opa-scorecard's Issues

Helm chart

Hi,

Did you consider putting a Helm chart for this deployment in this repo?

Not showing all the violations

It seems opa-scorecard can only get the violations available in the Status field of any constraint, which is not always the complete list of violations according to the Gatekeeper documentation.
Is it possible to get all the violations somehow?

500 error on metric scraping

Hi,

Thought I would give this a try as it seems interesting, but when running I get 500 errors:

# k get svc -n monitoring
opa-exporter                          ClusterIP   192.168.66.0      <none>        9141/TCP   49m

# k exec -it prometheus-monitoring-prometheus-0 -n monitoring -- /bin/sh -il
/prometheus $ wget -O - http://192.168.66.0:9141/metrics
Connecting to 192.168.66.0:9141 (192.168.66.0:9141)
wget: server returned error: HTTP/1.1 500 Internal Server Error
/prometheus $

The OPA Exporter pod logs show these being scraped:

2021/06/28 11:24:22 Kind:AllowedServicePortName, Name:port-name-constraint, Namespace:
2021/06/28 11:24:22 Kind:K8sPSPAllowPrivilegeEscalationContainer, Name:psp-allow-privilege-escalation-container, Namespace:
2021/06/28 11:24:22 Kind:K8sPSPPrivilegedContainer, Name:psp-privileged-container, Namespace:
2021/06/28 11:24:22 Kind:K8sRequiredLabels, Name:all-must-have-owner, Namespace:
2021/06/28 11:24:22 Kind:K8sContainerLimits, Name:container-must-have-limits, Namespace:

Any ideas? Maybe it is because I am running the Anthos/Google rebranded Gatekeeper, but I am not sure why.

Endpoint to expose for readiness probe

It would be nice if the deployment had a health endpoint which would validate the general health of the system. This could mean exposing anything from an inability to connect to the k8s API to not having the proper RBAC permissions, etc.
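One shape such an endpoint could take, as an added example for this page rather than code from opa-scorecard: a /readyz handler that runs named checks and answers 503 listing the ones that failed, so the pod goes NotReady and a plain curl shows why. The single check implemented here covers both failure modes named above with one request, a SelfSubjectAccessReview against the API server: a transport error means the API cannot be reached, and allowed=false means the service account lacks the RBAC to list constraints. The API URL, the bearer token, the listen port and the constraint resource name k8srequiredlabels are assumptions for the illustration; an in-cluster build would read the token and CA from the service account mount and use a TLS-configured client.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"sort"
	"time"
)

// Check is one readiness check; a nil error means healthy.
type Check func(ctx context.Context) error

// RunChecks runs every check and returns "name: error" for each failure,
// sorted by name so the probe body is stable between calls.
func RunChecks(ctx context.Context, checks map[string]Check) []string {
	var failed []string
	for name, c := range checks {
		if err := c(ctx); err != nil {
			failed = append(failed, name+": "+err.Error())
		}
	}
	sort.Strings(failed)
	return failed
}

// ReadyHandler answers 200 when every check passes and 503 with the failures
// in the body otherwise; kubelet then marks the pod NotReady and the reason
// is readable with curl.
func ReadyHandler(checks map[string]Check, timeout time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), timeout)
		defer cancel()
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		failed := RunChecks(ctx, checks)
		if len(failed) == 0 {
			fmt.Fprintln(w, "ok")
			return
		}
		w.WriteHeader(http.StatusServiceUnavailable)
		for _, f := range failed {
			fmt.Fprintln(w, f)
		}
	})
}

// CanListConstraints asks the API server, through a SelfSubjectAccessReview,
// whether the caller may list the given resource in constraints.gatekeeper.sh.
// A transport error covers "cannot reach the API"; allowed=false covers
// "missing RBAC".
func CanListConstraints(client *http.Client, apiURL, token, resource string) Check {
	return func(ctx context.Context) error {
		body, _ := json.Marshal(map[string]any{
			"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
			"spec": map[string]any{"resourceAttributes": map[string]string{
				"group": "constraints.gatekeeper.sh", "resource": resource, "verb": "list"}},
		})
		req, err := http.NewRequestWithContext(ctx, http.MethodPost,
			apiURL+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(body))
		if err != nil {
			return err
		}
		req.Header.Set("Content-Type", "application/json")
		if token != "" { // in-cluster: the mounted service account token
			req.Header.Set("Authorization", "Bearer "+token)
		}
		resp, err := client.Do(req)
		if err != nil {
			return err
		}
		defer resp.Body.Close()
		if resp.StatusCode/100 != 2 {
			return fmt.Errorf("SelfSubjectAccessReview returned HTTP %d", resp.StatusCode)
		}
		var review struct {
			Status struct {
				Allowed bool   `json:"allowed"`
				Reason  string `json:"reason"`
			} `json:"status"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&review); err != nil {
			return err
		}
		if !review.Status.Allowed {
			return fmt.Errorf("cannot list %s.constraints.gatekeeper.sh: %s", resource, review.Status.Reason)
		}
		return nil
	}
}

func main() {
	// Assumed wiring: API URL, empty token and plain DefaultClient are
	// placeholders; a pod would load the token and CA from
	// /var/run/secrets/kubernetes.io/serviceaccount/.
	checks := map[string]Check{
		"rbac": CanListConstraints(http.DefaultClient, "https://kubernetes.default.svc", "", "k8srequiredlabels"),
	}
	http.Handle("/readyz", ReadyHandler(checks, 5*time.Second))
	fmt.Println(http.ListenAndServe(":8080", nil))
}
```

The checks run on every probe, so keep the probe timeout above the per-request context timeout and keep each check to a single cheap API call; a readiness check that is slower than the kubelet's timeout flaps the pod for no reason.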

opa-scorecard metrics reporting issue with OpenShift4.14

@mcelep @Knappek @Gaardsholt @laimison
Hello Team,

I tried to implement this on OpenShift Container Platform. I was able to set it up and the deployment/pod is up and running. But while trying to access the metrics endpoint via curl I am facing a 500 error:

sh-4.4$ curl -kvs http://192.168.11.95:9141/metrics
*   Trying 192.168.11.95...
* TCP_NODELAY set
* Connected to 192.168.11.95 (192.168.11.95) port 9141 (#0)
> GET /metrics HTTP/1.1
> Host: 192.168.11.95:9141
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 11 Dec 2023 17:49:20 GMT
< Transfer-Encoding: chunked
<
An error has occurred while serving metrics:

18 error(s) occurred:

* collected metric "opa_scorecard_constraint_violations" { label:<name:"kind" value:"K8sAssetUUID" > label:<name:"name" value:"assetuuid" > label:<name:"violating_kind" value:"Pod" > label:<name:"violating_name" value:"service-65d669b69f-g6k2v" > label:<name:"violating_namespace" value:"openshift-update-service" > label:<name:"violation_enforcement" value:"warn" > label:<name:"violation_msg" value:"Pod has a missing assetuuid. pod: service-65d669b69f-g6k2v" > gauge:<value:1 > } was collected before with the same name and label values
* collected metric "opa_scorecard_constraint_violations" { label:<name:"kind" value:"K8sAssetUUID" > label:<name:"name" value:"assetuuid" > label:<name:"violating_kind" value:"Pod" > label:<name:"violating_name" value:"service-65d669b69f-g6k2v" > label:<name:"violating_namespace" value:"openshift-update-service" > label:<name:"violation_enforcement" value:"warn" > label:<name:"violation_msg" value:"Pod has a missing assetuuid. pod: service-65d669b69f-g6k2v" > gauge:<value:1 > } was collected before with the same name and label values
...
* Connection #0 to host 192.168.11.95 left intact
sh-4.4$

Could you please advise me what configuration is wrong here?

The OpenShift target is also showing the same 500 error code and Prometheus is not fetching any metrics.

I have added liveness and readiness probes as well and the pod is coming up fine. I am not seeing any error or warning in the opa-exporter pod log.

opa-pod log:

2023/12/11 17:55:46 Kind:K8sPSPHostNetworkingPorts, Name:host-network-ports, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAllowedUsers, Name:allowed-user-ranges, Namespace:
2023/12/11 17:55:46 Kind:K8sPodDisruptionBudget, Name:pod-distruption-budget, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPForbiddenSysctls, Name:sysctls-forbidden, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPReadOnlyRootFilesystem, Name:read-only-root-filesystem, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPSeccomp, Name:psp-seccomp, Namespace:
2023/12/11 17:55:46 Kind:K8sAllowDefaultNamespaceWorkloads, Name:allow-default-namespace-workloads, Namespace:
2023/12/11 17:55:46 Kind:K8sContainerLimits, Name:container-must-have-limits, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPCapabilities, Name:capabilities, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPVolumeTypes, Name:volume-types, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPHostNamespace, Name:host-namespaces, Namespace:
2023/12/11 17:55:46 Kind:K8sContainerRequests, Name:container-must-have-requests, Namespace:
2023/12/11 17:55:46 Kind:K8sAllowedRepos, Name:trusted-repos, Namespace:
2023/12/11 17:55:46 Kind:K8sAssetUUID, Name:assetuuid, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAutomountServiceAccountTokenPod, Name:psp-automount-serviceaccount-token-pod, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPAllowPrivilegeEscalationContainer, Name:allow-privilege-escalation-container, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPHostFilesystem, Name:host-filesystem, Namespace:
2023/12/11 17:55:46 Kind:K8sPSPPrivilegedContainer, Name:privileged-containers, Namespace:
2023/12/11 17:55:55 Tick at 2023-12-11 17:55:55.264835838 +0000 UTC m=+4340.009384248
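The "Not showing all the violations" report and the two 500-error reports above concern two different properties of a constraint's .status. Gatekeeper's audit stores only the first N violations in status.violations (N is the audit flag --constraint-violations-limit, default 20) but always writes the full count to status.totalViolations, so an exporter that reads status can at least tell when the list it sees is incomplete. The OpenShift error text is the Prometheus Go client's registry rejecting a scrape in which the same metric name and label values occur twice; on the exporter side that is fixed by aggregating by label set before emitting. The Go below is an added example written for this page, not opa-scorecard's own code: the status document is constructed (it repeats the pod from the report above and claims 25 total violations while storing 3), the metric and label names are the ones visible in the error text, and the gauge value is the number of times an entry appeared.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Violation is one entry of a Gatekeeper constraint's status.violations[].
type Violation struct {
	EnforcementAction string `json:"enforcementAction"`
	Kind              string `json:"kind"`
	Message           string `json:"message"`
	Name              string `json:"name"`
	Namespace         string `json:"namespace"`
}

// ConstraintStatus is the part of .status an exporter needs.
type ConstraintStatus struct {
	TotalViolations int         `json:"totalViolations"`
	Violations      []Violation `json:"violations"`
}

// sampleStatus is a constructed status document, not taken from a cluster.
// It lists the pod from the OpenShift report twice and claims 25 total
// violations while storing 3, to exercise both checks below.
const sampleStatus = `{
  "totalViolations": 25,
  "violations": [
    {"enforcementAction": "warn", "kind": "Pod", "name": "service-65d669b69f-g6k2v",
     "namespace": "openshift-update-service",
     "message": "Pod has a missing assetuuid. pod: service-65d669b69f-g6k2v"},
    {"enforcementAction": "warn", "kind": "Pod", "name": "service-65d669b69f-g6k2v",
     "namespace": "openshift-update-service",
     "message": "Pod has a missing assetuuid. pod: service-65d669b69f-g6k2v"},
    {"enforcementAction": "warn", "kind": "Pod", "name": "example-pod",
     "namespace": "default", "message": "Pod has a missing assetuuid. pod: example-pod"}
  ]
}`

// ParseStatus decodes a constraint's status object.
func ParseStatus(raw []byte) (ConstraintStatus, error) {
	var s ConstraintStatus
	err := json.Unmarshal(raw, &s)
	return s, err
}

// Truncated reports whether audit stored fewer violations than it counted,
// i.e. the list was cut at --constraint-violations-limit.
func Truncated(s ConstraintStatus) bool {
	return s.TotalViolations > len(s.Violations)
}

// LabelSet is the label tuple of opa_scorecard_constraint_violations.
// A scrape may contain each tuple only once.
type LabelSet struct {
	Kind, Name, ViolatingKind, ViolatingName, ViolatingNamespace, Enforcement, Msg string
}

// Aggregate collapses repeated entries into one series per label set; the
// value is how many times the entry appeared.
func Aggregate(kind, name string, s ConstraintStatus) map[LabelSet]int {
	agg := make(map[LabelSet]int)
	for _, v := range s.Violations {
		agg[LabelSet{kind, name, v.Kind, v.Name, v.Namespace, v.EnforcementAction, v.Message}]++
	}
	return agg
}

// escapeLabel applies the Prometheus text-format escaping for label values.
var escapeLabel = strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)

// ExpositionLines renders the aggregated series as text-format samples,
// sorted so the output is stable from scrape to scrape.
func ExpositionLines(agg map[LabelSet]int) []string {
	q := func(v string) string { return `"` + escapeLabel.Replace(v) + `"` }
	lines := make([]string, 0, len(agg))
	for l, n := range agg {
		lines = append(lines, fmt.Sprintf(
			"opa_scorecard_constraint_violations{kind=%s,name=%s,violating_kind=%s,violating_name=%s,violating_namespace=%s,violation_enforcement=%s,violation_msg=%s} %d",
			q(l.Kind), q(l.Name), q(l.ViolatingKind), q(l.ViolatingName), q(l.ViolatingNamespace), q(l.Enforcement), q(l.Msg), n))
	}
	sort.Strings(lines)
	return lines
}

func main() {
	s, err := ParseStatus([]byte(sampleStatus))
	if err != nil {
		panic(err)
	}
	if Truncated(s) {
		fmt.Printf("status lists %d of %d violations; audit limit reached\n", len(s.Violations), s.TotalViolations)
	}
	for _, l := range ExpositionLines(Aggregate("K8sAssetUUID", "assetuuid", s)) {
		fmt.Println(l)
	}
}
```

Whatever produces the repeated entries on a given cluster, the scrape only becomes valid once each label set is emitted once; whether the value should be the count or a constant 1 is a design choice. The truncation check does not recover the missing violations (status simply does not hold them), but it lets an exporter expose the gap rather than report a constraint as fully enumerated.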

Configure Log Level and K8S scrape interval for violations

Hey there,

first: thanks for this great project, we use it in an Azure Kubernetes Service cluster to provide our customers with a Grafana dashboard for their policy violations.

One thing we observed: it generates quite a lot of logs. In a dev cluster we have 3,000,000 lines per day for the different policies.
We created a ServiceMonitor to scrape the /metrics endpoint every 5 minutes. Nevertheless, the app is querying the K8S API server for violations every 10 seconds (and logs it to stdout).

We can update the start command to send the output to /dev/null, but it would be great to have configuration for the

  • K8S API scrape interval
  • and / or log level of the generated messages

wdyt?
