
Ability to add a certain label to the Metrics #37

Open
sherifkayad opened this issue Nov 28, 2022 · 5 comments

@sherifkayad

Currently the official Trivy Operator provides a very strong and much-needed feature that enables Kubernetes labels (on the workloads to scan) as metric labels.

It would be great to also have such a feature.

Reference: https://aquasecurity.github.io/trivy-operator/v0.7.1/integrations/metrics/#adding-custom-label-to-metrics

@devopstales (Owner)

Hi @sherifkayad,

Thank you for your interest in the original Trivy Operator. I don't see why it is a "very strong and much needed feature". I read the linked documentation, but it wasn't clear to me what the value of this custom label would be. Perhaps if you tell me more about what purpose you want to achieve, it would be easier for me.

@sherifkayad (Author) commented Nov 29, 2022

@devopstales one use case we have is to be able to filter in Grafana / alert the responsible team for a certain service / container / manifest list dynamically when they have high / critical vulnerabilities, by reading team & app labels from the k8s objects.

In our current PoC with the original operator it's possible to add those two labels to the generated metrics and hence to do exactly that.

I hope I managed to answer your question.

@devopstales (Owner)

Hi @sherifkayad,

Now I understand your use case, but you didn't answer one of my questions: where will the value of the label come from? In the example they created this on the helm deploy with --set="trivyOperator.reportResourceLabels": "owner", which created a label called k8s_label_owner. The example shows this label like this: k8s_label_owner="platform", but I don't know where the value platform comes from. It would be more logical to me if every annotation on the namespace that starts with trivy-operator-label_ created a label with the same value. For example, if you create an annotation trivy-operator-label_owner: devops it creates a label owner=devops.

@sherifkayad (Author) commented Nov 29, 2022

@devopstales I think there's a slight misunderstanding on your side. Assuming you have a Deployment object, e.g. with the name service-x-deployment, that looks like this:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-x-deployment
  namespace: whatever
  labels:
    app: service-x
    owner: team-a
    ping: pong
    otherLabel: otherValue
  # ... (further metadata elided in the original)
spec:
  # selector and template.metadata.labels are required for a Deployment to
  # apply; they were elided with "..." in the original
  selector:
    matchLabels:
      app: service-x
  template:
    metadata:
      labels:
        app: service-x
    spec:
      containers:
        - name: service-x
          image: >-
            my-registry/service-x:myTag
          # ... (further container fields elided in the original)
```

Specifying the Trivy Operator setting trivyOperator.reportResourceLabels: "owner,app" will lead to all vulnerability reports generated out of this Deployment object (e.g. the image vulnerability reports for my-registry/service-x:myTag) having the label owner set to team-a and the label app set to service-x. The same thing happens to the metrics, as these labels are added as metric labels. Also note that the same behavior applies to the rest of the scans performed on the other k8s objects, which generate the other reports in the Trivy Operator CRDs.

E.g. you might end up with something like:

```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  labels:
    owner: team-a
    app: service-x
    resource-spec-hash: 7b7979f777
    trivy-operator.container.name: service-x
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: service-x-65c76595f
    trivy-operator.resource.namespace: whatever
  name: replicaset-service-x-65c76595f-service-x
  namespace: whatever
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: service-x-65c76595f
      uid: 79387df7-e1a3-4a2b-8615-37b05aa14a9d
report:
  artifact:
    repository: my-registry/service-x
    tag: myTag
  registry:
    server: my-registry
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.34.0
  summary:
    criticalCount: 2
    highCount: 30
    lowCount: 314
    mediumCount: 23
    noneCount: 0
    unknownCount: 0
  updateTimestamp: '2022-11-28T12:48:27Z'
  vulnerabilities:
    # ... (individual findings elided)
---
apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: '2022-11-28T12:50:41Z'
  generation: 1
  labels:
    owner: team-a
    app: service-x
  # ... (rest of the report elided)
---
```

And then of course on the metrics side of things, you would be able to query something like:

```promql
trivy_clusterrole_clusterrbacassessments{app="service-x", owner="team-a"}
trivy_image_exposedsecrets{app="service-x", owner="team-a"}
trivy_image_vulnerabilities{app="service-x", owner="team-a"}
trivy_resource_configaudits{app="service-x", owner="team-a"}
```
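The label flow discussed in this thread (selected workload labels copied onto the reports, then exposed as metric labels) and the alternative proposed above (annotations with a fixed prefix turned into labels) can be sketched in a few lines of Python. The following is an added illustration written for this page; it is not code from this repository or from the official Aqua operator, and the function names, the `severity` metric label and the sample counts are assumptions made for the example. The practitioner caveat it demonstrates is that Kubernetes label keys such as `app.kubernetes.io/name` are legal in Kubernetes but not as Prometheus label names (which must match `[a-zA-Z_][a-zA-Z0-9_]*`), so whatever copies labels onto metrics has to sanitize the key, which is also why the official operator's `k8s_label_owner` name looks the way it does.

```python
import re
from typing import Dict, Iterable, List

# Prometheus label names must match [a-zA-Z_][a-zA-Z0-9_]*; Kubernetes label
# keys may contain ".", "/" and "-", so they cannot be used verbatim.
_PROM_LABEL_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")

# Constructed sample: the Deployment labels from the thread plus one key that
# is legal in Kubernetes but not as a Prometheus label name.
SAMPLE_WORKLOAD_LABELS = {
    "app": "service-x",
    "owner": "team-a",
    "ping": "pong",
    "otherLabel": "otherValue",
    "app.kubernetes.io/name": "service-x",
}


def sanitize_label_name(key: str) -> str:
    """Turn a Kubernetes label/annotation key into a legal Prometheus label name."""
    name = re.sub(r"[^a-zA-Z0-9_]", "_", key)
    if not name or not re.match(r"[a-zA-Z_]", name[0]):
        name = "_" + name
    if name.startswith("__"):  # "__"-prefixed names are reserved by Prometheus
        name = "k8s" + name
    assert _PROM_LABEL_RE.match(name)
    return name


def report_labels_from_workload(
    workload_labels: Dict[str, str], selected: Iterable[str]
) -> Dict[str, str]:
    """Copy the selected workload labels (the reportResourceLabels idea) onto a
    report. Labels the workload does not carry are skipped, so a missing "owner"
    simply produces no owner label rather than an error."""
    wanted = [k.strip() for k in selected if k.strip()]
    return {k: workload_labels[k] for k in wanted if k in workload_labels}


def report_labels_from_annotations(
    annotations: Dict[str, str], prefix: str = "trivy-operator-label_"
) -> Dict[str, str]:
    """The alternative proposed in the thread: every annotation whose key starts
    with the prefix becomes a label named by the rest of the key (hypothetical
    prefix taken from the proposal, not an implemented setting)."""
    return {
        k[len(prefix):]: v
        for k, v in annotations.items()
        if k.startswith(prefix) and len(k) > len(prefix)
    }


def metric_labels(report_labels: Dict[str, str]) -> Dict[str, str]:
    """Map report labels to Prometheus-safe metric labels (keys sanitized)."""
    return {sanitize_label_name(k): v for k, v in report_labels.items()}


def render_series(metric: str, labels: Dict[str, str], value: int) -> str:
    """Render one sample in Prometheus text exposition format, escaping label
    values as the format requires and sorting labels for a stable output."""
    def esc(v: str) -> str:
        return v.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    body = ",".join(f'{k}="{esc(v)}"' for k, v in sorted(labels.items()))
    return f"{metric}{{{body}}} {value}"


def demo(selected: str = "owner,app,app.kubernetes.io/name") -> List[str]:
    """Walk the sample Deployment labels through report and metric labels.
    The severity split and the counts are constructed for the example."""
    report = report_labels_from_workload(SAMPLE_WORKLOAD_LABELS, selected.split(","))
    labels = metric_labels(report)
    return [
        render_series("trivy_image_vulnerabilities", {**labels, "severity": sev}, n)
        for sev, n in (("Critical", 2), ("High", 30))
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running the block prints two constructed `trivy_image_vulnerabilities` samples carrying `app`, `owner` and the sanitized `app_kubernetes_io_name` labels; the annotation variant is exposed separately so both designs from the thread can be compared on the same input.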

@devopstales (Owner) commented Dec 9, 2022

@sherifkayad Sorry for the late response. Now I understand how it works. I will check this in the next version, but I don't think I can do that this year. If you can and want to work on this, a pull request is welcome.

@devopstales devopstales added this to the 2.6 milestone Dec 9, 2022