Prometheus Exporter

Because Kubescape runs in-cluster as part of the Helm install, its scan results can be published as Prometheus metrics: Kubescape scans the cluster, and Prometheus scrapes the results from the exporter endpoints described below.

Install Prometheus and Kubescape

Install the kube-prometheus-stack first, then install the Kubescape Operator with Helm and enable the exporter.

  1. Install kube-prometheus-stack. The two --set flags make Prometheus select ServiceMonitors and PodMonitors from any Helm release instead of only those labelled with this release; without them the Kubescape ServiceMonitor created in step 2 is never scraped.

    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm repo update
    kubectl create namespace prometheus
    helm install -n prometheus kube-prometheus-stack prometheus-community/kube-prometheus-stack \
      --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
      --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
    
  2. Install the Kubescape Operator with the Helm install command shown in the platform, adding these flags to enable the exporter (kubescape.serviceMonitor.enabled creates the ServiceMonitor that Prometheus scrapes; prometheusExporter.enableWorkloadMetrics adds the per-workload vulnerability metrics listed below):

    --set kubescape.serviceMonitor.enabled=true --set capabilities.prometheusExporter=enable --set prometheusExporter.enableWorkloadMetrics=true --set storage.forceVirtualCrds=true
    

Available metrics

All Kubescape metric names begin with the kubescape_ prefix.

Posture metrics

Posture metrics are exposed directly by the kubescape Pod.

riskScore is the output of Kubescape's risk algorithm for the scanned scope (cluster, framework or control): 0 indicates no risk and 100 the highest risk. The failed, passed and excluded counters partition the scanned resources and controls; excluded means skipped because of a configured exception, so an excluded item counts towards neither failed nor passed.

Cluster scope metrics

Overall risk score
# Overall riskScore of the scan
kubescape_cluster_riskScore{} <risk score>
Overall resources counters
# Number of resources that failed 
kubescape_cluster_count_resources_failed{} <counter>

# Number of resources that were excluded
kubescape_cluster_count_resources_excluded{} <counter>

# Number of resources that passed
kubescape_cluster_count_resources_passed{} <counter>
Overall controls counters
# Number of controls that failed 
kubescape_cluster_count_controls_failed{} <counter>

# Number of controls that were excluded
kubescape_cluster_count_controls_excluded{} <counter>

# Number of controls that passed
kubescape_cluster_count_controls_passed{} <counter>

Frameworks metrics

Frameworks risk score
kubescape_framework_riskScore{name="<framework name>"} <risk score>
Frameworks resources counters
# Number of resources that failed (labelled with the framework name, like the other framework metrics)
kubescape_framework_count_resources_failed{name="<framework name>"} <counter>

# Number of resources that were excluded
kubescape_framework_count_resources_excluded{name="<framework name>"} <counter>

# Number of resources that passed
kubescape_framework_count_resources_passed{name="<framework name>"} <counter>
Frameworks controls counters
# Number of controls that failed 
kubescape_framework_count_controls_failed{name="<framework name>"} <counter>

# Number of controls that were excluded
kubescape_framework_count_controls_excluded{name="<framework name>"} <counter>

# Number of controls that passed
kubescape_framework_count_controls_passed{name="<framework name>"} <counter>

Controls metrics

Controls risk score
kubescape_control_riskScore{name="<control name>",url="<docs url>",severity="<control severity>"} <risk score>
Controls resources counters
# Number of resources that failed 
kubescape_control_count_resources_failed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that were excluded
kubescape_control_count_resources_excluded{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that passed
kubescape_control_count_resources_passed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

Vulnerability metrics

Vulnerability metrics are exposed by the prometheus-exporter Pod.

Cluster scope metrics

Two counts are available per severity: total (every vulnerability found in the scanned images) and relevant (only vulnerabilities in packages that the running containers actually loaded, as observed by the node agent). Relevant is therefore always a subset of total, and it is the number to prioritise:

kubescape_vulnerabilities_relevant_cluster_critical
kubescape_vulnerabilities_relevant_cluster_high
kubescape_vulnerabilities_relevant_cluster_low
kubescape_vulnerabilities_relevant_cluster_medium
kubescape_vulnerabilities_relevant_cluster_unknown

kubescape_vulnerabilities_total_cluster_critical
kubescape_vulnerabilities_total_cluster_high
kubescape_vulnerabilities_total_cluster_low
kubescape_vulnerabilities_total_cluster_medium
kubescape_vulnerabilities_total_cluster_unknown

The exporter also exposes cluster-scope control counters broken down by severity:

kubescape_controls_total_cluster_critical
kubescape_controls_total_cluster_high
kubescape_controls_total_cluster_low
kubescape_controls_total_cluster_medium
kubescape_controls_total_cluster_unknown

Namespace scope metrics

Relevant and total vulnerabilities per severity, with one series per namespace:

kubescape_vulnerabilities_relevant_namespace_critical{namespace="<namespace name>"}
kubescape_vulnerabilities_relevant_namespace_high{namespace="<namespace name>"}
kubescape_vulnerabilities_relevant_namespace_low{namespace="<namespace name>"}
kubescape_vulnerabilities_relevant_namespace_medium{namespace="<namespace name>"}
kubescape_vulnerabilities_relevant_namespace_unknown{namespace="<namespace name>"}

kubescape_vulnerabilities_total_namespace_critical{namespace="<namespace name>"}
kubescape_vulnerabilities_total_namespace_high{namespace="<namespace name>"}
kubescape_vulnerabilities_total_namespace_low{namespace="<namespace name>"}
kubescape_vulnerabilities_total_namespace_medium{namespace="<namespace name>"}
kubescape_vulnerabilities_total_namespace_unknown{namespace="<namespace name>"}

Workload scope metrics

Relevant and total vulnerabilities per severity, with one series per container of each workload. These metrics are only emitted when prometheusExporter.enableWorkloadMetrics=true is set at install time; on large clusters they add a series for every container, severity and relevant/total pair, so budget for the extra cardinality. The 0 values shown are sample output:

kubescape_vulnerabilities_relevant_workload_critical{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_relevant_workload_high{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_relevant_workload_low{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_relevant_workload_medium{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_relevant_workload_unknown{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0

kubescape_vulnerabilities_total_workload_critical{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_total_workload_high{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_total_workload_low{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_total_workload_medium{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
kubescape_vulnerabilities_total_workload_unknown{namespace="<namespace name>",workload="<workload name>",workload_container_name="<container name>",workload_kind="<workload kind>"} 0
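The following is an added example, not code from the Kubescape project: a small Python policy gate that parses a scrape in the Prometheus exposition format (what the kubescape and prometheus-exporter /metrics endpoints return) and applies checks on the posture and vulnerability metrics documented above. The embedded SAMPLE_METRICS text is constructed for this example; its metric names and label keys follow this page, but the control names, URLs, workload names and numbers are hypothetical, and the thresholds in gate() are an assumption to adjust to your own policy.

```python
"""Policy gate over Kubescape Prometheus metrics (added example, not project code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample scrape: metric names and label keys follow the docs,
# every label value and number is hypothetical.
SAMPLE_METRICS = """\
# Overall riskScore of the scan
kubescape_cluster_riskScore{} 41.3
kubescape_cluster_count_controls_failed{} 17
kubescape_control_count_resources_failed{name="Privileged container",url="https://example.invalid/c-0057",severity="High"} 3
kubescape_control_count_resources_failed{name="Host PID/IPC privileges",url="https://example.invalid/c-0038",severity="High"} 0
kubescape_control_count_resources_failed{name="Automatic mapping of service account",url="https://example.invalid/c-0034",severity="Low"} 12
kubescape_vulnerabilities_total_workload_critical{namespace="payments",workload="api",workload_container_name="api",workload_kind="Deployment"} 9
kubescape_vulnerabilities_relevant_workload_critical{namespace="payments",workload="api",workload_container_name="api",workload_kind="Deployment"} 2
kubescape_vulnerabilities_total_workload_critical{namespace="web",workload="frontend",workload_container_name="nginx",workload_kind="Deployment"} 4
kubescape_vulnerabilities_relevant_workload_critical{namespace="web",workload="frontend",workload_container_name="nginx",workload_kind="Deployment"} 0
"""

# One exposition sample line: metric_name{label="value",...} value
SAMPLE_RE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)$')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

Sample = Tuple[str, Dict[str, str], float]


def parse_exposition(text: str) -> List[Sample]:
    """Return (metric name, labels, value) for each sample line; comment lines are skipped."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        labels = dict(LABEL_RE.findall(m.group("labels") or ""))  # label escapes kept as-is
        samples.append((m.group("name"), labels, float(m.group("value"))))
    return samples


def cluster_risk_score(samples: List[Sample]) -> float:
    for name, _, value in samples:
        if name == "kubescape_cluster_riskScore":
            return value
    raise KeyError("kubescape_cluster_riskScore missing from scrape")


def failing_controls_by_severity(samples: List[Sample]) -> Dict[str, List[str]]:
    """Controls with at least one failed resource, grouped by their severity label."""
    out: Dict[str, List[str]] = defaultdict(list)
    for name, labels, value in samples:
        if name == "kubescape_control_count_resources_failed" and value > 0:
            out[labels["severity"]].append(labels["name"])
    return dict(out)


def workloads_with_relevant_vulns(samples: List[Sample], severity: str = "critical"):
    """Workloads whose relevant count (CVEs in packages loaded at runtime) is non-zero,
    as ((namespace, kind, workload, container), relevant, total), worst first.
    Relevant is a subset of total, so relevant > total means the scrape is corrupt."""
    def key(labels: Dict[str, str]):
        return (labels["namespace"], labels["workload_kind"],
                labels["workload"], labels["workload_container_name"])
    total: Dict[tuple, float] = {}
    relevant: Dict[tuple, float] = {}
    for name, labels, value in samples:
        if name == f"kubescape_vulnerabilities_total_workload_{severity}":
            total[key(labels)] = value
        elif name == f"kubescape_vulnerabilities_relevant_workload_{severity}":
            relevant[key(labels)] = value
    findings = []
    for k, rel in relevant.items():
        tot = total.get(k, 0.0)
        if rel > tot:
            raise ValueError(f"relevant > total for {k}: {rel} > {tot}")
        if rel > 0:
            findings.append((k, int(rel), int(tot)))
    findings.sort(key=lambda f: -f[1])
    return findings


def gate(samples: List[Sample], max_risk_score: float = 50.0,
         blocking_severities=("Critical", "High")) -> List[str]:
    """Reasons the cluster fails policy; an empty list means it passes (thresholds are assumptions)."""
    reasons = []
    score = cluster_risk_score(samples)
    if score > max_risk_score:
        reasons.append(f"cluster riskScore {score} exceeds {max_risk_score}")
    for sev in blocking_severities:
        for control in failing_controls_by_severity(samples).get(sev, []):
            reasons.append(f"{sev} control has failed resources: {control}")
    for (ns, kind, wl, ctr), rel, tot in workloads_with_relevant_vulns(samples, "critical"):
        reasons.append(f"{ns}/{kind}/{wl} ({ctr}): {rel} relevant critical CVEs of {tot} total")
    return reasons


if __name__ == "__main__":
    for reason in gate(parse_exposition(SAMPLE_METRICS)):
        print(reason)
```

Run against a real scrape by piping the output of the endpoint into parse_exposition. For continuous monitoring the same conditions are simpler as PromQL in a PrometheusRule, for example kubescape_cluster_riskScore > 50 or sum by (namespace) (kubescape_vulnerabilities_relevant_workload_critical) > 0; the script is for the case where a pipeline needs a hard fail from one scrape rather than an alert.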