Introduction

Kyverno operates as a dynamic admission controller in a Kubernetes cluster. It processes validating and mutating webhook requests from the Kubernetes API server and enforces matching policies to either allow or reject requests.
Kyverno policies can target resources based on attributes like kind, name, label selectors, and more.

Kyverno comprises four Deployments, each running a specific type of controller, responsible for key functionalities:

  • Admission Controller
  • Reports Controller
  • Background Controller
  • Cleanup Controller

Every controller pod exposes Prometheus metrics on port 8000, and the metrics are collected from all pods on that port.

Kubernetes 2.0 ConfigMap

Users should update or append to the existing ConfigMap named opsramp-workload-metric-user-config by adding application-specific fields. These fields may include authentication credentials, collection frequency, and other relevant configuration.

apiVersion: v1
kind: ConfigMap
metadata:
  name: opsramp-workload-metric-user-config
  namespace: opsramp-agent
data:
  workloads: |
    kyverno:
    - name: kyverno
      collectionFrequency: 1m
      port: 8000
      filters:
        - regex: 'kyverno_policy_results_total'
          action: include
        - regex: 'kyverno_policy_rule_info_total'
          action: exclude
      targetPodSelector:
        matchLabels:
          - key: app.kubernetes.io/instance
            operator: ==
            value:
              - kyverno

Supported Metrics

Supported metrics for this workload as provided by the Kubernetes 2.0 Agent.

| Metric name | Description | Unit |
| --- | --- | --- |
| kyverno_policy_rule_info_total | Can be used to track the info of the rules and/or policies present in the cluster. 0 means the rule doesn't exist and has been deleted, 1 means the rule currently exists in the cluster. | Gauge |
| kyverno_policy_results_total | Can be used to track the results associated with the policies applied in the user's cluster, at the level from rule to policy to admission requests. | Counter |
| kyverno_http_requests_duration_seconds_count | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_http_requests_duration_seconds_sum | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_http_requests_duration_seconds_bucket | Can be used to track the latencies (in seconds) associated with the entire individual HTTP request. | Histogram |
| kyverno_policy_execution_duration_seconds_count | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_policy_execution_duration_seconds_sum | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_policy_execution_duration_seconds_bucket | Can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests. | Histogram |
| kyverno_admission_review_duration_seconds_count | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_review_duration_seconds_sum | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_review_duration_seconds_bucket | Can be used to track the end-to-end latencies associated with the entire individual admission review, corresponding to the incoming resource request triggering a bunch of policies and rules. | Histogram |
| kyverno_admission_requests_total | Can be used to track the number of admission requests encountered by Kyverno in the cluster. | Counter |
| kyverno_client_queries_total | Can be used to track the number of client queries sent from Kyverno to the API server. | Counter |
| kyverno_policy_changes_total | Can be used to track all the changes associated with the Kyverno policies present on the cluster, such as creation, updates, and deletions. | Counter |
| kyverno_http_requests_total | Can be used to track the number of HTTP requests. | Counter |
| kyverno_controller_reconcile_total | Can be used to track the number of reconciliation cycles. | Counter |
| kyverno_controller_drop_total | Can be used to track the number of times a controller drops elements. | Counter |
| kyverno_controller_requeue_total | Can be used to track the number of times a controller requeues elements to be processed. | Counter |
| kyverno_cleanup_controller_deletedobjects_total | Can be used to track the number of objects deleted by the cleanup controller. | Counter |
| kyverno_ttl_controller_deletedobjects | Can be used to track the number of objects deleted by the cleanup TTL controller. | Counter |
| kyverno_cleanup_controller_errors_total | Can be used to track the number of errors encountered by the cleanup controller while trying to delete objects. | Counter |
| kyverno_ttl_controller_errors | Can be used to track the number of errors encountered by the cleanup TTL controller while trying to delete objects. | Counter |
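The following added example (not part of the original documentation or of OpsRamp's or Kyverno's code) shows how kyverno_policy_results_total, the counter the ConfigMap above includes, can be read across two collections one minute apart to find policies with new rule failures, including the case where the counter resets after a pod restart. The label names policy_name and rule_result are assumed from upstream Kyverno's metric labels; the scrape text and policy names are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample scrapes of a Kyverno pod's port-8000 metrics, one minute apart.
# Label names (policy_name, rule_result) are assumed from upstream Kyverno; values are invented.
SCRAPE_T0 = '''\
# TYPE kyverno_policy_results_total counter
kyverno_policy_results_total{policy_name="require-labels",rule_result="pass"} 40
kyverno_policy_results_total{policy_name="require-labels",rule_result="fail"} 2
kyverno_policy_results_total{policy_name="disallow-privileged",rule_result="fail"} 7
kyverno_admission_requests_total{resource_kind="Pod"} 120
'''
SCRAPE_T1 = '''\
kyverno_policy_results_total{policy_name="require-labels",rule_result="pass"} 55
kyverno_policy_results_total{policy_name="require-labels",rule_result="fail"} 5
kyverno_policy_results_total{policy_name="disallow-privileged",rule_result="fail"} 3
kyverno_admission_requests_total{resource_kind="Pod"} 150
'''

SAMPLE = re.compile(r'^(\w+)\{([^}]*)\}\s+([0-9.eE+-]+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def results_by_policy(text, metric="kyverno_policy_results_total"):
    """Sum one counter per (policy_name, rule_result), ignoring other series."""
    totals = defaultdict(float)
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())
        if not m or m.group(1) != metric:
            continue
        labels = dict(LABEL.findall(m.group(2)))
        totals[(labels.get("policy_name", ""), labels.get("rule_result", ""))] += float(m.group(3))
    return dict(totals)

def new_failures(prev_text, curr_text):
    """Failures added between scrapes; a drop means the counter reset (pod restart)."""
    prev, curr = results_by_policy(prev_text), results_by_policy(curr_text)
    out = {}
    for (policy, result), value in curr.items():
        if result != "fail":
            continue
        before = prev.get((policy, result), 0.0)
        delta = value - before if value >= before else value  # reset: count from zero
        if delta > 0:
            out[policy] = delta
    return out

if __name__ == "__main__":
    for policy, n in sorted(new_failures(SCRAPE_T0, SCRAPE_T1).items()):
        print(f"{policy}: {n:.0f} new rule failures")
```

Treating a drop in the counter as a reset keeps failures recorded just after a controller pod restart from being discarded as a negative delta.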