OPA

Metrics, Dashboards, Alerts and more for OPA Integration in Sysdig Monitor.
This integration is enabled by default.

Versions supported: > v3.5.1

This integration is out-of-the-box, so it doesn’t require any exporter.

This integration has 10 metrics.

Timeseries generated: 150 series for each Gatekeeper

List of Alerts

| Alert | Description | Format |
| --- | --- | --- |
| [Opa gatekeeper] Too much time since the last audit | More than 120 seconds have passed since the last audit | Prometheus |
| [Opa gatekeeper] Spike of violations | There were more than 30 violations | Prometheus |

List of Dashboards

OPA Gatekeeper

The dashboard provides information on the request rate, latency, and violation rate per constraint.

List of Metrics

Metric name
gatekeeper_audit_duration_seconds_bucket
gatekeeper_audit_last_run_time
gatekeeper_constraint_template_ingestion_count
gatekeeper_constraint_template_ingestion_duration_seconds_bucket
gatekeeper_constraint_templates
gatekeeper_constraints
gatekeeper_request_count
gatekeeper_request_duration_seconds_bucket
gatekeeper_request_duration_seconds_count
gatekeeper_violations

Preparing the Integration

No preparations are required for this integration.

Installing

The installation of an exporter is not required for this integration.

Monitoring and Troubleshooting OPA

This document describes important metrics and queries that you can use to monitor and troubleshoot OPA.

Tracking metrics status

You can track OPA metrics status with the following alert, which fires when the exporter process is not serving metrics:

# [OPA] Exporter Process Down
absent(gatekeeper_request_count{kube_cluster_name=~$cluster,kube_namespace_name=~$namespace,kube_workload_name=~$workload}) > 0

Agent Configuration

This is the default agent job for this integration:

- job_name: opa-default
  tls_config:
    # The scrape target's TLS certificate is not verified.
    insecure_skip_verify: true
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - action: keep
    source_labels: [__meta_kubernetes_pod_host_ip]
    regex: __HOSTIPS__
  - action: drop
    source_labels: [__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit]
    regex: true
  - action: replace
    source_labels:
    - __meta_kubernetes_pod_container_name
    - __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
    regex: (manager);(.{0}$)
    replacement: opa-gatekeeper
    target_label: __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
  - action: keep
    source_labels:
    - __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
    regex: "opa-gatekeeper"
  - action: keep
    source_labels:
    - __meta_kubernetes_pod_container_port_name
    regex: "metrics"
  - action: replace
    source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
    target_label: __scheme__
    regex: (https?)
  - action: replace
    source_labels: [__address__,__meta_kubernetes_pod_container_port_name]
    regex: ([^:]+)(?::\d+)?;(\d+)
    replacement: $1:$2
    target_label: __address__
  - action: replace
    source_labels: [__meta_kubernetes_pod_uid]
    target_label: sysdig_k8s_pod_uid
  - action: replace
    source_labels: [__meta_kubernetes_pod_container_name]
    target_label: sysdig_k8s_pod_container_name
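
When the Exporter Process Down alert fires, the first thing to check is whether the job above still selects the Gatekeeper pod. The following is an added example, not Sysdig's code: a small Python model of the job's selection rules, run over constructed pod labels. The helper names (`relabel`, `pod`, `is_scraped`) are hypothetical, and the `__HOSTIPS__` rule and the address and label rewrites are assumed not to affect selection and are left out.

```python
import re

# Selection rules copied from the opa-default job above; the __HOSTIPS__ keep
# rule and the address/label rewrites are omitted (assumption: they do not
# decide whether a Gatekeeper pod on this node is selected).
P = "__meta_kubernetes_pod_"
ITYPE = P + "annotation_promcat_sysdig_com_integration_type"
RULES = [
    ("drop", [P + "annotation_promcat_sysdig_com_omit"], "true", None, None),
    ("replace", [P + "container_name", ITYPE], r"(manager);(.{0}$)", "opa-gatekeeper", ITYPE),
    ("keep", [ITYPE], "opa-gatekeeper", None, None),
    ("keep", [P + "container_port_name"], "metrics", None, None),
]

def relabel(labels, rules=RULES):
    """Apply Prometheus-style relabeling; return final labels, or None if dropped."""
    labels = dict(labels)
    for action, sources, regex, replacement, target in rules:
        # Prometheus joins source label values with ';' and anchors the regex.
        value = ";".join(labels.get(s, "") for s in sources)
        match = re.fullmatch(regex, value)
        if action == "drop" and match:
            return None
        if action == "keep" and not match:
            return None
        if action == "replace" and match:
            # Prometheus writes $1; Python's expand() wants \1.
            labels[target] = match.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return labels

def pod(container, port_name, **annotations):
    """Build constructed discovery labels for one pod container port."""
    labels = {P + "container_name": container, P + "container_port_name": port_name}
    labels.update({P + "annotation_promcat_sysdig_com_" + k: v for k, v in annotations.items()})
    return labels

def is_scraped(labels):
    return relabel(labels) is not None

if __name__ == "__main__":
    # Constructed sample pods, not taken from a real cluster.
    samples = {
        "manager, port 'metrics'": pod("manager", "metrics"),
        "manager, port named 'http'": pod("manager", "http"),
        "manager with omit annotation": pod("manager", "metrics", omit="true"),
        "manager annotated as another integration": pod("manager", "metrics", integration_type="nginx"),
    }
    for name, labels in samples.items():
        print(f"{name}: {'scraped' if is_scraped(labels) else 'skipped'}")
```

The `(manager);(.{0}$)` rule only fills in the integration type when the annotation is empty, so a `manager` container already annotated with a different integration type is not picked up by this job.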