OPA
This integration is enabled by default.
Versions supported: > v3.5.1
This integration is out-of-the-box, so it doesn’t require any exporter.
This integration has 10 metrics.
Timeseries generated: 150 series for each Gatekeeper
List of Alerts
| Alert | Description | Format |
|---|---|---|
| [Opa gatekeeper] Too much time since the last audit | There was more than 120 second since the last audit | Prometheus |
| [Opa gatekeeper] Spike of violations | There was more than 30 violations | Prometheus |
List of Dashboards
OPA Gatekeeper
The dashboard provides information on the requests rate, latency, violations rate per constraint.
List of Metrics
| Metric name |
|---|
| gatekeeper_audit_duration_seconds_bucket |
| gatekeeper_audit_last_run_time |
| gatekeeper_constraint_template_ingestion_count |
| gatekeeper_constraint_template_ingestion_duration_seconds_bucket |
| gatekeeper_constraint_templates |
| gatekeeper_constraints |
| gatekeeper_request_count |
| gatekeeper_request_duration_seconds_bucket |
| gatekeeper_request_duration_seconds_count |
| gatekeeper_violations |
Preparing the Integration
No preparations are required for this integration.
Installing
The installation of an exporter is not required for this integration.
Monitoring and Troubleshooting OPA
This document describes important metrics and queries that you can use to monitor and troubleshoot OPA.
Tracking metrics status
You can track OPA metrics status with following alerts: Exporter proccess is not serving metrics
# [OPA] Exporter Process Down
absent(gatekeeper_request_count{kube_cluster_name=~$cluster,kube_namespace_name=~$namespace,kube_workload_name=~$workload}) > 0
Agent Configuration
This is the default agent job for this integration:
- job_name: opa-default
tls_config:
insecure_skip_verify: true
kubernetes_sd_configs:
- role: pod
relabel_configs:
- action: keep
source_labels: [__meta_kubernetes_pod_host_ip]
regex: __HOSTIPS__
- action: drop
source_labels: [__meta_kubernetes_pod_annotation_promcat_sysdig_com_omit]
regex: true
- action: replace
source_labels:
- __meta_kubernetes_pod_container_name
- __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
regex: (manager);(.{0}$)
replacement: opa-gatekeeper
target_label: __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
- action: keep
source_labels:
- __meta_kubernetes_pod_annotation_promcat_sysdig_com_integration_type
regex: "opa-gatekeeper"
- action: keep
source_labels:
- __meta_kubernetes_pod_container_port_name
regex: "metrics"
- action: replace
source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
target_label: __scheme__
regex: (https?)
- action: replace
source_labels: [__address__,__meta_kubernetes_pod_container_port_name]
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: replace
source_labels: [__meta_kubernetes_pod_uid]
target_label: sysdig_k8s_pod_uid
- action: replace
source_labels: [__meta_kubernetes_pod_container_name]
target_label: sysdig_k8s_pod_container_name
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.