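{{- if and .Values.prometheus.rules.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
{{- /*
  PrometheusRule carrying the alerts derived from trivy-operator metrics:
  image vulnerabilities, exposed secrets, resource config audits, Role and
  ClusterRole RBAC assessments, infra assessments and cluster compliance.

  Every family follows the same shape: one rule per severity tier, gated by
  the matching switch under .Values.prometheus.rules.<family>
  (.enabled for the critical tier, .warning.enabled, .info.enabled).

  The whole file is skipped when the PrometheusRule CRD is not registered.
  .Capabilities.APIVersions is empty under plain "helm template", so pass
  --api-versions to render this file offline.
*/}}
{{- /*
  trivy-operator publishes the scanned object's namespace as
  exported_namespace. kube-system findings are left out of the
  namespace-scoped rules; the infra assessment rules below cover that
  namespace separately (presumably the intended split — confirm).
*/}}
{{- $filter := `exported_namespace!="kube-system"` }}
{{- /*
  Scrape-target labels dropped before aggregation, so one alert is raised per
  finding rather than one per scraper/endpoint. Note that severity is kept,
  so each remaining severity still yields its own series.
*/}}
{{- $without := "instance,endpoint,container,pod,service,job,alertmanagerInhibitDisable" }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: "PrometheusRule"
metadata:
  name: "security-alerts"
  labels:
    {{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }}
spec:
  {{- with .Values.prometheus.rules }}
  groups:
    - name: "Vulnerabilities"
      rules:
        {{- /*
          The alertname below keeps its historical spelling ("Vulerabilities").
          Renaming it changes the alertname label and would break existing
          Alertmanager routes and silences, so it is left as-is on purpose.
        */}}
        {{- with .imageVulnerabilities }}
        {{- if .enabled }}
        - alert: "TrivyImageVulerabilities"
          expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
            description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
          `}}
        {{- if .warning.enabled }}
        - alert: "TrivyImageVulerabilities"
          expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
            description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        {{- /*
          No severity matcher: the info tier fires once per severity present,
          including Critical/High findings already covered above. Overlap is
          presumably handled on the Alertmanager side (inhibition) — confirm.
        */}}
        - alert: "TrivyImageVulerabilities"
          expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }} }) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
            description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .imageVulnerabilities */}}

        {{- with .imageExposedSecrets }}
        {{- if .enabled }}
        - alert: "TrivyImageExposedSecrets"
          expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- if .warning.enabled }}
        - alert: "TrivyImageExposedSecrets"
          expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        - alert: "TrivyImageExposedSecrets"
          expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }} }) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .imageExposedSecrets */}}

        {{- with .resourceConfigAudits }}
        {{- if .enabled }}
        - alert: "TrivyResourceConfigAudits"
          expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- if .warning.enabled }}
        - alert: "TrivyResourceConfigAudits"
          expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        - alert: "TrivyResourceConfigAudits"
          expr: 'sum(trivy_resource_configaudits{ {{ $filter }} }) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .resourceConfigAudits */}}

        {{- with .roleRBACAssessments }}
        {{- if .enabled }}
        - alert: "TrivyRoleRBACAssessments"
          expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- if .warning.enabled }}
        - alert: "TrivyRoleRBACAssessments"
          expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        - alert: "TrivyRoleRBACAssessments"
          expr: 'sum(trivy_role_rbacassessments{ {{ $filter }} }) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .roleRBACAssessments */}}

        {{- with .clusterRBACAssessments }}
        {{- if .enabled }}
        - alert: "TrivyClusterRBACAssessments"
          expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
          `}}
        {{- if .warning.enabled }}
        {{- /*
          Keep this expression in the same shape as the other tiers. An
          unbalanced parenthesis here is a PromQL parse error, and Prometheus
          rejects the whole rule group (all alerts in this file) in that case,
          not just this rule.
        */}}
        - alert: "TrivyClusterRBACAssessments"
          expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        - alert: "TrivyClusterRBACAssessments"
          expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }} }) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .clusterRBACAssessments */}}

        {{- with .infraAssessments }}
        {{- if .enabled }}
        {{- /*
          (exported_)namespace is always kube-system for infra assessments, so
          $filter would match nothing here; exported_namespace is dropped from
          the grouping instead. The severity label of each tier must match the
          tier (critical / warning / info) — routing and paging key off it.
        */}}
        - alert: "TrivyInfraAssessments"
          expr: 'sum(trivy_resource_infraassessments{severity="Critical"}) without ({{ $without }}, exported_namespace) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
          `}}
        {{- if .warning.enabled }}
        - alert: "TrivyInfraAssessments"
          expr: 'sum(trivy_resource_infraassessments{severity="High"}) without ({{ $without }}, exported_namespace) > 0'
          for: "1m"
          labels:
            severity: "warning"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
          `}}
        {{- end }}
        {{- if .info.enabled }}
        - alert: "TrivyInfraAssessments"
          expr: 'sum(trivy_resource_infraassessments) without ({{ $without }}, exported_namespace) > 0'
          for: "1m"
          labels:
            severity: "info"
          {{`
          annotations:
            summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
          `}}
        {{- end }}
        {{- end }}
        {{- end }}{{/* end-with .infraAssessments */}}

        {{- with .clusterCompliance }}
        {{- if .enabled }}
        {{- /* (exported_)namespace is always monitoring-security; only failed checks are counted. */}}
        - alert: "TrivyClusterCompliance"
          expr: 'sum(trivy_cluster_compliance{ {{ $filter }}, status="Fail"}) without ({{ $without }}, exported_namespace) > 0'
          for: "1m"
          labels:
            severity: "critical"
          {{`
          annotations:
            summary: "Compliance for {{ $labels.title }} failed {{ $value }} times"
          `}}
        {{- end }}
        {{- end }}{{/* end-with .clusterCompliance */}}
  {{- end }}{{/* end-with .Values.prometheus.rules */}}
{{- end }}{{/* end-if PrometheusRule CRD present and rules enabled */}}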