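---
# Kyverno mutate policy: injects a Prometheus exporter sidecar into every Pod
# that opts in with the annotation monitoring.company.com/scrape: "true".
#
# Security notes (review):
#   - The sidecar listens on 9100 with no authentication. Restrict ingress to
#     the Prometheus scraper with a NetworkPolicy, otherwise any workload that
#     can reach the pod can read its metrics.
#   - The injected container is hardened to the "restricted" Pod Security
#     Standard (non-root, no privilege escalation, all capabilities dropped,
#     RuntimeDefault seccomp, read-only root fs) so the mutation is not rejected
#     in namespaces that enforce that profile.
#   - NOTE(review): node-exporter is built for host-level metrics; as an in-pod
#     sidecar without host mounts it only sees the container's own namespaces.
#     Confirm this is the intended exporter for application pods.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-prometheus-exporter
  annotations:
    policies.kyverno.io/title: "Автовнедрение Prometheus exporter"
    policies.kyverno.io/category: Monitoring
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    # Default port in the description now matches the rule below (9100, the
    # sidecar's containerPort); the previous text said 8080.
    policies.kyverno.io/description: >-
      Добавляет node-exporter sidecar ко всем подам с аннотацией
      monitoring.company.com/scrape: "true". Порт scraping берётся из
      аннотации monitoring.company.com/port или дефолт 9100.
spec:
  rules:
    - name: inject-exporter
      match:
        resources:
          kinds:
            - Pod
      preconditions:
        all:
          # Opt-in only. `|| ''` keeps the expression resolvable for pods with
          # no annotations at all, so the rule is skipped rather than erroring.
          - key: "{{ request.object.metadata.annotations.\"monitoring.company.com/scrape\" || '' }}"
            operator: Equals
            value: "true"
          # Idempotency guard: never inject a second copy of the sidecar.
          - key: "prometheus-exporter"
            operator: NotIn
            value: "{{ request.object.spec.containers[].name }}"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # Prometheus autodiscovery annotations. The +() anchor adds each
              # key only when it is absent, so values already on the pod win.
              +(prometheus.io/scrape): "true"
              # Double-quoted, not a block scalar: inside >- the \" is not an
              # escape and would reach JMESPath literally, breaking the
              # expression. If the pod sets monitoring.company.com/port to its
              # own app port, autodiscovery will scrape that port, not the
              # sidecar's fixed 9100 — NOTE(review): confirm that is intended.
              +(prometheus.io/port): "{{ request.object.metadata.annotations.\"monitoring.company.com/port\" || '9100' }}"
              +(prometheus.io/path): "/metrics"
          spec:
            containers:
              - name: prometheus-exporter
                # TODO(supply-chain): pin by digest (image@sha256:...) so the
                # injected sidecar cannot change under a mutable tag.
                image: prom/node-exporter:v1.7.0
                ports:
                  - name: metrics
                    containerPort: 9100
                    protocol: TCP
                resources:
                  limits:
                    cpu: 100m
                    memory: 64Mi
                  requests:
                    cpu: 50m
                    memory: 32Mi
                securityContext:
                  allowPrivilegeEscalation: false
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  # 65534 = nobody; node-exporter needs no elevated identity.
                  runAsUser: 65534
                  # Required by the "restricted" Pod Security Standard; the
                  # exporter does not need any Linux capability.
                  capabilities:
                    drop:
                      - ALL
                  seccompProfile:
                    type: RuntimeDefault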