Azure · vishiy · Oct 6, 2023 · Sep 27, 2023 · Oct 6, 2023 · Oct 6, 2023
@@ -235,7 +235,7 @@ jobs:
     - task: GoTool@0
       displayName: "Build: specify golang version"
       inputs:
-        version: '1.19'
+        version: '1.20'
 
     - bash: |
         sudo apt-get install build-essential -y
@@ -336,18 +336,28 @@ jobs:
         oras attach $(LINUX_FULL_IMAGE_NAME) \
           --artifact-type 'application/vnd.cncf.notary.signature' \
           ./payload.json:application/cose \
-          -a "io.cncf.notary.x509chain.thumbprint#S256=[\"659AAA9C0E822B4B20A964AA0178BD9419A50530\"]"
+          -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
       workingDirectory: $(Build.ArtifactStagingDirectory)/linux/
       displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linux/"
       condition: eq(variables.IS_MAIN_BRANCH, true)
 
     - bash: |
         curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
         trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(LINUX_FULL_IMAGE_NAME)
+        if [ $? -ne 0 ]; then
+          exit 1
+        fi
         trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(KUBE_STATE_METRICS_IMAGE)
+        if [ $? -ne 0 ]; then
+          exit 1
+        fi
         trivy image --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --exit-code 1 $(NODE_EXPORTER_IMAGE)
+        if [ $? -ne 0 ]; then
+          exit 1
+        fi
       workingDirectory: $(Build.SourcesDirectory)
       displayName: "Build: run trivy scan"
+      condition: eq(variables.IS_PR, false)
 
     - task: CodeQL3000Finalize@0
       displayName: 'SDL: run codeql'
@@ -423,7 +433,7 @@ jobs:
     - task: GoTool@0
       displayName: "Build: specify golang version"
       inputs:
-        version: '1.19'
+        version: '1.20'
 
     - powershell: |
         ./makefile_windows.ps1
@@ -461,7 +471,7 @@ jobs:
     - task: GoTool@0
       displayName: "Build: specify golang version"
       inputs:
-        version: '1.19'
+        version: '1.20'
 
     - powershell: |
         ./makefile_windows.ps1
@@ -504,7 +514,7 @@ jobs:
     - task: GoTool@0
       displayName: "Build: specify golang version"
       inputs:
-        version: '1.19'
+        version: '1.20'
 
     - powershell: |
         New-Item -Path "$(Build.ArtifactStagingDirectory)" -Name "windows" -ItemType "directory"
@@ -570,7 +580,7 @@ jobs:
         New-Item -ItemType Directory -Force -Path $env:USERPROFILE\bin
         Copy-Item -Path $currentDirectory\oras.exe -Destination "$env:USERPROFILE\bin\"
         $env:PATH = "$env:USERPROFILE\bin;$env:PATH"
-        oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""659AAA9C0E822B4B20A964AA0178BD9419A50530\""]
+        oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\""]
       workingDirectory: $(Build.ArtifactStagingDirectory)/windows
       displayName: "Download, install Oras and run oras attach"
       condition: eq(variables.IS_MAIN_BRANCH, true)
@@ -600,7 +610,7 @@ jobs:
   - task: HelmInstaller@1
     displayName: 'Build: install Helm version'
     inputs:
-      helmVersionToInstall: latest
+      helmVersionToInstall: 3.12.3
 
   - bash: |
       envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/chart/prometheus-collector/Chart-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/chart/prometheus-collector/Chart.yaml && envsubst < $(Build.SourcesDirectory)/otelcollector/deploy/chart/prometheus-collector/values-template.yaml > $(Build.SourcesDirectory)/otelcollector/deploy/chart/prometheus-collector/values.yaml
@@ -643,7 +653,7 @@ jobs:
   - task: HelmInstaller@1
     displayName: 'Build: install Helm version'
     inputs:
-      helmVersionToInstall: latest
+      helmVersionToInstall: 3.12.3
 
   - bash: |
       export HELM_CHART_NAME=$ARC_HELM_CHART_NAME

@@ -1,29 +1,23 @@
 # Check for HIGH/CRITICAL & MEDIUM CVEs. HIGH/CRITICAL to be fixed asap, MEDIUM is best effort
 # ignore these CVEs, but continue scanning to catch other vulns. Note : this will ignore these cves globally
 
-# CRITICAL/HIGH
-# Ruby GEM
-CVE-2021-33621
-# node-exporter
-CVE-2021-38561
-CVE-2021-44716
-CVE-2022-21698
-CVE-2022-27191
-# opt/telegraf/telegraf
-CVE-2022-23471
-CVE-2023-25153
-CVE-2023-25173
+# CRITICAL
+# none
 
-# MEDIUM
-# opt/telegraf/telegraf
-CVE-2019-3826
-# kube-state-metrics
-CVE-2022-41723
-# opt/microsoft/otelcollector/otelcollector
-# opt/promconfigvalidator
-# opt/telegraf/telegraf
-# kube-state-metrics
-# bin/node_exporter
-CVE-2022-41717
-CVE-2022-46146
-CVE-2022-41721
+# =========== HIGH ================
+# HIGH - otelcollector
+CVE-2023-2253
+CVE-2023-28840
+# HIGH - promconfigvalidator
+CVE-2023-2253
+CVE-2023-28840
+
+# =========== MEDIUM ================
+# MEDIUM - otelcollector
+CVE-2023-28841
+CVE-2023-28842
+CVE-2023-40577
+# MEDIUM - promconfigvalidator
+CVE-2023-28841
+CVE-2023-28842
+CVE-2023-40577
@@ -221,7 +221,8 @@
       "properties": {
         "description": "[concat(variables('nodeRecordingRuleGroupDescription'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "clusterName": "[variables('clusterName')]",
         "interval": "PT1M",
@@ -281,7 +282,8 @@
       "properties": {
         "description": "[concat(variables('kubernetesRecordingRuleGroupDescription'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "clusterName": "[variables('clusterName')]",
         "interval": "PT1M",
@@ -385,7 +387,8 @@
       "properties": {
         "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "enabled": "[parameters('enableWindowsRecordingRules')]",
         "clusterName": "[variables('clusterName')]",
@@ -462,7 +465,8 @@
       "properties": {
         "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "enabled": "[parameters('enableWindowsRecordingRules')]",
         "clusterName": "[variables('clusterName')]",

@@ -56,7 +56,8 @@
       "properties": {
         "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "enabled": true,
         "clusterName": "[variables('clusterName')]",
@@ -133,7 +134,8 @@
       "properties": {
         "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
         "scopes": [
-          "[parameters('azureMonitorWorkspaceResourceId')]"
+          "[parameters('azureMonitorWorkspaceResourceId')]",
+          "[parameters('clusterResourceId')]"
         ],
         "enabled": true,
         "clusterName": "[variables('clusterName')]",
@@ -211,4 +213,4 @@
       }
     }
   ]
-}
+}
@@ -16,9 +16,7 @@ resource recommendedAlerts 'Microsoft.AlertsManagement/prometheusRuleGroups@2023
   location: location
   properties: {
     description: 'Kubernetes Alert RuleGroup-RecommendedCIAlerts - 0.1'
-    scopes: [
-      monitorWorkspace.id
-    ]
+    scopes: [monitorWorkspace.id,aksResourceId]
     clusterName: split(aksResourceId, '/')[8]
     enabled: true
     interval: 'PT5M'
@@ -241,9 +239,7 @@ resource communityALerts 'Microsoft.AlertsManagement/prometheusRuleGroups@2023-0
   location: location
   properties: {
     description: 'Kubernetes Alert RuleGroup-communityCIAlerts - 0.1'
-    scopes: [
-      monitorWorkspace.id
-    ]
+    scopes: [monitorWorkspace.id,aksResourceId]
     clusterName: split(aksResourceId, '/')[8]
     enabled: true
     interval: 'PT1M'

@@ -141,9 +141,7 @@ resource nodeRecordingRuleGroup 'Microsoft.AlertsManagement/prometheusRuleGroups
   location: azureMonitorWorkspaceLocation
   properties: {
     description: '${nodeRecordingRuleGroupDescription}${version}'
-    scopes: [
-      azureMonitorWorkspaceResourceId
-    ]
+    scopes: [azureMonitorWorkspaceResourceId,clusterResourceId]
     enabled: true
     clusterName: clusterName
     interval: 'PT1M'
@@ -201,9 +199,7 @@ resource kubernetesRecordingRuleGroup 'Microsoft.AlertsManagement/prometheusRule
   location: azureMonitorWorkspaceLocation
   properties: {
     description: '${kubernetesRecordingRuleGroupDescription}${version}'
-    scopes: [
-      azureMonitorWorkspaceResourceId
-    ]
+    scopes: [azureMonitorWorkspaceResourceId,clusterResourceId]
     enabled: true
     clusterName: clusterName
     interval: 'PT1M'
@@ -305,9 +301,7 @@ resource nodeRecordingRuleGroupNameWin 'Microsoft.AlertsManagement/prometheusRul
   location: azureMonitorWorkspaceLocation
   properties: {
     description: '${RecordingRuleGroupDescriptionWin}${version}'
-    scopes: [
-      azureMonitorWorkspaceResourceId
-    ]
+    scopes: [azureMonitorWorkspaceResourceId,clusterResourceId]
     enabled: enableWindowsRecordingRules
     clusterName: clusterName
     interval: 'PT1M'
@@ -381,9 +375,7 @@ resource nodeAndKubernetesRecordingRuleGroupNameWin 'Microsoft.AlertsManagement/
   location: azureMonitorWorkspaceLocation
   properties: {
     description: '${RecordingRuleGroupDescriptionWin}${version}'
-    scopes: [
-      azureMonitorWorkspaceResourceId
-    ]
+    scopes: [azureMonitorWorkspaceResourceId,clusterResourceId]
     enabled: enableWindowsRecordingRules
     clusterName: clusterName
     interval: 'PT1M'

@@ -5,7 +5,7 @@ You can deploy the templates using a command like :
 
 In order to deploy community alerts and ci recommended alerts through template, deploy using command like:
 
-```az deployment group create -g <resource_group> -n <deployment_name> --template-file .\AzureMonitorAlertsProfileParameters.json --parameters .\AzureMonitorAlertsProfileParameters.json```
+```az deployment group create -g <resource_group> -n <deployment_name> --template-file .\AzureMonitorAlertsProfile.bicep --parameters .\AzureMonitorAlertsProfileParameters.json```
 
 **NOTE**
 

@@ -225,7 +225,10 @@
 					"location": "[parameters('azureMonitorWorkspaceLocation')]",
 					"properties": {
 					  "description": "[concat(variables('nodeRecordingRuleGroupDescription'), variables('version'))]",
-					  "scopes": ["[parameters('azureMonitorWorkspaceResourceId')]"],
+					  "scopes": [
+						"[parameters('azureMonitorWorkspaceResourceId')]",
+						"[parameters('clusterResourceId')]"
+					  ],
 					  "clusterName": "[variables('clusterName')]",
 					  "interval": "PT1M",
 					  "rules": [
@@ -283,7 +286,10 @@
 					"location": "[parameters('azureMonitorWorkspaceLocation')]",
 					"properties": {
 					  "description": "[concat(variables('kubernetesRecordingRuleGroupDescription'), variables('version'))]",
-					  "scopes": ["[parameters('azureMonitorWorkspaceResourceId')]"],
+					  "scopes": [
+						"[parameters('azureMonitorWorkspaceResourceId')]",
+						"[parameters('clusterResourceId')]"
+					  ],
 					  "clusterName": "[variables('clusterName')]",
 					  "interval": "PT1M",
 					  "rules": [
@@ -386,7 +392,8 @@
 					"properties": {
 					  "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
 					  "scopes": [
-						"[parameters('azureMonitorWorkspaceResourceId')]"
+						"[parameters('azureMonitorWorkspaceResourceId')]",
+						"[parameters('clusterResourceId')]"
 					  ],
 					  "enabled": "[parameters('enableWindowsRecordingRules')]",
 					  "clusterName": "[variables('clusterName')]",
@@ -463,7 +470,8 @@
 					"properties": {
 					  "description": "[concat(variables('RecordingRuleGroupDescriptionWin'), variables('version'))]",
 					  "scopes": [
-						"[parameters('azureMonitorWorkspaceResourceId')]"
+						"[parameters('azureMonitorWorkspaceResourceId')]",
+						"[parameters('clusterResourceId')]"
 					  ],
 					  "enabled": "[parameters('enableWindowsRecordingRules')]",
 					  "clusterName": "[variables('clusterName')]",

@@ -119,7 +119,7 @@ resource "azurerm_monitor_alert_prometheus_rule_group" "node_recording_rules_rul
   description         = "Node Recording Rules Rule Group"
   rule_group_enabled  = true
   interval            = "PT1M"
-  scopes              = [azurerm_monitor_workspace.amw.id]
+  scopes              = [azurerm_monitor_workspace.amw.id,azurerm_kubernetes_cluster.k8s.id]
 
   rule {
     enabled    = true
@@ -209,7 +209,7 @@ resource "azurerm_monitor_alert_prometheus_rule_group" "kubernetes_recording_rul
   description         = "Kubernetes Recording Rules Rule Group"
   rule_group_enabled  = true
   interval            = "PT1M"
-  scopes              = [azurerm_monitor_workspace.amw.id]
+  scopes              = [azurerm_monitor_workspace.amw.id,azurerm_kubernetes_cluster.k8s.id]
 
   rule {
     enabled    = true
@@ -366,7 +366,7 @@ resource "azurerm_monitor_alert_prometheus_rule_group" "node_and_kubernetes_reco
   description         = "Node and Kubernetes Recording Rules Rule Group for Windows Nodes"
   rule_group_enabled  = true
   interval            = "PT1M"
-  scopes              = [azurerm_monitor_workspace.amw.id]
+  scopes              = [azurerm_monitor_workspace.amw.id,azurerm_kubernetes_cluster.k8s.id]
 
   rule {
     enabled    = true
@@ -497,7 +497,7 @@ resource "azurerm_monitor_alert_prometheus_rule_group" "node_recording_rules_rul
   description         = "Node and Kubernetes Recording Rules Rule Group for Windows Nodes"
   rule_group_enabled  = true
   interval            = "PT1M"
-  scopes              = [azurerm_monitor_workspace.amw.id]
+  scopes              = [azurerm_monitor_workspace.amw.id,azurerm_kubernetes_cluster.k8s.id]
 
   rule {
     enabled    = true

@@ -8,6 +8,12 @@
                 "description": "Cluster name"
             }
         },
+        "clusterResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Cluster Resource Id"
+            }
+        },
         "actionGroupResourceId": {
             "type": "string",
             "metadata": {
@@ -40,7 +46,8 @@
             "properties": {
                 "description": "[concat(variables('kubernetesAlertRuleGroupDescription'), variables('version'))]",
                 "scopes": [
-                    "[parameters('azureMonitorWorkspaceResourceId')]"
+                    "[parameters('azureMonitorWorkspaceResourceId')]",
+                    "[parameters('clusterResourceId')]"
                 ],
                 "clusterName": "[parameters('clusterName')]",
                 "interval": "PT1M",