Introduction
Kyverno operates as a dynamic admission controller in a Kubernetes cluster. It processes validating and mutating webhook requests from the Kubernetes API server and enforces matching policies to either allow or reject requests.
Kyverno policies can target resources based on attributes like kind, name, label selectors, and more.
Kyverno comprises four Deployments, each running a specific type of controller, responsible for key functionalities:
- Admission Controller
- Reports Controller
- Background Controller
- Cleanup Controller
Prometheus metrics are exposed on all controller pods at port 8000. These metrics are collected from all pods on this port.
Kubernetes 2.0 ConfigMap
Users should update or append the existing ConfigMap named opsramp-workload-metric-user-config by adding application-specific fields. These fields may include authentication credentials, collection frequency, and other relevant configurations.
apiVersion: v1
kind: ConfigMap
metadata:
name: opsramp-workload-metric-user-config
namespace: opsramp-agent
data:
workloads: |
kyverno:
- name: kyverno
collectionFrequency: 1m
port: 8000
filters:
- regex: 'kyverno_policy_results_total'
action: include
- regex: 'kyverno_policy_rule_info_total'
action: exclude
targetPodSelector:
matchLabels:
- key: app.kubernetes.io/instance
operator: ==
value:
- kyvernoSupported Metrics
Supported metrics for this workload as provided by the Kubernetes 2.0 Agent.
| Metric name | Description | Unit |
|---|---|---|
| kyverno_policy_rule_info_total | Can be used to track the info of the rules or/and policies present in the cluster. 0 means the rule doesn't exist and has been deleted, 1 means the rule is currently existent in the cluster. | Gauge |
| kyverno_policy_results_total | Can be used to track the results associated with the policies applied in the user's cluster, at the level from rule to policy to admission requests. | Counter |
| kyverno_http_requests_duration_seconds_count | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_http_requests_duration_seconds_sum | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_http_requests_duration_seconds_bucket | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_policy_execution_duration_seconds_count | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_policy_execution_duration_seconds_sum | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_policy_execution_duration_seconds_bucket | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_admission_review_duration_seconds_count | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_review_duration_seconds_sum | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_review_duration_seconds_bucket | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_requests_total | Can be used to track the number of admission requests encountered by Kyverno in the cluster. | Counter |
| kyverno_client_queries_total | Can be used to track the number of client queries sent from Kyverno to the API-server. | Counter |
| kyverno_policy_changes_total | Can be used to track all the changes associated with the Kyverno policies present on the cluster such as creation, updates, and deletions. | Counter |
| kyverno_http_requests_total | Can be used to track the number of HTTP requests. | Counter |
| kyverno_controller_reconcile_total | Can be used to track the number of reconciliation cycles. | Counter |
| kyverno_controller_drop_total | Can be used to track the number of times a controller drops elements. | Counter |
| kyverno_controller_requeue_total | Can be used to track the number of times a controller requeues elements to be processed. | Counter |
| kyverno_cleanup_controller_deletedobjects_total | Can be used to track the number of objects deleted by the cleanup controller. | Counter |
| kyverno_ttl_controller_deletedobjects | Can be used to track the number of objects deleted by the cleanup TTL controller. | Counter |
| kyverno_cleanup_controller_errors_total | Can be used to track the number of errors encountered by the cleanup controller while trying to delete objects. | Counter |
| kyverno_ttl_controller_errors | Can be used to track the number of errors encountered by the cleanup TTL controller while trying to delete objects. | Counter |