docs: task the daily assistant with driving Kyverno policy violations to zero#2054
docs: task the daily assistant with driving Kyverno policy violations to zero#2054devantler wants to merge 1 commit into
Conversation
… to zero Makes the autonomous Daily AI Assistant aware of Policy Reporter and gives it a standing objective: watch Kyverno PolicyReport / ClusterPolicyReport results (existing and newly introduced) and drive the failing count to zero, so the whole prod cluster runs compliant. Adds a "Policy compliance (Kyverno) — drive violations to zero and hold" section to the platform product card, mirroring the existing Kubescape "Security posture — drive to 100% and hold" program (the two are complementary compliance surfaces). Names Policy Reporter as the aggregation surface (UI + read API), and reuses the same fix-vs-except ladder: root-cause fix by default, graduate a cleared policy from Audit to Enforce, and except only when genuinely by-design via a scoped per-policy `exclude` (the repo does not enable PolicyException CRs). Pairs with the Policy Reporter deployment in devantler-tech/platform#2459. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📝 WalkthroughWalkthroughDocumentation-only update to the Platform maintenance skill file, adding Policy Reporter alongside Kyverno in the observability stack description and health checklist, and introducing a new "Policy compliance (Kyverno)" section describing a fix-vs-except workflow to drive policy violations to zero. ChangesPlatform Skill Documentation
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.claude/skills/products/platform/SKILL.md:
- Around line 110-114: The guidance currently mixes `warn` with `fail` in the
same remediation tally, which conflicts with the intent to track warnings
separately. Update the Policy Reporter instructions in SKILL.md to call out
`warn` as a separate category from `fail`, and clarify whether warnings should
be remediated independently or treated with the same urgency; keep the
zero-target language tied specifically to `fail` using the existing Policy
Reporter and kubectl references.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: bebdd753-7fe6-409a-bdb7-9ce57b94ed55
📒 Files selected for processing (1)
.claude/skills/products/platform/SKILL.md
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.claude/**/*.md
📄 CodeRabbit inference engine (AGENTS.md)
Keep the
.claude/agents, skills, and product cards synchronized with the repo’s current commands, paths, labels, validate steps, and conventions.
Files:
.claude/skills/products/platform/SKILL.md
🪛 SkillSpector (2.3.7)
.claude/skills/products/platform/SKILL.md
[error] 25: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
[error] 25: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
[error] 25: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
🔇 Additional comments (2)
.claude/skills/products/platform/SKILL.md (2)
3-3: LGTM!Also applies to: 43-49
104-109: LGTM!Also applies to: 115-132
| - **Enumerate every run** via **Policy Reporter** — the dashboard/read API that aggregates all reports | ||
| (SSO UI at `policy-reporter.${domain}`; in-cluster API `policy-reporter.policy-reporter.svc:8080`) — | ||
| or `kubectl --context=admin@prod get polr,cpolr -A`. Count the `fail` (and `warn`) results and treat | ||
| a **newly introduced** failure as a regression to clear promptly, like a red CI check — not just the | ||
| long-standing backlog. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the target section with line numbers
sed -n '90,130p' .claude/skills/products/platform/SKILL.md | cat -n
echo
echo "---- related mentions ----"
rg -n --hidden -S "Policy Reporter|policy-reporter|\\bfail\\b|\\bwarn\\b|\\bpolr\\b|\\bcpolr\\b" .claude docs . 2>/dev/null | head -n 200Repository: devantler-tech/monorepo
Length of output: 50386
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect nearby context and search for explicit handling of warnings vs failures.
sed -n '1,220p' .claude/skills/products/platform/SKILL.md | cat -n
echo
echo "---- warning/failure semantics in repo ----"
rg -n --hidden -S "warnings? .*separate|warn.*separate|fail.*warn|soft signal|remediation queue|newly introduced failure|Policy Reporter|policy reporter" .claude . 2>/dev/null | head -n 200Repository: devantler-tech/monorepo
Length of output: 15129
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Focused search for platform docs that define how alerts/policy violations are counted.
rg -n --hidden -S "Policy Reporter|policy-reporter|polr|cpolr|warn|warning|fail|violation|regression" .claude/skills/products/platform .claude/docs .claude 2>/dev/null | head -n 300Repository: devantler-tech/monorepo
Length of output: 13984
Track warn separately from fail. The section frames fail as the zero target; if warnings are only informational, keeping them in the same tally muddies the remediation queue. If they should share remediation, say that explicitly.
🧰 Tools
🪛 SkillSpector (2.3.7)
[error] 25: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/skills/products/platform/SKILL.md around lines 110 - 114, The
guidance currently mixes `warn` with `fail` in the same remediation tally, which
conflicts with the intent to track warnings separately. Update the Policy
Reporter instructions in SKILL.md to call out `warn` as a separate category from
`fail`, and clarify whether warnings should be remediated independently or
treated with the same urgency; keep the zero-target language tied specifically
to `fail` using the existing Policy Reporter and kubectl references.
Why
Policy Reporter now gives a whole-cluster view of the Kyverno
PolicyReports the cluster already produces (see devantler-tech/platform#2459). The autonomous assistant should act on that — not just observe — so cluster compliance actually reaches and stays at zero violations.What
Adds a "Policy compliance (Kyverno) — drive violations to zero and hold" program to the platform product card, and makes the assistant aware of Policy Reporter as the surface for it. It mirrors the existing Kubescape "drive to 100% and hold" section: enumerate failing results each run (existing and newly introduced), root-cause-fix by default, graduate a cleared policy from Audit to Enforce, and add a scoped exception only when a finding is genuinely by-design.
Notes
🤖 Generated with Claude Code