To search for Kubernetes policy rule violations (alerts), perform the following procedure.
Procedure
- On the left navigation pane, click Alerts.
- Search and filter for Kubernetes violations using the filters in the left pane and the Search text box. For help constructing a query, see the in-product Search Guide.
Note:
- You can define search results by time.
- The Alerts page offers four ways to filter alerts for Containers and Kubernetes:
  - K8s Cluster
  - K8s Namespace
  - K8s Workload
  - K8s Policy

  You can combine filters to achieve a particular result.
- Click the vertical 3-dot Configuration menu to configure the filters that display in the console.
- Alerts with Monitor action rules are not visible by default. They are part of the Other Activity > Observed filter category.
- You can exclude search results by clicking the Exclude icon to the right of a filter value.
Example search results table:
- To view details about a workload, click the workload name in the Asset column. See View a Kubernetes Workload - Overview.
- To view a summary of the policy assigned to a workload, click the policy name.
- To view the Process Analysis tree and details for this alert, click the Process Analysis icon. See Investigate Containers Events on the Process Analysis Page.
- To investigate the alert on the Investigate page, click the Investigate icon. See Investigating Container Events on the Investigate Page.
- Click the Actions dropdown menu for actions you can perform on the alert:
  - Close the alert.

    Important: Closing alerts is only recommended for excluding specific workloads that exhibit known behaviors from the alerts list.
  - Mark the alert as being in progress.
  - View the notifications that have been sent out about the alert.
  - Add the alert behavior to the baseline. See Kubernetes Scope Baselines for Runtime Policies.
- To view more alert details, click the arrow icon at the right of the row. See View Kubernetes Alert Details.