high-level user stories:
        • As an ACM administrator, I want to view a Kyverno policy and immediately see that three namespaces are currently exempted from its enforcement.
        • As an operator, when viewing a non-compliant resource, I want to see a clear flag indicating, "This resource is intentionally exempted by PolicyException exception-name."
        • As an auditor, I want the policy violation dashboard to accurately reflect the true, permitted state of my resources by factoring in active PolicyExceptions.
      • Alternate flow/scenarios - high-level user stories:
        • If a PolicyException is removed from a managed cluster, the RHACM Governance UI should reflect the removal and update the resource's compliance status accordingly.

      Questions to answer

      • ...

      Out of Scope

      • Exception Workflow: This feature will NOT implement any mechanism for requesting, approving, or managing the lifecycle of PolicyExceptions (e.g., no request forms, no approval workflows).
      • Historical Logging: This feature will NOT implement historical logging, auditing, or tracking of PolicyException changes over time.
      • CRUD Operations: Users will NOT be able to create, edit, or delete PolicyExceptions from within the RHACM console.
      • Custom Exception CRD: This feature will NOT implement a custom RHACM exception CRD; it strictly uses the native Kyverno PolicyException resource.

      Background, and strategic fit

      Customers use Kyverno's PolicyException feature to manage necessary, temporary deviations from their enforcement policies. Without visibility into these active exemptions, RHACM's Governance compliance dashboards present an inaccurate and overly strict view of non-compliance, leading to potential "false positive" alerts for policy teams. By integrating the display of these native Kyverno resources, we bridge the gap between policy definition and operational reality. This change is crucial for customers using Kyverno and elevates RHACM's value as a comprehensive and trusted source for multi-cluster compliance reporting.

      Assumptions

      • The Kyverno PolicyException CRD is deployed and in use on relevant managed clusters.
      • The Search Collector can be successfully modified to parse and index the data contained within the PolicyException CR, including its targeted policy and resource scope.
      • The Kyverno PolicyReports either contain explicit data about the exemption or can be correlated with the indexed PolicyException data to derive the correct exempted status.
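      As an added example (not code from the RHACM or Kyverno projects), this shows the correlation the requirements and assumptions sketch: given a failed PolicyReport result and the PolicyException resources Search has indexed, decide whether a matching exception covers the resource, so the UI can flag it as exempted rather than violating. The Go types, the Exempting function and the sample data are assumptions made for this example; it ignores an exception's optional ruleNames scoping and Kyverno's other selectors (labels, subjects, roles).

```go
package main

import (
	"fmt"
	"path"
)
// Minimal views of the two Kyverno resources the ticket correlates; field names
// follow the Kyverno docs, the Go types are assumptions made for this example.
type ResourceFilter struct{ Kinds, Namespaces, Names []string } // spec.match.any[].resources
type PolicyException struct {
	Name     string
	Policies []string // spec.exceptions[].policyName
	Match    []ResourceFilter
}
type ReportResult struct{ Policy, Kind, Namespace, Name, Result string } // PolicyReport results[]
// matchAny: one entry must match the value, with the '*' and '?' wildcards
// Kyverno allows in names/namespaces; an empty pattern list is no constraint.
func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, value); ok {
			return true
		}
	}
	return len(patterns) == 0
}
// Exempting returns the name of the first PolicyException covering a failed
// PolicyReport result, or "" when the violation stands. Only "fail" results
// are looked up, and an exception must name the policy explicitly.
func Exempting(r ReportResult, excs []PolicyException) string {
	if r.Result != "fail" {
		return ""
	}
	for _, e := range excs {
		for _, f := range e.Match { // matching any one filter block suffices
			if len(e.Policies) > 0 && matchAny(e.Policies, r.Policy) &&
				matchAny(f.Kinds, r.Kind) && matchAny(f.Namespaces, r.Namespace) && matchAny(f.Names, r.Name) {
				return e.Name
			}
		}
	}
	return ""
}

func main() { // constructed data, modelled on the PolicyException example in the Kyverno docs
	exc := PolicyException{Name: "delta-exception", Policies: []string{"disallow-host-namespaces"},
		Match: []ResourceFilter{{Kinds: []string{"Pod"}, Namespaces: []string{"delta"}, Names: []string{"important-tool*"}}}}
	r := ReportResult{"disallow-host-namespaces", "Pod", "delta", "important-tool-1", "fail"}
	fmt.Println(Exempting(r, []PolicyException{exc}), Exempting(r, nil) == "") // delta-exception true
}
```

      Passing an empty exception list reproduces the alternate flow above: once the PolicyException disappears from the indexed set, the same failure is reported as a genuine violation again.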

      Customer Considerations

      • Customers will gain operational clarity and confidence in the accuracy of the RHACM violation reporting.
      • The primary benefit is improved auditability and reduced noise from known, permissible violations.

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this
        product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have a doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content
        Strategy.
      • What concepts do customers need to understand to be successful in
        [action]?
        • How RHACM now interprets and displays Kyverno's PolicyException.
        • That all exception creation and approval still occurs within Kyverno's native tools.
      • How do we expect customers will use the feature? For what purpose(s)?
        • To quickly verify if a reported non-compliance is covered by an existing, active exemption.
      • What reference material might a customer want/need to complete [action]?
        • A UI guide pointing out the new exemption indicators.
        • Links to the official Kyverno PolicyException documentation.
      • Is there source material that can be used as reference for the Technical
        Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or
        Release Note)?
        • A release note announcing the improved visibility for Kyverno PolicyExceptions.

              Sho Weimer, Mahendra Singh, Derek Ho