Monitor StackRox with Prometheus

Learn how to monitor the StackRox Kubernetes Security Platform by using Prometheus.


Prometheus is an open-source monitoring and alerting platform. You can use it to monitor the health and availability of the Central and Sensor components of the StackRox Kubernetes Security Platform.

Prerequisites

Before you begin, make sure that you install Prometheus and understand how to configure it to monitor specific ports.

Enable monitoring

To enable monitoring:

  1. Patch the services to expose port 9090. To expose a different port, see the "Customize the default port" section.

    Kubernetes:
    kubectl -n stackrox patch svc/sensor -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'
    kubectl -n stackrox patch svc/central -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'

    OpenShift:
    oc -n stackrox patch svc/sensor -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'
    oc -n stackrox patch svc/central -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'

  2. Modify network policies to allow ingress.

    Kubernetes:
    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      labels:
        app.kubernetes.io/name: stackrox
      name: allow-monitoring
      namespace: stackrox
    spec:
      ingress:
      - ports:
        - port: 9090
          protocol: TCP
      podSelector:
        matchExpressions:
        - {key: app, operator: In, values: [central, sensor, collector]}
      policyTypes:
      - Ingress
    EOF

    OpenShift:
    oc apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      labels:
        app.kubernetes.io/name: stackrox
      name: allow-monitoring
      namespace: stackrox
    spec:
      ingress:
      - ports:
        - port: 9090
          protocol: TCP
      podSelector:
        matchExpressions:
        - {key: app, operator: In, values: [central, sensor, collector]}
      policyTypes:
      - Ingress
    EOF
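
The policy in step 2 has no from clause, so it admits connections to port 9090 on the selected pods from any source that can reach them. The variant below is an added example, not part of the StackRox documentation: it limits ingress to the Prometheus pods only. The namespace name monitoring and the pod label app.kubernetes.io/name: prometheus are assumptions; substitute the values used by your Prometheus installation.

```yaml
# Added example: tighter variant of the allow-monitoring policy from step 2.
# Assumptions (not from the page): Prometheus runs in a namespace named
# "monitoring" and its pods carry the label app.kubernetes.io/name=prometheus.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/name: stackrox
  name: allow-monitoring        # same name, so applying it replaces the open policy
  namespace: stackrox
spec:
  podSelector:
    matchExpressions:
    - {key: app, operator: In, values: [central, sensor, collector]}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in ONE list item are ANDed:
    # only Prometheus pods inside the monitoring namespace match.
    # Writing them as two separate list items would OR them instead.
    - namespaceSelector:
        matchLabels:
          # Label set automatically on every namespace by Kubernetes 1.21+.
          # On older clusters, label the namespace yourself and match on that.
          kubernetes.io/metadata.name: monitoring
      podSelector:
        matchLabels:
          app.kubernetes.io/name: prometheus
    ports:
    - port: 9090
      protocol: TCP
```

Apply it with kubectl apply -f or oc apply -f, then confirm that Prometheus still scrapes the targets and that a pod in another namespace can no longer connect to port 9090.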

Customize the default port

To customize the port used for Prometheus metrics in StackRox Central and Sensor, you can use the ROX_METRICS_PORT environment variable.

Kubernetes:
    kubectl -n stackrox set env deploy/central ROX_METRICS_PORT=<value>

OpenShift:
    oc -n stackrox set env deploy/central ROX_METRICS_PORT=<value>

You can specify the <value> for the ROX_METRICS_PORT environment variable as:

  • disabled to disable monitoring.
  • <port-number> to bind to the wildcard address on that port.
  • <address>:<port-number> to bind to a specific address and port number. To specify an IPv6 address, enclose it in square brackets, for example, [2001:db8::1234]:9090.

© 2021 StackRox Inc. All rights reserved.