From 2126f9300a6b3c058d14a34b86972255028a50e9 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Mon, 22 Apr 2024 13:31:02 +0200 Subject: [PATCH 01/10] Add new row to cluster overview dashboard for visualizing violation occurences --- .../sources/rhacs-cluster-overview.json | 429 ++++++++++++++++++ 1 file changed, 429 insertions(+) diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index f969b75e..b406802d 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -1825,6 +1825,435 @@ } ], "type": "table" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 28 + }, + "id": 140, + "panels": [], + "title": "Cluster Violations", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows occurrence intensity of SELinux AVC denials.", + "fieldConfig": { + "defaults": { + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "scaleDistribution": { + "type": "linear" + } + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 29 + }, + "id": 142, + "interval": "60s", + "options": { + "calculate": false, + "cellGap": 2, + "cellValues": { + "unit": "none" + }, + "color": { + "exponent": 0.5, + "fill": "dark-orange", + "max": 30, + "min": -20, + "mode": "scheme", + "reverse": true, + "scale": "exponential", + "scheme": "Oranges", + "steps": 64 + }, + "exemplars": { + "color": "rgba(255,0,255,0.7)" + }, + "filterValues": { + "le": 1e-9 + }, + "legend": { + "show": false + }, + "rowsFrame": { + "layout": "auto" + }, + "tooltip": { + "show": true, + "yHistogram": false + }, + "yAxis": { + "axisPlacement": "hidden", + "reverse": false, + "unit": "none" + } + }, + "pluginVersion": "10.2.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by() (selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", + "format": "time_series", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "selinux_denials_sample_count occurrences", + "useBackend": false + } + ], + "title": "SELinux Violations occurences", + "transformations": [], + "type": "heatmap" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + 
"description": "Shows occurrence intensity of Network Policy ACL denials.", + "fieldConfig": { + "defaults": { + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "scaleDistribution": { + "type": "linear" + } + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 29 + }, + "id": 143, + "interval": "60s", + "options": { + "calculate": false, + "cellGap": 2, + "cellValues": { + "unit": "none" + }, + "color": { + "exponent": 0.5, + "fill": "dark-orange", + "max": 30, + "min": -20, + "mode": "scheme", + "reverse": true, + "scale": "exponential", + "scheme": "Oranges", + "steps": 64 + }, + "exemplars": { + "color": "rgba(255,0,255,0.7)" + }, + "filterValues": { + "le": 1e-9 + }, + "legend": { + "show": false + }, + "rowsFrame": { + "layout": "auto" + }, + "tooltip": { + "show": true, + "yHistogram": false + }, + "yAxis": { + "axisPlacement": "hidden", + "reverse": false, + "unit": "none" + } + }, + "pluginVersion": "10.2.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by() (network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", + "format": "time_series", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "selinux_denials_sample_count occurrences", + "useBackend": false + } + ], + "title": "Network Policy Violations occurences", + "transformations": [], + "type": "heatmap" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the SELinux AVC Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + 
"axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 37 + }, + "id": 141, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "selinux_denials_sample_count { region=\"{{region}}\", rhacs_cluster_name=\"{{rhacs_cluster_name}}\" }", + "range": true, + "refId": "selinux_denials_sample_count per minute", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sgn(selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", + "format": "time_series", + "fullMetaSearch": false, + "hide": true, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "selinux_denials_sample_count occurrences", + 
"useBackend": false + } + ], + "title": "SELinux Violations per minute", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the Network Policy ACL Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 37 + }, + "id": 144, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "selinux_denials_sample_count { region=\"{{region}}\", rhacs_cluster_name=\"{{rhacs_cluster_name}}\" }", + "range": true, + "refId": "network_policy_denials_sample_count 
per minute", + "useBackend": false + } + ], + "title": "Network Policy Violations per minute", + "type": "timeseries" } ], "refresh": "", From b42414ae1356d509ccf5ca1d071770467bd2ff9f Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Wed, 24 Apr 2024 15:17:14 +0200 Subject: [PATCH 02/10] PR feefback + make generate --- .../rhacs-cluster-overview-configmap.yaml | 223 ++++++++++++++++++ .../rhacs-cluster-overview-dashboard.yaml | 223 ++++++++++++++++++ .../sources/rhacs-cluster-overview.json | 218 +---------------- resources/prometheus/federation-config.yaml | 2 + 4 files changed, 454 insertions(+), 212 deletions(-) diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml index 7fbdca40..f18bed23 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml 
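Review bot: Both new time-series panels (ids 141 and 144) define a red threshold at `"value": 80` together with `"thresholdsStyle": { "mode": "off" }`, so the threshold block is dead configuration and, even if rendered, 80 is the wrong bar for a denial count where a single non-zero sample is the interesting event; set `"thresholdsStyle": { "mode": "line" }` and the red step to `"value": 1` so one denial is visibly flagged. The Network Policy panel 144 inherits the SELinux panel's legend template (`legendFormat: "selinux_denials_sample_count { region=... }"`) and the heatmap 143 reuses the refId `selinux_denials_sample_count occurrences`, both copy-paste leftovers that mislabel the series. Every expression pins `rhacs_cluster_name="acs-int-us-01"`; if the dashboard exposes a cluster template variable (not visible in this hunk) the row should use it, otherwise the panels are silently empty for every other cluster.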
@@ -1836,6 +1836,229 @@ data: } ], "type": "table" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 28 + }, + "id": 140, + "panels": [], + "title": "Cluster Violations", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the SELinux AVC Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 29 + }, + "id": 141, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": 
"selinux_denials_sample_count per minute", + "useBackend": false + } + ], + "title": "SELinux Violations per minute", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the Network Policy ACL Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 29 + }, + "id": 144, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "network_policy_denials_sample_count per minute", + "useBackend": false + } + ], + 
"title": "Network Policy Violations per minute", + "type": "timeseries" } ], "refresh": "", diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml index ed9ffabf..6cfcc38c 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml 
@@ -1836,6 +1836,229 @@ spec: } ], "type": "table" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 28 + }, + "id": 140, + "panels": [], + "title": "Cluster Violations", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the SELinux AVC Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 29 + }, + "id": 141, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": 
"selinux_denials_sample_count per minute", + "useBackend": false + } + ], + "title": "SELinux Violations per minute", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "Shows the Network Policy ACL Denials per minute, as logged to CloudWatch.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 29 + }, + "id": 144, + "interval": "60s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "network_policy_denials_sample_count per minute", + "useBackend": false + } + ], + 
"title": "Network Policy Violations per minute", + "type": "timeseries" } ], "refresh": "", diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index b406802d..3f93bacb 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -1839,194 +1839,6 @@ "title": "Cluster Violations", "type": "row" }, - { - "datasource": { - "type": "prometheus", - "uid": "PBFA97CFB590B2093" - }, - "description": "Shows occurrence intensity of SELinux AVC denials.", - "fieldConfig": { - "defaults": { - "custom": { - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "scaleDistribution": { - "type": "linear" - } - } - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 29 - }, - "id": 142, - "interval": "60s", - "options": { - "calculate": false, - "cellGap": 2, - "cellValues": { - "unit": "none" - }, - "color": { - "exponent": 0.5, - "fill": "dark-orange", - "max": 30, - "min": -20, - "mode": "scheme", - "reverse": true, - "scale": "exponential", - "scheme": "Oranges", - "steps": 64 - }, - "exemplars": { - "color": "rgba(255,0,255,0.7)" - }, - "filterValues": { - "le": 1e-9 - }, - "legend": { - "show": false - }, - "rowsFrame": { - "layout": "auto" - }, - "tooltip": { - "show": true, - "yHistogram": false - }, - "yAxis": { - "axisPlacement": "hidden", - "reverse": false, - "unit": "none" - } - }, - "pluginVersion": "10.2.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "PBFA97CFB590B2093" - }, - "disableTextWrap": false, - "editorMode": "builder", - "exemplar": false, - "expr": "sum by() (selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "__auto", - "range": true, - "refId": "selinux_denials_sample_count occurrences", - "useBackend": false - } - ], - "title": "SELinux Violations occurences", - "transformations": [], - "type": "heatmap" - }, - { - "datasource": { - "type": "prometheus", - "uid": "PBFA97CFB590B2093" - }, - "description": "Shows occurrence intensity of Network Policy ACL denials.", - "fieldConfig": { - "defaults": { - "custom": { - "hideFrom": { - "legend": 
false, - "tooltip": false, - "viz": false - }, - "scaleDistribution": { - "type": "linear" - } - } - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 29 - }, - "id": 143, - "interval": "60s", - "options": { - "calculate": false, - "cellGap": 2, - "cellValues": { - "unit": "none" - }, - "color": { - "exponent": 0.5, - "fill": "dark-orange", - "max": 30, - "min": -20, - "mode": "scheme", - "reverse": true, - "scale": "exponential", - "scheme": "Oranges", - "steps": 64 - }, - "exemplars": { - "color": "rgba(255,0,255,0.7)" - }, - "filterValues": { - "le": 1e-9 - }, - "legend": { - "show": false - }, - "rowsFrame": { - "layout": "auto" - }, - "tooltip": { - "show": true, - "yHistogram": false - }, - "yAxis": { - "axisPlacement": "hidden", - "reverse": false, - "unit": "none" - } - }, - "pluginVersion": "10.2.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "PBFA97CFB590B2093" - }, - "disableTextWrap": false, - "editorMode": "builder", - "exemplar": false, - "expr": "sum by() (network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "__auto", - "range": true, - "refId": "selinux_denials_sample_count occurrences", - "useBackend": false - } - ], - "title": "Network Policy Violations occurences", - "transformations": [], - "type": "heatmap" - }, { "datasource": { "type": "prometheus", @@ -2092,7 +1904,7 @@ "h": 8, "w": 12, "x": 0, - "y": 37 + "y": 29 }, "id": 141, "interval": "60s", @@ -2101,7 +1913,7 @@ "calcs": [], "displayMode": "list", "placement": "bottom", - "showLegend": true + "showLegend": false }, "tooltip": { "mode": "single", 
@@ -2123,27 +1935,9 @@ "includeNullMetadata": true, "instant": false, "interval": "", - "legendFormat": "selinux_denials_sample_count { region=\"{{region}}\", rhacs_cluster_name=\"{{rhacs_cluster_name}}\" }", - "range": true, - "refId": "selinux_denials_sample_count per minute", - "useBackend": false - }, - { - "datasource": { - "type": "prometheus", - "uid": "PBFA97CFB590B2093" - }, - "disableTextWrap": false, - "editorMode": "builder", - "expr": "sgn(selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"})", - "format": "time_series", - "fullMetaSearch": false, - "hide": true, - "includeNullMetadata": true, - "instant": false, "legendFormat": "__auto", "range": true, - "refId": "selinux_denials_sample_count occurrences", + "refId": "selinux_denials_sample_count per minute", "useBackend": false } ], @@ -2215,7 +2009,7 @@ "h": 8, "w": 12, "x": 12, - "y": 37 + "y": 29 }, "id": 144, "interval": "60s", @@ -2224,7 +2018,7 @@ "calcs": [], "displayMode": "list", "placement": "bottom", - "showLegend": true + "showLegend": false }, "tooltip": { "mode": "single", @@ -2246,7 +2040,7 @@ "includeNullMetadata": true, "instant": false, "interval": "", - "legendFormat": "selinux_denials_sample_count { region=\"{{region}}\", rhacs_cluster_name=\"{{rhacs_cluster_name}}\" }", + "legendFormat": "__auto", "range": true, "refId": "network_policy_denials_sample_count per minute", "useBackend": false diff --git a/resources/prometheus/federation-config.yaml b/resources/prometheus/federation-config.yaml index 12b19667..c63da907 100644 --- a/resources/prometheus/federation-config.yaml +++ b/resources/prometheus/federation-config.yaml 
@@ -142,6 +142,7 @@ match[]: - namespace_memory:kube_pod_container_resource_limits:sum{job!~"central|scanner"} - namespace_memory:kube_pod_container_resource_requests:sum{job!~"central|scanner"} - namespace_workload_pod:kube_pod_owner:relabel{job!~"central|scanner"} + - network_policy_denials_sample_count{job!~"central|scanner"} - node_memory_MemTotal_bytes{job!~"central|scanner"} - node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate{job!~"central|scanner"} - node_namespace_pod_container:container_memory_cache{job!~"central|scanner"} @@ -168,6 +169,7 @@ match[]: - scheduler_scheduling_algorithm_duration_seconds_count{job!~"central|scanner"} - scheduler_volume_scheduling_duration_seconds_bucket{job!~"central|scanner"} - scheduler_volume_scheduling_duration_seconds_count{job!~"central|scanner"} + - selinux_denials_sample_count{job!~"central|scanner"} - storage_operation_duration_seconds_bucket{job!~"central|scanner"} - storage_operation_duration_seconds_count{job!~"central|scanner"} - storage_operation_errors_total{job!~"central|scanner"} From 3ccf8e6f5a2393e6f46dab8fb3222c45c57b00f0 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Thu, 25 Apr 2024 15:19:57 +0200 Subject: [PATCH 03/10] Added panel descriptions --- .../rhacs-cluster-overview-configmap.yaml | 59 +++++++++++++++++-- .../rhacs-cluster-overview-dashboard.yaml | 59 +++++++++++++++++-- .../sources/rhacs-cluster-overview.json | 59 +++++++++++++++++-- 3 files changed, 165 insertions(+), 12 deletions(-) diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml index f18bed23..e3da00ce 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml 
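Review bot: The two new `match[]` entries federate `selinux_denials_sample_count` and `network_policy_denials_sample_count`, but nothing in this series consumes them beyond the dashboard panels; for a security signal whose steady state is expected to be zero, a PrometheusRule such as `sum by (rhacs_cluster_name) (selinux_denials_sample_count) > 0` (with a suitable `for:` window) would make a denial actionable instead of something noticed only when someone opens the dashboard. The `{job!~"central|scanner"}` selector matches the neighbouring entries, so the exclusion is consistent. Whether the cloudwatch-exporter emits these series with the `rhacs_cluster_name` label the panels filter on cannot be confirmed from this hunk, so it is worth checking the exporter config before building a rule on that label.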
@@ -1867,6 +1867,7 @@ data: "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", + "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, @@ -1913,7 +1914,7 @@ data: }, "gridPos": { "h": 8, - "w": 12, + "w": 17, "x": 0, "y": 29 }, @@ -1955,6 +1956,31 @@ data: "title": "SELinux Violations per minute", "type": "timeseries" }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 29 + }, + "id": 145, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" + }, { "datasource": { "type": "prometheus", @@ -2018,9 +2044,9 @@ data: }, "gridPos": { "h": 8, - "w": 12, - "x": 12, - "y": 29 + "w": 17, + "x": 0, + "y": 37 }, "id": 144, "interval": "60s", 
@@ -2059,6 +2085,31 @@ data: ], "title": "Network Policy Violations per minute", "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 37 + }, + "id": 146, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" } ], "refresh": "", diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml index 6cfcc38c..f66b896a 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml 
@@ -1867,6 +1867,7 @@ spec: "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", + "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, @@ -1913,7 +1914,7 @@ spec: }, "gridPos": { "h": 8, - "w": 12, + "w": 17, "x": 0, "y": 29 }, @@ -1955,6 +1956,31 @@ spec: "title": "SELinux Violations per minute", "type": "timeseries" }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 29 + }, + "id": 145, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" + }, { "datasource": { "type": "prometheus", @@ -2018,9 +2044,9 @@ spec: }, "gridPos": { "h": 8, - "w": 12, - "x": 12, - "y": 29 + "w": 17, + "x": 0, + "y": 37 }, "id": 144, "interval": "60s", 
@@ -2059,6 +2085,31 @@ spec: ], "title": "Network Policy Violations per minute", "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 37 + }, + "id": 146, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" } ], "refresh": "", diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index 3f93bacb..82134efc 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json @@ -1856,6 +1856,7 @@ "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", + "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, 
@@ -1902,7 +1903,7 @@ }, "gridPos": { "h": 8, - "w": 12, + "w": 17, "x": 0, "y": 29 }, @@ -1944,6 +1945,31 @@ "title": "SELinux Violations per minute", "type": "timeseries" }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 29 + }, + "id": 145, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" + }, { "datasource": { "type": "prometheus", @@ -2007,9 +2033,9 @@ }, "gridPos": { "h": 8, - "w": 12, - "x": 12, - "y": 29 + "w": 17, + "x": 0, + "y": 37 }, "id": 144, "interval": "60s", 
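Review bot: The new text panel (id 145 here, and id 146 in the next hunk) ships with a placeholder `"description": "\n"` and spells "occurences" in its body; Grafana surfaces the description on hover, so a one-liner such as `"description": "How to read and drill into the SELinux AVC denial graph."` is worth filling in, and the body should read `occurrences`. The same panel text is copied into the generated ConfigMap and dashboard YAML in the earlier hunks, so the fix belongs in this source file rather than in the generated copies. Both panels promise `**Expected: 0 violations.**`, but if no alerting rule on `selinux_denials_sample_count` and `network_policy_denials_sample_count` exists elsewhere in the repository, a dashboard row alone will not tell anyone when that expectation is broken; pairing the row with an alert closes that gap.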
@@ -2048,6 +2074,31 @@ ], "title": "Network Policy Violations per minute", "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "PBFA97CFB590B2093" + }, + "description": "\n", + "gridPos": { + "h": 8, + "w": 7, + "x": 17, + "y": 37 + }, + "id": 146, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "mode": "markdown" + }, + "pluginVersion": "10.2.0", + "type": "text" } ], "refresh": "", From 98d017a176204feb3cd68f489db784b57eae15f5 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Thu, 25 Apr 2024 15:24:03 +0200 Subject: [PATCH 04/10] Removed cluster name --- .../dashboards/rhacs-cluster-overview-configmap.yaml | 4 ++-- .../dashboards/rhacs-cluster-overview-dashboard.yaml | 4 ++-- resources/grafana/sources/rhacs-cluster-overview.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
index e3da00ce..95a33bbe 100644
--- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
+++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
@@ -1941,7 +1941,7 @@ data:
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "selinux_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
@@ -2071,7 +2071,7 @@ data:
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "network_policy_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml
index f66b896a..9807cd6c 100644
--- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml
+++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml
@@ -1941,7 +1941,7 @@ spec:
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "selinux_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
@@ -2071,7 +2071,7 @@ spec:
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "network_policy_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json
index 82134efc..1e6dfcd7 100644
--- a/resources/grafana/sources/rhacs-cluster-overview.json
+++ b/resources/grafana/sources/rhacs-cluster-overview.json
@@ -1930,7 +1930,7 @@
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "selinux_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "selinux_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
@@ -2060,7 +2060,7 @@
 "disableTextWrap": false,
 "editorMode": "builder",
 "exemplar": false,
- "expr": "network_policy_denials_sample_count{rhacs_cluster_name=\"acs-int-us-01\"}",
+ "expr": "network_policy_denials_sample_count",
 "fullMetaSearch": false,
 "hide": false,
 "includeNullMetadata": true,
From 0a8c1354e38bdb558c47559c0c55af0f6adf5d74 Mon Sep 17 00:00:00 2001
From: Moritz Clasmeier
Date: Thu, 25 Apr 2024 15:29:04 +0200
Subject: [PATCH 05/10] Fix description
---
 .../generated/dashboards/rhacs-cluster-overview-configmap.yaml | 2 +-
 .../generated/dashboards/rhacs-cluster-overview-dashboard.yaml | 2 +-
 resources/grafana/sources/rhacs-cluster-overview.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
index 95a33bbe..113c5b5c 100644
--- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
+++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml
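Review bot: Dropping the `rhacs_cluster_name` selector entirely leaves `selinux_denials_sample_count` and `network_policy_denials_sample_count` unscoped in both hunks, so if this Prometheus datasource holds series from more than one cluster, each "per minute" panel now plots every cluster's series and a denial elsewhere surfaces on this cluster's overview. If the dashboard already exposes a cluster template variable, a selector such as `rhacs_cluster_name=~\"$cluster\"` keeps the panel scoped without the hard-coded `acs-int-us-01`; if it does not, one is worth adding before this lands. Whether a single-cluster datasource makes this moot cannot be told from the hunk, so a short comment in the PR description stating that assumption would help the next reader.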
@@ -1975,7 +1975,7 @@ data: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. 
All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", "mode": "markdown" }, "pluginVersion": "10.2.0", diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml index 9807cd6c..64f5328b 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml 
@@ -1975,7 +1975,7 @@ spec: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. 
All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", "mode": "markdown" }, "pluginVersion": "10.2.0", diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index 1e6dfcd7..e83bcb42 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -1964,7 +1964,7 @@ "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. 
All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", "mode": "markdown" }, "pluginVersion": "10.2.0", From af07b3af60cfb8a79d5d6ac24642e4847f36ea97 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier <111092021+mclasmeier@users.noreply.github.com> Date: Fri, 26 Apr 2024 09:47:31 +0200 Subject: [PATCH 06/10] Update resources/grafana/sources/rhacs-cluster-overview.json Co-authored-by: Stephan Hesselmann --- resources/grafana/sources/rhacs-cluster-overview.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index e83bcb42..61346efa 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -2094,7 +2094,7 @@ "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. 
All CloudWatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", "mode": "markdown" }, "pluginVersion": "10.2.0", From 6864c849bc8af9f8f6963b8a827d36fd121f12da Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier <111092021+mclasmeier@users.noreply.github.com> Date: Fri, 26 Apr 2024 09:47:45 +0200 Subject: [PATCH 07/10] Update resources/grafana/sources/rhacs-cluster-overview.json Co-authored-by: Stephan Hesselmann --- resources/grafana/sources/rhacs-cluster-overview.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index 61346efa..480065e3 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -1964,7 +1964,7 @@ "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. 
All CloudWatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", "mode": "markdown" }, "pluginVersion": "10.2.0", From 529297a7651ba24a43024d039c87b71e6549a135 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Fri, 26 Apr 2024 10:29:29 +0200 Subject: [PATCH 08/10] Remove hardcoded axisWidth (which caused the y axis labels to be hidden --- resources/grafana/sources/rhacs-cluster-overview.json | 1 - 1 file changed, 1 deletion(-) diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index 480065e3..7cf160e3 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json @@ -1856,7 +1856,6 @@ "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", - "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, From 2df6e19a9d1417245c1b15ece5218cdc993e9033 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Fri, 26 Apr 2024 10:29:46 +0200 Subject: [PATCH 09/10] Added CW links --- resources/grafana/sources/rhacs-cluster-overview.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/resources/grafana/sources/rhacs-cluster-overview.json b/resources/grafana/sources/rhacs-cluster-overview.json index 7cf160e3..07663c06 100644 --- a/resources/grafana/sources/rhacs-cluster-overview.json +++ b/resources/grafana/sources/rhacs-cluster-overview.json 
@@ -1963,7 +1963,7 @@ "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40logStream*20like*20*2flinux-audit*2f*0a*7c*20filter*20*40message*20like*20*2fAVC*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n", "mode": "markdown" }, "pluginVersion": "10.2.0", 
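Review bot: The Log Insights deep link pins `start~-3600` (a fixed last-hour window) and leaves `source~(~)` empty, so the console opens with no log group selected and a time range that will rarely match the spike an operator clicked through from; the panel text should state this, e.g. `The link opens the last hour only and pre-selects no log group: choose acs-.audit and widen the time range to cover the period you are investigating.` The Network Policy link in the next hunk has the same shape and needs the same sentence. In the new note, `the log group containing the violation logs are called` should read `is called`. `acs-.audit` looks as if a cluster-specific segment between `acs-` and `.audit` may have been lost; worth confirming that is the literal log group name before this text is relied on during an incident.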
@@ -2093,7 +2093,7 @@ "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40message*20like*20*2facl_log*28.*2a*29.*2a*5csverdict*3ddrop*2f*0a*7c*20filter*20*40logStream*20like*20*2f.*2aovn-audit*5c.log*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n\n", "mode": "markdown" }, "pluginVersion": "10.2.0", From 2f51487d27112e95f4133da0dc49e462bf92a2a7 Mon Sep 17 00:00:00 2001 From: Moritz Clasmeier Date: Fri, 26 Apr 2024 10:31:15 +0200 Subject: [PATCH 10/10] make generate --- .../dashboards/rhacs-cluster-overview-configmap.yaml | 5 ++--- .../dashboards/rhacs-cluster-overview-dashboard.yaml | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml index 113c5b5c..4b10c10d 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-configmap.yaml @@ -1867,7 +1867,6 @@ data: "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", - "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, 
@@ -1975,7 +1974,7 @@ data: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40logStream*20like*20*2flinux-audit*2f*0a*7c*20filter*20*40message*20like*20*2fAVC*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n", "mode": "markdown" }, "pluginVersion": "10.2.0", 
@@ -2105,7 +2104,7 @@ data: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40message*20like*20*2facl_log*28.*2a*29.*2a*5csverdict*3ddrop*2f*0a*7c*20filter*20*40logStream*20like*20*2f.*2aovn-audit*5c.log*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n\n", "mode": "markdown" }, "pluginVersion": "10.2.0", diff --git a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml index 64f5328b..749236f0 100644 --- a/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml +++ b/resources/grafana/generated/dashboards/rhacs-cluster-overview-dashboard.yaml @@ -1867,7 +1867,6 @@ spec: "axisColorMode": "text", "axisLabel": "", "axisPlacement": "auto", - "axisWidth": 5, "barAlignment": 0, "drawStyle": "line", "fillOpacity": 0, 
@@ -1975,7 +1974,7 @@ spec: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of **SELinux AVC denials** on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that the cluster node's SELinux policy prevented a process' actions.\nAs an example, a violation could indicate that a process on the cluster tried to access a file which is SELinux-protected.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40logStream*20like*20*2flinux-audit*2f*0a*7c*20filter*20*40message*20like*20*2fAVC*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @logStream like /linux-audit/\n| filter @message like /AVC/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n", "mode": "markdown" }, "pluginVersion": "10.2.0", 
@@ -2105,7 +2104,7 @@ spec: "showLineNumbers": false, "showMiniMap": false }, - "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account. All CloudWwatch related resources are located in the `us-east-1` region.\nNavigate to `CloudWatch / Log Insights` and use a query similar to the following on the log group named `acs-.audit`:\n\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n\n```\n", + "content": "### Description\n\nThis graph shows the occurences per minute of Network Policy ACL denials on the cluster.\nThese violations are logged on the cluster, propagated to CloudWatch, aggregated by a log metric, retrieved by the cloudwatch-exporter and finally scraped by Prometheus.\n\n**Expected: 0 violations.**\n\nA violation means that network traffic was prevented due to a Kubernetes Network Policy.\nAs an example, a violation could indicate that communication between RHACS tenant namespaces\nwas attempted, which is strictly forbidden.\n\n### Drill-Down\n\nLog into the cluster's AWS account and use a [Log Insights 
query](https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:logs-insights$3FqueryDetail$3D~(end~0~start~-3600~timeType~'RELATIVE~unit~'seconds~editorString~'fields*20*40timestamp*2c*20*40message*2c*20*40logStream*2c*20*40log*0a*7c*20filter*20*40message*20like*20*2facl_log*28.*2a*29.*2a*5csverdict*3ddrop*2f*0a*7c*20filter*20*40logStream*20like*20*2f.*2aovn-audit*5c.log*2f*0a*7c*20sort*20*40timestamp*20desc*0a*7c*20limit*201000~source~(~))) similar to this one:\n```\nfields @timestamp, @message, @logStream, @log\n| filter @message like /acl_log(.*).*\\sverdict=drop/\n| filter @logStream like /.*ovn-audit\\.log/\n| sort @timestamp desc\n| limit 1000\n```\n\n**Note:**\n* all CloudWatch related resources are located in the `us-east-1` region.\n* the log group containing the violation logs are called `acs-.audit`.\n\n", "mode": "markdown" }, "pluginVersion": "10.2.0",