-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathalert-rules.yaml
35 lines (33 loc) · 1.74 KB
/
alert-rules.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Custom set of rules developed by SIGHUP to alert when Gatekeeper webhooks are misbehaving
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
prometheus: k8s
role: alert-rules
name: gatekeeper-webhook-rules
spec:
groups:
- name: GatekeeperWebhooks
rules:
- alert: GatekeeperWebhookFailOpenHigh
annotations:
description: "Gatekeeper is not enforcing {{$labels.type}} requests to the API server."
doc: "Gatekeeper is not enforcing {{$labels.type}} requests to the API server because the Kubernetes API server is having trouble contacting the '{{ $labels.name }}' {{$labels.type}} webhook, but the webhook is in Fail open (Ignore) mode."
expr: |
rate(apiserver_admission_webhook_fail_open_count{name=~".*.gatekeeper.sh"}[5m]) > 0
for: 5m
labels:
severity: warning
- alert: GatekeeperWebhookCallError
annotations:
description: "Kubernetes API server is rejecting all requests because Gatekeeper's webhook '{{ $labels.name }}' is failing for '{{ $labels.operation }}'."
doc: "Gatekeeper's '{{ $labels.name }}' webhook is erroring with code {{ $labels.rejection_code }} for '{{ $labels.operation }}' operations and it is configured in Fail mode, effectivly rejecting all the request to the Kubernetes API server."
expr: |
rate(apiserver_admission_webhook_rejection_count{error_type="calling_webhook_error", name=~".*.gatekeeper.sh"}[5m]) > 0
for: 5m
labels:
severity: critical