Add detail rbacassessment,infraassessment info prometheus Metrics (#1331

) * Added rbacassessment_info and infraassessments_info metrics * Added rbacassessment_info and infraassessments_info metrics * Added rbacassessment_info and infraassessments_info metrics * Added rbacassessment_info and infraassessments_info metrics * Added rbacassessment_info and infraassessments_info metrics
aquasecurity · Jun 28, 2023 · d3a1de1 · d3a1de1
1 parent 24fc44c
commit d3a1de1
Show file tree

Hide file tree

Showing 8 changed files with 299 additions and 18 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -48,6 +48,8 @@ Keeps security report resources updated
 | operator.metricsConfigAuditInfo | bool | `false` | MetricsConfigAuditInfo the flag to enable metrics about configuration audits be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsExposedSecretInfo | bool | `false` | MetricsExposedSecretInfo the flag to enable metrics about exposed secrets be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsFindingsEnabled | bool | `true` | metricsFindingsEnabled the flag to enable metrics for findings |
+| operator.metricsInfraAssessmentInfo | bool | `false` | MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment be aware of metrics cardinality is significantly increased with this feature enabled. |
+| operator.metricsRbacAssessmentInfo | bool | `false` | MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.metricsVulnIdEnabled | bool | `false` | metricsVulnIdEnabled the flag to enable metrics about cve vulns id be aware of metrics cardinality is significantly increased with this feature enabled. |
 | operator.namespace | string | `""` | namespace to install the operator, defaults to the .Release.Namespace |
 | operator.podLabels | object | `{}` | additional labels for the operator pod |

diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
@@ -87,6 +87,10 @@ spec:
               value: {{ .Values.operator.metricsExposedSecretInfo | quote }}
             - name: OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED
               value: {{ .Values.operator.metricsConfigAuditInfo | quote }}
+            - name: OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED
+              value: {{ .Values.operator.metricsRbacAssessmentInfo | quote }}
+            - name: OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED
+              value: {{ .Values.operator.metricsInfraAssessmentInfo | quote }}   
             - name: OPERATOR_WEBHOOK_BROADCAST_URL
               value: {{ .Values.operator.webhookBroadcastURL | quote }}
             - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -103,6 +103,14 @@ operator:
   # be aware of metrics cardinality is significantly increased with this feature enabled.
   metricsConfigAuditInfo: false
 
+  # -- MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment
+  # be aware of metrics cardinality is significantly increased with this feature enabled.
+  metricsRbacAssessmentInfo: false
+
+    # -- MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment
+  # be aware of metrics cardinality is significantly increased with this feature enabled.
+  metricsInfraAssessmentInfo: false
+
   # -- webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
   webhookBroadcastURL: ""
 

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -1932,6 +1932,10 @@ spec:
               value: "false"
             - name: OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED
               value: "false"
+            - name: OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED
+              value: "false"
+            - name: OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED
+              value: "false"   
             - name: OPERATOR_WEBHOOK_BROADCAST_URL
               value: ""
             - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT

diff --git a/docs/tutorials/integrations/metrics.md b/docs/tutorials/integrations/metrics.md
@@ -24,6 +24,15 @@ trivy_resource_configaudits{
     } 2
 ```
 
+### ConfigAuditInfo
+
+Exposes details about ConfigAudit that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED" envDefault:"false"` . For example:
+
+```shell
+trivy_configaudits_info{
+    config_audit_category="car1 category for config audit",config_audit_description="car1 description for config audit",config_audit_id="car1 Id",config_audit_success="false",config_audit_title="car1 config audit title",name="replicaset-nginx-6d4cf56db6",namespace="default",resource_kind="ReplicaSet",resource_name="nginx-6d4cf56db6",severity="Critical"} 1
+```
+
 ### RbacAssessments
 
 A report summary series exposes the count of checks of each status reported in a given `RbacAssessmentsReport`. For example:
@@ -34,6 +43,15 @@ trivy_role_rbacassessments{
     } 1
 ```
 
+### RbacAssessmentsInfo
+
+Exposes details about RbacAssessments that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED" envDefault:"false"` . For example:
+
+```shell
+trivy_rbacassessments_info{
+    name="role-admin-6d4cf56db6",namespace="default",rbac_assessment_category="car1 category for rbac assessment",rbac_assessment_description="car1 description for rbac assessment",rbac_assessment_id="car1 Id",rbac_assessment_success="true",rbac_assessment_title="car1 rbac assessment title",resource_kind="Role",resource_name="admin-6d4cf56db6",severity="Critical"} 1
+```
+
 ### ExposedsSecrets
 
 A report summary series exposes the count of checks of each status reported in a given `ExposedsSecretsReport`. For example:
@@ -64,6 +82,13 @@ trivy_resource_infraassessments{
     } 3
 ```
 
+### InfraAssessmentsInfo
+Exposes details about InfraAssessments that were discovered in images, enable by setting the EnvVar: `OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED" envDefault:"false"` . For example:
+```shell
+trivy_infraassessments_info{
+    name="pod-kube-apiserver-minikube-6d4cf56db6",namespace="kube-system",infra_assessment_category="car1 category for infra assessment",infra_assessment_description="car1 description for infra assessment",infra_assessment_id="car1 Id",infra_assessment_success="true",infra_assessment_title="car1 infra assessment title",resource_kind="Pod",resource_name="kube-apiserver-minikube-6d4cf56db6",severity="Critical"
+    } 1
+```
 ### ClusterComplianceReport
 
 A report summary series exposes the count of checks of each status reported in a given `ClusterComplianceReport`. For example:

diff --git a/pkg/metrics/collector.go b/pkg/metrics/collector.go
@@ -53,6 +53,18 @@ const (
 	config_audit_description = "config_audit_description"
 	config_audit_category    = "config_audit_category"
 	config_audit_success     = "config_audit_success"
+	//rbac assessment
+	rbac_assessment_id          = "rbac_assessment_id"
+	rbac_assessment_title       = "rbac_assessment_title"
+	rbac_assessment_description = "rbac_assessment_description"
+	rbac_assessment_category    = "rbac_assessment_category"
+	rbac_assessment_success     = "rbac_assessment_success"
+	//infra assessment
+	infra_assessment_id          = "infra_assessment_id"
+	infra_assessment_title       = "infra_assessment_title"
+	infra_assessment_description = "infra_assessment_description"
+	infra_assessment_category    = "infra_assessment_category"
+	infra_assessment_success     = "infra_assessment_success"
 )
 
 type metricDescriptors struct {
@@ -65,15 +77,17 @@ type metricDescriptors struct {
 	complianceStatuses        map[string]func(vs v1alpha1.ComplianceSummary) int
 
 	// Labels
-	imageVulnLabels         []string
-	vulnIdLabels            []string
-	exposedSecretLabels     []string
-	exposedSecretInfoLabels []string
-	configAuditLabels       []string
-	configAuditInfoLabels   []string
-	rbacAssessmentLabels    []string
-	infraAssessmentLabels   []string
-	complianceLabels        []string
+	imageVulnLabels           []string
+	vulnIdLabels              []string
+	exposedSecretLabels       []string
+	exposedSecretInfoLabels   []string
+	configAuditLabels         []string
+	configAuditInfoLabels     []string
+	rbacAssessmentLabels      []string
+	rbacAssessmentInfoLabels  []string
+	infraAssessmentLabels     []string
+	infraAssessmentInfoLabels []string
+	complianceLabels          []string
 
 	// Descriptors
 	imageVulnDesc             *prometheus.Desc
@@ -83,8 +97,10 @@ type metricDescriptors struct {
 	exposedSecretDesc         *prometheus.Desc
 	exposedSecretInfoDesc     *prometheus.Desc
 	rbacAssessmentDesc        *prometheus.Desc
+	rbacAssessmentInfoDesc    *prometheus.Desc
 	clusterRbacAssessmentDesc *prometheus.Desc
 	infraAssessmentDesc       *prometheus.Desc
+	infraAssessmentInfoDesc   *prometheus.Desc
 	complianceDesc            *prometheus.Desc
 }
 
@@ -304,6 +320,19 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		severity,
 	}
 	rbacAssessmentLabels = append(rbacAssessmentLabels, dynamicLabels...)
+	rbacAssessmentInfoLabels := []string{
+		namespace,
+		name,
+		resource_kind,
+		resource_name,
+		rbac_assessment_id,
+		rbac_assessment_title,
+		rbac_assessment_description,
+		rbac_assessment_category,
+		rbac_assessment_success,
+		severity,
+	}
+	rbacAssessmentInfoLabels = append(rbacAssessmentInfoLabels, dynamicLabels...)
 	infraAssessmentLabels := []string{
 		namespace,
 		name,
@@ -312,6 +341,19 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		severity,
 	}
 	infraAssessmentLabels = append(infraAssessmentLabels, dynamicLabels...)
+	infraAssessmentInfoLabels := []string{
+		namespace,
+		name,
+		resource_kind,
+		resource_name,
+		infra_assessment_id,
+		infra_assessment_title,
+		infra_assessment_description,
+		infra_assessment_category,
+		infra_assessment_success,
+		severity,
+	}
+	infraAssessmentInfoLabels = append(infraAssessmentInfoLabels, dynamicLabels...)
 
 	clusterComplianceLabels := []string{
 		title,
@@ -361,6 +403,12 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		rbacAssessmentLabels,
 		nil,
 	)
+	rbacAssessmentInfoDesc := prometheus.NewDesc(
+		prometheus.BuildFQName("trivy", "rbacassessments", "info"),
+		"Number of rbac risky role assessment checks Info",
+		rbacAssessmentInfoLabels,
+		nil,
+	)
 	clusterRbacAssessmentDesc := prometheus.NewDesc(
 		prometheus.BuildFQName("trivy", "clusterrole", "clusterrbacassessments"),
 		"Number of rbac risky cluster role assessment checks",
@@ -373,6 +421,12 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		infraAssessmentLabels,
 		nil,
 	)
+	infraAssessmentInfoDesc := prometheus.NewDesc(
+		prometheus.BuildFQName("trivy", "infraassessments", "info"),
+		"Number of failing k8s infra assessment checks Info",
+		infraAssessmentInfoLabels,
+		nil,
+	)
 	complianceDesc := prometheus.NewDesc(
 		prometheus.BuildFQName("trivy", "cluster", "compliance"),
 		"cluster compliance report",
@@ -387,15 +441,17 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		infraAssessmentSeverities: infraAssessmentSeverities,
 		complianceStatuses:        complainceStatuses,
 
-		imageVulnLabels:         imageVulnLabels,
-		vulnIdLabels:            vulnIdLabels,
-		exposedSecretLabels:     exposedSecretLabels,
-		exposedSecretInfoLabels: exposedSecretInfoLabels,
-		configAuditLabels:       configAuditLabels,
-		configAuditInfoLabels:   configAuditInfoLabels,
-		rbacAssessmentLabels:    rbacAssessmentLabels,
-		infraAssessmentLabels:   infraAssessmentLabels,
-		complianceLabels:        clusterComplianceLabels,
+		imageVulnLabels:           imageVulnLabels,
+		vulnIdLabels:              vulnIdLabels,
+		exposedSecretLabels:       exposedSecretLabels,
+		exposedSecretInfoLabels:   exposedSecretInfoLabels,
+		configAuditLabels:         configAuditLabels,
+		configAuditInfoLabels:     configAuditInfoLabels,
+		rbacAssessmentLabels:      rbacAssessmentLabels,
+		rbacAssessmentInfoLabels:  rbacAssessmentInfoLabels,
+		infraAssessmentLabels:     infraAssessmentLabels,
+		infraAssessmentInfoLabels: infraAssessmentInfoLabels,
+		complianceLabels:          clusterComplianceLabels,
 
 		imageVulnDesc:             imageVulnDesc,
 		vulnIdDesc:                vulnIdDesc,
@@ -404,8 +460,10 @@ func buildMetricDescriptors(config trivyoperator.ConfigData) metricDescriptors {
 		exposedSecretDesc:         exposedSecretDesc,
 		exposedSecretInfoDesc:     exposedSecretInfoDesc,
 		rbacAssessmentDesc:        rbacAssessmentDesc,
+		rbacAssessmentInfoDesc:    rbacAssessmentInfoDesc,
 		clusterRbacAssessmentDesc: clusterRbacAssessmentDesc,
 		infraAssessmentDesc:       infraAssessmentDesc,
+		infraAssessmentInfoDesc:   infraAssessmentInfoDesc,
 		complianceDesc:            complianceDesc,
 	}
 }
@@ -443,7 +501,13 @@ func (c ResourcesMetricsCollector) Collect(metrics chan<- prometheus.Metric) {
 		c.collectConfigAuditInfoReports(ctx, metrics, targetNamespaces)
 	}
 	c.collectRbacAssessmentReports(ctx, metrics, targetNamespaces)
+	if c.Config.MetricsRbacAssessmentInfo {
+		c.collectRbacAssessmentInfoReports(ctx, metrics, targetNamespaces)
+	}
 	c.collectInfraAssessmentReports(ctx, metrics, targetNamespaces)
+	if c.Config.MetricsInfraAssessmentInfo {
+		c.collectInfraAssessmentInfoReports(ctx, metrics, targetNamespaces)
+	}
 	c.collectClusterRbacAssessmentReports(ctx, metrics)
 	c.collectClusterComplianceReports(ctx, metrics)
 }
@@ -679,6 +743,38 @@ func (c *ResourcesMetricsCollector) collectRbacAssessmentReports(ctx context.Con
 	}
 }
 
+func (c *ResourcesMetricsCollector) collectRbacAssessmentInfoReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
+	reports := &v1alpha1.RbacAssessmentReportList{}
+	labelValues := make([]string, len(c.rbacAssessmentInfoLabels))
+	for _, n := range targetNamespaces {
+		if err := c.List(ctx, reports, client.InNamespace(n)); err != nil {
+			c.Logger.Error(err, "failed to list rbacAssessment from API", "namespace", n)
+			continue
+		}
+		for _, r := range reports.Items {
+			if c.Config.MetricsRbacAssessmentInfo {
+				labelValues[0] = r.Namespace
+				labelValues[1] = r.Name
+				labelValues[2] = r.Labels[trivyoperator.LabelResourceKind]
+				labelValues[3] = r.Labels[trivyoperator.LabelResourceName]
+				for _, rbac := range r.Report.Checks {
+					labelValues[4] = rbac.ID
+					labelValues[5] = rbac.Title
+					labelValues[6] = rbac.Description
+					labelValues[7] = rbac.Category
+					labelValues[8] = strconv.FormatBool(rbac.Success)
+					labelValues[9] = NewSeverityLabel(rbac.Severity).Label
+					for i, label := range c.GetReportResourceLabels() {
+						labelValues[i+10] = r.Labels[label]
+					}
+
+					metrics <- prometheus.MustNewConstMetric(c.rbacAssessmentInfoDesc, prometheus.GaugeValue, float64(1), labelValues...)
+				}
+			}
+		}
+	}
+}
+
 func (c *ResourcesMetricsCollector) collectInfraAssessmentReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
 	reports := &v1alpha1.InfraAssessmentReportList{}
 	labelValues := make([]string, len(c.infraAssessmentLabels))
@@ -700,6 +796,38 @@ func (c *ResourcesMetricsCollector) collectInfraAssessmentReports(ctx context.Co
 	}
 }
 
+func (c *ResourcesMetricsCollector) collectInfraAssessmentInfoReports(ctx context.Context, metrics chan<- prometheus.Metric, targetNamespaces []string) {
+	reports := &v1alpha1.RbacAssessmentReportList{}
+	labelValues := make([]string, len(c.infraAssessmentInfoLabels))
+	for _, n := range targetNamespaces {
+		if err := c.List(ctx, reports, client.InNamespace(n)); err != nil {
+			c.Logger.Error(err, "failed to list infraAssessment from API", "namespace", n)
+			continue
+		}
+		for _, r := range reports.Items {
+			if c.Config.MetricsInfraAssessmentInfo {
+				labelValues[0] = r.Namespace
+				labelValues[1] = r.Name
+				labelValues[2] = r.Labels[trivyoperator.LabelResourceKind]
+				labelValues[3] = r.Labels[trivyoperator.LabelResourceName]
+				for _, infra := range r.Report.Checks {
+					labelValues[4] = infra.ID
+					labelValues[5] = infra.Title
+					labelValues[6] = infra.Description
+					labelValues[7] = infra.Category
+					labelValues[8] = strconv.FormatBool(infra.Success)
+					labelValues[9] = NewSeverityLabel(infra.Severity).Label
+					for i, label := range c.GetReportResourceLabels() {
+						labelValues[i+10] = r.Labels[label]
+					}
+
+					metrics <- prometheus.MustNewConstMetric(c.infraAssessmentInfoDesc, prometheus.GaugeValue, float64(1), labelValues...)
+				}
+			}
+		}
+	}
+}
+
 func (c *ResourcesMetricsCollector) collectClusterRbacAssessmentReports(ctx context.Context, metrics chan<- prometheus.Metric) {
 	reports := &v1alpha1.ClusterRbacAssessmentReportList{}
 	labelValues := make([]string, len(c.rbacAssessmentLabels[1:]))
@@ -767,7 +895,9 @@ func (c ResourcesMetricsCollector) Describe(descs chan<- *prometheus.Desc) {
 	descs <- c.exposedSecretDesc
 	descs <- c.exposedSecretInfoDesc
 	descs <- c.rbacAssessmentDesc
+	descs <- c.rbacAssessmentInfoDesc
 	descs <- c.infraAssessmentDesc
+	descs <- c.infraAssessmentInfoDesc
 	descs <- c.clusterRbacAssessmentDesc
 	descs <- c.complianceDesc
 }