init

03-mutation/02-sidecar/inject-prometheus-exporter.yaml

@@ -0,0 +1,58 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: inject-prometheus-exporter
+  annotations:
+    policies.kyverno.io/title: "Автовнедрение Prometheus exporter"
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Добавляет node-exporter sidecar ко всем подам с аннотацией
+      monitoring.company.com/scrape: "true".
+      Порт scraping берётся из аннотации monitoring.company.com/port
+      или дефолт 8080.
+spec:
+  rules:
+  - name: inject-exporter
+    match:
+      resources:
+        kinds:
+        - Pod
+    preconditions:
+      all:
+      - key: "{{ request.object.metadata.annotations.\"monitoring.company.com/scrape\" }}"
+        operator: Equals
+        value: "true"
+      - key: "prometheus-exporter"
+        operator: NotIn
+        value: "{{ request.object.spec.containers[].name }}"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            # Аннотация для Prometheus autodiscovery
+            +(prometheus.io/scrape): "true"
+            +(prometheus.io/port): >-
+              {{ request.object.metadata.annotations.\"monitoring.company.com/port\" || '9100' }}
+            +(prometheus.io/path): "/metrics"
+        spec:
+          containers:
+          - name: prometheus-exporter
+            image: prom/node-exporter:v1.7.0
+            ports:
+            - name: metrics
+              containerPort: 9100
+              protocol: TCP
+            resources:
+              limits:
+                cpu: 100m
+                memory: 64Mi
+              requests:
+                cpu: 50m
+                memory: 32Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+              runAsUser: 65534