mcelep / opa-scorecard
License: Apache License 2.0
Hi,
Did you consider putting a Helm chart for this deployment in this repo?
It seems opa-scorecard can only get the violations available in the Status field of a constraint, which are not always the complete list of violations according to the Gatekeeper documentation.
Is it possible to get all the violations somehow?
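Gatekeeper's audit controller writes the full count to status.totalViolations but stores at most --constraint-violations-limit entries (default 20) in status.violations, so an exporter that only reads the list undercounts. The following is an added Go example, not opa-scorecard's own code, that reconciles the two fields on one constraint object. The constraint JSON is constructed for illustration; the field names are the ones Gatekeeper's v1beta1 constraint status uses.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Violation mirrors one entry of a Gatekeeper constraint's status.violations.
type Violation struct {
	Kind              string `json:"kind"`
	Name              string `json:"name"`
	Namespace         string `json:"namespace"`
	Message           string `json:"message"`
	EnforcementAction string `json:"enforcementAction"`
}

// Constraint carries only the fields this check needs. Every kind in the
// constraints.gatekeeper.sh group shares the same status shape.
type Constraint struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Status struct {
		AuditTimestamp  string      `json:"auditTimestamp"`
		TotalViolations int64       `json:"totalViolations"`
		Violations      []Violation `json:"violations"`
	} `json:"status"`
}

// Report is what an exporter should publish per constraint: the full count
// from status.totalViolations, how many detailed entries the audit actually
// stored, and whether the detailed list was cut off by the audit limit.
type Report struct {
	Kind      string
	Name      string
	Total     int64
	Listed    int
	Truncated bool
}

// Summarize parses one constraint as returned by the Kubernetes API and
// reconciles the two violation counts so a dashboard never under-reports.
func Summarize(raw []byte) (Report, error) {
	var c Constraint
	if err := json.Unmarshal(raw, &c); err != nil {
		return Report{}, fmt.Errorf("decode constraint: %w", err)
	}
	listed := len(c.Status.Violations)
	total := c.Status.TotalViolations
	if total < int64(listed) {
		// totalViolations absent or zero: fall back to the list length
		// rather than reporting nothing.
		total = int64(listed)
	}
	return Report{
		Kind:      c.Kind,
		Name:      c.Metadata.Name,
		Total:     total,
		Listed:    listed,
		Truncated: total > int64(listed),
	}, nil
}

// SampleConstraint is a constructed object for demonstration: the audit found
// 23 violations but stored only 3 of them in status.violations.
const SampleConstraint = `{
  "apiVersion": "constraints.gatekeeper.sh/v1beta1",
  "kind": "K8sRequiredLabels",
  "metadata": {"name": "all-must-have-owner"},
  "status": {
    "auditTimestamp": "2021-06-28T11:24:22Z",
    "totalViolations": 23,
    "violations": [
      {"kind": "Namespace", "name": "dev", "message": "you must provide labels: {\"owner\"}", "enforcementAction": "deny"},
      {"kind": "Namespace", "name": "staging", "message": "you must provide labels: {\"owner\"}", "enforcementAction": "deny"},
      {"kind": "Namespace", "name": "tools", "message": "you must provide labels: {\"owner\"}", "enforcementAction": "deny"}
    ]
  }
}`

func main() {
	r, err := Summarize([]byte(SampleConstraint))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s/%s: total=%d listed=%d truncated=%v\n",
		r.Kind, r.Name, r.Total, r.Listed, r.Truncated)
}
```

Publish Total as the violation count and Truncated as a separate gauge so a dashboard shows when the detailed list is incomplete. To get the remaining entries into status.violations, raise --constraint-violations-limit on the gatekeeper-audit deployment, accepting larger constraint objects in etcd.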
Hi,
Thought I would give this a try as it seems interesting, but when running it I get 500 errors:
# k get svc -n monitoring
opa-exporter ClusterIP 192.168.66.0 <none> 9141/TCP 49m
# k exec -it prometheus-monitoring-prometheus-0 -n monitoring -- /bin/sh -il
/prometheus $ wget -O - http://192.168.66.0:9141/metrics
Connecting to 192.168.66.0:9141 (192.168.66.0:9141)
wget: server returned error: HTTP/1.1 500 Internal Server Error
/prometheus $
The OPA Exporter pod logs show these being scraped:
2021/06/28 11:24:22 Kind:AllowedServicePortName, Name:port-name-constraint, Namespace:
2021/06/28 11:24:22 Kind:K8sPSPAllowPrivilegeEscalationContainer, Name:psp-allow-privilege-escalation-container, Namespace:
2021/06/28 11:24:22 Kind:K8sPSPPrivilegedContainer, Name:psp-privileged-container, Namespace:
2021/06/28 11:24:22 Kind:K8sRequiredLabels, Name:all-must-have-owner, Namespace:
2021/06/28 11:24:22 Kind:K8sContainerLimits, Name:container-must-have-limits, Namespace:
Any ideas? Maybe because I am running the Anthos/Google rebranded Gatekeeper, but not sure why.
It would be nice if the deployment had a health endpoint that validates the general health of the system. This could mean exposing anything from inability to connect to the k8s API to not having the proper RBAC permissions, etc.
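A minimal version of such a health endpoint, as an added Go example rather than anything the project ships. It checks the two failure modes named above in one probe: it reaches the API server over HTTPS with the pod's ServiceAccount token, and it asks, via a SelfSubjectAccessReview, whether that ServiceAccount may list constraints. The standard in-cluster mount path (/var/run/secrets/kubernetes.io/serviceaccount) and the KUBERNETES_SERVICE_HOST/PORT variables are Kubernetes conventions; the 9141 listen port mirrors the exporter's service port shown elsewhere on this page and is an assumption, as is the `resource: "*"` in the review, which matches a ClusterRole that grants the whole constraints.gatekeeper.sh group.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"time"
)

// Check probes one dependency and returns nil when healthy.
type Check func(ctx context.Context) error

// RBACCheck asks the API server, through a SelfSubjectAccessReview, whether the
// exporter's own ServiceAccount may list resources in constraints.gatekeeper.sh.
// A transport error means the API server is unreachable, a non-201 status means
// the token was rejected, and status.allowed == false means the ClusterRole or
// ClusterRoleBinding is missing. A plain GET on a discovery URL would not do:
// every authenticated user may read those.
func RBACCheck(client *http.Client, apiServer, token string) Check {
	const body = `{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview",` +
		`"spec":{"resourceAttributes":{"group":"constraints.gatekeeper.sh","resource":"*","verb":"list"}}}`
	return func(ctx context.Context) error {
		req, err := http.NewRequestWithContext(ctx, http.MethodPost,
			apiServer+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", strings.NewReader(body))
		if err != nil {
			return err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			return fmt.Errorf("api server unreachable: %w", err)
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusCreated {
			return fmt.Errorf("selfsubjectaccessreview returned HTTP %d", resp.StatusCode)
		}
		var review struct {
			Status struct {
				Allowed bool   `json:"allowed"`
				Reason  string `json:"reason"`
			} `json:"status"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&review); err != nil {
			return fmt.Errorf("decode review: %w", err)
		}
		if !review.Status.Allowed {
			return fmt.Errorf("rbac: cannot list constraints.gatekeeper.sh resources: %s", review.Status.Reason)
		}
		return nil
	}
}

// RunChecks executes every check under one context and returns the failures.
func RunChecks(ctx context.Context, checks []Check) []error {
	var failures []error
	for _, c := range checks {
		if err := c(ctx); err != nil {
			failures = append(failures, err)
		}
	}
	return failures
}

// Healthz answers 200 only when every check passes, otherwise 503 with one
// line per failure so the reason shows up in probe events. The token itself
// never appears in the body.
func Healthz(checks []Check, timeout time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), timeout)
		defer cancel()
		failures := RunChecks(ctx, checks)
		if len(failures) == 0 {
			fmt.Fprintln(w, "ok")
			return
		}
		w.WriteHeader(http.StatusServiceUnavailable)
		for _, f := range failures {
			fmt.Fprintln(w, f.Error())
		}
	})
}

// main wires the check to the in-cluster API server using the ServiceAccount
// CA and token that Kubernetes mounts into every pod.
func main() {
	const dir = "/var/run/secrets/kubernetes.io/serviceaccount"
	ca, err := os.ReadFile(dir + "/ca.crt")
	if err != nil {
		log.Fatal(err)
	}
	token, err := os.ReadFile(dir + "/token")
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(ca)
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	apiServer := "https://" + os.Getenv("KUBERNETES_SERVICE_HOST") + ":" + os.Getenv("KUBERNETES_SERVICE_PORT")
	http.Handle("/healthz", Healthz([]Check{RBACCheck(client, apiServer, string(token))}, 5*time.Second))
	log.Fatal(http.ListenAndServe(":9141", nil)) // assumption: same listener as /metrics
}
```

Point the readinessProbe at /healthz so a pod whose ServiceAccount lost its ClusterRoleBinding is taken out of the Service instead of serving an empty scorecard.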
This may be interesting to you.
https://grafana.com/grafana/dashboards/15763
It would be great to publish this OPA dashboard to Grafana Dashboards so more people can know this exists.
@mcelep @Knappek @Gaardsholt @laimison
Hello team,
I tried to implement this in OpenShift Container Platform. I was able to set it up and the deployment/pod is up and running, but while trying to access the metrics endpoint via curl I am getting a 500 error:
sh-4.4$ curl -kvs http://192.168.11.95:9141/metrics
> GET /metrics HTTP/1.1
> Host: 192.168.11.95:9141
> User-Agent: curl/7.61.1
> Accept: */*
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 11 Dec 2023 17:49:20 GMT
< Transfer-Encoding: chunked
<
An error has occurred while serving metrics:
18 error(s) occurred:
Could you please advise me on what is wrong in the configuration here?
The OpenShift target is also showing the same 500 error code and Prometheus is not fetching any metrics.
I have added liveness and readiness probes as well and the pod is coming up fine. I am not seeing any error or warning in the opa-exporter pod log.
opa-pod log:
2023/12/11 17:55:46 Kind:K8sPSPHostNetworkingPorts, Name:host-network-ports, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAllowedUsers, Name:allowed-user-ranges, Namespace:
2023/12/11 17:55:46 Kind:K8sPodDisruptionBudget, Name:pod-distruption-budget, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPForbiddenSysctls, Name:sysctls-forbidden, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPReadOnlyRootFilesystem, Name:read-only-root-filesystem, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPSeccomp, Name:psp-seccomp, Namespace:
2023/12/11 17:55:46 Kind:K8sAllowDefaultNamespaceWorkloads, Name:allow-default-namespace-workloads, Namespace:
2023/12/11 17:55:46 Kind:K8sContainerLimits, Name:container-must-have-limits, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPCapabilities, Name:capabilities, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPVolumeTypes, Name:volume-types, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPHostNamespace, Name:host-namespaces, Namespace:
2023/12/11 17:55:46 Kind:K8sContainerRequests, Name:container-must-have-requests, Namespace:
2023/12/11 17:55:46 Kind:K8sAllowedRepos, Name:trusted-repos, Namespace:
2023/12/11 17:55:46 Kind:K8sAssetUUID, Name:assetuuid, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAutomountServiceAccountTokenPod, Name:psp-automount-serviceaccount-token-pod, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAllowPrivilegeEscalationContainer, Name:allow-privilege-escalation-container, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPHostFilesystem, Name:host-filesystem, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPPrivilegedContainer, Name:privileged-containers, Namespace:
2023/12/11 17:55:55 Tick at 2023-12-11 17:55:55.264835838 +0000 UTC m=+4340.009384248
Hey there,
First, thanks for this great project; we use it in an Azure Kubernetes Service cluster to provide our customers a Grafana dashboard for their policy violations.
One thing we observed: it generates quite a lot of logs. In a dev cluster we have 3,000,000 lines per day for the different policies.
We created a ServiceMonitor to scrape the /metrics endpoint every 5 minutes. Nevertheless the app is querying the K8s API server for violations every 10 seconds (and logs it to stdout).
We can update the start command to send the output to /dev/null, but it would be great to have a configuration about the
wdyt?