Prometheus Exporter

Kubescape is running as a microservice. As a result, you can set up a pod monitor for scanning and scraping the scanning results.

Install kube-prometheus-stack

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
kubectl create namespace prometheus
helm install -n prometheus kube-prometheus-stack prometheus-community/kube-prometheus-stack --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false,prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false

Add ARMO helm repo

helm repo add armo https://kubescape.github.io/helm-charts/

Or, if already installed, run an upgrade:

helm repo update

Install the helm chart with the following values:
- kubescape.serviceMonitor.enabled=true # Create the Prometheus serviceMonitor
If you wish to integrate only with Prometheus and not with the Kubescape Cloud Platform, it is recommended to set the following values
- kubescape.submit=false # Do not submit scan results
- kubescape.enableHostScan=false # Do not install the Host Scanner
- kubescape.downloadArtifacts=false # Do not download artifacts every scan
Install:
```
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set kubescape.serviceMonitor.enabled=true
```

Grafana dashboard

Add kubescape dashboard to Grafana

Metrics

All kubescape related metrics begin with kubescape

riskScore is the output of an algorithm calculating the risk of the vulnerability. 0 indicates there is no risk and 100 indicates the highest risk.

Cluster scope metrics

Overall risk score

# Overall riskScore of the scan
kubescape_cluster_riskScore{} <risk score>

Overall resources counters

# Number of resources that failed 
kubescape_cluster_count_resources_failed{} <counter>

# Number of resources that where excluded
kubescape_cluster_count_resources_excluded{} <counter>

# Number of resources that passed
kubescape_cluster_count_resources_passed{} <counter>

Overall controls counters

# Number of controls that failed 
kubescape_cluster_count_controls_failed{} <counter>

# Number of controls that where excluded 
kubescape_cluster_count_controls_excluded{} <counter>

# Number of controls that passed
kubescape_cluster_count_controls_passed{} <counter>

Frameworks metrics

Frameworks risk score

kubescape_framework_riskScore{name="<framework name>"} <risk score>

Frameworks resources counters

# Number of resources that failed 
kubescape_framework_count_resources_failed{} <counter>

# Number of resources that where excluded
kubescape_framework_count_resources_excluded{} <counter>

# Number of resources that passed
kubescape_framework_count_resources_passed{} <counter>

Frameworks controls counters

# Number of controls that failed 
kubescape_framework_count_controls_failed{name="<framework name>"} <counter>

# Number of controls that where excluded 
kubescape_framework_count_controls_excluded{name="<framework name>"} <counter>

# Number of controls that passed
kubescape_framework_count_controls_passed{name="<framework name>"} <counter>

Controls metrics

Controls risk score

kubescape_control_riskScore{name="<control name>",url="<docs url>",severity="<control severity>"} <risk score>

Controls resources counters

# Number of resources that failed 
kubescape_control_count_resources_failed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that where excluded
kubescape_control_count_resources_excluded{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that passed
kubescape_control_count_resources_passed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>