How to upgrade the Kyverno Policy Reporter Package chart

  1. Checkout the branch that renovate created. This branch will have the image tag updates and typically some other necessary version changes that you will want. You can either work off of this branch or branch off of it.
  2. Find the latest upstream chart version that corresponds to the new image version. Typically check the appVersion here and find the newest tag where this matches the image tag. Git tags are in the format policy-reporter-x.y.z.
  3. Update the chart via kpt, using the version you just found. You should be able to run kpt pkg update chart@<version> --strategy force-delete-replace (e.g. kpt pkg update chart@policy-reporter-2.11.0 --strategy force-delete-replace). NOTE: You can use a different strategy here which may save time, but force-delete-replace is the safest to ensure we get all upstream changes.
  4. Follow the section below for modifications from upstream to restore all of the Big Bang specific changes.
  5. Validate versioning for Chart.yaml (this generally should be complete between renovate + restoring the modifications). appVersion should equal the new image version, version should be the upstream version with -bb.0 appended.
  6. Add a changelog entry for the new chart version. At minimum mention the new upstream chart version and new image version(s).
  7. Update the readme following the instructions from gluon.
  8. Push up all changes and open an MR (or use the one opened by Renovate). Validate the pipeline passes, then proceed to the testing section. Adjust CI tests if needed based on package changes.

Modifications from Upstream

This is a high level list of all changes from the upstream chart. Ensure that these changes are maintained across updates.

chart/templates/bigbang

  • This folder contains networkpolicies and peerauthentication resources
  • Can be restored after a kpt update with git restore chart/templates/bigbang

chart/tests/cypress

  • This folder contains cypress tests for CI testing of the reporter
  • Can be restored after a kpt update with git restore chart/tests/cypress

chart/templates/tests

  • This folder contains manifests to run the cypress tests in CI
  • Can be restored after a kpt update with git restore chart/templates/tests

chart/Chart.yaml

  • Add -bb.0 (or applicable bb version) to the version
  • Add gluon library as a dependency (and run helm dependency update chart)
  • Add the Big Bang version annotation to support release engineering automation
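The following script is an added example (not part of the Big Bang docs or the policy-reporter project) that automates the Chart.yaml checks from step 5 of the upgrade procedure and the chart/Chart.yaml modification list above: appVersion must equal the new image tag, version must be the upstream chart version with -bb.<n> appended, and gluon must be listed as a dependency. The Chart.yaml contents, image tag and chart version below are constructed sample values; the check functions are hypothetical helpers, not Big Bang tooling.

```bash
#!/usr/bin/env bash
# Added example: validate Chart.yaml versioning after a kpt chart update.
set -eu

# Read a top-level "key: value" pair from a YAML file (top-level only, so the
# indented "version:" of a dependency is not picked up). Quotes are stripped.
yaml_top_value() {
  local file="$1" key="$2"
  sed -n "s/^$key:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$file" | head -n1
}

# Apply the upgrade guide's rules. Prints "ok" and returns 0 on success;
# prints the first violation and returns 1 otherwise.
check_chart_versions() {
  local chart="$1" image_tag="$2" upstream="$3"
  local app_version version
  app_version=$(yaml_top_value "$chart" appVersion)
  version=$(yaml_top_value "$chart" version)
  # Rule 1: appVersion == new Ironbank image tag
  if [ "$app_version" != "$image_tag" ]; then
    echo "appVersion '$app_version' != image tag '$image_tag'"; return 1
  fi
  # Rule 2: version == <upstream chart version>-bb.<n>
  case "$version" in
    "$upstream"-bb.[0-9]*) ;;
    *) echo "version '$version' is not '${upstream}-bb.<n>'"; return 1 ;;
  esac
  # Rule 3: gluon library chart is declared as a dependency
  grep -q '^[[:space:]]*-[[:space:]]*name:[[:space:]]*gluon' "$chart" \
    || { echo "gluon dependency missing from $chart"; return 1; }
  echo "ok"
}

# Constructed sample Chart.yaml as it should look after the upgrade
# (2.10.3 image tag and 2.11.0 upstream chart version are made-up values).
tmp=$(mktemp -d)
cat > "$tmp/Chart.yaml" <<'EOF'
apiVersion: v2
name: policy-reporter
version: 2.11.0-bb.0
appVersion: 2.10.3
dependencies:
  - name: gluon
    version: "0.0.0"
EOF
# Constructed sample where renovate's appVersion bump was lost during the update.
sed 's/^appVersion: .*/appVersion: 2.9.0/' "$tmp/Chart.yaml" > "$tmp/Chart-stale.yaml"

check_chart_versions "$tmp/Chart.yaml" 2.10.3 2.11.0            # prints: ok
check_chart_versions "$tmp/Chart-stale.yaml" 2.10.3 2.11.0 || true   # prints the mismatch
```

Run it from the package repo root with the real image tag and upstream version in place of the constructed values; a non-zero exit means one of the three rules from the guide is not met.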

chart/charts/kyvernoPlugin/values.yaml

  • Update to point to the Ironbank image for policy-reporter-kyverno-plugin

chart/values.yaml

  • Update to point to the Ironbank image for policy-reporter
  • Addition of values for networkPolicies, openshift, istio, and bbtests
  • Addition of securityContext.runAsGroup set to 1234

Testing new Kyverno Reporter version

Pipeline tests will validate all basic functionality of monitoring components (servicemonitor healthy in prometheus + dashboards show in grafana with data).

Since the pipeline does not install Istio and the package is currently not part of the umbrella chart, it is advised to deploy locally for some basic testing of Istio injection/mTLS. You can follow the below instructions to install it on top of an umbrella deployment.

  1. Deploy the Big Bang chart with Istio, Kyverno, Kyverno Policies, and Monitoring enabled.
  2. Create a new namespace to deploy Kyverno Reporter into with kubectl create ns kyverno-reporter.
  3. Label the namespace for istio injection with kubectl label ns kyverno-reporter istio-injection=enabled.
  4. Add image pull secrets for Kyverno Reporter. One of the easy ways to do this is by copying from another namespace with kubectl get secret private-registry -n=istio-system -o yaml | sed 's/namespace: .*/namespace: kyverno-reporter/' | kubectl apply -n=kyverno-reporter -f -.
  5. Deploy Kyverno Reporter with a modified version of the test values using helm upgrade -i kyverno-reporter chart -n kyverno-reporter -f tests/test-values.yaml --set istio.enabled=true --set networkPolicies.controlPlaneCidr=$(kubectl get endpoints kubernetes -ojsonpath='{.subsets[0].addresses[0].ip}' 2>/dev/null)/32. The --set overrides here will ensure that network policies function appropriately for your deployment. Alternatively you could modify the test-values or point to a different override when you install.
  6. Navigate to the Prometheus targets page and validate that the Kyverno Reporter servicemonitor shows up and is healthy.
  7. Navigate to Grafana and search for policy dashboards. Validate that 3 dashboards appear in the search and data is loaded in each. It can be helpful to deploy an additional package at this point to cause some additional policy violations/reports.
  8. Perform any additional testing (of specific new features, specific connections, etc) as needed.
  9. Uninstall as needed with helm uninstall kyverno-reporter -n kyverno-reporter or test changes iteratively by re-running the above helm upgrade command.

Last update: 2023-02-06 by Ernest Chuang