Skip to main content
Calico Cloud Pro documentation

Set up alerts on vulnerabilities

deprecation and removal notice

This feature was deprecated in Calico Cloud version 21.1.0 and will be removed in a future release. Availability depends on when you started using Calico Cloud.

  • For users who started using Calico Cloud in April 2025 or later, this feature is not available.
  • Legacy users, who started using Calico Cloud before April 2025, can continue to use this feature until it is removed in a future release.

Big picture​

Create alerts on high-severity vulnerabilities so you can delegate remediation efforts to the appropriate team.

How to​

To create alerts, use the Global alert resource.

Example 1 - Alert on a failed image​

In this example, an alert is created whenever there is more than one event for an image from the specified registry/repo that has a result value of Fail within the past 30 minutes.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-1
spec:
summary: 'Vulnerabilities for a specific repo based on results'
description: 'Vulnerabilities for a specific repo based on results'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: registry="quay.io/tigera" AND repository="node" AND result="Fail"
metric: count
condition: gt
threshold: 1

Example 2 - Alert on a specific repo with maximum CVSS greater than 7.0​

In this example, an alert is created whenever there is at least one event for an image from the specified registry/ repo that has a max CVSS score greater than 7.0 within the past 30 minutes. Providing control over the exact max CVSS score threshold lets you define a trigger that is different from what the CVSS score threshold is configured for Fail scan result on the Scan Results page in the web console.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-2
spec:
summary: 'Vulnerabilities for a specific repo based on max CVSS score'
description: 'Vulnerabilities for a specific repo based on max CVSS score'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: registry="quay.io/tigera" AND repository="node"
field: max_cvss_score
metric: max
condition: gt
threshold: 7.0

Example 3 - Alert on a failed scan result within a pod in a namespace​

In this example, an alert is created whenever there is at least one event for an image that has a scan result of Fail, that is running within a pod in any cluster in the namespace tigera-elasticsearch, within the past 30 minutes.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
name: example-3
spec:
summary: 'Vulnerabilities for namespace tigera-elasticsearch'
description: 'Vulnerabilities for namespace tigera-elasticsearch'
severity: 100
period: 30m
lookback: 30m
dataSet: vulnerability
query: result="Fail" AND namespace="tigera-elasticsearch"
metric: count
condition: gt
threshold: 1
note

You must apply global alerts across all applicable managed clusters. For example, if you have five clusters, you must apply the alerts five times.

For a complete list of parameters, see Global alert resource.