Policies and Rule Counts

This metric tracks the number of policies and rules in the cluster, both those that are currently active and those that were created in the past but are no longer active.

Metric Name

kyverno_policy_rule_info_total

Metric Value

  • 0 - if the rule is no longer present in the cluster (although it was created in the past).
  • 1 - if the rule is currently present in the cluster.

Use cases

  • The cluster admin wants to know the average number of cluster policies in the cluster over the last year.
  • The cluster admin wants to track the trend in the number of policies applied in the default namespace.
  • The cluster admin wants to find the month in which the default namespace had the highest number of policies.

Filter Labels

| Label | Allowed Values | Description |
|---|---|---|
| policy_validation_mode | “enforce”, “audit” | PolicyValidationFailure action of the rule’s parent policy |
| policy_type | “cluster”, “namespaced” | Kind of the rule’s parent policy. Kind: ClusterPolicy or Kind: Policy |
| policy_background_mode | “true”, “false” | Policy’s set background mode |
| policy_name | | Name of the policy to which the rule belongs |
| policy_namespace | | Namespace in which this Policy resides (only for policies with kind: Policy). For ClusterPolicies, this field will be “-” |
| rule_name | | Name of the rule, in the above policy, which is evaluating in this situation |
| rule_type | “validate”, “mutate”, “generate” | Rule’s behaviour type. For rule_execution_cause=“background_scan”, it will always be “validate” as background scans only run validate rules |
| status_ready | “true”, “false” | Readiness of the policy. When ready, the policy is able to serve admission requests |

Useful Queries

  • Tracking the count of the cluster policies currently active:
    count(count(kyverno_policy_rule_info_total{policy_type="cluster"} == 1) by (policy_name))

  • Tracking the per-minute rate (averaged over 30s) at which “validate” rules (of both cluster and namespaced policies) are being added to the cluster:
    rate(kyverno_policy_rule_info_total{rule_type="validate"}[30s] == 1)*60

  • Tracking the total number of mutate rules added in the last 24 hours:
    count(kyverno_policy_rule_info_total{rule_type="mutate"}[24h]==1)

  • Tracking the total number of active policies with enforce mode and background mode:
    count(count(kyverno_policy_rule_info_total{policy_validation_mode="enforce", policy_background_mode="true"}==1) by (policy_name))
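
The counts behind the first and last queries above, computed directly from scraped metric text, as an added example that is not part of the Kyverno documentation. It also lists rules whose value is 0, rules whose policy is not ready, and rules whose policy only audits. The sample lines and the policy and rule names are constructed, and the helper names parse, active_policies and review are hypothetical.

```python
import re

METRIC = "kyverno_policy_rule_info_total"
LINE = re.compile(r'^' + METRIC + r'\{(.*)\}\s+(\S+)')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample of scraped metric lines; policy and rule names are made up.
TEMPLATE = (METRIC + '{policy_background_mode="%s",policy_name="%s",policy_namespace="%s",'
            'policy_type="%s",policy_validation_mode="%s",rule_name="%s",rule_type="%s",'
            'status_ready="%s"} %d')
SAMPLE = "\n".join(TEMPLATE % row for row in [
    ("true", "require-labels", "-", "cluster", "enforce", "check-team", "validate", "true", 1),
    ("true", "require-labels", "-", "cluster", "enforce", "check-owner", "validate", "true", 1),
    ("true", "disallow-privileged", "-", "cluster", "enforce", "no-privileged", "validate", "false", 1),
    ("false", "add-default-limits", "default", "namespaced", "audit", "set-limits", "mutate", "true", 1),
    ("true", "block-host-path", "-", "cluster", "enforce", "no-host-path", "validate", "true", 0),
])

def parse(text):
    """Return [(labels, value)] for every sample of the metric in exposition text."""
    hits = (LINE.match(line.strip()) for line in text.splitlines())
    return [(dict(LABEL.findall(m.group(1))), float(m.group(2))) for m in hits if m]

def active_policies(samples, **want):
    """Policy names with at least one rule at value 1 whose labels match `want`."""
    return {l["policy_name"] for l, v in samples
            if v == 1 and all(l.get(k) == x for k, x in want.items())}

def review(samples):
    """Bucket the rules that weaken enforcement: removed, not ready, or audit-only."""
    out = {"removed": [], "not_ready": [], "audit_only": []}
    for l, v in samples:
        rule = (l["policy_name"], l["rule_name"])
        if v == 0:  # created in the past, no longer present in the cluster
            out["removed"].append(rule)
            continue
        if l.get("status_ready") == "false":
            out["not_ready"].append(rule)
        if l.get("policy_validation_mode") == "audit":
            out["audit_only"].append(rule)
    return out

if __name__ == "__main__":
    s = parse(SAMPLE)
    print(len(active_policies(s, policy_type="cluster")), "active cluster policies")
    print(len(active_policies(s, policy_validation_mode="enforce",
                              policy_background_mode="true")), "active enforce + background")
    print(review(s))
```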

Last modified October 06, 2021 at 12:29 AM PST: updated to suggested description (c8bad1d)