Sysdig Admission Controller

Metrics, Dashboards, Alerts and more for Sysdig Admission Controller Integration in Sysdig Monitor.
This integration is enabled by default.

This integration is out-of-the-box, so it doesn’t require any exporter.

This integration has 47 metrics.

List of Alerts

| Alert | Description | Format |
| --- | --- | --- |
| [Sysdig Admission Controller] No K8s Audit Events Received | The Admission Controller is not receiving Kubernetes Audit events | Prometheus |
| [Sysdig Admission Controller] K8s Audit Events Throttling | Kubernetes Audit events are being throttled | Prometheus |
| [Sysdig Admission Controller] Scanning Events Throttling | Scanning events are being throttled | Prometheus |
| [Sysdig Admission Controller] Inline Scanning Throttling | The inline scanning queue is not empty for a long time | Prometheus |
| [Sysdig Admission Controller] High Error Rate In Scan Status From Backend | High Error Rate In Scan Status From Backend | Prometheus |
| [Sysdig Admission Controller] High Error Rate In Scan Report From Backend | High Error Rate In Scan Status From Backend | Prometheus |
| [Sysdig Admission Controller] High Error Rate In Image Scan | High Error Rate In Image Scan | Prometheus |

List of Dashboards

Sysdig Admission Controller

The dashboard provides information on the Sysdig Admission Controller integration.

List of Metrics

Metric name
go_build_info
go_gc_duration_seconds
go_gc_duration_seconds_count
go_gc_duration_seconds_sum
go_goroutines
go_info
go_memstats_buck_hash_sys_bytes
go_memstats_gc_sys_bytes
go_memstats_heap_alloc_bytes
go_memstats_heap_idle_bytes
go_memstats_heap_inuse_bytes
go_memstats_heap_released_bytes
go_memstats_heap_sys_bytes
go_memstats_lookups_total
go_memstats_mallocs_total
go_memstats_mcache_inuse_bytes
go_memstats_mcache_sys_bytes
go_memstats_mspan_inuse_bytes
go_memstats_mspan_sys_bytes
go_memstats_next_gc_bytes
go_memstats_stack_inuse_bytes
go_memstats_stack_sys_bytes
go_memstats_sys_bytes
go_threads
k8s_audit_ac_alerts_total
k8s_audit_ac_events_processed_total
k8s_audit_ac_events_received_total
process_cpu_seconds_total
process_max_fds
process_open_fds
queue_length
scan_report_cache_hits
scan_report_cache_misses
scan_status_cache_hits
scan_status_cache_misses
scanner_scan_errors
scanner_scan_report_error_from_backend_count
scanner_scan_report_retrieved_from_backend_count
scanner_scan_requests_already_queued
scanner_scan_requests_error
scanner_scan_requests_queued
scanner_scan_status_error_from_backend_count
scanner_scan_status_retrieved_from_backend_count
scanner_scan_success
scanning_ac_admission_responses_total
scanning_ac_containers_processed_total
scanning_ac_http_scanning_handler_requests_total

Prerequisites

Install Sysdig Admission Controller

Install Sysdig Admission Controller following the official documentation, and make sure to provide a valid Sysdig Secure URL and API token.

Installation

Installing an exporter is not required for this integration.

Agent Configuration

The default agent job for this integration is as follows:

- job_name: sysdig-admission-controller-default
  tls_config:
    insecure_skip_verify: true
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - action: keep
    source_labels: [__meta_kubernetes_pod_host_ip]
    regex: __HOSTIPS__
  - action: keep
    source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
    regex: true
  - action: drop
    source_labels: [__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit]
    regex: true
  - source_labels: [__meta_kubernetes_pod_phase]
    action: keep
    regex: Running
  - action: keep
    source_labels:
    - __meta_kubernetes_pod_container_name
    - __meta_kubernetes_pod_annotation_prometheus_io_port
    regex: admission-controller;(8080|5000)
  - action: replace
    source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
    regex: ([^:]+)(?::\d+)?;(\d+)
    replacement: $1:$2
    target_label: __address__
  - action: replace
    source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
    target_label: __scheme__
    regex: (https?)
  - action: replace
    source_labels: [__meta_kubernetes_pod_uid]
    target_label: sysdig_k8s_pod_uid
  - action: replace
    source_labels: [__meta_kubernetes_pod_container_name]
    target_label: sysdig_k8s_pod_container_name
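
To check which discovered pods this job actually scrapes, the sketch below replays the relabel_configs above over constructed pod labels. It is an added example, not Sysdig's code; the node IP substituted for `__HOSTIPS__`, the sample pod values and the helper names `relabel` and `pod` are assumptions.

```python
import re

P = "__meta_kubernetes_pod_"            # pod discovery label prefix
A = P + "annotation_prometheus_io_"     # prometheus.io/* pod annotations

# The job's rules as (action, source_labels, regex, target_label, replacement).
# Assumption: the agent substitutes __HOSTIPS__ with its node IP (10.0.0.5 here).
RULES = [
    ("keep", [P + "host_ip"], r"10\.0\.0\.5", None, None),
    ("keep", [A + "scrape"], "true", None, None),
    ("drop", [P + "annotation_promcat_sysdig_com_omit"], "true", None, None),
    ("keep", [P + "phase"], "Running", None, None),
    ("keep", [P + "container_name", A + "port"], "admission-controller;(8080|5000)", None, None),
    ("replace", ["__address__", A + "port"], r"([^:]+)(?::\d+)?;(\d+)", "__address__", "$1:$2"),
    ("replace", [A + "scheme"], "(https?)", "__scheme__", "$1"),
    ("replace", [P + "uid"], "(.*)", "sysdig_k8s_pod_uid", "$1"),
    ("replace", [P + "container_name"], "(.*)", "sysdig_k8s_pod_container_name", "$1"),
]

def relabel(labels, rules=RULES):
    """Apply the rules in order; return the final labels, or None if the target is dropped."""
    labels = dict(labels)
    for action, sources, regex, target, replacement in rules:
        # Prometheus joins source label values with ';' and anchors the regex.
        value = ";".join(labels.get(s, "") for s in sources)
        m = re.fullmatch(regex, value)
        if (action == "keep" and not m) or (action == "drop" and m):
            return None
        if action == "replace" and m:
            # Translate $1-style references into Python's \g<1> form.
            labels[target] = m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", replacement))
    return labels

def pod(container, port, **extra):
    """Constructed discovery labels for one container port of a pod (sample data)."""
    base = {"__address__": "10.244.1.7:" + port, P + "host_ip": "10.0.0.5",
            P + "phase": "Running", P + "uid": "uid-1234", P + "container_name": container,
            A + "scrape": "true", A + "port": "5000"}
    return {**base, **extra}

if __name__ == "__main__":
    for name, labels in [("controller", pod("admission-controller", "8443")),
                         ("sidecar", pod("istio-proxy", "15090"))]:
        print(name, relabel(labels))
```

The job also sets `insecure_skip_verify: true`, so when the scheme annotation selects https the agent does not verify the target's certificate.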