Policies and Rules Count
Metric Name(s)
kyverno_policy_rule_info_total
Metric Value
Gauge - 1 for rules currently actively present in the cluster.
Metric Labels
Label | Allowed Values | Description |
---|---|---|
policy_background_mode | “true”, “false” | Policy’s set background mode |
policy_name | | Name of the policy to which the rule belongs |
policy_namespace | | Namespace in which this Policy resides (only for policies with kind: Policy). For ClusterPolicies, this field will be “-” |
policy_type | “cluster”, “namespaced” | Kind of the rule’s parent policy. Kind: ClusterPolicy or Kind: Policy |
policy_validation_mode | “enforce”, “audit” | PolicyValidationFailure action of the rule’s parent policy |
rule_name | | Name of the rule, in the above policy, which is evaluating in this situation |
rule_type | “validate”, “mutate”, “generate” | Rule’s behavior type. For rule_execution_cause=“background_scan”, it will always be “validate” as background scans only run validate rules |
status_ready | “true”, “false” | Readiness of the policy. When ready, the policy is able to serve admission requests |
Use cases
- The cluster admin wants to know the average number of cluster policies in the cluster over the last year.
- The cluster admin wants to track the trend of the count of policies applied in the default namespace.
- The cluster admin wants to find the month in which the default namespace had the highest number of policies.
Useful Queries
Tracking the count of the cluster policies currently active:
count(count(kyverno_policy_rule_info_total{policy_type="cluster"} == 1) by (policy_name))
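Tracking the per-minute rate (averaged over 30s) at which “validate” rules (of both cluster and namespaced policies) are being added to the cluster. The metric is a gauge and a comparison cannot be applied to a range vector, so the query takes the derivative of the active-rule count over a subquery (the 5s step is an assumption; adjust it to your evaluation interval):
deriv(count(kyverno_policy_rule_info_total{rule_type="validate"} == 1)[30s:5s]) * 60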
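Tracking the total number of mutate rules added in the last 24 hours (rules active within the window that were not active 24 hours earlier):
count(max_over_time(kyverno_policy_rule_info_total{rule_type="mutate"}[24h]) == 1 unless kyverno_policy_rule_info_total{rule_type="mutate"} offset 24h == 1)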
Tracking the total number of active policies with enforce mode and background mode:
count(count(kyverno_policy_rule_info_total{policy_validation_mode="enforce", policy_background_mode="true"}==1) by (policy_name))
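The same label filters can be applied offline to a scraped /metrics payload, for example to list policies that are in audit mode or not ready. This is an added example, not code from the Kyverno project; the sample scrape is constructed and the function names are hypothetical. It goes slightly beyond the queries above by keying policies on (policy_namespace, policy_name), so namespaced policies that share a name are not merged.

```python
import re

METRIC = "kyverno_policy_rule_info_total"
# Constructed sample of a /metrics scrape (not taken from a real cluster).
SAMPLE = '''\
# TYPE kyverno_policy_rule_info_total gauge
kyverno_policy_rule_info_total{policy_background_mode="true",policy_name="require-labels",policy_namespace="-",policy_type="cluster",policy_validation_mode="enforce",rule_name="check-team",rule_type="validate",status_ready="true"} 1
kyverno_policy_rule_info_total{policy_background_mode="true",policy_name="require-labels",policy_namespace="-",policy_type="cluster",policy_validation_mode="enforce",rule_name="check-owner",rule_type="validate",status_ready="true"} 1
kyverno_policy_rule_info_total{policy_background_mode="false",policy_name="add-netpol",policy_namespace="-",policy_type="cluster",policy_validation_mode="audit",rule_name="default-deny",rule_type="generate",status_ready="true"} 1
kyverno_policy_rule_info_total{policy_background_mode="true",policy_name="restrict-images",policy_namespace="default",policy_type="namespaced",policy_validation_mode="enforce",rule_name="trusted-registry",rule_type="validate",status_ready="false"} 1
kyverno_policy_rule_info_total{policy_background_mode="true",policy_name="old-policy",policy_namespace="-",policy_type="cluster",policy_validation_mode="enforce",rule_name="r1",rule_type="validate",status_ready="true"} 0
'''

LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def active_rules(text):
    """Yield the label dict of every series of the metric whose value is 1."""
    for line in text.splitlines():
        m = LINE.match(line)  # comment lines starting with '#' do not match
        if m and m.group(1) == METRIC and float(m.group(3)) == 1:
            yield dict(LABEL.findall(m.group(2)))


def policies(text, **want):
    """Distinct (namespace, name) pairs with an active rule matching the labels."""
    return {(r["policy_namespace"], r["policy_name"])
            for r in active_rules(text)
            if all(r.get(k) == v for k, v in want.items())}


def summary(text):
    """Counts matching the queries above, plus policies worth a closer look."""
    return {
        "cluster_policies": len(policies(text, policy_type="cluster")),
        "enforce_background": len(policies(
            text, policy_validation_mode="enforce", policy_background_mode="true")),
        "audit_only": sorted(policies(text, policy_validation_mode="audit")),
        "not_ready": sorted(policies(text, status_ready="false")),
    }


if __name__ == "__main__":
    print(summary(SAMPLE))
```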