OPA
Metrics, Dashboards, Alerts and more for OPA Integration in Sysdig Monitor.
This integration is enabled by default.
Versions supported: > v3.5.1
This integration is out-of-the-box, so it doesn’t require any exporter.
This integration has 10 metrics.
Timeseries generated: 150 series for each Gatekeeper
List of Alerts
| Alert | Description | Format |
|---|---|---|
| [Opa gatekeeper] Too much time since the last audit | There was more than 120 second since the last audit | Prometheus |
| [Opa gatekeeper] Spike of violations | There was more than 30 violations | Prometheus |
List of Dashboards
OPA Gatekeeper
The dashboard provides information on the requests rate, latency, violations rate per constraint.
List of Metrics
| Metric name |
|---|
| gatekeeper_audit_duration_seconds_bucket |
| gatekeeper_audit_last_run_time |
| gatekeeper_constraint_template_ingestion_count |
| gatekeeper_constraint_template_ingestion_duration_seconds_bucket |
| gatekeeper_constraint_templates |
| gatekeeper_constraints |
| gatekeeper_request_count |
| gatekeeper_request_duration_seconds_bucket |
| gatekeeper_request_duration_seconds_count |
| gatekeeper_violations |
Prerequisites
None.
Installation
Installing an exporter is not required for this integration.
Agent Configuration
The default agent job for this integration is as follows:
- job_name: opa-default
tls_config:
insecure_skip_verify: true
kubernetes_sd_configs:
- role: pod
relabel_configs:
- action: keep
source_labels: [__meta_kubernetes_pod_host_ip]
regex: __HOSTIPS__
- action: drop
source_labels: [__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit]
regex: true
- source_labels: [__meta_kubernetes_pod_phase]
action: keep
regex: Running
- action: replace
source_labels:
- __meta_kubernetes_pod_container_name
- __meta_kubernetes_pod_label_control_plane
- __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
regex: (manager);(audit-controller|controller-manager);(.{0}$)
replacement: opa-gatekeeper
target_label: __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
- action: keep
source_labels:
- __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
regex: "opa-gatekeeper"
- action: keep
source_labels:
- __meta_kubernetes_pod_container_port_name
regex: "metrics"
- action: replace
source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
target_label: __scheme__
regex: (https?)
- action: replace
source_labels: [__address__,__meta_kubernetes_pod_container_port_name]
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: replace
source_labels: [__meta_kubernetes_pod_uid]
target_label: sysdig_k8s_pod_uid
- action: replace
source_labels: [__meta_kubernetes_pod_container_name]
target_label: sysdig_k8s_pod_container_name
metric_relabel_configs:
- source_labels: [__name__]
regex: (certwatcher_read_certificate_errors_total|certwatcher_read_certificate_total|gatekeeper_mutation_request_count|gatekeeper_mutation_request_duration_seconds|gatekeeper_mutation_system_iterations|gatekeeper_validation_request_count|gatekeeper_validation_request_duration_seconds|gatekeeper_audit_duration_seconds|gatekeeper_audit_last_run_end_time|gatekeeper_audit_last_run_time|gatekeeper_audit_duration_seconds_bucket|gatekeeper_constraint_template_ingestion_count|gatekeeper_constraint_template_ingestion_duration_seconds_bucket|gatekeeper_constraint_templates|gatekeeper_constraints|gatekeeper_request_count|gatekeeper_request_duration_seconds_bucket|gatekeeper_request_duration_seconds_count|gatekeeper_violations)
action: keep
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.