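locals {
  # Effective GCP project for the log filter: the Kyverno-specific override,
  # falling back to the module-wide project.
  kyverno_project_id = var.kyverno.project_id != null ? var.kyverno.project_id : var.project_id

  # Markdown body attached to the alert policy.
  # NOTE(review): unlike its siblings this local carries no `kyverno_` prefix,
  # so it can collide with a same-named local in another file of this module;
  # renaming it also requires updating the reference in
  # google_monitoring_alert_policy.kyverno_logmatch_alert.
  alert_documentation = var.kyverno.alert_documentation != null ? var.kyverno.alert_documentation : "Kyverno controllers produced ERROR logs in namespace ${var.kyverno.namespace}."

  # Channels to notify: the Kyverno-specific list when non-empty, otherwise the
  # module-wide list; no channels at all when notifications are disabled.
  kyverno_notification_channels = var.kyverno.notification_enabled ? (length(var.kyverno.notification_channels) > 0 ? var.kyverno.notification_channels : var.notification_channels) : []

  # Cluster name with surrounding whitespace removed. An empty result disables
  # both the log filter and the alert policy (see the guards below).
  kyverno_cluster_name = var.kyverno.cluster_name != null ? trimspace(var.kyverno.cluster_name) : ""

  # Default error patterns for Kyverno log matching.
  # Each entry is an RE2 regular expression that is matched case-insensitively
  # against jsonPayload.error (see kyverno_error_patterns_filter), so `.*` in
  # "RBAC.*denied" is a wildcard, not literal text.
  kyverno_default_error_patterns = [
    "internal error",
    "failed calling webhook",
    "timeout",
    "client-side throttling",
    "failed to run warmup",
    "schema not found",
    "failed to list resources",
    "failed to watch resource",
    "context deadline exceeded",
    "is forbidden",
    "cannot list resource",
    "cannot watch resource",
    "RBAC.*denied",
    "failed to start watcher",
    "leader election lost",
    "unable to update .*WebhookConfiguration",
    "failed to sync",
    "dropping request",
    "failed to load certificate",
    "failed to update lock",
    "the object has been modified",
    "no matches for kind",
    "the server could not find the requested resource",
    "Too Many Requests",
    "x509",
    "is invalid:",
    "connection refused",
    "no agent available",
    "fatal error",
    "panic",
  ]

  # Combine default patterns with included patterns, then filter out excluded
  # ones. Exclusion is an exact string comparison against the pattern text, so
  # an exclude entry must be spelled exactly like the default it removes.
  kyverno_all_error_patterns = distinct(concat(
    local.kyverno_default_error_patterns,
    var.kyverno.error_patterns_include
  ))
  kyverno_active_error_patterns = [
    for pattern in local.kyverno_all_error_patterns :
    pattern if !contains(var.kyverno.error_patterns_exclude, pattern)
  ]

  # Build the error patterns filter string.
  # Every pattern is embedded inside a double-quoted regex literal of the Cloud
  # Logging filter. A double quote inside a (user-supplied) pattern would end
  # that literal early and leave the rest of the pattern as bare filter syntax,
  # producing a malformed or unintended filter, so it is escaped here. Default
  # patterns contain no quotes and are therefore emitted unchanged.
  kyverno_error_patterns_filter = length(local.kyverno_active_error_patterns) > 0 ? join("\n OR ", [
    for pattern in local.kyverno_active_error_patterns :
    format("jsonPayload.error=~\"(?i)%s\"", replace(pattern, "\"", "\\\""))
  ]) : ""

  # Full Cloud Logging filter for the matched-log condition. It is empty when
  # no cluster name is configured or no error pattern is active, which in turn
  # suppresses the alert policy. Project, cluster and namespace come from
  # module variables and are interpolated as-is.
  kyverno_log_filter = local.kyverno_cluster_name != "" && length(local.kyverno_active_error_patterns) > 0 ? (<<-EOT
    resource.type="k8s_container"
    AND resource.labels.project_id="${local.kyverno_project_id}"
    AND resource.labels.cluster_name="${local.kyverno_cluster_name}"
    AND resource.labels.namespace_name="${var.kyverno.namespace}"
    AND (
      labels."k8s-pod/app_kubernetes_io/component"=~"(admission-controller|background-controller|cleanup-controller|reports-controller)"
      OR resource.labels.pod_name=~"kyverno-(admission|background|cleanup|reports)-controller-.*"
    )
    AND (
      ${local.kyverno_error_patterns_filter}
    )
  EOT
  ) : ""
}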
# Log-match alert that fires when Kyverno controller pods in the configured
# namespace emit an error matching one of the active patterns.
# The policy is only created when Kyverno alerting is enabled, a cluster name
# is configured and at least one error pattern remains after exclusions —
# the same conditions under which local.kyverno_log_filter is non-empty.
resource "google_monitoring_alert_policy" "kyverno_logmatch_alert" {
  count = alltrue([
    var.kyverno.enabled,
    local.kyverno_cluster_name != "",
    length(local.kyverno_active_error_patterns) > 0,
  ]) ? 1 : 0

  display_name          = format("Kyverno controllers ERROR logs (namespace=%s)", var.kyverno.namespace)
  enabled               = var.kyverno.enabled
  combiner              = "OR"
  notification_channels = local.kyverno_notification_channels

  # Single matched-log condition driven by the filter assembled in locals.
  conditions {
    display_name = "Kyverno ERROR in logs"

    condition_matched_log {
      filter = local.kyverno_log_filter
    }
  }

  # Runbook text shown with the incident, rendered as Markdown.
  documentation {
    mime_type = "text/markdown"
    content   = local.alert_documentation
  }

  # Log-based conditions require a notification rate limit; auto_close is
  # expressed as a seconds duration string built from the configured number.
  alert_strategy {
    auto_close = "${var.kyverno.auto_close_seconds}s"

    notification_rate_limit {
      period = var.kyverno.logmatch_notification_rate_limit
    }
  }
}