From 14247e813e71d0df64c7eb6a80bf09060d57f186 Mon Sep 17 00:00:00 2001
From: jakub-racek-swi
Date: Wed, 19 Nov 2025 14:43:01 +0100
Subject: [PATCH 1/4] fix: add namespace filtering to trivy metrics
---
 deploy/helm/metrics-collector-config.yaml | 5 ++++-
 .../metrics-collector-config-map-fargate_test.yaml.snap | 2 +-
 .../metrics-collector-config-map_test.yaml.snap | 6 +++---
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/deploy/helm/metrics-collector-config.yaml b/deploy/helm/metrics-collector-config.yaml
index 4ae9df68..87f32801 100644
--- a/deploy/helm/metrics-collector-config.yaml
+++ b/deploy/helm/metrics-collector-config.yaml
@@ -821,7 +821,7 @@ processors:
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -1170,6 +1170,9 @@ service:
 - memory_limiter
 - filter/trivy-operator-metrics
 - transform/trivy-operator-metrics-attributes
+{{- if eq (include "isNamespacesFilterEnabled" .) "true" }}
+ - filter/namespaces
+{{- end }}
 - metricstransform/rename
 - groupbyattrs/trivy-operator-metrics
 - metricstransform/trivy-operator-metrics-aggregation
diff --git a/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap b/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
index e2ac1d7c..50a28a30 100644
--- a/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
+++ b/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
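Review bot: The new `set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])` in the first hunk is evaluated once per datapoint but writes to the resource, which all datapoints under that resource share. If one resource carries Trivy datapoints from several namespaces, the last write wins, so the `filter/namespaces` step added in the second hunk (assuming it matches on that resource attribute; its definition is outside the hunk) would keep or drop data by whichever namespace was written last. Vulnerability metrics from a namespace the operator meant to exclude could then still be exported, or wanted findings dropped. Keeping the attribute on the datapoint and filtering only after the datapoints have been regrouped per namespace avoids this; PATCH 3/4 later in this series appears to take that route.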
@@ -1491,7 +1491,7 @@ Metrics config should match snapshot when using default values:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
diff --git a/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap b/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
index 3b729240..bc4ecfcb 100644
--- a/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
+++ b/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
@@ -1491,7 +1491,7 @@ Metrics config should match snapshot when fargate is enabled:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -3275,7 +3275,7 @@ Metrics config should match snapshot when using Prometheus url with extra_scrape
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -5001,7 +5001,7 @@ Metrics config should match snapshot when using default values:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
From 1c3e9b58e507f435c3c9a41251727d59cb2fcc15 Mon Sep 17 00:00:00 2001
From: jakub-racek-swi
Date: Wed, 26 Nov 2025 09:32:14 +0100
Subject: [PATCH 2/4] fix: expand values
---
 deploy/helm/values.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index cb9f39dd..66284276 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -1318,6 +1318,8 @@ trivy-operator:
 nodeSelector:
 kubernetes.io/os: linux
 targetWorkloads: pod,replicaset,statefulset,daemonset,cronjob,job
+ targetNamespaces: ""
+ excludeNamespaces: ""
 trivy:
 severity: LOW,MEDIUM,HIGH,CRITICAL
 trivyOperator:
From be42bca1481e79c9373141387e5dc4b8844bd445 Mon Sep 17 00:00:00 2001
From: jakub-racek-swi
Date: Wed, 26 Nov 2025 13:04:21 +0100
Subject: [PATCH 3/4] comments
---
 deploy/helm/metrics-collector-config.yaml | 6 +++---
 .../metrics-collector-config-map-fargate_test.yaml.snap | 2 +-
 .../metrics-collector-config-map_test.yaml.snap | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/deploy/helm/metrics-collector-config.yaml b/deploy/helm/metrics-collector-config.yaml
index 87f32801..c2164f8c 100644
--- a/deploy/helm/metrics-collector-config.yaml
+++ b/deploy/helm/metrics-collector-config.yaml
@@ -821,7 +821,7 @@ processors:
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -1170,11 +1170,11 @@ service:
 - memory_limiter
 - filter/trivy-operator-metrics
 - transform/trivy-operator-metrics-attributes
+ - metricstransform/rename
+ - groupbyattrs/trivy-operator-metrics
 {{- if eq (include "isNamespacesFilterEnabled" .) "true" }}
 - filter/namespaces
 {{- end }}
- - metricstransform/rename
- - groupbyattrs/trivy-operator-metrics
 - metricstransform/trivy-operator-metrics-aggregation
 - transform/trivy-operator-metrics-split
 exporters:
diff --git a/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap b/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
index 50a28a30..e2ac1d7c 100644
--- a/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
+++ b/deploy/helm/tests/__snapshot__/metrics-collector-config-map-fargate_test.yaml.snap
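Review bot: In the second hunk `filter/namespaces` now depends on running after `groupbyattrs/trivy-operator-metrics`, and nothing in the template records that ordering constraint. Both processor definitions are outside the hunk, so this presumably relies on the group-by keys including `k8s.namespace.name` and on the filter matching resource attributes; if either does not hold, the filter may silently not apply and Trivy findings from namespaces meant to be excluded would still be exported. I would add a template comment above the conditional, e.g. `{{- /* filter/namespaces matches resource attributes: keep it after groupbyattrs/trivy-operator-metrics, which moves k8s.namespace.name onto the resource */}}`. A snapshot case rendered with the namespace filter enabled would also help, since none of the snapshot hunks in this series contain a `- filter/namespaces` line.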
@@ -1491,7 +1491,7 @@ Metrics config should match snapshot when using default values:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
diff --git a/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap b/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
index bc4ecfcb..3b729240 100644
--- a/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
+++ b/deploy/helm/tests/__snapshot__/metrics-collector-config-map_test.yaml.snap
@@ -1491,7 +1491,7 @@ Metrics config should match snapshot when fargate is enabled:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -3275,7 +3275,7 @@ Metrics config should match snapshot when using Prometheus url with extra_scrape
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
@@ -5001,7 +5001,7 @@ Metrics config should match snapshot when using default values:
 - set(resource.attributes["sw.k8s.agent.app.version"], "${APP_VERSION}")
 - set(resource.attributes["sw.k8s.cluster.uid"], "${CLUSTER_UID}")
 - set(resource.attributes["k8s.cluster.name"], "${CLUSTER_NAME}")
- - set(resource.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
+ - set(datapoint.attributes["k8s.namespace.name"], datapoint.attributes["namespace"])
 - set(datapoint.attributes[Format("k8s.%s.name",[ToLowerCase(datapoint.attributes["resource_kind"])])], datapoint.attributes["resource_name"])
 transform/trivy-operator-metrics-split:
From 653c5025b6daf21598bff251f7e19e75f829138d Mon Sep 17 00:00:00 2001
From: jakub-racek-swi
Date: Wed, 26 Nov 2025 13:30:56 +0100
Subject: [PATCH 4/4] fix
---
 deploy/helm/values.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 66284276..cb9f39dd 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -1318,8 +1318,6 @@ trivy-operator:
 nodeSelector:
 kubernetes.io/os: linux
 targetWorkloads: pod,replicaset,statefulset,daemonset,cronjob,job
- targetNamespaces: ""
- excludeNamespaces: ""
 trivy:
 severity: LOW,MEDIUM,HIGH,CRITICAL
 trivyOperator: