Prometheus Exporter

Kubescape runs as a microservice inside the cluster. As a result, you can set up a Prometheus pod or service monitor to trigger scans and scrape the scan results.

  1. Install kube-prometheus-stack

    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm repo update
    kubectl create namespace prometheus
    helm install -n prometheus kube-prometheus-stack prometheus-community/kube-prometheus-stack --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false,prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
    
  2. Add the ARMO/Kubescape helm repo (the alias must be `kubescape`, because the install command below refers to the chart as `kubescape/kubescape-cloud-operator`)

    helm repo add kubescape https://kubescape.github.io/helm-charts/

    Or, if the repo is already added, refresh it:

    helm repo update
    
  3. Install the helm chart with the following values:

    • kubescape.serviceMonitor.enabled=true # Create the Prometheus serviceMonitor

    If you wish to integrate only with Prometheus and not with the Kubescape Cloud Platform, it is recommended to also set the following values:

    • kubescape.submit=false # Do not submit scan results
    • kubescape.enableHostScan=false # Do not install the Host Scanner
    • kubescape.downloadArtifacts=false # Do not download artifacts every scan

    Install:

    helm upgrade --install kubescape kubescape/kubescape-cloud-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set kubescape.serviceMonitor.enabled=true
    

Grafana dashboard

Add kubescape dashboard to Grafana

Metrics

All Kubescape-related metric names begin with the `kubescape_` prefix.

riskScore is the output of an algorithm that calculates the risk posed by the vulnerability findings: 0 indicates no risk and 100 indicates the highest risk.

Cluster scope metrics

Overall risk score
# Overall riskScore of the scan
kubescape_cluster_riskScore{} <risk score>
Overall resources counters
# Number of resources that failed
kubescape_cluster_count_resources_failed{} <counter>

# Number of resources that were excluded
kubescape_cluster_count_resources_excluded{} <counter>

# Number of resources that passed
kubescape_cluster_count_resources_passed{} <counter>
Overall controls counters
# Number of controls that failed
kubescape_cluster_count_controls_failed{} <counter>

# Number of controls that were excluded
kubescape_cluster_count_controls_excluded{} <counter>

# Number of controls that passed
kubescape_cluster_count_controls_passed{} <counter>

Frameworks metrics

Frameworks risk score
kubescape_framework_riskScore{name="<framework name>"} <risk score>
Frameworks resources counters
# Number of resources that failed
kubescape_framework_count_resources_failed{name="<framework name>"} <counter>

# Number of resources that were excluded
kubescape_framework_count_resources_excluded{name="<framework name>"} <counter>

# Number of resources that passed
kubescape_framework_count_resources_passed{name="<framework name>"} <counter>
Frameworks controls counters
# Number of controls that failed 
kubescape_framework_count_controls_failed{name="<framework name>"} <counter>

# Number of controls that were excluded
kubescape_framework_count_controls_excluded{name="<framework name>"} <counter>

# Number of controls that passed
kubescape_framework_count_controls_passed{name="<framework name>"} <counter>

Controls metrics

Controls risk score
kubescape_control_riskScore{name="<control name>",url="<docs url>",severity="<control severity>"} <risk score>
Controls resources counters
# Number of resources that failed 
kubescape_control_count_resources_failed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that were excluded
kubescape_control_count_resources_excluded{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>

# Number of resources that passed
kubescape_control_count_resources_passed{name="<control name>",url="<docs url>",severity="<control severity>"} <counter>
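As an added example (not code from Kubescape or from this page), the script below parses a constructed scrape in the metric shapes documented above and reports which high-severity controls currently have failing resources, plus failed-resource totals per severity. The control names, URLs and counter values in the sample are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample scrape in the shapes documented above; control names, URLs
# and numbers are invented for illustration, not real Kubescape output.
SAMPLE_SCRAPE = """\
kubescape_cluster_riskScore{} 42
kubescape_cluster_count_resources_failed{} 7
kubescape_control_riskScore{name="Privileged container",url="https://docs.example/c-0057",severity="High"} 80
kubescape_control_count_resources_failed{name="Privileged container",url="https://docs.example/c-0057",severity="High"} 4
kubescape_control_count_resources_failed{name="Host PID/IPC privileges",url="https://docs.example/c-0038",severity="Medium"} 3
kubescape_control_count_resources_failed{name="Allow privilege escalation",url="https://docs.example/c-0016",severity="High"} 0
kubescape_control_count_resources_passed{name="Privileged container",url="https://docs.example/c-0057",severity="High"} 26
"""

SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)\{([^}]*)\}\s+(\S+)\s*$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_exposition(text):
    """Return (metric, labels, value) per sample line; comment and blank lines are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        labels = dict(LABEL_RE.findall(m.group(2)))  # {} -> empty label set
        samples.append((m.group(1), labels, float(m.group(3))))
    return samples

def failing_controls(text, severities=("High", "Critical")):
    """Controls of the given severities with at least one failed resource, worst first."""
    rows = [(lbl["name"], lbl["severity"], int(val))
            for name, lbl, val in parse_exposition(text)
            if name == "kubescape_control_count_resources_failed"
            and lbl.get("severity") in severities and val > 0]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def failed_by_severity(text):
    """Failed resources summed per control severity. A resource failing several
    controls is counted once per control, so this is not the cluster-wide total."""
    totals = defaultdict(int)
    for name, lbl, val in parse_exposition(text):
        if name == "kubescape_control_count_resources_failed":
            totals[lbl["severity"]] += int(val)
    return dict(totals)
```

To run it against a live cluster, feed the body of the exporter's /metrics response to these functions instead of SAMPLE_SCRAPE.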