From 212dc66fab874d4b1882f3a30ecfd67b14ced309 Mon Sep 17 00:00:00 2001
From: snothub
Date: Sun, 29 Mar 2026 16:20:48 +0200
Subject: [PATCH] PSS dash

---
 infra/dashboards/kustomization.yaml | 3 +
 infra/dashboards/pod-security.json | 399 ++++++++++++++++++++++++++++
 2 files changed, 402 insertions(+)
 create mode 100644 infra/dashboards/pod-security.json

diff --git a/infra/dashboards/kustomization.yaml b/infra/dashboards/kustomization.yaml
index ecf5662..98af3cf 100644
--- a/infra/dashboards/kustomization.yaml
+++ b/infra/dashboards/kustomization.yaml
@@ -20,3 +20,6 @@ configMapGenerator:
 - name: grafana-dashboard-opencost
 files:
 - opencost.json
+- name: grafana-dashboard-pod-security
+ files:
+ - pod-security.json
diff --git a/infra/dashboards/pod-security.json b/infra/dashboards/pod-security.json
new file mode 100644
index 0000000..8e8fd4e
--- /dev/null
+++ b/infra/dashboards/pod-security.json
@@ -0,0 +1,399 @@
+{
+ "annotations": {
+ "list": []
+ },
+ "editable": true,
+ "fiscalYearStartMonth": 0,
+ "graphTooltip": 1,
+ "links": [],
+ "panels": [
+ {
+ "title": "Enforced Denials",
+ "description": "Pods rejected by Pod Security Standards (enforce mode)",
+ "type": "stat",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 5, "w": 6, "x": 0, "y": 0 },
+ "targets": [
+ {
+ "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[$__range])) or vector(0)",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ { "value": null, "color": "green" },
+ { "value": 1, "color": "red" }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "options": {
+ "reduceOptions": { "calcs": ["lastNotNull"] },
+ "colorMode": "background",
+ "textMode": "auto"
+ }
+ },
+ {
+ "title": "Audit Violations",
+ "description": "Pods that violate audit-level policy (allowed but logged)",
+ "type": "stat",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 5, "w": 6, "x": 6, "y": 0 },
+ "targets": [
+ {
+ "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[$__range])) or vector(0)",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ { "value": null, "color": "green" },
+ { "value": 1, "color": "orange" }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "options": {
+ "reduceOptions": { "calcs": ["lastNotNull"] },
+ "colorMode": "background",
+ "textMode": "auto"
+ }
+ },
+ {
+ "title": "Warnings",
+ "description": "Pods that triggered warn-level policy (allowed with warning)",
+ "type": "stat",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 5, "w": 6, "x": 12, "y": 0 },
+ "targets": [
+ {
+ "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[$__range])) or vector(0)",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ { "value": null, "color": "green" },
+ { "value": 1, "color": "yellow" }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "options": {
+ "reduceOptions": { "calcs": ["lastNotNull"] },
+ "colorMode": "background",
+ "textMode": "auto"
+ }
+ },
+ {
+ "title": "Total Evaluations",
+ "description": "All pod security evaluations across all modes",
+ "type": "stat",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 5, "w": 6, "x": 18, "y": 0 },
+ "targets": [
+ {
+ "expr": "sum(increase(pod_security_evaluations_total[$__range])) or vector(0)",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ { "value": null, "color": "blue" }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "options": {
+ "reduceOptions": { "calcs": ["lastNotNull"] },
+ "colorMode": "background",
+ "textMode": "auto"
+ }
+ },
+ {
+ "title": "Violation Rate by Mode",
+ "description": "Rate of policy violations over time, grouped by enforcement mode",
+ "type": "timeseries",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 },
+ "targets": [
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m]))",
+ "legendFormat": "enforce (denied)",
+ "refId": "A"
+ },
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[5m]))",
+ "legendFormat": "audit",
+ "refId": "B"
+ },
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[5m]))",
+ "legendFormat": "warn",
+ "refId": "C"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "custom": {
+ "drawStyle": "line",
+ "lineWidth": 2,
+ "fillOpacity": 15,
+ "pointSize": 5,
+ "showPoints": "auto"
+ },
+ "unit": "ops"
+ },
+ "overrides": [
+ {
+ "matcher": { "id": "byName", "options": "enforce (denied)" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }]
+ },
+ {
+ "matcher": { "id": "byName", "options": "audit" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }]
+ },
+ {
+ "matcher": { "id": "byName", "options": "warn" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }]
+ }
+ ]
+ }
+ },
+ {
+ "title": "Violations by Policy Level",
+ "description": "Violation rate grouped by the PSS level that was violated",
+ "type": "timeseries",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 },
+ "targets": [
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\"}[5m])) by (policy_level)",
+ "legendFormat": "{{ policy_level }}",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "custom": {
+ "drawStyle": "line",
+ "lineWidth": 2,
+ "fillOpacity": 15,
+ "pointSize": 5,
+ "showPoints": "auto"
+ },
+ "unit": "ops"
+ },
+ "overrides": [
+ {
+ "matcher": { "id": "byName", "options": "restricted" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }]
+ },
+ {
+ "matcher": { "id": "byName", "options": "baseline" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }]
+ },
+ {
+ "matcher": { "id": "byName", "options": "privileged" },
+ "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }]
+ }
+ ]
+ }
+ },
+ {
+ "title": "Enforced Denials by Namespace",
+ "description": "Pods blocked per namespace (enforce mode only)",
+ "type": "timeseries",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 8, "w": 12, "x": 0, "y": 13 },
+ "targets": [
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m])) by (resource_namespace)",
+ "legendFormat": "{{ resource_namespace }}",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "custom": {
+ "drawStyle": "bars",
+ "lineWidth": 1,
+ "fillOpacity": 80,
+ "stacking": { "mode": "normal" }
+ },
+ "unit": "ops"
+ },
+ "overrides": []
+ }
+ },
+ {
+ "title": "Audit + Warn Violations by Namespace",
+ "description": "Non-enforced violations per namespace — candidates for tightening",
+ "type": "timeseries",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 8, "w": 12, "x": 12, "y": 13 },
+ "targets": [
+ {
+ "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=~\"audit|warn\"}[5m])) by (resource_namespace)",
+ "legendFormat": "{{ resource_namespace }}",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "custom": {
+ "drawStyle": "bars",
+ "lineWidth": 1,
+ "fillOpacity": 80,
+ "stacking": { "mode": "normal" }
+ },
+ "unit": "ops"
+ },
+ "overrides": []
+ }
+ },
+ {
+ "title": "Violations Breakdown",
+ "description": "Detailed breakdown of all policy violations",
+ "type": "table",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 10, "w": 24, "x": 0, "y": 21 },
+ "targets": [
+ {
+ "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\"}[$__range])) by (resource_namespace, policy_level, mode, request_operation) > 0",
+ "format": "table",
+ "instant": true,
+ "refId": "A"
+ }
+ ],
+ "transformations": [
+ {
+ "id": "organize",
+ "options": {
+ "excludeByName": { "Time": true },
+ "renameByName": {
+ "resource_namespace": "Namespace",
+ "policy_level": "Policy Level",
+ "mode": "Mode",
+ "request_operation": "Operation",
+ "Value": "Violations"
+ },
+ "indexByName": {
+ "resource_namespace": 0,
+ "policy_level": 1,
+ "mode": 2,
+ "request_operation": 3,
+ "Value": 4
+ }
+ }
+ },
+ {
+ "id": "sortBy",
+ "options": {
+ "fields": {},
+ "sort": [
+ { "field": "Violations", "desc": true }
+ ]
+ }
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {},
+ "overrides": [
+ {
+ "matcher": { "id": "byName", "options": "Mode" },
+ "properties": [
+ {
+ "id": "mappings",
+ "value": [
+ { "type": "value", "options": { "enforce": { "text": "Enforce", "color": "red" }, "audit": { "text": "Audit", "color": "orange" }, "warn": { "text": "Warn", "color": "yellow" } } }
+ ]
+ }
+ ]
+ },
+ {
+ "matcher": { "id": "byName", "options": "Violations" },
+ "properties": [
+ {
+ "id": "custom.cellOptions",
+ "value": { "type": "color-background", "mode": "gradient" }
+ },
+ {
+ "id": "thresholds",
+ "value": {
+ "mode": "absolute",
+ "steps": [
+ { "value": null, "color": "transparent" },
+ { "value": 1, "color": "orange" },
+ { "value": 100, "color": "red" }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "title": "Exemptions",
+ "description": "Pods exempted from policy evaluation",
+ "type": "timeseries",
+ "datasource": { "type": "prometheus" },
+ "gridPos": { "h": 8, "w": 24, "x": 0, "y": 31 },
+ "targets": [
+ {
+ "expr": "sum(rate(pod_security_exemptions_total[5m])) by (request_namespace)",
+ "legendFormat": "{{ request_namespace }}",
+ "refId": "A"
+ }
+ ],
+ "fieldConfig": {
+ "defaults": {
+ "custom": {
+ "drawStyle": "line",
+ "lineWidth": 2,
+ "fillOpacity": 10
+ },
+ "unit": "ops"
+ },
+ "overrides": []
+ }
+ }
+ ],
+ "schemaVersion": 39,
+ "tags": [
+ "security",
+ "pod-security",
+ "pss",
+ "compliance"
+ ],
+ "templating": {
+ "list": []
+ },
+ "time": {
+ "from": "now-24h",
+ "to": "now"
+ },
+ "title": "Pod Security Violations",
+ "uid": "pod-security-violations"
+}
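Review bot: The per-namespace panels ("Enforced Denials by Namespace", "Audit + Warn Violations by Namespace", the "Violations Breakdown" table and "Exemptions") group on `resource_namespace` / `request_namespace`, and as far as I know the kube-apiserver's `pod_security_evaluations_total` and `pod_security_exemptions_total` series carry no namespace label (the admission metrics were kept namespace-free to bound cardinality), so those `by (...)` aggregations would match nothing and the panels render empty while the top-row stats keep working. Verify the label set against the apiserver's `/metrics` output before merging; if the label is absent, drop the namespace dimension and split on `policy_level` / `mode` / `request_operation` (which the other panels already rely on), and source per-namespace denials from the apiserver audit log or the PodSecurity admission warnings instead. The `"datasource": { "type": "prometheus" }` entries also omit a `uid`, so Grafana falls back to the default datasource of that type; pin a uid (or a `${DS}` template variable) if the instance has more than one Prometheus. It is worth stating in the dashboard's top-level description that `decision="deny"` with `mode` audit or warn means the pod was still admitted, so only the enforce panels count actual blocks.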