flux-charts/infra-trivy/templates/prometheus-rule.yaml

{{- /*
PrometheusRule carrying this chart's Trivy operator alerts.
Rendered only when prometheus.rules.enabled is set and the cluster serves the
monitoring.coreos.com/v1 PrometheusRule CRD. All rules sit in the single
"Vulnerabilities" group, so one expr that fails to parse takes every Trivy
alert down with it.
*/}}
{{- if and
      .Values.prometheus.rules.enabled
      (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
}}
{{- /* Matcher appended to the selectors below: findings reported for the
       kube-system namespace are left out of the namespaced rules. */}}
{{- $filter := `exported_namespace!="kube-system"` }}
{{- /* Labels dropped by sum(...) without (...) in every rule, so that series
       differing only in these scrape/target labels collapse into one alert. */}}
{{- $without := "instance,endpoint,container,pod,service,job,alertmanagerInhibitDisable" }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: "PrometheusRule"
metadata:
  name: "security-alerts"
  labels:
    {{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }}
spec:
  {{- with .Values.prometheus.rules }}
  groups:
    - name: "Vulnerabilities"
      rules:
{{- with .imageVulnerabilities }}
{{- if .enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry {{ $labels.image_registry }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .imageVulnerabilities */}}
{{- with .imageExposedSecrets }}
{{- if .enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-witj .imageExposedSecrets */}}
{{- with .resourceConfigAudits }}
{{- if .enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* .resourceConfigAudits */}}
{{- with .roleRBACAssessments }}
{{- if .enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* .roleRBACAssessments */}}
{{- with .clusterRBACAssessments }}
{{- if .enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"} > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .clusterRBACAssessments */}}
{{- with .infraAssessments }}
{{- if .enabled }}
- alert: "TrivyInfraAssessments"
{{/* (exported_)namespace is always kube-system */}}
expr: 'sum(trivy_resource_infraassessments{severity="Critical"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyInfraAssessments"
expr: 'sum(trivy_resource_infraassessments{severity="High"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyInfraAssessments"
expr: 'sum(trivy_resource_infraassessments) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .infraAssessments */}}
{{- with .clusterCompliance }}
{{- if .enabled }}
- alert: "TrivyClusterCompliance"
{{/* (exported_)namespace is always monitoring-security */}}
expr: 'sum(trivy_cluster_compliance{ {{ $filter }}, status="Fail"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Compliance for {{ $labels.title }} failed {{ $value }} times"
`}}
{{- end }}
{{- end }}{{/* end-with .clusterCompliance */}}
{{- end }}{{/* end-with .prometheus.rules */}}
{{- end }}{{/* end-if */}}