feat: Implement kyverno health checks#27354
sandert-k8s wants to merge 2 commits into argoproj:master from
Pull request overview
Adds Argo CD resource customization health checks for Kyverno policy CRDs (new policies.kyverno.io/* types plus kyverno.io/ClusterPolicy), using Lua-based health scripts and corresponding YAML-driven tests so these resources report meaningful Healthy/Degraded/Progressing statuses in the UI.
Changes:
- Added health.lua implementations for Kyverno policy resources to map Kyverno status/conditions into Argo CD health states.
- Added health_test.yaml test suites plus testdata/{progressing,healthy,degraded}.yaml fixtures for each new customization.
- Added a new customization for kyverno.io/ClusterPolicy (in addition to the pre-existing kyverno.io/Policy).
Reviewed changes
Copilot reviewed 55 out of 55 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| resource_customizations/policies.kyverno.io/ValidatingPolicy/health.lua | Health check logic for ValidatingPolicy (ready/conditions-based) |
| resource_customizations/policies.kyverno.io/ValidatingPolicy/health_test.yaml | Health test cases for ValidatingPolicy |
| resource_customizations/policies.kyverno.io/ValidatingPolicy/testdata/progressing.yaml | Fixture: no status yet → Progressing |
| resource_customizations/policies.kyverno.io/ValidatingPolicy/testdata/healthy.yaml | Fixture: ready/condition true → Healthy |
| resource_customizations/policies.kyverno.io/ValidatingPolicy/testdata/degraded.yaml | Fixture: ready/condition false → Degraded |
| resource_customizations/policies.kyverno.io/NamespacedValidatingPolicy/health.lua | Health check logic for NamespacedValidatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedValidatingPolicy/health_test.yaml | Health test cases for NamespacedValidatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedValidatingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/NamespacedValidatingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/NamespacedValidatingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/MutatingPolicy/health.lua | Health check logic for MutatingPolicy |
| resource_customizations/policies.kyverno.io/MutatingPolicy/health_test.yaml | Health test cases for MutatingPolicy |
| resource_customizations/policies.kyverno.io/MutatingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/MutatingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/MutatingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/NamespacedMutatingPolicy/health.lua | Health check logic for NamespacedMutatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedMutatingPolicy/health_test.yaml | Health test cases for NamespacedMutatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedMutatingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/NamespacedMutatingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/NamespacedMutatingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/ImageValidatingPolicy/health.lua | Health check logic for ImageValidatingPolicy |
| resource_customizations/policies.kyverno.io/ImageValidatingPolicy/health_test.yaml | Health test cases for ImageValidatingPolicy |
| resource_customizations/policies.kyverno.io/ImageValidatingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/ImageValidatingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/ImageValidatingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/NamespacedImageValidatingPolicy/health.lua | Health check logic for NamespacedImageValidatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedImageValidatingPolicy/health_test.yaml | Health test cases for NamespacedImageValidatingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedImageValidatingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/NamespacedImageValidatingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/NamespacedImageValidatingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/GeneratingPolicy/health.lua | Health check logic for GeneratingPolicy |
| resource_customizations/policies.kyverno.io/GeneratingPolicy/health_test.yaml | Health test cases for GeneratingPolicy |
| resource_customizations/policies.kyverno.io/GeneratingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/GeneratingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/GeneratingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/NamespacedGeneratingPolicy/health.lua | Health check logic for NamespacedGeneratingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedGeneratingPolicy/health_test.yaml | Health test cases for NamespacedGeneratingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedGeneratingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/NamespacedGeneratingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/NamespacedGeneratingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/DeletingPolicy/health.lua | Health check logic for DeletingPolicy |
| resource_customizations/policies.kyverno.io/DeletingPolicy/health_test.yaml | Health test cases for DeletingPolicy |
| resource_customizations/policies.kyverno.io/DeletingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/DeletingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/DeletingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/policies.kyverno.io/NamespacedDeletingPolicy/health.lua | Health check logic for NamespacedDeletingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedDeletingPolicy/health_test.yaml | Health test cases for NamespacedDeletingPolicy |
| resource_customizations/policies.kyverno.io/NamespacedDeletingPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/policies.kyverno.io/NamespacedDeletingPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/policies.kyverno.io/NamespacedDeletingPolicy/testdata/degraded.yaml | Fixture for Degraded |
| resource_customizations/kyverno.io/ClusterPolicy/health.lua | Health check logic for ClusterPolicy based on Ready condition |
| resource_customizations/kyverno.io/ClusterPolicy/health_test.yaml | Health test cases for ClusterPolicy |
| resource_customizations/kyverno.io/ClusterPolicy/testdata/progressing.yaml | Fixture for Progressing |
| resource_customizations/kyverno.io/ClusterPolicy/testdata/healthy.yaml | Fixture for Healthy |
| resource_customizations/kyverno.io/ClusterPolicy/testdata/degraded.yaml | Fixture for Degraded |
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #27354 +/- ##
==========================================
+ Coverage 63.34% 63.41% +0.07%
==========================================
Files 415 417 +2
Lines 56697 56981 +284
==========================================
+ Hits 35917 36137 +220
- Misses 17395 17450 +55
- Partials 3385 3394 +9
crenshaw-dev left a comment
Do these resources/conditions expose observedGeneration fields? If so, it's best practice to compare that to metadata.generation and return Progressing on mismatch, since the controller hasn't reconciled the updated spec yet.
Thanks for the review @crenshaw-dev. Unfortunately, I do not see Edit:
Check the status field at runtime, it's not in the spec.
Signed-off-by: sandert-k8s <sandert98@gmail.com> Co-authored-by: GitHub Copilot (model Claude Sonnet 4.6) <noreply@github.com>
Signed-off-by: sandert-k8s <sandert98@gmail.com> Co-authored-by: GitHub Copilot (model Claude Sonnet 4.6) <noreply@github.com>
839ec6f to dc3a3fd
@crenshaw-dev Although this is in the CRD spec, the kyverno controller does not populate this. I added PRs to add this. 1 and 2
Feat: Implement Kyverno health checks.
This has been done for the new Kyverno CRDs, and also for one "old" CR, the ClusterPolicy. That one will be deprecated in kyverno 1.20 (current newest version 1.17). I added the ClusterPolicy, since the namespaced Policy was already there.
| Kind | API group | Health logic |
|---|---|---|
| ClusterPolicy | kyverno.io | status.conditions[type=Ready] → True=Healthy, False=Degraded, absent=Progressing |
| DeletingPolicy | policies.kyverno.io | conditionStatus.ready, first True condition message |
| GeneratingPolicy | policies.kyverno.io | conditionStatus.ready, first True condition message |
| ImageValidatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |
| MutatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |
| NamespacedDeletingPolicy | policies.kyverno.io | conditionStatus.ready, first True condition message |
| NamespacedGeneratingPolicy | policies.kyverno.io | conditionStatus.ready, first True condition message |
| NamespacedImageValidatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |
| NamespacedMutatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |
| NamespacedValidatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |
| ValidatingPolicy | policies.kyverno.io | conditionStatus.ready, WebhookConfigured fallback |

Used the same setup/logic as my previous PR for health checks
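
An added example, not the PR's health.lua: the ClusterPolicy mapping from the table above combined with the observedGeneration check raised in review, so a policy whose edited spec has not been reconciled is not shown as Healthy. It assumes the Ready condition may carry an `observedGeneration` field and skips the comparison when the controller leaves it unset; `health` and the sample objects are hypothetical, and in Argo CD the function body would run with `obj` supplied and end in `return hs`.

```lua
-- Added example. Argo CD passes the live resource as `obj`; here it is a
-- function argument so the block runs stand-alone with a Lua interpreter.
local function health(obj)
  local hs = { status = "Progressing", message = "Waiting for policy status" }
  if obj.status == nil or obj.status.conditions == nil then
    return hs -- absent status/conditions => Progressing
  end
  for _, c in ipairs(obj.status.conditions) do
    if c.type == "Ready" then
      -- Assumption: the condition may expose observedGeneration. The thread
      -- notes the controller does not populate it yet, so only compare when set.
      if c.observedGeneration ~= nil and obj.metadata ~= nil
          and c.observedGeneration ~= obj.metadata.generation then
        hs.message = "Waiting for controller to reconcile the updated spec"
        return hs
      end
      if c.status == "True" then
        hs.status = "Healthy"
      elseif c.status == "False" then
        hs.status = "Degraded"
      end -- any other value (e.g. "Unknown") stays Progressing
      hs.message = c.message or ""
      return hs
    end
  end
  return hs -- conditions present but no Ready entry => Progressing
end

-- Constructed sample objects, one per outcome.
local function policy(generation, ready)
  return { metadata = { generation = generation },
           status = ready and { conditions = { ready } } or nil }
end
local samples = {
  { "no status yet", policy(1, nil) },
  { "ready", policy(1, { type = "Ready", status = "True", message = "Ready" }) },
  { "not ready", policy(1, { type = "Ready", status = "False", message = "webhook not configured" }) },
  { "ready, field unset", policy(3, { type = "Ready", status = "True", message = "Ready" }) },
  { "stale condition", policy(2, { type = "Ready", status = "True", message = "Ready", observedGeneration = 1 }) },
}
for _, s in ipairs(samples) do
  local hs = health(s[2])
  print(string.format("%-20s %-12s %s", s[1], hs.status, hs.message))
end
```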