docs: task the daily assistant with driving Kyverno policy violations to zero #2054

Draft · devantler wants to merge 1 commit into main from claude/definition-kyverno-compliance

docs: task the daily assistant with driving Kyverno policy violations to zero#2054
devantler wants to merge 1 commit into
mainfrom
claude/definition-kyverno-compliance

Conversation

@devantler (Contributor)

Why

Policy Reporter now gives a whole-cluster view of the Kyverno PolicyReports the cluster already produces (see devantler-tech/platform#2459). The autonomous assistant should act on that — not just observe — so cluster compliance actually reaches and stays at zero violations.

What

Adds a "Policy compliance (Kyverno) — drive violations to zero and hold" program to the platform product card, and makes the assistant aware of Policy Reporter as the surface for it. It mirrors the existing Kubescape "drive to 100% and hold" section: enumerate failing results each run (existing and newly introduced), root-cause-fix by default, graduate a cleared policy from Audit to Enforce, and add a scoped exception only when a finding is genuinely by-design.

Notes

  • Definition/self-improvement change — one product card, no behaviour outside the assistant's own instructions.
  • Pairs with platform#2459 (which deploys Policy Reporter). Draft until you promote.

🤖 Generated with Claude Code

… to zero

Makes the autonomous Daily AI Assistant aware of Policy Reporter and gives it a
standing objective: watch Kyverno PolicyReport / ClusterPolicyReport results
(existing and newly introduced) and drive the failing count to zero, so the
whole prod cluster runs compliant.

Adds a "Policy compliance (Kyverno) — drive violations to zero and hold" section
to the platform product card, mirroring the existing Kubescape "Security posture
— drive to 100% and hold" program (the two are complementary compliance
surfaces). Names Policy Reporter as the aggregation surface (UI + read API), and
reuses the same fix-vs-except ladder: root-cause fix by default, graduate a
cleared policy from Audit to Enforce, and except only when genuinely by-design
via a scoped per-policy `exclude` (the repo does not enable PolicyException CRs).

Pairs with the Policy Reporter deployment in devantler-tech/platform#2459.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
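One way to implement the per-run enumeration the program above describes (count `fail` and `warn` in separate buckets, and flag newly introduced failures as regressions to clear first), as an added example that is not part of this PR or the repo's SKILL.md. It assumes the JSON shape returned by `kubectl get polr,cpolr -A -o json` and uses a constructed sample in place of a live cluster:

```python
"""Tally Kyverno PolicyReport results for one assistant run: `fail` and `warn`
are counted in separate buckets, and failures absent from the previous run are
flagged as regressions to clear first. Input is the JSON shape that
`kubectl get polr,cpolr -A -o json` returns; the sample below is constructed."""
import json

# Constructed sample: one namespaced PolicyReport and one ClusterPolicyReport.
SAMPLE_JSON = json.dumps({"items": [
    {"kind": "PolicyReport", "metadata": {"namespace": "apps", "name": "polr-apps"},
     "results": [
        {"policy": "require-run-as-nonroot", "rule": "check-containers", "result": "fail",
         "resources": [{"kind": "Deployment", "namespace": "apps", "name": "web"}]},
        {"policy": "disallow-latest-tag", "rule": "validate-image-tag", "result": "warn",
         "resources": [{"kind": "Deployment", "namespace": "apps", "name": "web"}]},
        {"policy": "require-labels", "rule": "check-for-labels", "result": "pass",
         "resources": [{"kind": "Deployment", "namespace": "apps", "name": "web"}]}]},
    {"kind": "ClusterPolicyReport", "metadata": {"name": "cpolr"},
     "results": [
        {"policy": "restrict-node-port", "rule": "validate-nodeport", "result": "fail",
         "resources": [{"kind": "Service", "namespace": "apps", "name": "api"}]}]}]})

def finding_key(res, resource):
    """Stable identity of one (policy, rule, resource) finding across runs."""
    return (res["policy"], res.get("rule", ""), resource.get("kind", ""),
            resource.get("namespace", ""), resource.get("name", ""))

def tally(report_json):
    """Return {'fail': set, 'warn': set} of finding keys; pass/skip/error ignored."""
    buckets = {"fail": set(), "warn": set()}
    for item in json.loads(report_json).get("items", []):
        for res in item.get("results", []):
            if res.get("result") in buckets:
                # A result may list several resources; each is its own finding.
                for resource in res.get("resources") or [{}]:
                    buckets[res["result"]].add(finding_key(res, resource))
    return buckets

def regressions(current, previous):
    """Failures present now that were not in the previous run's tally."""
    return current["fail"] - previous["fail"]

if __name__ == "__main__":
    now = tally(SAMPLE_JSON)
    # Previous run (constructed): only the NodePort finding was already known.
    baseline = {"fail": {("restrict-node-port", "validate-nodeport", "Service", "apps", "api")},
                "warn": set()}
    print(f"fail={len(now['fail'])} warn={len(now['warn'])} new={len(regressions(now, baseline))}")
```

Persisting the previous run's `fail` set between runs is what makes the "newly introduced" distinction in the program possible.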
coderabbitai Bot commented Jul 4, 2026

Walkthrough

Documentation-only update to the Platform maintenance skill file, adding Policy Reporter alongside Kyverno in the observability stack description and health checklist, and introducing a new "Policy compliance (Kyverno)" section describing a fix-vs-except workflow to drive policy violations to zero.

Changes

Platform Skill Documentation

| Layer / File(s) | Summary |
| --- | --- |
| Policy compliance workflow documentation (`.claude/skills/products/platform/SKILL.md`) | Adds Policy Reporter references to the top-level skill description and health checklist, and introduces a new section detailing the Kyverno policy compliance workflow, including audit-to-enforce graduation and scoped exclude usage. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly matches the main documentation change about the assistant driving Kyverno policy violations to zero. |
| Description check | ✅ Passed | The description directly describes the Kyverno policy compliance program, Policy Reporter surface, and exception workflow in the patch. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/skills/products/platform/SKILL.md:
- Around line 110-114: The guidance currently mixes `warn` with `fail` in the
same remediation tally, which conflicts with the intent to track warnings
separately. Update the Policy Reporter instructions in SKILL.md to call out
`warn` as a separate category from `fail`, and clarify whether warnings should
be remediated independently or treated with the same urgency; keep the
zero-target language tied specifically to `fail` using the existing Policy
Reporter and kubectl references.

📥 Commits

Reviewing files that changed from the base of the PR and between e39d7b8 and 3e1f748.

📒 Files selected for processing (1)
  • .claude/skills/products/platform/SKILL.md

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1): .claude/**/*.md

📄 CodeRabbit inference engine (AGENTS.md): Keep the .claude/ agents, skills, and product cards synchronized with the repo's current commands, paths, labels, validate steps, and conventions.

Files:
  • .claude/skills/products/platform/SKILL.md
🪛 SkillSpector (2.3.7)
.claude/skills/products/platform/SKILL.md

[error] 25: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


🔇 Additional comments (2)
.claude/skills/products/platform/SKILL.md (2)

3-3: LGTM! Also applies to: 43-49

104-109: LGTM! Also applies to: 115-132

Comment on lines +110 to +114
- **Enumerate every run** via **Policy Reporter** — the dashboard/read API that aggregates all reports
(SSO UI at `policy-reporter.${domain}`; in-cluster API `policy-reporter.policy-reporter.svc:8080`) —
or `kubectl --context=admin@prod get polr,cpolr -A`. Count the `fail` (and `warn`) results and treat
a **newly introduced** failure as a regression to clear promptly, like a red CI check — not just the
long-standing backlog.
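Review bot: `kubectl --context=admin@prod get polr,cpolr -A` prints one row per report with that report's own summary counts, so "Count the `fail` (and `warn`) results" leaves the cluster-wide aggregation to the reader; say how the number is produced (for example `-o json` summed over each item's `.summary.fail` and `.summary.warn`, or the Policy Reporter API's totals) so that two runs count the same way and a newly introduced failure is actually detectable as a delta. Since the zero target is for `fail`, also state whether `warn` is part of that target or tracked alongside it.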

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# Show the target section with line numbers
sed -n '90,130p' .claude/skills/products/platform/SKILL.md | cat -n

echo
echo "---- related mentions ----"
rg -n --hidden -S "Policy Reporter|policy-reporter|\\bfail\\b|\\bwarn\\b|\\bpolr\\b|\\bcpolr\\b" .claude docs . 2>/dev/null | head -n 200
```

Repository: devantler-tech/monorepo
Length of output: 50386

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# Inspect nearby context and search for explicit handling of warnings vs failures.
sed -n '1,220p' .claude/skills/products/platform/SKILL.md | cat -n

echo
echo "---- warning/failure semantics in repo ----"
rg -n --hidden -S "warnings? .*separate|warn.*separate|fail.*warn|soft signal|remediation queue|newly introduced failure|Policy Reporter|policy reporter" .claude . 2>/dev/null | head -n 200
```

Repository: devantler-tech/monorepo
Length of output: 15129

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# Focused search for platform docs that define how alerts/policy violations are counted.
rg -n --hidden -S "Policy Reporter|policy-reporter|polr|cpolr|warn|warning|fail|violation|regression" .claude/skills/products/platform .claude/docs .claude 2>/dev/null | head -n 300
```

Repository: devantler-tech/monorepo
Length of output: 13984


Track warn separately from fail. The section frames fail as the zero target; if warnings are only informational, keeping them in the same tally muddies the remediation queue. If they should share remediation, say that explicitly.
