feat(kyverno): add flux policy

buroa · Jan 9, 2025 · 610205b · 610205b
1 parent aad9409
commit 610205b
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 0 deletions.
diff --git a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
@@ -40,6 +40,9 @@ spec:
             - apiGroups: ["volsync.backube"]
               resources: ["replicationsources", "replicationdestinations"]
               verbs: ["create", "update", "patch", "delete", "get", "list"]
+            - apiGroups: ["notification.toolkit.fluxcd.io"]
+              resources: ["alerts", "providers"]
+              verbs: ["create", "update", "patch", "delete", "get", "list"]
       serviceMonitor:
         enabled: true
     backgroundController:
@@ -55,6 +58,9 @@ spec:
             - apiGroups: ["volsync.backube"]
               resources: ["replicationsources", "replicationdestinations"]
               verbs: ["create", "update", "patch", "delete", "get", "list"]
+            - apiGroups: ["notification.toolkit.fluxcd.io"]
+              resources: ["alerts", "providers"]
+              verbs: ["create", "update", "patch", "delete", "get", "list"]
       resources:
         requests:
           cpu: 100m

diff --git a/kubernetes/apps/kyverno/kyverno/policies/flux.yaml b/kubernetes/apps/kyverno/kyverno/policies/flux.yaml
@@ -0,0 +1,64 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: flux
+  annotations:
+    policies.kyverno.io/title: Flux
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      This policy will automatically generate the necessary resources for
+      Flux monitoring for Namespaces.
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  rules:
+    - &rule
+      name: flux-provider
+      match:
+        resources:
+          kinds:
+            - Namespace
+      generate:
+        generateExisting: true
+        apiVersion: notification.toolkit.fluxcd.io/v1beta3
+        kind: Provider
+        name: alert-manager
+        namespace: "{{ request.object.metadata.name }}"
+        synchronize: true
+        data:
+          spec:
+            type: alertmanager
+            address: http://alertmanager-operated.monitoring.svc.cluster.local:9093/api/v2/alerts/
+    - <<: *rule
+      name: flux-alert
+      generate:
+        generateExisting: true
+        apiVersion: notification.toolkit.fluxcd.io/v1beta3
+        kind: Alert
+        name: alert-manager
+        namespace: "{{ request.object.metadata.name }}"
+        synchronize: true
+        data:
+          spec:
+            providerRef:
+              name: alert-manager
+            eventSeverity: error
+            eventSources:
+              - kind: GitRepository
+                name: "*"
+              - kind: HelmRelease
+                name: "*"
+              - kind: HelmRepository
+                name: "*"
+              - kind: Kustomization
+                name: "*"
+              - kind: OCIRepository
+                name: "*"
+            exclusionList:
+              - "error.*lookup github\\.com"
+              - "error.*lookup raw\\.githubusercontent\\.com"
+              - "dial.*tcp.*timeout"
+              - "waiting.*socket"
+            suspend: false
diff --git a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./flux.yaml
   - ./gatus.yaml
   - ./limits.yaml
   - ./ndots.yaml