Kyverno & Policy Health

The Kyverno Health Check feature in NCH provides visibility into the operational health and configuration best practices of your Kyverno installation. It continuously analyzes Kyverno deployments across your clusters and offers a detailed health score based on four key categories:

  • Security
  • Availability
  • Scalability
  • Observability

Each category is evaluated independently and flagged as Healthy, Warning, or Critical based on current configurations. The overall health score is then calculated and displayed prominently in the UI.

Key Benefits

  • Instant Health Grade: See at-a-glance how well Kyverno is configured in your environment.
  • Detailed Diagnostics: Get category-wise breakdowns with precise issues and configuration gaps.
  • Remediation Guidance: View recommended changes to restore Kyverno to optimal health.
  • Proactive Alerts: Identify and resolve misconfigurations before they affect policy enforcement.

Health Categories Overview

Security

Evaluates security-related configurations including:

  • RBAC Validation: Role-based access control configurations
  • Network Policy: Network segmentation and traffic controls
  • Cluster-Admin Binding: Excessive privilege assignments

Availability

Assesses deployment resilience and reliability:

  • Resource Configuration: CPU and memory requests/limits
  • High Availability: Pod disruption budgets and replica counts
  • Runtime Stability: Pod restart patterns and health

Scalability

Reviews auto-scaling and performance configurations:

  • Auto-scaling: Horizontal Pod Autoscaler setup
  • ETCD Optimization: Reports server deployment status
  • Replica Management: Controller replica distribution

Observability

Evaluates component health and monitoring capabilities:

  • Controller Health: Component operational status
  • Pod Health Probes: Readiness and liveness probe configuration
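
The following is an added example, not NCH's or Kyverno's own code: a read-only audit that applies four of the checks listed above to Kubernetes objects and reports each as Healthy, Warning, or Critical. The sample objects are constructed, and the namespace, the three-replica threshold, and the severity given to each finding are assumptions.

```python
# Added example: read-only checks over constructed manifests (not NCH's code).
NAMESPACE = "kyverno"  # assumption: Kyverno installed in its usual namespace

# Constructed sample objects, shaped like `kubectl get -o json` output.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "kyverno-admission-controller", "namespace": NAMESPACE},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [{
        "name": "kyverno",
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
        "readinessProbe": {"httpGet": {"path": "/health/readiness", "port": 9443}},
    }]}}},
}
BINDINGS = [{
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "kyverno-debug"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "kyverno-admission-controller",
                  "namespace": NAMESPACE}],
}]
PDBS = []  # the sample has no PodDisruptionBudget (selector matching is not checked)

def audit(deployment, bindings, pdbs, min_replicas=3):
    """Return {check: status}; thresholds and severities are assumptions."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    admin = any(
        b["roleRef"]["name"] == "cluster-admin" and any(
            s.get("kind") == "ServiceAccount" and s.get("namespace") == NAMESPACE
            for s in b.get("subjects") or [])
        for b in bindings)
    sized = all(c.get("resources", {}).get(k) for c in containers
                for k in ("requests", "limits"))
    probed = all(c.get(p) for c in containers
                 for p in ("readinessProbe", "livenessProbe"))
    ok = lambda passed, bad: "Healthy" if passed else bad
    return {
        "Security/Cluster-Admin Binding": ok(not admin, "Critical"),
        "Availability/Resource Configuration": ok(sized, "Warning"),
        "Availability/High Availability": ok(
            deployment["spec"].get("replicas", 1) >= min_replicas and bool(pdbs), "Warning"),
        "Observability/Pod Health Probes": ok(probed, "Warning"),
    }

def score(results):
    """Checks passed out of total checks, as the dashboard score is described."""
    return sum(s == "Healthy" for s in results.values()), len(results)
```

On the constructed sample, every check fails: the cluster-admin binding is Critical, and the missing limits, single replica without a disruption budget, and missing liveness probe are Warnings.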

Using the Kyverno Health Dashboard

Accessing Health Information

  1. Navigate to Health Tab

    • Go to Control Hub → Select Cluster → Health tab
    • View your overall Kyverno Health Grade (e.g., Score: 8/16, Status: F)
  2. Understanding Health Status

    • Healthy (Green): Component meets best practice standards
    • Warning (Yellow): Minor issues that should be addressed after assessing their impact
    • Critical (Red): Serious problems requiring immediate attention

Interpreting Health Results

Overall Health Score

  • The health score shows how many checks passed out of the total number of checks
  • Letter grades (A-F) provide a quick assessment of overall health
  • Hover over the score for additional context

Category-Specific Analysis

  1. Expand each category (Security, Availability, Scalability, Observability)
  2. Review individual checks within each category
  3. Check status indicators for each component

Finding Recommendations and Solutions

Using Info Buttons

  • Click the info (ℹ️) icon next to any health check item
  • View detailed explanations of what the check evaluates
  • Access step-by-step remediation guidance provided by the system
  • Alternatively, reach out to support for personalized guidance at support@nirmata.com

Health Check Navigation Tips

Prioritizing Issues

  • Start with Critical findings as they impact cluster stability
  • Address Warning items during maintenance windows
  • Use the severity indicators to plan remediation order

Best Practices for Regular Monitoring

  • Check health status weekly for production clusters
  • Review after any major changes to Kyverno configuration
  • Include health scores in operational reports
  • Set up alerts for critical health score drops

Getting Additional Support

For environment-specific remediation strategies and best practices tailored to your infrastructure, reach out to support for personalized guidance.

Additional Notes

  • Health checks are non-intrusive and read-only
  • Evaluations are refreshed periodically based on scan frequency
  • No cluster modifications are made by the health check process
  • Remediation guidance is accessible through the dashboard interface

Policy Health

Policies Tab

The Policies tab provides a comprehensive view of all Kyverno policies deployed in your cluster, displaying their current health status, type (validate/mutate), and last update timestamps. Each policy is evaluated for its operational health, configuration correctness, and performance impact, with status indicators showing whether policies are functioning as expected or require attention. This view helps administrators quickly identify problematic policies, track policy deployment success, and ensure that security and governance rules are actively enforced across the cluster environment.

Policy Exceptions Tab

The Policy Exceptions tab displays all active policy exceptions in your cluster, showing their name, target namespace, current state, and expiration dates. Policy exceptions allow you to temporarily or permanently exclude specific resources from policy enforcement while maintaining audit trails and governance oversight. This centralized view enables administrators to monitor exception usage, track their lifecycle, ensure exceptions are properly justified and time-bounded, and maintain security posture by preventing exception sprawl across the cluster infrastructure.