Add detail rbacassessment,infraassessment info prometheus Metrics #1331

Merged
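--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -48,6 +48,8 @@ Keeps security report resources updated
 | operator.metricsConfigAuditInfo | bool | `false` | MetricsConfigAuditInfo the flag to enable metrics about configuration audits be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsExposedSecretInfo | bool | `false` | MetricsExposedSecretInfo the flag to enable metrics about exposed secrets be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsFindingsEnabled | bool | `true` | metricsFindingsEnabled the flag to enable metrics for findings |
+| operator.metricsInfraAssessmentInfo | bool | `false` | MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment be aware of metrics cardinality is significantly increased with this feature enabled. |
+| operator.metricsRbacAssessmentInfo | bool | `false` | MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsVulnIdEnabled | bool | `false` | metricsVulnIdEnabled the flag to enable metrics about cve vulns id be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.namespace | string | `""` | namespace to install the operator, defaults to the .Release.Namespace |
 | operator.podLabels | object | `{}` | additional labels for the operator pod |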
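--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
@@ -87,6 +87,10 @@ spec:
 value: {{ .Values.operator.metricsExposedSecretInfo | quote }}
 - name: OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED
 value: {{ .Values.operator.metricsConfigAuditInfo | quote }}
+- name: OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED
+value: {{ .Values.operator.metricsRbacAssessmentInfo | quote }}
+- name: OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED
+value: {{ .Values.operator.metricsInfraAssessmentInfo | quote }}
 - name: OPERATOR_WEBHOOK_BROADCAST_URL
 value: {{ .Values.operator.webhookBroadcastURL | quote }}
 - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT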
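--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -103,6 +103,14 @@ operator:
 # be aware of metrics cardinality is significantly increased with this feature enabled.
 metricsConfigAuditInfo: false
 
+# -- MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment
+# be aware of metrics cardinality is significantly increased with this feature enabled.
+metricsRbacAssessmentInfo: false
+
+# -- MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment
+# be aware of metrics cardinality is significantly increased with this feature enabled.
+metricsInfraAssessmentInfo: false
+
 # -- webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
 webhookBroadcastURL: ""
 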
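--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -1932,6 +1932,10 @@ spec:
 value: "false"
 - name: OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED
 value: "false"
+- name: OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED
+value: "false"
+- name: OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED
+value: "false"
 - name: OPERATOR_WEBHOOK_BROADCAST_URL
 value: ""
 - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT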
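--- a/docs/tutorials/integrations/metrics.md
+++ b/docs/tutorials/integrations/metrics.md
@@ -24,6 +24,15 @@ trivy_resource_configaudits{
 } 2
 ```
 
+### ConfigAuditInfo
+
+Exposes details about ConfigAudit that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED" envDefault:"false"` . For example:
+
+```shell
+trivy_configaudits_info{
+config_audit_category="car1 category for config audit",config_audit_description="car1 description for config audit",config_audit_id="car1 Id",config_audit_success="false",config_audit_title="car1 config audit title",name="replicaset-nginx-6d4cf56db6",namespace="default",resource_kind="ReplicaSet",resource_name="nginx-6d4cf56db6",severity="Critical"} 1
+```
+
 ### RbacAssessments
 
 A report summary series exposes the count of checks of each status reported in a given `RbacAssessmentsReport`. For example:
@@ -34,6 +43,15 @@ trivy_role_rbacassessments{
 } 1
 ```
 
+### RbacAssessmentsInfo
+
+Exposes details about RbacAssessments that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED" envDefault:"false"` . For example:
+
+```shell
+trivy_rbacassessments_info{
+name="role-admin-6d4cf56db6",namespace="default",rbac_assessment_category="car1 category for rbac assessment",rbac_assessment_description="car1 description for rbac assessment",rbac_assessment_id="car1 Id",rbac_assessment_success="true",rbac_assessment_title="car1 rbac assessment title",resource_kind="Role",resource_name="admin-6d4cf56db6",severity="Critical"} 1
+```
+
 ### ExposedsSecrets
 
 A report summary series exposes the count of checks of each status reported in a given `ExposedsSecretsReport`. For example:
@@ -64,6 +82,13 @@ trivy_resource_infraassessments{
 } 3
 ```
 
+### InfraAssessmentsInfo
+Exposes details about InfraAssessments that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED" envDefault:"false"` . For example:
+```shell
+trivy_infraassessments_info{
+name="pod-kube-apiserver-minikube-6d4cf56db6",namespace="kube-system",infra_assessment_category="car1 category for infra assessment",infra_assessment_description="car1 description for infra assessment",infra_assessment_id="car1 Id",infra_assessment_success="true",infra_assessment_title="car1 infra assessment title",resource_kind="Pod",resource_name="kube-apiserver-minikube-6d4cf56db6",severity="Critical"
+} 1
+```
 ### ClusterComplianceReport
 
 A report summary series exposes the count of checks of each status reported in a given `ClusterComplianceReport`. For example: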
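--- a/pkg/metrics/collector.go
+++ b/pkg/metrics/collector.go
@@ -53,6 +53,18 @@ const (
 config_audit_description = "config_audit_description"
 config_audit_category = "config_audit_category"
 config_audit_success = "config_audit_success"
+//rbac assessment
+rbac_assessment_id = "rbac_assessment_id"
+rbac_assessment_title = "rbac_assessment_title"
+rbac_assessment_description = "rbac_assessment_description"
+rbac_assessment_category = "rbac_assessment_category"
+rbac_assessment_success = "rbac_assessment_success"
+//infra assessment
+infra_assessment_id = "infra_assessment_id"
+infra_assessment_title = "infra_assessment_title"
+infra_assessment_description = "infra_assessment_description"
+infra_assessment_category = "infra_assessment_category"
+infra_assessment_success = "infra_assessment_success"
 )
 
 type metricDescriptors struct {
@@ -65,15 +77,17 @@ type metricDescriptors struct {
 complianceStatuses map[string]func(vs v1alpha1.ComplianceSummary) int
 
 // Labels
-imageVulnLabels []string
-vulnIdLabels []string
-exposedSecretLabels []string
-exposedSecretInfoLabels []string
-configAuditLabels []string
-configAuditInfoLabels []string
-rbacAssessmentLabels []string
-infraAssessmentLabels []string
-complianceLabels []string
+imageVulnLabels []string
+vulnIdLabels []string
+exposedSecretLabels []string
+exposedSecretInfoLabels []string
+configAuditLabels []string
+configAuditInfoLabels []string
+rbacAssessmentLabels []string
+rbacAssessmentInfoLabels []string
+infraAssessmentLabels []string
+infraAssessmentInfoLabels []string
+complianceLabels []string
 
 // Descriptors
 imageVulnDesc *prometheus.Desc
@@ -83,8 +97,10 @@ type metricDescriptors struct {
 exposedSecretDesc *prometheus.Desc
 exposedSecretInfoDesc *prometheus.Desc
 rbacAssessmentDesc *prometheus.Desc
+rbacAssessmentInfoDesc *prometheus.Desc
 clusterRbacAssessmentDesc *prometheus.Desc
 infraAssessmentDesc *prometheus.Desc
+infraAssessmentInfoDesc *prometheus.Desc
 complianceDesc *prometheus.Desc
 }
 
@@ -304,6 +320,19 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 severity,
 }
 rbacAssessmentLabels = append(rbacAssessmentLabels, dynamicLabels...)
+rbacAssessmentInfoLabels := []string{
+namespace,
+name,
+resource_kind,
+resource_name,
+rbac_assessment_id,
+rbac_assessment_title,
+rbac_assessment_description,
+rbac_assessment_category,
+rbac_assessment_success,
+severity,
+}
+rbacAssessmentInfoLabels = append(rbacAssessmentInfoLabels, dynamicLabels...)
 infraAssessmentLabels := []string{
 namespace,
 name,
@@ -312,6 +341,19 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 severity,
 }
 infraAssessmentLabels = append(infraAssessmentLabels, dynamicLabels...)
+infraAssessmentInfoLabels := []string{
+namespace,
+name,
+resource_kind,
+resource_name,
+infra_assessment_id,
+infra_assessment_title,
+infra_assessment_description,
+infra_assessment_category,
+infra_assessment_success,
+severity,
+}
+infraAssessmentInfoLabels = append(infraAssessmentInfoLabels, dynamicLabels...)
 
 clusterComplianceLabels := []string{
 title,
@@ -361,6 +403,12 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 rbacAssessmentLabels,
 nil,
 )
+rbacAssessmentInfoDesc := prometheus.NewDesc(
+prometheus.BuildFQName("trivy", "rbacassessments", "info"),
+"Number of rbac risky role assessment checks Info",
+rbacAssessmentInfoLabels,
+nil,
+)
 clusterRbacAssessmentDesc := prometheus.NewDesc(
 prometheus.BuildFQName("trivy", "clusterrole", "clusterrbacassessments"),
 "Number of rbac risky cluster role assessment checks",
@@ -373,6 +421,12 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 infraAssessmentLabels,
 nil,
 )
+infraAssessmentInfoDesc := prometheus.NewDesc(
+prometheus.BuildFQName("trivy", "infraassessments", "info"),
+"Number of failing k8s infra assessment checks Info",
+infraAssessmentInfoLabels,
+nil,
+)
 complianceDesc := prometheus.NewDesc(
 prometheus.BuildFQName("trivy", "cluster", "compliance"),
 "cluster compliance report",
@@ -387,15 +441,17 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 infraAssessmentSeverities: infraAssessmentSeverities,
 complianceStatuses: complainceStatuses,
 
-imageVulnLabels: imageVulnLabels,
-vulnIdLabels: vulnIdLabels,
-exposedSecretLabels: exposedSecretLabels,
-exposedSecretInfoLabels: exposedSecretInfoLabels,
-configAuditLabels: configAuditLabels,
-configAuditInfoLabels: configAuditInfoLabels,
-rbacAssessmentLabels: rbacAssessmentLabels,
-infraAssessmentLabels: infraAssessmentLabels,
-complianceLabels: clusterComplianceLabels,
+imageVulnLabels: imageVulnLabels,
+vulnIdLabels: vulnIdLabels,
+exposedSecretLabels: exposedSecretLabels,
+exposedSecretInfoLabels: exposedSecretInfoLabels,
+configAuditLabels: configAuditLabels,
+configAuditInfoLabels: configAuditInfoLabels,
+rbacAssessmentLabels: rbacAssessmentLabels,
+rbacAssessmentInfoLabels: rbacAssessmentInfoLabels,
+infraAssessmentLabels: infraAssessmentLabels,
+infraAssessmentInfoLabels: infraAssessmentInfoLabels,
+complianceLabels: clusterComplianceLabels,
 
 imageVulnDesc: imageVulnDesc,
 vulnIdDesc: vulnIdDesc,
@@ -404,8 +460,10 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 exposedSecretDesc: exposedSecretDesc,
 exposedSecretInfoDesc: exposedSecretInfoDesc,
 rbacAssessmentDesc: rbacAssessmentDesc,
+rbacAssessmentInfoDesc: rbacAssessmentInfoDesc,
 clusterRbacAssessmentDesc: clusterRbacAssessmentDesc,
 infraAssessmentDesc: infraAssessmentDesc,
+infraAssessmentInfoDesc: infraAssessmentInfoDesc,
 complianceDesc: complianceDesc,
 }
 }
@@ -443,7 +501,13 @@ func (c ResourcesMetricsCollector) Collect(metrics chan<- prometheus.Metric) {
 c.collectConfigAuditInfoReports(ctx, metrics, targetNamespaces)
 }
 c.collectRbacAssessmentReports(ctx, metrics, targetNamespaces)
+if c.Config.MetricsRbacAssessmentInfo {
+c.collectRbacAssessmentInfoReports(ctx, metrics, targetNamespaces)
+}
 c.collectInfraAssessmentReports(ctx, metrics, targetNamespaces)
+if c.Config.MetricsInfraAssessmentInfo {
+c.collectInfraAssessmentInfoReports(ctx, metrics, targetNamespaces)
+}
 c.collectClusterRbacAssessmentReports(ctx, metrics)
 c.collectClusterComplianceReports(ctx, metrics)
 }
@@ -679,6 +743,38 @@ func (c *ResourcesMetricsCollector) collectRbacAssessmentReports(ctx context.Con
 }
 }
 
+func (c *ResourcesMetricsCollector) collectRbacAssessmentInfoReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
+reports := &v1alpha1.RbacAssessmentReportList{}
+labelValues := make([]string, len(c.rbacAssessmentInfoLabels))
+for _, n := range targetNamespaces {
+if err := c.List(ctx, reports, client.InNamespace(n)); err != nil {
+c.Logger.Error(err, "failed to list rbacAssessment from API", "namespace", n)
+continue
+}
+for _, r := range reports.Items {
+if c.Config.MetricsRbacAssessmentInfo {
+labelValues[0] = r.Namespace
+labelValues[1] = r.Name
+labelValues[2] = r.Labels[trivyoperator.LabelResourceKind]
+labelValues[3] = r.Labels[trivyoperator.LabelResourceName]
+for _, rbac := range r.Report.Checks {
+labelValues[4] = rbac.ID
+labelValues[5] = rbac.Title
+labelValues[6] = rbac.Description
+labelValues[7] = rbac.Category
+labelValues[8] = strconv.FormatBool(rbac.Success)
+labelValues[9] = NewSeverityLabel(rbac.Severity).Label
+for i, label := range c.GetReportResourceLabels() {
+labelValues[i+10] = r.Labels[label]
+}
+
+metrics <- prometheus.MustNewConstMetric(c.rbacAssessmentInfoDesc, prometheus.GaugeValue, float64(1), labelValues...)
+}
+}
+}
+}
+}
+
 func (c *ResourcesMetricsCollector) collectInfraAssessmentReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
 reports := &v1alpha1.InfraAssessmentReportList{}
 labelValues := make([]string, len(c.infraAssessmentLabels))
@@ -700,6 +796,38 @@ func (c *ResourcesMetricsCollector) collectInfraAssessmentReports(ctx context.Co
 }
 }
 
+func (c *ResourcesMetricsCollector) collectInfraAssessmentInfoReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
+reports := &v1alpha1.RbacAssessmentReportList{}
+labelValues := make([]string, len(c.infraAssessmentInfoLabels))
+for _, n := range targetNamespaces {
+if err := c.List(ctx, reports, client.InNamespace(n)); err != nil {
+c.Logger.Error(err, "failed to list infraAssessment from API", "namespace", n)
+continue
+}
+for _, r := range reports.Items {
+if c.Config.MetricsInfraAssessmentInfo {
+labelValues[0] = r.Namespace
+labelValues[1] = r.Name
+labelValues[2] = r.Labels[trivyoperator.LabelResourceKind]
+labelValues[3] = r.Labels[trivyoperator.LabelResourceName]
+for _, infra := range r.Report.Checks {
+labelValues[4] = infra.ID
+labelValues[5] = infra.Title
+labelValues[6] = infra.Description
+labelValues[7] = infra.Category
+labelValues[8] = strconv.FormatBool(infra.Success)
+labelValues[9] = NewSeverityLabel(infra.Severity).Label
+for i, label := range c.GetReportResourceLabels() {
+labelValues[i+10] = r.Labels[label]
+}
+
+metrics <- prometheus.MustNewConstMetric(c.infraAssessmentInfoDesc, prometheus.GaugeValue, float64(1), labelValues...)
+}
+}
+}
+}
+}
+
 func (c *ResourcesMetricsCollector) collectClusterRbacAssessmentReports(ctx context.Context, metrics chan<- prometheus.Metric) {
 reports := &v1alpha1.ClusterRbacAssessmentReportList{}
 labelValues := make([]string, len(c.rbacAssessmentLabels[1:]))
@@ -767,7 +895,9 @@ func (c ResourcesMetricsCollector) Describe(descs chan<- *prometheus.Desc) {
 descs <- c.exposedSecretDesc
 descs <- c.exposedSecretInfoDesc
 descs <- c.rbacAssessmentDesc
+descs <- c.rbacAssessmentInfoDesc
 descs <- c.infraAssessmentDesc
+descs <- c.infraAssessmentInfoDesc
 descs <- c.clusterRbacAssessmentDesc
 descs <- c.complianceDesc
 }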
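Review bot: `collectInfraAssessmentInfoReports` lists the wrong resource type: its first statement is `reports := &v1alpha1.RbacAssessmentReportList{}`, copied from the RBAC collector above it, so with `OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED` on the `trivy_infraassessments_info` series is populated from RbacAssessmentReport objects and real infra checks are never exported; it should read `reports := &v1alpha1.InfraAssessmentReportList{}` as in `collectInfraAssessmentReports` directly above, and because both report types appear to expose `Report.Checks` this compiles without complaint, so a unit test that asserts the infra collector emits one series per InfraAssessmentReport check would catch it. Both new collectors also re-check `c.Config.MetricsRbacAssessmentInfo` / `c.Config.MetricsInfraAssessmentInfo` inside the per-report loop even though `Collect` already gates the calls, so the inner `if` can be dropped. The help strings `"Number of rbac risky role assessment checks Info"` and `"Number of failing k8s infra assessment checks Info"` describe counts, but each series is a constant gauge of 1 per check whose title, description and category are emitted as label values; phrasing them as per-check info series would also make clear why the README flags these as high-cardinality.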