- Description
- Setup Backstage with Kyverno-policy-reports
- How to annotate services
- Publishing New Versions of a Package
The Backstage-policy-reporter-plugin integrates Policy Reporter with Backstage to provide a clear and detailed view of Kyverno Policies applied to your entities
Note
It's currently not possible to integrate this with a Backstage instance since the packages aren't published yet.
From your backstage root directory, run the following commands:
yarn --cwd packages/app add @kyverno/backstage-plugin-policy-reporter
yarn --cwd packages/backend add @kyverno/backstage-plugin-policy-reporter-backend
Add the EntityKyvernoPoliciesContent component to the Entity routes in packages/app/src/components/catalog/EntityPage.tsx
+ import { EntityKyvernoPoliciesContent } from '@kyverno/backstage-plugin-policy-reporter';
const serviceEntityPage = (
<EntityLayout>
// ...
+ <EntityLayout.Route path="/kyverno" title="kyverno policy">
+ <EntityKyvernoPoliciesContent />
+ </EntityLayout.Route>
// ..
</EntityLayout>
)
for the new backend system, add the plugin in packages/backend/src/index.ts
const backend = createBackend();
// ..
+backend.add(import('@kyverno/backstage-plugin-policy-reporter-backend'));
// ..
backend.start();
In your Backstage instance, define your Kubernetes clusters using the Resource
kind and kubernetes-cluster
type. Add the kyverno.io/endpoint
annotation with the URL to the Policy Reporter API for each cluster.
apiVersion: backstage.io/v1alpha1
kind: Resource
metadata:
name: aks-dev
annotations:
# Add the Policy Reporter API endpoint as an annotation
kyverno.io/endpoint: http://kyverno.io/policy-reporter/api/
spec:
type: kubernetes-cluster
To show the policies on the service, add a dependency to the Kubernetes cluster resource in the catalog-info.yaml
file of your service. Ensure that the necessary annotations are added as well. For more details, refer to the How to annotate services section.
metadata:
annotations:
kyverno.io/namespace: default # Specify the namespace of the service
kyverno.io/kind: Deployment,Pod # Specify the kind(s) of the Kubernetes resource(s)
kyverno.io/resource-name: policy-reporter # Specify the name of the resource
spec:
dependsOn:
# Add dependency to all environments the service is deployed to using the Resource entityRef
- resource:default/aks-dev
- resource:default/aks-tst
- resource:default/aks-qa
- resource:default/aks-prd
To configure the plugin to make the policy Chip a link to custom documentation, follow the steps below.
To enable policy Chip links, the EntityKyvernoPolicyReportsContent component requires the policyDocumentationUrl prop to be set to the URL of the documentation.
const serviceEntityPage = (
<EntityLayout>
// ...
<EntityLayout.Route path="/kyverno" title="kyverno policy">
<EntityKyvernoPoliciesContent policyDocumentationUrl="Your full URL link" />
</EntityLayout.Route>
// ..
</EntityLayout>
);
The policy documentation file provided in the above step needs to follow a specific structure.
All policies being used should have a header that matches the exact same name as the policy. Under this header, you can add information about the policy and provide a guide on how to solve it.
The plugin will create a link using the following format: <DocumentationUrl>#<PolicyName>
See the example/policy-documentation.md file for an example of how this could look.
To use the Kyverno-Policy-Reports plugin with your services, you need to add the following annotations to your catalog-info.yaml
:
kyverno.io/namespace
: This annotation specifies the Kubernetes namespace where the service is located. Multiple values can be separated by a comma (e.g.,default,kyverno
)kyverno.io/kind
: This annotation specifies the kind of Kubernetes resource (e.g., Deployment, StatefulSet, Pod) Multiple values can be separated by a comma (e.g.,Deployment,Pod
).kyverno.io/resource-name
: This annotation specifies the name of the resource
metadata:
annotations:
# Annotations for Kyverno-Policy-Reports
+ kyverno.io/namespace: default # Specify the namespace(s) of the service
+ kyverno.io/kind: Deployment,Pod # Specify the kind(s) of the Kubernetes resource(s)
+ kyverno.io/resource-name: policy-reporter # Specify the name of the resource
First, you need to update the version
field in the package.json
file of the package you want to update.
Before creating a pull request, always run yarn install
to ensure all dependencies are correctly installed and up-to-date.
When creating a pull request, make sure to include the updated yarn.lock
file. This file ensures that the exact same dependency tree is installed across all environments.
After updating the package.json
version, merge your branch with the main
branch. The GitHub Actions workflow will automatically check if there's a new version and publish it.