Set up alerts on vulnerabilities
Big picture
Create alerts on high-severity vulnerabilities so you can delegate remediation efforts to the appropriate team.
How to
To create alerts, use the Global alert resource.
Example 1 - Alert on a failed image
In this example, an alert is created whenever there is more than one event for an image from the specified registry/repo that has a result value of Fail within the past 30 minutes.
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-1
spec:
summary: 'Vulnerabilities for a specific repo based on results'
description: 'Vulnerabilities for a specific repo based on results'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: registry="quay.io/tigera" AND repository="node" AND result="Fail"
metric: count
condition: gt
threshold: 1
Example 2 - Alert on a specific repo with maximum CVSS greater than 7.0
In this example, an alert is created whenever there is at least one event for an image from the specified registry/ repo that has a max CVSS score greater than 7.0 within the past 30 minutes. Providing control over the exact max CVSS score threshold lets you define a trigger that is different from what the CVSS score threshold is configured for Fail scan result on the Scan Results page in Manager UI.
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-2
spec:
summary: 'Vulnerabilities for a specific repo based on max CVSS score'
description: 'Vulnerabilities for a specific repo based on max CVSS score'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: registry="quay.io/tigera" AND repository="node"
field: max_cvss_score
metric: max
condition: gt
threshold: 7.0
Example 3 - Alert on a failed scan result within a pod in a namespace
In this example, an alert is created whenever there is at least one event for an image that has a scan result of Fail, that is running within a pod in any cluster in the namespace tigera-elasticsearch
, within the past 30 minutes.
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-3
spec:
summary: 'Vulnerabilities for namespace tigera-elasticsearch'
description: 'Vulnerabilities for namespace tigera-elasticsearch'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: result="Fail" AND namespace="tigera-elasticsearch"
metric: count
condition: gt
threshold: 1
You must apply global alerts across all applicable managed clusters. For example, if you have five clusters, you must apply the alerts five times.
For a complete list of parameters, see Global alert resource.