Prometheus Exporter

Because Kubescape runs as an in-cluster component installed with Helm, you can use its Prometheus exporter to scan clusters and let Prometheus scrape the scan results.

Install Prometheus and Kubescape

Prepare your environment to run Prometheus and Kubescape, and then install Kubescape using Helm commands.

  1. Install kube-prometheus-stack.

    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm repo update
    kubectl create namespace prometheus
    helm install -n prometheus kube-prometheus-stack prometheus-community/kube-prometheus-stack --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false,prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
    
  2. If you haven't added the ARMO Helm repository, add it now.

    helm repo add armo https://kubescape.github.io/helm-charts/
    
  3. Update your repository.

    helm repo update
    
  4. Install the Kubescape Helm chart and create a Prometheus service monitor.
     Replace <ARMOPlatformaccountID> with your ARMO Platform account ID.

    helm upgrade --install kubescape armo/kubescape-cloud-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set kubescape.serviceMonitor.enabled=true --set account=<ARMOPlatformaccountID>
    

Grafana dashboard

If you use Prometheus with Grafana, you can add a Kubescape dashboard to Grafana and view the scan results there.

Available metrics

All Kubescape-related metrics begin with kubescape.

RiskScore is the output of an algorithm that calculates the risk of the misconfiguration. 0 indicates there is no risk and 100 indicates the highest risk.

Cluster scope metrics

Overall risk score

    # Overall riskScore of the scan
    kubescape_cluster_riskScore{} <risk score>

Overall resources counters

    # Number of resources that failed
    kubescape_cluster_count_resources_failed{} <counter>

    # Number of resources that were excluded
    kubescape_cluster_count_resources_excluded{} <counter>

    # Number of resources that passed
    kubescape_cluster_count_resources_passed{} <counter>

Overall controls counters

    # Number of controls that failed
    kubescape_cluster_count_controls_failed{} <counter>

    # Number of controls that were excluded
    kubescape_cluster_count_controls_excluded{} <counter>

    # Number of controls that passed
    kubescape_cluster_count_controls_passed{} <counter>

Frameworks metrics

Frameworks risk score

    kubescape_framework_riskScore{name="<framework name>"} <risk score>

Frameworks resources counters

    # Number of resources that failed
    kubescape_framework_count_resources_failed{} <counter>

    # Number of resources that were excluded
    kubescape_framework_count_resources_excluded{} <counter>

    # Number of resources that passed
    kubescape_framework_count_resources_passed{} <counter>

Frameworks controls counters

    # Number of controls that failed
    kubescape_framework_count_controls_failed{name="<framework name>"} <counter>

    # Number of controls that were excluded
    kubescape_framework_count_controls_excluded{name="<framework name>"} <counter>

    # Number of controls that passed
    kubescape_framework_count_controls_passed{name="<framework name>"} <counter>

Controls metrics

Controls risk score

    kubescape_control_riskScore{name="<control name>",url="<docs url>",severity="<control severity>"} <risk score>

Controls resources counters

    # Number of resources that failed
    kubescape_control_count_resources_failed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

    # Number of resources that were excluded
    kubescape_control_count_resources_excluded{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

    # Number of resources that passed
    kubescape_control_count_resources_passed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>
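
As an added example (not part of the Kubescape documentation or project code), the Python script below parses text in the metric format listed above and ranks controls by the share of their resources that failed, which is a quick way to triage a scrape. The sample scrape, control names, URLs, severity values and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the metric format documented above; control names,
# URLs, severity values and numbers are made up for illustration.
SAMPLE_SCRAPE = """\
# Overall riskScore of the scan
kubescape_cluster_riskScore{} 27.5
kubescape_control_count_resources_failed{name="Control A",url="https://example.invalid/a",severity="High"} 6
kubescape_control_count_resources_passed{name="Control A",url="https://example.invalid/a",severity="High"} 14
kubescape_control_count_resources_excluded{name="Control A",url="https://example.invalid/a",severity="High"} 0
kubescape_control_count_resources_failed{name="Control B",url="https://example.invalid/b",severity="Medium"} 1
kubescape_control_count_resources_passed{name="Control B",url="https://example.invalid/b",severity="Medium"} 9
kubescape_control_count_resources_failed{name="Control C",url="https://example.invalid/c",severity="Low"} 0
kubescape_control_count_resources_passed{name="Control C",url="https://example.invalid/c",severity="Low"} 3
"""

PREFIX = "kubescape_control_count_resources_"
LINE = re.compile(r'^(kubescape_\w+)(?:\{(.*)\})?\s+(\S+)(?:\s+\d+)?$')  # optional labels/timestamp
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse(text):
    """Yield (metric, labels dict, float value) for every kubescape_* sample."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # comments, blank lines and non-Kubescape metrics are skipped
            yield m.group(1), dict(LABEL.findall(m.group(2) or "")), float(m.group(3))

def failing_controls(text, min_ratio=0.0):
    """Return (name, severity, failed, ratio) per failing control, worst ratio first."""
    counts, meta = defaultdict(lambda: defaultdict(float)), {}
    for metric, labels, value in parse(text):
        if metric.startswith(PREFIX) and "name" in labels:
            counts[labels["name"]][metric[len(PREFIX):]] = value
            meta[labels["name"]] = labels.get("severity", "")
    rows = []
    for name, c in counts.items():
        total = c["failed"] + c["passed"] + c["excluded"]
        ratio = c["failed"] / total if total else 0.0
        if c["failed"] > 0 and ratio >= min_ratio:
            rows.append((name, meta[name], int(c["failed"]), round(ratio, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

def cluster_risk_score(text):
    """Return kubescape_cluster_riskScore from the scrape, or None if absent."""
    return next((v for m, _, v in parse(text) if m == "kubescape_cluster_riskScore"), None)

if __name__ == "__main__":
    print(cluster_risk_score(SAMPLE_SCRAPE), failing_controls(SAMPLE_SCRAPE))
```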