Skip to content

ROX-28326: node vulnerabilities as Prometheus metrics#15551

Merged
parametalol merged 2 commits intomasterfrom
michael/ROX-28326-node-vulnerabilities
Sep 29, 2025
Merged

ROX-28326: node vulnerabilities as Prometheus metrics#15551
parametalol merged 2 commits intomasterfrom
michael/ROX-28326-node-vulnerabilities

Conversation

@parametalol
Copy link
Copy Markdown
Contributor

@parametalol parametalol commented Jun 3, 2025
edited
Loading

Description

Node vulnerability metrics, exposed on the API port.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Manual test:

# HELP rox_central_node_vuln_ns_severity The total number of node CVEs aggregated by Cluster,Node,Component,Severity and gathered every 10m0s
# TYPE rox_central_node_vuln_ns_severity gauge
rox_central_node_vuln_ns_severity{Cluster="production",Component="rhcos",Node="mp-09-22-universe-blo-jrcbs-master-0",Severity="IMPORTANT_VULNERABILITY_SEVERITY"} 28
rox_central_node_vuln_ns_severity{Cluster="production",Component="rhcos",Node="mp-09-22-universe-blo-jrcbs-master-0",Severity="LOW_VULNERABILITY_SEVERITY"} 2
rox_central_node_vuln_ns_severity{Cluster="production",Component="rhcos",Node="mp-09-22-universe-blo-jrcbs-master-0",Severity="MODERATE_VULNERABILITY_SEVERITY"} 17
rox_central_node_vuln_ns_severity{Cluster="production",Component="rhcos",Node="mp-09-22-universe-blo-jrcbs-master-1",Severity="IMPORTANT_VULNERABILITY_SEVERITY"} 28
...

@parametalol parametalol requested a review from a team as a code owner June 3, 2025 14:29
This was referenced Jun 3, 2025
Closed
Closed
Merged
Closed
@parametalol parametalol marked this pull request as draft June 3, 2025 14:29
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from 9d0fa1f to dc472c9 Compare June 3, 2025 17:45
@rhacs-bot
Copy link
Copy Markdown
Contributor

rhacs-bot commented Jun 3, 2025
edited
Loading

Images are ready for the commit at 9e8b69b.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.x-916-g9e8b69b426.

@codecov
Copy link
Copy Markdown

codecov bot commented Jun 3, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 48.80%. Comparing base (4b3682b) to head (9e8b69b).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
central/metrics/custom/singleton.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #15551   +/-   ##
=======================================
  Coverage   48.80%   48.80%           
=======================================
  Files        2706     2706           
  Lines      202086   202090    +4     
=======================================
+ Hits        98626    98632    +6     
+ Misses      95694    95692    -2     
  Partials     7766     7766
Flag Coverage Δ
go-unit-tests 48.80% <75.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch 2 times, most recently from 530ef68 to ca0c8ca Compare June 3, 2025 19:08
@parametalol parametalol force-pushed the michael/ROX-28326-expose-cve-metrics branch from db52b78 to be8a8cf Compare June 4, 2025 08:57
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from ca0c8ca to 7e181bf Compare June 4, 2025 19:29
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from 7e181bf to fc0f1c9 Compare September 10, 2025 10:04
@parametalol parametalol changed the base branch from michael/ROX-28326-expose-cve-metrics to master September 10, 2025 14:16
@parametalol parametalol changed the title michael/ROX-28326-node-vulnerabilities ROX-28326: node vulnerabilities as Prometheus metrics Sep 10, 2025
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from fc0f1c9 to 2b00c1b Compare September 19, 2025 14:14
@parametalol parametalol marked this pull request as ready for review September 22, 2025 08:03
@parametalol parametalol marked this pull request as draft September 22, 2025 09:23
@parametalol parametalol marked this pull request as ready for review September 24, 2025 15:01
@parametalol parametalol requested review from a team and rhybrillou September 24, 2025 15:09
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from 93e00a4 to 9fc0e66 Compare September 25, 2025 16:21
@parametalol parametalol enabled auto-merge (squash) September 26, 2025 16:06
@parametalol
node vulnerabilities tracker
8b19f1f 
fixes

log.debug

fix walking error handling

debug log again

updated labels

revert unrelated changes
@parametalol parametalol force-pushed the michael/ROX-28326-node-vulnerabilities branch from 61fb513 to 9e8b69b Compare September 29, 2025 08:11
@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Sep 29, 2025
edited
Loading

@parametalol: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/gke-operator-e2e-tests 9e8b69b link false /test gke-operator-e2e-tests
ci/prow/ocp-4-12-operator-e2e-tests 9e8b69b link false /test ocp-4-12-operator-e2e-tests
ci/prow/gke-qa-e2e-tests 9e8b69b link false /test gke-qa-e2e-tests
ci/prow/ocp-4-19-operator-e2e-tests 9e8b69b link false /test ocp-4-19-operator-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@parametalol
Copy link
Copy Markdown
Contributor Author

parametalol commented Sep 29, 2025

/retest

@red-hat-konflux
Copy link
Copy Markdown
Contributor

red-hat-konflux bot commented Sep 29, 2025

Caution

There are some errors in your PipelineRun template.

PipelineRun Error
central-db-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
main-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
operator-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
operator-bundle-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
retag-collector CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
retag-scanner-db-slim CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
retag-scanner-db CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
retag-scanner-slim CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
retag-scanner CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
roxctl-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
scanner-v4-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request
scanner-v4-db-on-push CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master|release-.*|refs/tags/.*)$\")\n) || (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") ||\n source_branch.matches(\"(konflux|renovate|appstudio|rhtap)\") ||\n (has(body.pull_request.labels) && body.pull_request.labels.exists(l, l.name == \"konflux-build\"))\n ) && body.action != \"ready_for_review\"\n)\n" failed to evaluate: no such key: pull_request

@parametalol parametalol merged commit 2b2a970 into master Sep 29, 2025
95 of 99 checks passed
@parametalol parametalol deleted the michael/ROX-28326-node-vulnerabilities branch September 29, 2025 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhybrillou rhybrillou rhybrillou approved these changes

Assignees

No one assigned

Labels

area/central

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@parametalol @rhacs-bot @rhybrillou @janisz