{ "annotations": { "list": [] }, "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 1, "links": [], "panels": [ { "title": "Enforced Denials", "description": "Pods rejected by Pod Security Standards (enforce mode)", "type": "stat", "datasource": { "type": "prometheus" }, "gridPos": { "h": 5, "w": 6, "x": 0, "y": 0 }, "targets": [ { "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[$__range])) or vector(0)", "refId": "A" } ], "fieldConfig": { "defaults": { "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ { "value": null, "color": "green" }, { "value": 1, "color": "red" } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "background", "textMode": "auto" } }, { "title": "Audit Violations", "description": "Pods that violate audit-level policy (allowed but logged)", "type": "stat", "datasource": { "type": "prometheus" }, "gridPos": { "h": 5, "w": 6, "x": 6, "y": 0 }, "targets": [ { "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[$__range])) or vector(0)", "refId": "A" } ], "fieldConfig": { "defaults": { "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ { "value": null, "color": "green" }, { "value": 1, "color": "orange" } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "background", "textMode": "auto" } }, { "title": "Warnings", "description": "Pods that triggered warn-level policy (allowed with warning)", "type": "stat", "datasource": { "type": "prometheus" }, "gridPos": { "h": 5, "w": 6, "x": 12, "y": 0 }, "targets": [ { "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[$__range])) or vector(0)", "refId": "A" } ], "fieldConfig": { "defaults": { "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ { "value": null, "color": "green" }, { "value": 1, "color": "yellow" } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "background", "textMode": "auto" } }, { "title": "Total Evaluations", "description": "All pod security evaluations across all modes", "type": "stat", "datasource": { "type": "prometheus" }, "gridPos": { "h": 5, "w": 6, "x": 18, "y": 0 }, "targets": [ { "expr": "sum(increase(pod_security_evaluations_total[$__range])) or vector(0)", "refId": "A" } ], "fieldConfig": { "defaults": { "noValue": "0", "thresholds": { "mode": "absolute", "steps": [ { "value": null, "color": "blue" } ] } }, "overrides": [] }, "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "background", "textMode": "auto" } }, { "title": "Violation Rate by Mode", "description": "Rate of policy violations over time, grouped by enforcement mode", "type": "timeseries", "datasource": { "type": "prometheus" }, "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 }, "targets": [ { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m]))", "legendFormat": "enforce (denied)", "refId": "A" }, { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"audit\"}[5m]))", "legendFormat": "audit", "refId": "B" }, { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"warn\"}[5m]))", "legendFormat": "warn", "refId": "C" } ], "fieldConfig": { "defaults": { "custom": { "drawStyle": "line", "lineWidth": 2, "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" }, "unit": "ops" }, "overrides": [ { "matcher": { "id": "byName", "options": "enforce (denied)" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] }, { "matcher": { "id": "byName", "options": "audit" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, { "matcher": { "id": "byName", "options": "warn" }, "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }] } ] } }, { "title": "Violations by Policy Level", "description": "Violation rate grouped by the PSS level that was violated", "type": "timeseries", "datasource": { "type": "prometheus" }, "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 }, "targets": [ { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\"}[5m])) by (policy_level)", "legendFormat": "{{ policy_level }}", "refId": "A" } ], "fieldConfig": { "defaults": { "custom": { "drawStyle": "line", "lineWidth": 2, "fillOpacity": 15, "pointSize": 5, "showPoints": "auto" }, "unit": "ops" }, "overrides": [ { "matcher": { "id": "byName", "options": "restricted" }, "properties": [{ "id": "color", "value": { "fixedColor": "yellow", "mode": "fixed" } }] }, { "matcher": { "id": "byName", "options": "baseline" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, { "matcher": { "id": "byName", "options": "privileged" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] } ] } }, { "title": "Enforced Denials by Namespace", "description": "Pods blocked per namespace (enforce mode only)", "type": "timeseries", "datasource": { "type": "prometheus" }, "gridPos": { "h": 8, "w": 12, "x": 0, "y": 13 }, "targets": [ { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=\"enforce\"}[5m])) by (resource_namespace)", "legendFormat": "{{ resource_namespace }}", "refId": "A" } ], "fieldConfig": { "defaults": { "custom": { "drawStyle": "bars", "lineWidth": 1, "fillOpacity": 80, "stacking": { "mode": "normal" } }, "unit": "ops" }, "overrides": [] } }, { "title": "Audit + Warn Violations by Namespace", "description": "Non-enforced violations per namespace — candidates for tightening", "type": "timeseries", "datasource": { "type": "prometheus" }, "gridPos": { "h": 8, "w": 12, "x": 12, "y": 13 }, "targets": [ { "expr": "sum(rate(pod_security_evaluations_total{decision=\"deny\", mode=~\"audit|warn\"}[5m])) by (resource_namespace)", "legendFormat": "{{ resource_namespace }}", "refId": "A" } ], "fieldConfig": { "defaults": { "custom": { "drawStyle": "bars", "lineWidth": 1, "fillOpacity": 80, "stacking": { "mode": "normal" } }, "unit": "ops" }, "overrides": [] } }, { "title": "Violations Breakdown", "description": "Detailed breakdown of all policy violations", "type": "table", "datasource": { "type": "prometheus" }, "gridPos": { "h": 10, "w": 24, "x": 0, "y": 21 }, "targets": [ { "expr": "sum(increase(pod_security_evaluations_total{decision=\"deny\"}[$__range])) by (resource_namespace, policy_level, mode, request_operation) > 0", "format": "table", "instant": true, "refId": "A" } ], "transformations": [ { "id": "organize", "options": { "excludeByName": { "Time": true }, "renameByName": { "resource_namespace": "Namespace", "policy_level": "Policy Level", "mode": "Mode", "request_operation": "Operation", "Value": "Violations" }, "indexByName": { "resource_namespace": 0, "policy_level": 1, "mode": 2, "request_operation": 3, "Value": 4 } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "field": "Violations", "desc": true } ] } } ], "fieldConfig": { "defaults": {}, "overrides": [ { "matcher": { "id": "byName", "options": "Mode" }, "properties": [ { "id": "mappings", "value": [ { "type": "value", "options": { "enforce": { "text": "Enforce", "color": "red" }, "audit": { "text": "Audit", "color": "orange" }, "warn": { "text": "Warn", "color": "yellow" } } } ] } ] }, { "matcher": { "id": "byName", "options": "Violations" }, "properties": [ { "id": "custom.cellOptions", "value": { "type": "color-background", "mode": "gradient" } }, { "id": "thresholds", "value": { "mode": "absolute", "steps": [ { "value": null, "color": "transparent" }, { "value": 1, "color": "orange" }, { "value": 100, "color": "red" } ] } } ] } ] } }, { "title": "Exemptions", "description": "Pods exempted from policy evaluation", "type": "timeseries", "datasource": { "type": "prometheus" }, "gridPos": { "h": 8, "w": 24, "x": 0, "y": 31 }, "targets": [ { "expr": "sum(rate(pod_security_exemptions_total[5m])) by (request_namespace)", "legendFormat": "{{ request_namespace }}", "refId": "A" } ], "fieldConfig": { "defaults": { "custom": { "drawStyle": "line", "lineWidth": 2, "fillOpacity": 10 }, "unit": "ops" }, "overrides": [] } } ], "schemaVersion": 39, "tags": [ "security", "pod-security", "pss", "compliance" ], "templating": { "list": [] }, "time": { "from": "now-24h", "to": "now" }, "title": "Pod Security Violations", "uid": "pod-security-violations" }