Policies and Rule Counts
Metric Name
kyverno_policy_rule_info_total
Metric Value
- 0 - if the rule is not anymore present in the cluster (although it was created in the past).
- 1 - if the rule is currently actively present in the cluster.
Use cases
- The cluster admin wants to know the average number of cluster policies in the cluster since last 1 year.
- The cluster admin wants to track the trend of the count of policies applied in the default namespace.
- The cluster admin wants to track and see the month when the default namespace possessed the highest number of policies.
Filter Labels
| Label | Allowed Values | Description |
|---|---|---|
| policy_validation_mode | “enforce”, “audit” | PolicyValidationFailure action of the rule’s parent policy |
| policy_type | “cluster”, “namespaced” | Kind of the rule’s parent policy. Kind: ClusterPolicy or Kind: Policy |
| policy_background_mode | “true”, “false” | Policy’s set background mode |
| policy_name | Name of the policy to which the rule belongs | |
| policy_namespace | Namespace in which this Policy resides (only for policies with kind: Policy), For ClusterPolicies, this field will be “-” | |
| rule_name | Name of the rule, in the above policy, which is evaluating in this situation | |
| rule_type | “validate”, “mutate”, “generate” | Rule’s behavior type. For rule_execution_cause=“background_scan”, it will always be “validate” as background scans only run validate rules |
| status_ready | “true”, “false” | Readiness of the policy. When ready, the policy is able to serve admission requests |
Useful Queries
Tracking the count of the cluster policies currently active:
count(count(kyverno_policy_rule_info_total{policy_type="cluster"} == 1) by (policy_name))Tracking the per-minute rate (avged over 30s) at which “validate” rules (both of cluster and namespaced policies) are being added to the cluster:
rate(kyverno_policy_rule_info_total{rule_type="validate"}[30s] == 1)*60Tracking the total number of mutate rules added in the last 24hrs:
count(kyverno_policy_rule_info_total{rule_type="mutate"}[24h]==1)Tracking the total number of active policies with enforce mode and background mode:
count(count(kyverno_policy_rule_info_total{policy_validation_mode="enforce", policy_background_mode="true"}==1) by (policy_name))