
Ability to read labels from pod/deployements being scanned and add to prometheus metrics

Open dinapappor opened this issue 3 years ago • 6 comments

In our clusters we have specific labels that we'd like to add to the metrics generated by trivy-operator.

Namely we'd like the ability to assign owner label to these metrics since trying to join these metrics with other metrics to get the owner is non-trivial.

I.e., trivy scans doom pod/deployment, then reads owner label. Adds that to the metrics generated.

Let me know if you need more clarification here.

dinapappor avatar Sep 02 '22 07:09 dinapappor

@dinapappor do you mean adding custom fields to finding metrics ?

chen-keinan avatar Sep 02 '22 15:09 chen-keinan

Adding labels to the generated metrics which are generated by labels that the scanned pod/deployment/replicaset has.

For instance.

trivy scans pod-a with a label called owner with value team-a. It then adds it to the metric of that pod

dinapappor avatar Sep 21 '22 19:09 dinapappor

For instance if I specify:

if pod/deployment has

labels:
  owner: team-a
  app: service-name-a

I'd like to have them here:

trivy_image_vulnerabilities{k8s_label_owner="team-a", k8s_label_app="service-name-a"}

k8s_label_* can of course be something else, but the key takeaway is that it should be configurable.

dinapappor avatar Sep 22 '22 07:09 dinapappor
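The mapping sketched above, as an added illustration in Go (not trivy-operator's own code; the `k8s_label_` prefix, the allow-list argument and the sample labels are assumptions): only configured workload labels are copied into metric labels, their keys are rewritten into valid Prometheus label names, and one sample line is rendered. The allow-list is the part a defender cares about, since copying every label (pod-template-hash, build ids) would create one series per value.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Prometheus label names must match [a-zA-Z_][a-zA-Z0-9_]*; Kubernetes keys may contain '/', '.', '-'.
var invalidLabelChars = regexp.MustCompile(`[^a-zA-Z0-9_]`)

// PromLabelName rewrites a Kubernetes label key into a Prometheus label name under prefix,
// e.g. "app.kubernetes.io/name" -> "k8s_label_app_kubernetes_io_name".
func PromLabelName(prefix, k8sKey string) string {
	name := prefix + invalidLabelChars.ReplaceAllString(k8sKey, "_")
	if name == "" || (name[0] >= '0' && name[0] <= '9') {
		name = "_" + name // a leading digit is not a valid label name
	}
	return name
}

// WorkloadMetricLabels copies only allow-listed workload labels into metric labels,
// which keeps metric cardinality bounded by configuration rather than by what is deployed.
func WorkloadMetricLabels(prefix string, allowed []string, workload map[string]string) map[string]string {
	out := make(map[string]string, len(allowed))
	for _, key := range allowed {
		if v, ok := workload[key]; ok {
			out[PromLabelName(prefix, key)] = v
		}
	}
	return out
}

// RenderSample formats one sample in exposition format, labels sorted by name for determinism.
func RenderSample(metric string, labels map[string]string, value float64) string {
	names := make([]string, 0, len(labels))
	for n := range labels {
		names = append(names, n)
	}
	sort.Strings(names)
	pairs := make([]string, 0, len(names))
	for _, n := range names {
		pairs = append(pairs, fmt.Sprintf("%s=%q", n, labels[n])) // %q escapes quotes and backslashes
	}
	return fmt.Sprintf("%s{%s} %g", metric, strings.Join(pairs, ","), value)
}

func main() {
	// Constructed sample: labels of a scanned pod, one of which must NOT reach the metrics.
	pod := map[string]string{"owner": "team-a", "app": "service-name-a", "pod-template-hash": "5d8f9c7b6"}
	fmt.Println(RenderSample("trivy_image_vulnerabilities", WorkloadMetricLabels("k8s_label_", []string{"owner", "app"}, pod), 3))
}
```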

@dinapappor sounds reasonable, adding it to backlog; you can pick up this issue and raise a PR if you want or we will get to it later

chen-keinan avatar Sep 22 '22 08:09 chen-keinan

I would like to vote for this feature as well. Also, it'd be very useful to add the workload's labels and annotations to VulnerabilityReport object (using a flag of course).

We have a custom operator that creates Jira tickets for the vulnerabilities. For each VulnerabilityReport, we need to look up its corresponding deployment/daemonset etc. to find the owner tag, so the proposed feature would make such integrations easier.

fardin01 avatar Oct 06 '22 18:10 fardin01

It would indeed be helpful to add the workload's labels in the CRDs. I too vote for this feature

renuka-sharma avatar Oct 11 '22 09:10 renuka-sharma

@chen-keinan Seems https://github.com/aquasecurity/trivy-operator/pull/612 does exactly what we'd like to do. We locally compiled it and ran it on our env and it works.

dinapappor avatar Oct 25 '22 03:10 dinapappor

@dinapappor this feature is out with latest trivy-operator v0.5.0

chen-keinan avatar Oct 31 '22 08:10 chen-keinan

@dinapappor this feature is out with latest trivy-operator v0.5.0

Yup, deployed it and it is working perfectly. @hlastras and @chen-keinan thank you. :heart:

dinapappor avatar Nov 01 '22 12:11 dinapappor