Policies and Rules Count

This metric tracks the number of policies and rules in the cluster, covering both those that are currently active and those that were created in the past but are no longer active.

Metric Name(s)

  • kyverno_policy_rule_info_total

Metric Value

Gauge: 1 for rules currently active in the cluster.

Metric Labels

| Label | Allowed Values | Description |
| --- | --- | --- |
| policy_background_mode | “true”, “false” | Policy’s set background mode |
| policy_name | | Name of the policy to which the rule belongs |
| policy_namespace | | Namespace in which this Policy resides (only for policies with kind: Policy). For ClusterPolicies, this field will be “-” |
| policy_type | “cluster”, “namespaced” | Kind of the rule’s parent policy. Kind: ClusterPolicy or Kind: Policy |
| policy_validation_mode | “enforce”, “audit” | PolicyValidationFailure action of the rule’s parent policy |
| rule_name | | Name of the rule, in the above policy, which is evaluating in this situation |
| rule_type | “validate”, “mutate”, “generate” | Rule’s behavior type. For rule_execution_cause=“background_scan”, it will always be “validate” as background scans only run validate rules |
| status_ready | “true”, “false” | Readiness of the policy. When ready, the policy is able to serve admission requests |

Use cases

  • The cluster admin wants to know the average number of cluster policies in the cluster over the last year.
  • The cluster admin wants to track the trend of the count of policies applied in the default namespace.
  • The cluster admin wants to track and see the month when the default namespace possessed the highest number of policies.

Useful Queries

  • Tracking the count of the cluster policies currently active:
    count(count(kyverno_policy_rule_info_total{policy_type="cluster"} == 1) by (policy_name))

  • Tracking the per-minute rate (averaged over 30s) at which “validate” rules (of both cluster and namespaced policies) are being added to the cluster:
    rate(kyverno_policy_rule_info_total{rule_type="validate"}[30s] == 1)*60

  • Tracking the total number of mutate rules added in the last 24 hours:

  • Tracking the total number of active policies with enforce mode and background mode:
    count(count(kyverno_policy_rule_info_total{policy_validation_mode="enforce", policy_background_mode="true"}==1) by (policy_name))
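Added example (not part of the Kyverno documentation): the metric exposes one series per rule, so the queries above wrap an inner count by (policy_name) to count policies rather than rules. The Python sketch below reproduces that aggregation over a constructed scrape and shows that grouping by policy_name alone merges namespaced policies that share a name. The sample values, the helper names, and the use of value 0 for a rule that is no longer active are assumptions.

```python
import re

METRIC = "kyverno_policy_rule_info_total"
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample scrape (not real cluster output); labels follow the table above.
ROW = (METRIC + '{{policy_background_mode="{bg}",policy_name="{name}",policy_namespace="{ns}",'
       'policy_type="{ptype}",policy_validation_mode="{mode}",rule_name="{rule}",'
       'rule_type="{rtype}",status_ready="true"}} {value}')
SAMPLE = "\n".join(
    ROW.format(name=n, ns=ns, ptype=t, mode=m, bg=b, rule=r, rtype=rt, value=v)
    for n, ns, t, m, b, r, rt, v in [
        ("require-labels", "-", "cluster", "enforce", "true", "check-team", "validate", 1),
        ("require-labels", "-", "cluster", "enforce", "true", "check-owner", "validate", 1),
        ("add-default-sa", "-", "cluster", "audit", "false", "set-sa", "mutate", 1),
        ("restrict-images", "default", "namespaced", "enforce", "true", "allowed-registry", "validate", 1),
        ("restrict-images", "payments", "namespaced", "enforce", "true", "allowed-registry", "validate", 1),
        # Assumption: a rule that existed earlier but is no longer active reports 0.
        ("old-policy", "-", "cluster", "enforce", "true", "legacy", "validate", 0),
    ])

def parse(text):
    """Return (labels, value) for every sample of METRIC in exposition text."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^(\w+)\{(.*)\}\s+(\S+)$', line.strip())
        if m and m.group(1) == METRIC:
            out.append((dict(LABEL_RE.findall(m.group(2))), float(m.group(3))))
    return out

def active(series, **match):
    """Equivalent of the selector `metric{<match>} == 1`: one entry per active rule."""
    return [l for l, v in series
            if v == 1 and all(l.get(k) == want for k, want in match.items())]

def count_policies(series, by=("policy_name",), **match):
    """Equivalent of count(count(metric{<match>} == 1) by (<by>)): distinct groups."""
    return len({tuple(l.get(k) for k in by) for l in active(series, **match)})

if __name__ == "__main__":
    s = parse(SAMPLE)
    print("active cluster rule series:", len(active(s, policy_type="cluster")))
    print("active cluster policies:", count_policies(s, policy_type="cluster"))
    enforce = dict(policy_validation_mode="enforce", policy_background_mode="true")
    print("enforce+background, by policy_name:", count_policies(s, **enforce))
    print("enforce+background, by namespace and name:",
          count_policies(s, by=("policy_namespace", "policy_name"), **enforce))
```

When a query spans namespaced policies, grouping by (policy_namespace, policy_name) keeps same-named policies in different namespaces from being counted once.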

Last modified April 08, 2024 at 8:29 AM PST: Refactor links (#1205) (5060f3d)