diff --git a/base-values/commons.yaml b/base-values/commons.yaml
index ce54d8c..8ab47c7 100644
--- a/base-values/commons.yaml
+++ b/base-values/commons.yaml
@@ -24,6 +24,8 @@ commons: grafana_dashboard: "1" prometheus: + alertmanager: + alertmanager: default monitor: labels: prometheus: default
diff --git a/base-values/infra.yaml b/base-values/infra.yaml
index e194967..db392d4 100644
--- a/base-values/infra.yaml
+++ b/base-values/infra.yaml
@@ -25,3 +25,12 @@ components: dashboards: annotations: grafana.mon.local/dashboard-folder: "Logging" + + infra-trivy: + enabled: true + namespace: "monitoring-trivy" + values: + grafana: + dashboards: + annotations: + grafana.mon.local/dashboard-folder: "Security"
diff --git a/infra-trivy/.helmignore b/infra-trivy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/infra-trivy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/infra-trivy/Chart.yaml b/infra-trivy/Chart.yaml
new file mode 100644
index 0000000..633c7ca
--- /dev/null
+++ b/infra-trivy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: infra-trivy
+description: deploy trivy-operator
+
+type: application
+version: 0.1.0
diff --git a/infra-trivy/grafana_dashboards/trivy.json b/infra-trivy/grafana_dashboards/trivy.json
new file mode 100644
index 0000000..911a710
--- /dev/null
+++ b/infra-trivy/grafana_dashboards/trivy.json
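Review bot: The two lines added to commons.yaml put `alertmanager: default` directly under `prometheus.alertmanager`, but the AlertmanagerConfig template introduced later in this commit renders `{{- toYaml .Values.commons.prometheus.alertmanager.labels | nindent 4 }}`, and no `labels` key is defined here (the hunk header accounts for exactly two added lines). With that path unset, Helm's `toYaml` emits `null`, so the rendered object carries no selector label and an Alertmanager whose `alertmanagerConfigSelector` expects `alertmanager: default` would presumably not pick it up. The neighbouring `monitor.labels.prometheus: default` stanza suggests the intended shape is `alertmanager:` / `  labels:` / `    alertmanager: default` (exact indentation is not recoverable from the collapsed diff). Unless an environment-specific values file supplies `alertmanager.labels`, the same point applies to the alertmanager-config.yaml hunk further down.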
@@ -0,0 +1,2249 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 16652, + "graphTooltip": 1, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 43, + "panels": [], + "targets": [ + { + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "refId": "A" + } + ], + "title": "Summary of vulnerabilities", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 1 + }, + "id": 51, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{severity=\"Critical\",exported_namespace=~\"$namespace\"}) by (image_repository,image_tag))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "CRITICAL", + "type": "stat" + 
}, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 1 + }, + "id": 50, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{severity=\"High\",exported_namespace=~\"$namespace\"}) by (image_repository,image_tag))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "HIGH", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 1 + }, + "id": 49, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": 
"sum(max(trivy_image_vulnerabilities{severity=\"Medium\",exported_namespace=~\"$namespace\",}) by (image_repository,image_tag))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "MEDIUM", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 1 + }, + "id": 60, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{severity=\"Low\",exported_namespace=~\"$namespace\"}) by (image_repository,image_tag))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "LOW", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "purple", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 16, + "y": 1 + }, + "id": 52, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": 
"", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{severity=\"Unknown\",exported_namespace=~\"$namespace\"}) by (image_repository,image_tag))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "UNKNOWN", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "text", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 20, + "y": 1 + }, + "id": 39, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\"}) by (image_repository,image_tag,severity))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "TOTAL", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 0, + "y": 5 + }, + "id": 58, + 
"options": { + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{}) by (exported_namespace, image_repository, image_tag)) by (exported_namespace)", + "instant": true, + "interval": "$__interval", + "legendFormat": "{{exported_namespace}}", + "range": false, + "refId": "A" + } + ], + "title": "All vulnerabilities by namespaces", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "High" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Medium" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "yellow", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Low" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Unknown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "purple", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + 
"h": 9, + "w": 8, + "x": 8, + "y": 5 + }, + "id": 71, + "options": { + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\"}) by (severity,image_tag,image_repository)) by (severity)", + "instant": true, + "interval": "$__interval", + "legendFormat": "{{severity}}", + "range": false, + "refId": "A" + } + ], + "title": "All vulnerabilities by severity", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 36, + "gradientMode": "hue", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { 
+ "id": "byName", + "options": "High" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Medium" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "yellow", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Low" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Unknown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "purple", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 16, + "y": 5 + }, + "id": 78, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\"}) by (severity,image_tag,image_repository)) by (severity)", + "instant": false, + "interval": "$__interval", + "legendFormat": "{{severity}}", + "range": true, + "refId": "A" + } + ], + "title": "All vulnerabilities by severity (time)", + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 73, + "panels": [], + "title": "Vulnerabilities by image", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "left", + "cellOptions": { + "mode": "gradient", + "type": "color-background" + }, + "filterable": true, + "inspect": false + }, + "mappings": [], + "max": 2, + "min": 0, + "thresholds": 
{ + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Image" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "json-view" + } + }, + { + "id": "custom.width", + "value": 350 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "image_tag" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "json-view" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-red", + "value": 1 + }, + { + "color": "semi-dark-red", + "value": 2 + }, + { + "color": "red", + "value": 3 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "High" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-orange", + "value": 1 + }, + { + "color": "semi-dark-orange", + "value": 5 + }, + { + "color": "orange", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Medium" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "yellow", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-yellow", + "value": 1 + }, + { + "color": "semi-dark-yellow", + "value": 5 + }, + { + "color": "yellow", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Low" + }, + "properties": 
[ + { + "id": "color", + "value": { + "fixedColor": "blue", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-blue", + "value": 1 + }, + { + "color": "#3274D9", + "value": 5 + }, + { + "color": "blue", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Unknown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "text", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-purple", + "value": 1 + }, + { + "color": "semi-dark-purple", + "value": 5 + }, + { + "color": "purple", + "value": 10 + } + ] + } + } + ] + } + ] + }, + "gridPos": { + "h": 16, + "w": 24, + "x": 0, + "y": 15 + }, + "id": 77, + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "frameIndex": 1, + "showHeader": true, + "sortBy": [ + { + "desc": true, + "displayName": "Critical" + } + ] + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\",severity=\"Critical\"}) by (image_repository,image_tag)", + "format": "table", + "instant": true, + "range": false, + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\",severity=\"High\"}) by (image_repository,image_tag)", + "format": "table", + "hide": false, + "instant": true, + "range": false, + "refId": "B" + }, + { + "datasource": { + "type": "prometheus", + "uid": 
"${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\",severity=\"Medium\"}) by (image_repository,image_tag)", + "format": "table", + "hide": false, + "instant": true, + "range": false, + "refId": "C" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\",severity=\"Low\"}) by (image_repository,image_tag)", + "format": "table", + "hide": false, + "instant": true, + "range": false, + "refId": "D" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "max(trivy_image_vulnerabilities{exported_namespace=~\"$namespace\",severity=\"Unknown\"}) by (image_repository,image_tag)", + "format": "table", + "hide": false, + "instant": true, + "range": false, + "refId": "E" + } + ], + "title": "Vulnerability by Image", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": {} + } + }, + { + "id": "seriesToColumns", + "options": { + "byField": "image_repository" + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "image_repository", + "Value #A", + "Value #B", + "Value #C", + "Value #D", + "Value #E", + "image_tag 1" + ] + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "image_tag": false + }, + "indexByName": {}, + "renameByName": { + "Value #A": "Critical", + "Value #B": "High", + "Value #C": "Medium", + "Value #D": "Low", + "Value #E": "Unknown", + "image_repository": "Image", + "image_tag": "Tag", + "image_tag 1": "Tag" + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "left", 
+ "cellOptions": { + "mode": "gradient", + "type": "color-background" + }, + "filterable": true, + "inspect": false + }, + "mappings": [ + { + "options": { + "Critical": { + "color": "red", + "index": 1 + }, + "High": { + "color": "orange", + "index": 0 + } + }, + "type": "value" + } + ], + "max": 2, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Image" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "json-view" + } + }, + { + "id": "custom.width", + "value": 350 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "image_tag" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "json-view" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-red", + "value": 1 + }, + { + "color": "semi-dark-red", + "value": 2 + }, + { + "color": "red", + "value": 3 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "High" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-orange", + "value": 1 + }, + { + "color": "semi-dark-orange", + "value": 5 + }, + { + "color": "orange", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Medium" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "yellow", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": 
{ + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-yellow", + "value": 1 + }, + { + "color": "semi-dark-yellow", + "value": 5 + }, + { + "color": "yellow", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Low" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "blue", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-blue", + "value": 1 + }, + { + "color": "#3274D9", + "value": 5 + }, + { + "color": "blue", + "value": 10 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Unknown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "text", + "mode": "thresholds" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "transparent", + "value": null + }, + { + "color": "dark-purple", + "value": 1 + }, + { + "color": "semi-dark-purple", + "value": 5 + }, + { + "color": "purple", + "value": 10 + } + ] + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 24, + "x": 0, + "y": 31 + }, + "id": 79, + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "frameIndex": 1, + "showHeader": true, + "sortBy": [ + { + "desc": false, + "displayName": "Severity" + } + ] + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(trivy_vulnerability_id{exported_namespace=~\"$namespace\",severity=~\"Critical|High\"}) by (image_repository,image_tag,vuln_id,severity)", + "format": "table", + "instant": true, + "range": false, + "refId": "A" + } + ], + "title": "CVEs by Image (Critical/High)", + "transformations": [ + 
{ + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "image_repository", + "image_tag", + "vuln_id", + "severity" + ] + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": {}, + "indexByName": { + "image_repository": 0, + "image_tag": 1, + "severity": 2, + "vuln_id": 3 + }, + "renameByName": { + "image_repository": "Image", + "image_tag": "Tag", + "severity": "Severity", + "vuln_id": "CVE" + } + } + } + ], + "type": "table" + }, + { + "collapsed": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 63, + "panels": [], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "refId": "A" + } + ], + "title": "Summary Resource Config Audit", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 46 + }, + "id": 67, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{severity=\"Critical\",exported_namespace=~\"$namespace\"}) by (exported_namespace,name))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "CRITICAL", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + 
"uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "orange", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 46 + }, + "id": 66, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{severity=\"High\",exported_namespace=~\"$namespace\"}) by (exported_namespace,name))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "HIGH", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 8, + "y": 46 + }, + "id": 65, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": 
"sum(max(trivy_resource_configaudits{severity=\"Medium\",exported_namespace=~\"$namespace\"}) by (exported_namespace,name))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "MEDIUM", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 12, + "y": 46 + }, + "id": 64, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{severity=\"Low\",exported_namespace=~\"$namespace\"}) by (exported_namespace,name))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "range": false, + "refId": "A" + } + ], + "title": "LOW", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "text", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 16, + "y": 46 + }, + "id": 68, + "options": { + "colorMode": "background", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], 
+ "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "10.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{exported_namespace=~\"$namespace\"}) by (exported_namespace,name,severity))", + "instant": true, + "interval": "$__interval", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": "TOTAL", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 50 + }, + "id": 69, + "options": { + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{exported_namespace=~\"$namespace\"}) by (exported_namespace,name,severity)) by(exported_namespace)", + "instant": true, + "interval": "$__interval", + "legendFormat": "{{exported_namespace}}", + "range": false, + "refId": "A" + } + ], + "title": "All config audits by namespaces", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + 
"drawStyle": "line", + "fillOpacity": 15, + "gradientMode": "opacity", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 2, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "blue", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 50 + }, + "id": 70, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(max(trivy_resource_configaudits{exported_namespace=~\"$namespace\"}) by (exported_namespace,name,severity)) by (severity)", + "instant": false, + "interval": "$__interval", + "legendFormat": "{{severity}}", + "range": true, + "refId": "A" + } + ], + "title": "All config audits by severity", + "type": "timeseries" + } + ], + "refresh": "5m", + "schemaVersion": 38, + "style": "dark", + "tags": [ + "Prometheus", + "Trivy" + ], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "label": "Datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": true, + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + 
"type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(kube_namespace_labels{}, namespace)", + "hide": 0, + "includeAll": true, + "label": "Namespace", + "multi": true, + "name": "namespace", + "options": [], + "query": { + "query": "label_values(kube_namespace_labels{}, namespace)", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 1, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Trivy Security Scan", + "uid": "kubernetes_security_trivy", + "version": 1, + "weekStart": "" +}
diff --git a/infra-trivy/templates/alertmanager-config.yaml b/infra-trivy/templates/alertmanager-config.yaml
new file mode 100644
index 0000000..413f42b
--- /dev/null
+++ b/infra-trivy/templates/alertmanager-config.yaml
@@ -0,0 +1,39 @@
+{{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1alpha1/AlertmanagerConfig") }}
+---
+apiVersion: "monitoring.coreos.com/v1alpha1"
+kind: "AlertmanagerConfig"
+metadata:
+ name: "trivy-alertmanager-conf"
+ labels:
+ {{- toYaml .Values.commons.prometheus.alertmanager.labels | nindent 4 }}
+spec:
+ inhibitRules:
+ - sourceMatch:
+ - name: "severity"
+ matchType: "="
+ value: "critical"
+ targetMatch:
+ - name: "severity"
+ matchType: "=~"
+ value: "warning|info"
+ equal:
+ - "exported_namespace"
+ - "alertname"
+ - "image_repository"
+ - "image_registry"
+ - "image_tag"
+ - sourceMatch:
+ - name: "severity"
+ matchType: "="
+ value: "warning"
+ targetMatch:
+ - name: "severity"
+ matchType: "="
+ value: "info"
+ equal:
+ - "exported_namespace"
+ - "alertname"
+ - "image_repository"
+ - "image_registry"
+ - "image_tag"
+{{- end }}
diff --git a/infra-trivy/templates/configmap_grafana_dashboards.yaml b/infra-trivy/templates/configmap_grafana_dashboards.yaml
new file mode 100644
index 0000000..9d84965
--- /dev/null
+++ b/infra-trivy/templates/configmap_grafana_dashboards.yaml
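Review bot: Both `equal` lists omit the `name` label, so one critical finding in a namespace silences the warning/info alerts of the same alertname for every other resource in that namespace (labels missing from both alerts count as equal, and the `image_*` labels only exist on image alerts, so for config-audit and RBAC alerts the comparison reduces to namespace plus alertname); if per-resource inhibition is intended, add `- "name"` to both lists. The rules also line up with the alerts only because release.yaml rewrites the metric `namespace` label to the release namespace and keeps the original in `exported_namespace`; a comment above `inhibitRules:` such as `{{/* equal uses exported_namespace: the namespace label is rewritten to the release namespace by the ServiceMonitor relabeling in release.yaml */}}` records that coupling so the two templates do not drift apart.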
@@ -0,0 +1,13 @@
+{{- range $path, $bytes := $.Files.Glob "grafana_dashboards/*.json" }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: infra-trivy-grafana-db-{{ base $path }}
+ labels:
+ {{- toYaml $.Values.commons.grafana.dashboards.labels | nindent 4 }}
+ annotations:
+ {{- toYaml $.Values.grafana.dashboards.annotations | nindent 4 }}
+data:
+ {{- ($.Files.Glob $path ).AsConfig | nindent 2 }}
+{{- end }}
diff --git a/infra-trivy/templates/configmap_init_crd.yaml b/infra-trivy/templates/configmap_init_crd.yaml
new file mode 100644
index 0000000..a550da7
--- /dev/null
+++ b/infra-trivy/templates/configmap_init_crd.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-init
+ namespace: "{{ .Values.init.namespace }}"
+data:
+ {{- if and
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1alpha1/AlertmanagerConfig")
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
+ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
+ }}
+ init: "-1"
+ {{- else }}
+ init: "{{ add1 .Values.init.version }}"
+ {{- end }}
diff --git a/infra-trivy/templates/prometheus-rule.yaml b/infra-trivy/templates/prometheus-rule.yaml
new file mode 100644
index 0000000..7f4f4ae
--- /dev/null
+++ b/infra-trivy/templates/prometheus-rule.yaml
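Review bot: The meaning of the two `init` values in configmap_init_crd.yaml is not recoverable from the template: `"-1"` when all three monitoring CRDs are present, `add1 .Values.init.version` otherwise, written into a ConfigMap in `.Values.init.namespace` rather than the release namespace. A short template comment above `data:` naming what consumes this ConfigMap and what `-1` versus an incremented version triggers (presumably a re-run of a CRD bootstrap, to be confirmed) would spare the next maintainer from reverse-engineering the contract. `name: {{ .Release.Name }}-init` is the one unquoted templated scalar in the file; `name: "{{ .Release.Name }}-init"` matches the quoted `namespace:` line directly below it.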
@@ -0,0 +1,266 @@ +{{- if and + .Values.prometheus.rules.enabled + (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") +}} +{{- $filter := `exported_namespace!="kube-system"` }} +{{- $without := "instance,endpoint,container,pod,service,job,alertmanagerInhibitDisable" }} +--- +apiVersion: "monitoring.coreos.com/v1" +kind: "PrometheusRule" +metadata: + name: "security-alerts" + labels: + {{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }} +spec: + {{- with .Values.prometheus.rules }} + groups: + - name: "Vulnerabilities" + rules: + {{- with .imageVulnerabilities }} + {{- if .enabled }} + - alert: "TrivyImageVulerabilities" + expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities" + description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyImageVulerabilities" + expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "warning" + {{` + annotations: + summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities" + description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyImageVulerabilities" + expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "info" + {{` + annotations: + summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities" + description: "Affected by: {{ $labels.name 
}}, registry {{ $labels.image_registry }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* end-with .imageVulnerabilities */}} + + {{- with .imageExposedSecrets }} + {{- if .enabled }} + - alert: "TrivyImageExposedSecrets" + expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyImageExposedSecrets" + expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "warning" + {{` + annotations: + summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyImageExposedSecrets" + expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "info" + {{` + annotations: + summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* end-witj .imageExposedSecrets */}} + + {{- with .resourceConfigAudits }} + {{- if .enabled }} + - alert: "TrivyResourceConfigAudits" + expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyResourceConfigAudits" + expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="High"}) without ({{ 
$without }}) > 0' + for: "1m" + labels: + severity: "warning" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyResourceConfigAudits" + expr: 'sum(trivy_resource_configaudits{ {{ $filter }}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "info" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* .resourceConfigAudits */}} + + {{- with .roleRBACAssessments }} + {{- if .enabled }} + - alert: "TrivyRoleRBACAssessments" + expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyRoleRBACAssessments" + expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "warning" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyRoleRBACAssessments" + expr: 'sum(trivy_role_rbacassessments{ {{ $filter }}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "info" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* .roleRBACAssessments */}} + + {{- with .clusterRBACAssessments }} + {{- if .enabled }} + - alert: 
"TrivyClusterRBACAssessments" + expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyClusterRBACAssessments" + expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"} > 0' + for: "1m" + labels: + severity: "warning" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyClusterRBACAssessments" + expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }}) without ({{ $without }}) > 0' + for: "1m" + labels: + severity: "info" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* end-with .clusterRBACAssessments */}} + + {{- with .infraAssessments }} + {{- if .enabled }} + - alert: "TrivyInfraAssessments" + {{/* (exported_)namespace is always kube-system */}} + expr: 'sum(trivy_resource_infraassessments{severity="Critical"}) without ({{ $without }}, exported_namespace) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}" + `}} + + {{- if .warning.enabled }} + - alert: "TrivyInfraAssessments" + expr: 'sum(trivy_resource_infraassessments{severity="High"}) without ({{ $without }}, exported_namespace) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}" + `}} + {{- end }} + + {{- if .info.enabled }} + - alert: "TrivyInfraAssessments" + expr: 'sum(trivy_resource_infraassessments) 
without ({{ $without }}, exported_namespace) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}" + `}} + {{- end }} + {{- end }} + {{- end }}{{/* end-with .infraAssessments */}} + + {{- with .clusterCompliance }} + {{- if .enabled }} + - alert: "TrivyClusterCompliance" + {{/* (exported_)namespace is always monitoring-security */}} + expr: 'sum(trivy_cluster_compliance{ {{ $filter }}, status="Fail"}) without ({{ $without }}, exported_namespace) > 0' + for: "1m" + labels: + severity: "critical" + {{` + annotations: + summary: "Compliance for {{ $labels.title }} failed {{ $value }} times" + `}} + {{- end }} + {{- end }}{{/* end-with .clusterCompliance */}} + {{- end }}{{/* end-with .prometheus.rules */}} +{{- end }}{{/* end-if */}} diff --git a/infra-trivy/templates/release.yaml b/infra-trivy/templates/release.yaml new file mode 100644 index 0000000..5131194 --- /dev/null +++ b/infra-trivy/templates/release.yaml 
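Review bot: The warning rule of `TrivyClusterRBACAssessments` has an unbalanced expression, `'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"} > 0'`, which is not valid PromQL; Prometheus rejects a rule file that fails to parse, so with `clusterRBACAssessments.warning.enabled` set every alert in this PrometheusRule is lost, not just that one, and it should read `expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'`. The warning and info rules of `TrivyInfraAssessments` both carry `severity: "critical"`, so they are never inhibited by the rules in alertmanager-config.yaml and page as critical; they should be `severity: "warning"` and `severity: "info"`. Every info rule also drops the severity selector while the rule label overrides `severity`, so a resource with findings at more than one severity yields identical label sets after the override and the evaluation fails with "vector contains metrics with the same labelset after applying alert labels"; selecting the severities the info tier is meant to cover (e.g. `severity=~"Medium|Low"`) in those expressions avoids that. The alert name `TrivyImageVulerabilities` is misspelled (`TrivyImageVulnerabilities`), and the closing comment `end-witj` should be `end-with`.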
@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: trivy-operator
+spec:
+ chart:
+ spec:
+ sourceRef:
+ kind: HelmRepository
+ name: "aqua"
+ chart: "trivy-operator"
+ version: "0.18.4"
+ interval: 10m
+ install:
+ {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+ test:
+ {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
+ upgrade:
+ {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+ interval: 10m
+ postRenderers:
+ - kustomize:
+ patchesJson6902:
+ - target:
+ group: monitoring.coreos.com
+ version: v1
+ kind: ServiceMonitor
+ name: trivy-operator
+ patch:
+ - op: "add"
+ path: "/spec/endpoints/0/metricRelabelings"
+ value:
+ - sourceLabels: [ "namespace" ]
+ targetLabel: "exported_namespace"
+ action: "replace"
+ - sourceLabels: []
+ targetLabel: "namespace"
+ replacement: {{ .Release.Namespace }}
+ action: "replace"
+ - sourceLabels: []
+ targetLabel: "alertmanagerInhibitDisable"
+ replacement: "true"
+ values:
+ trivy:
+ ignoreUnfixed: true
+ additionalVulnerabilityReportFields: "Description,Target,Class"
+
+ operator:
+ metricsVulnIdEnabled: true
+ scanJobsConcurrentLimit: {{ .Values.scans.concurrent }}
+ vulnerabilityScannerReportTTL: {{ .Values.scans.ttl }}
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 192Mi
+ limits:
+ memory: 768Mi
+
+ serviceMonitor:
+ enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
+ labels:
+ {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 8 }}
diff --git a/infra-trivy/templates/repo.yaml b/infra-trivy/templates/repo.yaml
new file mode 100644
index 0000000..c98c096
--- /dev/null
+++ b/infra-trivy/templates/repo.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: aqua
+spec:
+ url: https://aquasecurity.github.io/helm-charts/
+ interval: 10m0s
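Review bot: `ignoreUnfixed: true` under `values.trivy` makes the operator omit every vulnerability that has no fixed version, so those CVEs never reach the reports, the Grafana dashboard or the `TrivyImageVulerabilities` alerts; that is a deliberate noise-versus-coverage trade-off and deserves a comment such as `# ignoreUnfixed drops CVEs without a fixed version from reports, dashboards and alerts; exposure is understated by that amount`. The `alertmanagerInhibitDisable: "true"` label injected by the third relabeling is removed again by `$without` in prometheus-rule.yaml before it reaches any alert, so nothing in this chart shows what consumes it; a one-line comment naming the consumer (or removing the relabeling if there is none) would help. `replacement: {{ .Release.Namespace }}` is the only unquoted templated scalar in the patch; `replacement: "{{ .Release.Namespace }}"` is safer against a namespace name that YAML would type as something other than a string.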
diff --git a/infra-trivy/values.yaml b/infra-trivy/values.yaml
new file mode 100644
index 0000000..2f5e5af
--- /dev/null
+++ b/infra-trivy/values.yaml
@@ -0,0 +1,74 @@
+init:
+ version: 0
+ namespace: "bases"
+
+commons:
+ helm:
+ release:
+ install: {}
+ test: {}
+ upgrade: {}
+
+ prometheus:
+ alertmanager:
+ labels: {}
+ monitor:
+ labels: {}
+ rules:
+ labels: {}
+
+ grafana:
+ dashboards:
+ labels:
+ grafana_dashboard: "1"
+
+grafana:
+ dashboards:
+ annotations: {}
+
+
+scans:
+ concurrent: 2
+ ttl: "168h"
+
+prometheus:
+ rules:
+ enabled: true
+ imageVulnerabilities:
+ enabled: false
+ warning:
+ enabled: false
+ info:
+ enabled: false
+ imageExposedSecrets:
+ enabled: true
+ warning:
+ enabled: false
+ info:
+ enabled: false
+ resourceConfigAudits:
+ enabled: true
+ warning:
+ enabled: false
+ info:
+ enabled: false
+ roleRBACAssessments:
+ enabled: false
+ warning:
+ enabled: false
+ info:
+ enabled: false
+ clusterRBACAssessments:
+ enabled: false
+ warning:
+ enabled: false
+ info:
+ enabled: false
+ infraAssessments:
+ enabled: true
+ warning:
+ enabled: true
+ info:
+ enabled: true
+ clusterCompliance:
+ enabled: false
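Review bot: With these defaults `imageVulnerabilities.enabled`, `roleRBACAssessments.enabled`, `clusterRBACAssessments.enabled` and `clusterCompliance.enabled` are all `false`, so unless an overlay flips them the chart never fires a critical image-vulnerability alert even though the dashboard and the inhibit rules are built around that alert; if that is intentional while the operator settles, a comment on `imageVulnerabilities:` saying so (and what has to be true before it is switched on) would stop it being read as an oversight. The `warning` and `info` sub-keys are only evaluated when the parent `enabled` is true, because prometheus-rule.yaml nests them under `{{- if .enabled }}`, but nothing here says so; `# warning/info are ignored unless the parent 'enabled' is true` at the top of `prometheus.rules` captures that, and would make `infraAssessments` (the only tier with all three on) read as deliberate.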