Skip to main content

Set up alerts on vulnerabilities

Big picture

Create alerts on high-severity vulnerabilities so you can delegate remediation efforts to the appropriate team.

How to

To create alerts, use the Global alert resource.

Example 1 - Alert on a failed image

In this example, an alert is created whenever there is more than one event for an image from the specified registry/repo that has a result value of Fail within the past 30 minutes.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: example-1
spec:
  summary: 'Vulnerabilities for a specific repo based on results'
  description: 'Vulnerabilities for a specific repo based on results'
  severity: 100
  period: 30m
  lookback: 30m
  dataSet: vulnerability
  query: registry="quay.io/tigera" AND repository="node" AND result="Fail"
  metric: count
  condition: gt
  threshold: 1

Example 2 - Alert on a specific repo with maximum CVSS greater than 7.0

In this example, an alert is created whenever there is at least one event for an image from the specified registry/ repo that has a max CVSS score greater than 7.0 within the past 30 minutes. Providing control over the exact max CVSS score threshold lets you define a trigger that is different from what the CVSS score threshold is configured for Fail scan result on the Scan Results page in Manager UI.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: example-2
spec:
  summary: 'Vulnerabilities for a specific repo based on max CVSS score'
  description: 'Vulnerabilities for a specific repo based on max CVSS score'
  severity: 100
  period: 30m
  lookback: 30m
  dataSet: vulnerability
  query: registry="quay.io/tigera" AND repository="node"
  field: max_cvss_score
  metric: max
  condition: gt
  threshold: 7.0

Example 3 - Alert on a failed scan result within a pod in a namespace

In this example, an alert is created whenever there is at least one event for an image that has a scan result of Fail, that is running within a pod in any cluster in the namespace tigera-elasticsearch, within the past 30 minutes.

apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: example-3
spec:
  summary: 'Vulnerabilities for namespace tigera-elasticsearch'
  description: 'Vulnerabilities for namespace tigera-elasticsearch'
  severity: 100
  period: 30m
  dataSet: vulnerability
  query: result="Fail" AND namespace="tigera-elasticsearch"
  metric: count
  condition: gt
  threshold: 1
note

You must apply global alerts across all applicable managed clusters. For example, if you have five clusters, you must apply the alerts five times.

For a complete list of parameters, see Global alert resource.