Helm Chart Upgrade v2.x .. v3.x Guide
General
The overall structure has been revised by resolving the subcharts of the Helm Chart into a single chart organized with sub-directories for the various components.
This restructuring simplifies the configuration of global settings and the way the components are configured to work with each other.
Upgrade Globals
```yaml
# v2.x
global:
  plugins:
    kyverno: false
  backend: ""
  fullnameOverride: ""
  namespace: ""
  labels: {}
  basicAuth:
    username: ""
    password: ""
    secretRef: ""
```

```yaml
# v3.x: fullnameOverride and namespaceOverride move to the chart root
fullnameOverride: "policy-reporter"
namespaceOverride: ""
global:
  labels: {}
  basicAuth:
    username: ""
    password: ""
    secretRef: ""
```
Upgrade ReportFilter
Small change to unify the configuration structure across features.
```yaml
# v2.x
reportFilter:
  namespaces:
    include: []
    exclude: []
  clusterReports:
    disabled: false
```

```yaml
# v3.x: the nested clusterReports.disabled becomes a flat flag
reportFilter:
  namespaces:
    include: []
    exclude: []
  disableClusterReports: false
```
Targets
The Policy Reporter specific field `priority` was removed and the corresponding `minimumPriority` configuration was replaced by `minimumSeverity`. This changed for all targets.
The default behavior of target pushes has also been changed: generally only `fail`, `warning` and `error` results are sent. There were no known use cases in which successful or skipped results were sent.
Example change
```yaml
# v2.x
target:
  loki:
    host: http://loki.monitoring:3000
    minimumPriority: 'warning'
```

```yaml
# v3.x
target:
  loki:
    host: http://loki.monitoring:3000
    # minimum severity "" < info < low < medium < high < critical
    minimumSeverity: ''
```
UI Target
In the new Policy Reporter UI v2, the Log page function has been removed as it was of little use, so the related `ui` push target was also dropped.
Telegram Target
To unify naming conventions the `chatID` option was renamed to `chatId`.
AWS Targets
To unify naming conventions the `accessKeyID` option for all AWS targets (S3, Kinesis, SecurityHub) was renamed to `accessKeyId`.
The same applies to the `accessKeyID` key in Secrets used via `secretRef` or `mountedSecret`.
SecurityHub Target
The SecurityHub integration has been completely redesigned. Instead of only pushing new violations without synchronizing removed resources or resolved policies, the new integration synchronizes all existing violations with SecurityHub and automatically resolves them once the associated resource or policy has been removed or the violation has been resolved.
```yaml
# v2.x
securityHub:
  accessKeyID: ""
  secretAccessKey: ""
  secretRef: ""
  mountedSecret: ""
  region: ""
  endpoint: ""
  accountID: ""
  productName: ""
  minimumPriority: ""
  sources: []
  skipExistingOnStartup: true
```

```yaml
# v3.x: ID keys renamed to Id, minimumSeverity replaces minimumPriority,
# and the new cleanup/synchronize/delayInSeconds options control the sync behavior
securityHub:
  accessKeyId: ""
  secretAccessKey: ""
  secretRef: ""
  mountedSecret: ""
  region: ""
  endpoint: ""
  accountId: ""
  productName: ""
  minimumSeverity: ""
  sources: []
  # Takes only effect when `cleanup` is disabled.
  skipExistingOnStartup: false
  cleanup: false
  # Syncs removed or resolved findings to SecurityHub
  synchronize: true
  # Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit
  delayInSeconds: 2
```
Loki Target
The Loki target now uses the `/loki/api/v1/push` API by default.
To align with other targets, the `source` label now reflects the `source` field of a PolicyReportResult. You can now query all logs created by Policy Reporter with the new `createdBy=policy-reporter` label.
LeaderElection
Small cleanup to enable LeaderElection manually; it is now only configured if Policy Reporter runs with `replicaCount` > 1.

```yaml
leaderElection:
  enabled: false
  releaseOnCancel: true
  leaseDuration: 15
  renewDeadline: 10
  retryPeriod: 2
```
Policy Reporter UI
As a result of the general chart restructuring, all Policy Reporter UI related values can now be found under `ui` in the main `values.yaml` file.
RefreshInterval
Automatic refresh has been removed in Policy Reporter UI v2. The page must now be refreshed manually.
```yaml
# removed in v3.x
ui:
  refreshInterval: 10000
```
Logs
As mentioned, this feature has also been removed and the maximum number of logs no longer needs to be configured.
```yaml
# removed in v3.x
ui:
  log:
    size: 200
```
Views
The organization of the dashboard has been completely revised and is now dependent on the available sources and categories. The current MVP does not offer the possibility to control the generally displayed pages. This might be implemented in a future release.
```yaml
# removed in v3.x
ui:
  views:
    dashboard:
      policyReports: true
      clusterPolicyReports: true
    logs: true
    policyReports: true
    clusterPolicyReports: true
    kyvernoPolicies: true
    kyvernoVerifyImages: true
```
Clusters
The configuration of all connected clusters, including the default cluster, is now unified in a single `clusters` list configuration.
```yaml
# v2.x
ui:
  plugins:
    kyverno: false
  clusterName: ""
  clusters:
  - name: External Cluster
    api: https://policy-reporter.external.cluster
    kyvernoApi: https://policy-reporter-kyverno-plugin.external.cluster
    skipTLS: false
    certificate: "/app/certs/root.ca"
    secretRef: ""
    basicAuth:
      username: ""
      password: ""
```

```yaml
# v3.x: `name` is the default cluster, `host` replaces `api`,
# and plugin endpoints move into a per-cluster `plugins` list
ui:
  name: Default
  clusters:
  - name: External Cluster
    host: https://policy-reporter.external.cluster
    skipTLS: false
    certificate: "/app/certs/root.ca"
    secretRef: ""
    basicAuth:
      username: ""
      password: ""
    plugins:
    - name: kyverno
      host: https://policy-reporter-kyverno-plugin.external.cluster
```
Label Filter
Label filters are not available in the current MVP; check out Custom Boards as an alternative approach.

```yaml
# removed in v3.x
ui:
  labelFilter: ['owner']
```
API Config
The API configuration moved to `server`.

```yaml
# v2.x
ui:
  api:
    logging: false
    overwriteHost: true
```

```yaml
# v3.x
ui:
  server:
    port: 8080
    overwriteHost: true
    logging:
      api: true
```
Redis
The optional redis support in the UI was only intended for the removed Logs page and is no longer necessary.
```yaml
# removed in v3.x
ui:
  redis:
    enabled: false
    address: ""
    database: 0
    prefix: "policy-reporter-ui"
    username: ""
    password: ""
```
Component API Port configurations
They were only needed because of the previous structure of the subcharts and are no longer necessary.
```yaml
# removed in v3.x
ui:
  policyReporter:
    port: 8080
  kyvernoPlugin:
    port: 8080
```
Kyverno Plugin
The plugin system has been completely revised for Policy Reporter UI v2; details can be found in the corresponding Plugin-System section in the documentation. While most of the configuration options for the Kyverno plugin have remained the same, the value path in the Helm Chart has been moved from `kyvernoPlugin` to `plugin.kyverno`.
As a result of the general chart restructuring, all Kyverno Plugin related values can now be found under `plugin.kyverno` in the main `values.yaml` file.
Enable the Plugin
```yaml
# v2.x
kyvernoPlugin:
  enabled: true
ui:
  plugins:
    kyverno: false
```

```yaml
# v3.x
plugin:
  kyverno:
    enabled: true
```
API Config
The configuration of `api` and `port` is now combined under `server`. The REST API is now always activated.

```yaml
# v2.x
kyvernoPlugin:
  enabled: true
  port:
    name: rest
    number: 8080
  api:
    logging: false
  rest:
    enabled: true
```

```yaml
# v3.x
plugin:
  kyverno:
    enabled: true
    server:
      port: 8080
```
Metrics
The plugin's metrics support has been removed in the current MVP.
```yaml
# removed in v3.x
kyvernoPlugin:
  enabled: true
  metrics:
    enabled: false
```
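Added example, not part of the Policy Reporter project: a Python helper that applies the value renames and removals described in the Globals, ReportFilter, Targets, Policy Reporter UI and Kyverno Plugin sections above to a v2.x values structure (here a constructed Python dict; load your own values.yaml with a YAML parser first) and lists the points that still need a manual decision, such as choosing a `minimumSeverity` because v2 priorities do not map onto severities.

```python
import copy

def migrate_values(v2: dict) -> tuple[dict, list[str]]:
    """Return (v3_values, notes); notes list changes that still need a manual follow-up."""
    v, notes = copy.deepcopy(v2), []
    g = v.get("global", {})                        # globals move to the chart root
    if "fullnameOverride" in g: v["fullnameOverride"] = g.pop("fullnameOverride")
    if "namespace" in g: v["namespaceOverride"] = g.pop("namespace")
    for k in ("plugins", "backend"): g.pop(k, None)
    rf = v.get("reportFilter", {})                 # clusterReports.disabled -> disableClusterReports
    if "clusterReports" in rf:
        rf["disableClusterReports"] = bool(rf.pop("clusterReports").get("disabled"))
    tg = v.get("target", {})
    tg.pop("ui", None)                             # the ui push target was dropped
    for name, t in tg.items():
        if "minimumPriority" in t:                 # a priority is not a severity: no auto-mapping
            t.pop("minimumPriority"); t.setdefault("minimumSeverity", "")
            notes.append(f"target.{name}: set minimumSeverity by hand (minimumPriority removed)")
        for old, new in (("chatID", "chatId"), ("accessKeyID", "accessKeyId"), ("accountID", "accountId")):
            if old in t: t[new] = t.pop(old)
        if name in ("s3", "kinesis", "securityHub") and (t.get("secretRef") or t.get("mountedSecret")):
            notes.append(f"target.{name}: rename accessKeyID to accessKeyId inside the Secret")
    ui = v.get("ui", {})
    if "api" in ui:                                # ui.api -> ui.server
        api = ui.pop("api")
        ui["server"] = {"port": 8080, "overwriteHost": api.get("overwriteHost", True),
                        "logging": {"api": api.get("logging", False)}}
    if "clusterName" in ui: ui["name"] = ui.pop("clusterName")
    for c in ui.get("clusters", []):               # api/kyvernoApi -> host + plugins list
        if "api" in c: c["host"] = c.pop("api")
        if "kyvernoApi" in c: c["plugins"] = [{"name": "kyverno", "host": c.pop("kyvernoApi")}]
    for k in ("refreshInterval", "log", "views", "labelFilter", "redis",
              "policyReporter", "kyvernoPlugin", "plugins"):  # features removed in UI v2
        if ui.pop(k, None) is not None: notes.append(f"ui.{k} removed in v3")
    kp = v.pop("kyvernoPlugin", None)              # kyvernoPlugin -> plugin.kyverno (server.port)
    if kp is not None:
        v.setdefault("plugin", {})["kyverno"] = {"enabled": kp.get("enabled", False),
            "server": {"port": kp.get("port", {}).get("number", 8080)}}
    return v, notes

# Constructed v2.x values for demonstration only (not from a real deployment).
V2_SAMPLE = {
    "global": {"fullnameOverride": "pr", "namespace": "policy-reporter", "plugins": {"kyverno": True}},
    "reportFilter": {"clusterReports": {"disabled": True}},
    "target": {"loki": {"host": "http://loki.monitoring:3000", "minimumPriority": "warning"},
               "s3": {"accessKeyID": "k", "secretRef": "aws-creds"}, "ui": {"host": "http://ui:8080"}},
    "ui": {"api": {"logging": True}, "refreshInterval": 10000, "clusterName": "Prod",
           "clusters": [{"name": "Ext", "api": "https://pr.ext", "kyvernoApi": "https://kp.ext"}]},
    "kyvernoPlugin": {"enabled": True, "port": {"name": "rest", "number": 8080}},
}
```

Run `migrate_values(V2_SAMPLE)` and review the returned notes before applying the migrated values with `helm upgrade`.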
Trivy Plugin
The Policy Reporter Helm Chart v3 introduces a new plugin for Trivy vulnerability findings; you can find details on the corresponding Trivy Plugin page.
Enable the Plugin
```yaml
plugin:
  trivy:
    enabled: true
```
Monitoring
While the structure of the `monitoring` subchart remains largely the same, the hardcoded `ServiceMonitor` relabelings for removing duplicate data have been removed. Instead, the dashboards have been updated to handle metrics from an HA setup with multiple pods.
ServiceMonitor
If you only use the provided dashboards from the `monitoring` subchart you have nothing to change. All dashboards are updated to handle this change.
If you use your own dashboards you can:
- recreate the old behavior by adding the removed relabelings to your values:

  ```yaml
  monitoring:
    serviceMonitor:
      relabelings:
      - action: labeldrop
        regex: pod|service|container
      - targetLabel: instance
        replacement: policy-reporter
        action: replace
  ```

- update your dashboards to handle the `pod` label. Example:

  ```promql
  # before
  sum(policy_report_result{policy=~"$policy", category=~"$category", severity=~"$severity", source=~"$source", kind=~"$kind", exported_namespace=~"$namespace" } > 0) by (status, exported_namespace)
  # after: aggregate per pod first, then take the max so duplicated series from several replicas count once
  max(sum(policy_report_result{policy=~"$policy", category=~"$category", severity=~"$severity", source=~"$source", kind=~"$kind", exported_namespace=~"$namespace" } > 0) by (status, exported_namespace, pod)) by (status, exported_namespace)
  ```