ROX-28151: policy violations exposed as Prometheus metrics by parametalol · Pull Request #16434 · stackrox/stackrox

parametalol · 2025-08-18T11:45:37Z

Description

Implementation of the custom metrics tracker, that exposes alerts of policy violation.

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

CI

Current dependencies on/for this PR:

master
- PR ROX-28151: Custom Prometheus metrics minimal configuration #15783
  - PR ROX-28151: Custom Prometheus metrics minimal aggregator #15784
    - PR ROX-28151: Prometheus registry for custom metrics #15807
      - PR ROX-28151: Tracker, triggered by Prometheus scrape request #15796
        
        PR ROX-28151: Tracker runner, triggered by Prometheus scrape request #15797
        
        PR ROX-28151: Prometheus registry per user token #15809
        
        PR ROX-28151: Phonehome telemetry for custom Prometheus metrics #15487
        
        PR ROX-28151: custom registry cleanup #16176
        
        PR ROX-29523: Custom Prometheus metrics minimal UI #15782
        
        PR ROX-28151: policy violations exposed as Prometheus metrics #16434 👈

openshift-ci · 2025-08-18T11:45:42Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

red-hat-konflux · 2025-08-18T11:45:43Z

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
central-db-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
main-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
operator-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
operator-bundle-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
retag-collector	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
retag-scanner-db-slim	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
retag-scanner-db	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
retag-scanner-slim	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
retag-scanner	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
roxctl-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
scanner-v4-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`
scanner-v4-db-on-push	`CEL expression evaluation error: expression "(\n event == \"push\" && target_branch.matches(\"^(master\|release-.\|refs/tags/.)$\")\n) \|\| (\n event == \"pull_request\" && (\n target_branch.startsWith(\"release-\") \|\|\n source_branch.matches(\"(konflux\|renovate\|appstudio\|rhtap)\") \|\|\n body.pull_request.labels.exists(l, l.name == \"konflux-build\")\n )\n)\n" failed to evaluate: no such key: labels`

rhacs-bot · 2025-08-18T12:05:19Z

Images are ready for the commit at f0e654f.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.x-713-gf0e654f902.

codecov · 2025-08-18T12:22:38Z

Codecov Report

❌ Patch coverage is 50.00000% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.67%. Comparing base (e767876) to head (f0e654f).
⚠️ Report is 4 commits behind head on master.

Files with missing lines	Patch %	Lines
central/metrics/custom/runner.go	50.00%	3 Missing and 1 partial ⚠️
central/metrics/custom/singleton.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #16434   +/-   ##
=======================================
  Coverage   48.66%   48.67%           
=======================================
  Files        2675     2675           
  Lines      199760   199767    +7     
=======================================
+ Hits        97216    97227   +11     
+ Misses      94935    94932    -3     
+ Partials     7609     7608    -1

Flag	Coverage Δ
go-unit-tests	`48.67% <50.00%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

central/metrics/custom/policy_violations/labels.go

openshift-ci · 2025-09-09T15:04:29Z

@parametalol: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocp-4-12-operator-e2e-tests	`1cdb11c`	link	false	`/test ocp-4-12-operator-e2e-tests`
ci/prow/ocp-4-12-qa-e2e-tests	`1cdb11c`	link	false	`/test ocp-4-12-qa-e2e-tests`
ci/prow/ocp-4-19-ui-e2e-tests	`f0e654f`	link	false	`/test ocp-4-19-ui-e2e-tests`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci bot added the do-not-merge/work-in-progress label Aug 18, 2025

github-actions bot added the area/central label Aug 18, 2025

parametalol changed the title ~~michael/ROX-28151-alerts~~ ROX-28151: policy violations exposed as Prometheus metrics Aug 18, 2025

parametalol requested a review from stehessel August 18, 2025 16:04

parametalol marked this pull request as ready for review August 18, 2025 16:05

parametalol requested a review from a team as a code owner August 18, 2025 16:05

openshift-ci bot removed the do-not-merge/work-in-progress label Aug 18, 2025

parametalol force-pushed the michael/ROX-28151-cached-runner branch 2 times, most recently from 5f58398 to 680ac3e Compare September 1, 2025 09:09

parametalol force-pushed the michael/ROX-28151-alerts branch 2 times, most recently from 3c94d94 to 5b62ddb Compare September 8, 2025 09:13

parametalol force-pushed the michael/ROX-28151-cached-runner branch from 7058c8a to 924e8b3 Compare September 8, 2025 14:22

Base automatically changed from michael/ROX-28151-cached-runner to master September 8, 2025 16:39

parametalol force-pushed the michael/ROX-28151-alerts branch from 5b62ddb to 1cdb11c Compare September 8, 2025 19:21

rhybrillou approved these changes Sep 9, 2025

View reviewed changes

central/metrics/custom/policy_violations/labels.go Outdated Show resolved Hide resolved

parametalol added 3 commits September 9, 2025 15:28

feat: policy violations as custom prometheus metrics

2223636

sort categories

703a064

fix rebase

f0e654f

parametalol force-pushed the michael/ROX-28151-alerts branch from f55b15c to f0e654f Compare September 9, 2025 13:29

parametalol enabled auto-merge (squash) September 9, 2025 13:29

parametalol merged commit a2e1094 into master Sep 9, 2025
89 of 98 checks passed

parametalol deleted the michael/ROX-28151-alerts branch September 9, 2025 15:51

parametalol mentioned this pull request Sep 9, 2025

ROX-28326: expose policy violation alerts as prometheus metrics #15392

Closed

9 tasks

ksurabhi91 pushed a commit that referenced this pull request Sep 11, 2025

ROX-28151: policy violations exposed as Prometheus metrics (#16434)

f76d846

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ROX-28151: policy violations exposed as Prometheus metrics#16434

ROX-28151: policy violations exposed as Prometheus metrics#16434
parametalol merged 3 commits intomasterfrom
michael/ROX-28151-alerts

parametalol commented Aug 18, 2025 •

edited

Loading

Uh oh!

openshift-ci bot commented Aug 18, 2025

Uh oh!

red-hat-konflux bot commented Aug 18, 2025

Uh oh!

rhacs-bot commented Aug 18, 2025 •

edited

Loading

Uh oh!

codecov bot commented Aug 18, 2025 •

edited

Loading

Uh oh!

Uh oh!

openshift-ci bot commented Sep 9, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

parametalol commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

openshift-ci bot commented Aug 18, 2025

Uh oh!

red-hat-konflux bot commented Aug 18, 2025

Uh oh!

rhacs-bot commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

openshift-ci bot commented Sep 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

parametalol commented Aug 18, 2025 •

edited

Loading

rhacs-bot commented Aug 18, 2025 •

edited

Loading

codecov bot commented Aug 18, 2025 •

edited

Loading

openshift-ci bot commented Sep 9, 2025 •

edited

Loading