Scrape limited policy-reporter metrics from WCs

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Scrape certain policy reporter metrics from workload clusters.
+
 ## [4.71.0] - 2024-03-19
 
 ### Added

files/templates/scrapeconfigs/additional-scrape-configs.template.yaml

@@ -773,3 +773,30 @@
 [[ include "_common" . | indent 2 ]]
 [[ include "_labelingschema" . | indent 2 ]]
 [[- end ]]
+# kyverno policy-reporter
+- job_name: [[ .ClusterID ]]-prometheus/kyverno-policy-reporter-[[ .ClusterID ]]/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+[[- include "_apiserver" . ]]
+[[- include "_tlsconfig_skip" . ]]
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+[[ include "_labelingschema" . | indent 2 ]]

service/controller/resource/monitoring/scrapeconfigs/test/aws/case-1-vintage-mc.golden

@@ -1285,3 +1285,58 @@
   # Add priority label.
   - target_label: service_priority
     replacement: highest
+# kyverno policy-reporter
+- job_name: kubernetes-prometheus/kyverno-policy-reporter-kubernetes/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+  tls_config:
+    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    insecure_skip_verify: true
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+  # Add cluster_id label.
+  - target_label: cluster_id
+    replacement: kubernetes
+  # Add cluster_type label.
+  - target_label: cluster_type
+    replacement: management_cluster
+  # Add customer label.
+  - target_label: customer
+    replacement: pmo
+  # Add installation label.
+  - target_label: installation
+    replacement: test-installation
+  # Add organization label.
+  - target_label: organization
+    replacement: my-organization
+  # Add pipeline label.
+  - target_label: pipeline
+    replacement: test-pipeline
+  # Add provider label.
+  - target_label: provider
+    replacement: aws
+  # Add provider label.
+  - target_label: region
+    replacement: eu-central-1
+  # Add priority label.
+  - target_label: service_priority
+    replacement: highest

service/controller/resource/monitoring/scrapeconfigs/test/aws/case-2-aws-v16.golden

@@ -1082,3 +1082,63 @@
   # Add priority label.
   - target_label: service_priority
     replacement: highest
+# kyverno policy-reporter
+- job_name: alice-prometheus/kyverno-policy-reporter-alice/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+    api_server: https://master.alice:443
+    bearer_token_file: /etc/prometheus/secrets/cluster-certificates/token
+    tls_config:
+      ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+      insecure_skip_verify: false
+  bearer_token_file: /etc/prometheus/secrets/cluster-certificates/token
+  tls_config:
+    ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+    insecure_skip_verify: true
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+  # Add cluster_id label.
+  - target_label: cluster_id
+    replacement: alice
+  # Add cluster_type label.
+  - target_label: cluster_type
+    replacement: workload_cluster
+  # Add customer label.
+  - target_label: customer
+    replacement: pmo
+  # Add installation label.
+  - target_label: installation
+    replacement: test-installation
+  # Add organization label.
+  - target_label: organization
+    replacement: my-organization
+  # Add pipeline label.
+  - target_label: pipeline
+    replacement: test-pipeline
+  # Add provider label.
+  - target_label: provider
+    replacement: aws
+  # Add provider label.
+  - target_label: region
+    replacement: eu-central-1
+  # Add priority label.
+  - target_label: service_priority
+    replacement: highest

service/controller/resource/monitoring/scrapeconfigs/test/aws/case-3-aws-v18.golden

@@ -904,3 +904,63 @@
   # Add priority label.
   - target_label: service_priority
     replacement: highest
+# kyverno policy-reporter
+- job_name: baz-prometheus/kyverno-policy-reporter-baz/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+    api_server: https://master.baz:443
+    bearer_token_file: /etc/prometheus/secrets/cluster-certificates/token
+    tls_config:
+      ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+      insecure_skip_verify: false
+  bearer_token_file: /etc/prometheus/secrets/cluster-certificates/token
+  tls_config:
+    ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+    insecure_skip_verify: true
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+  # Add cluster_id label.
+  - target_label: cluster_id
+    replacement: baz
+  # Add cluster_type label.
+  - target_label: cluster_type
+    replacement: workload_cluster
+  # Add customer label.
+  - target_label: customer
+    replacement: pmo
+  # Add installation label.
+  - target_label: installation
+    replacement: test-installation
+  # Add organization label.
+  - target_label: organization
+    replacement: my-organization
+  # Add pipeline label.
+  - target_label: pipeline
+    replacement: test-pipeline
+  # Add provider label.
+  - target_label: provider
+    replacement: aws
+  # Add provider label.
+  - target_label: region
+    replacement: eu-central-1
+  # Add priority label.
+  - target_label: service_priority
+    replacement: highest

service/controller/resource/monitoring/scrapeconfigs/test/capa/case-1-capa-mc.golden

@@ -1050,3 +1050,65 @@
   # Add priority label.
   - target_label: service_priority
     replacement: highest
+# kyverno policy-reporter
+- job_name: test-installation-prometheus/kyverno-policy-reporter-test-installation/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+    api_server: https://master.test-installation:443
+    tls_config:
+      ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+      cert_file: /etc/prometheus/secrets/cluster-certificates/crt
+      key_file: /etc/prometheus/secrets/cluster-certificates/key
+      insecure_skip_verify: false
+  tls_config:
+    ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+    cert_file: /etc/prometheus/secrets/cluster-certificates/crt
+    key_file: /etc/prometheus/secrets/cluster-certificates/key
+    insecure_skip_verify: true
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+  # Add cluster_id label.
+  - target_label: cluster_id
+    replacement: test-installation
+  # Add cluster_type label.
+  - target_label: cluster_type
+    replacement: workload_cluster
+  # Add customer label.
+  - target_label: customer
+    replacement: pmo
+  # Add installation label.
+  - target_label: installation
+    replacement: test-installation
+  # Add organization label.
+  - target_label: organization
+    replacement: my-organization
+  # Add pipeline label.
+  - target_label: pipeline
+    replacement: test-pipeline
+  # Add provider label.
+  - target_label: provider
+    replacement: capa
+  # Add provider label.
+  - target_label: region
+    replacement: eu-central-1
+  # Add priority label.
+  - target_label: service_priority
+    replacement: highest

service/controller/resource/monitoring/scrapeconfigs/test/capa/case-2-capa.golden

@@ -751,3 +751,65 @@
   # Add priority label.
   - target_label: service_priority
     replacement: highest
+# kyverno policy-reporter
+- job_name: baz-prometheus/kyverno-policy-reporter-baz/0
+  honor_labels: true
+  scrape_interval: 59m
+  scrape_timeout: 30s
+  scheme: http
+  kubernetes_sd_configs:
+  - role: endpoints
+    namespaces:
+      names:
+      - kyverno
+    api_server: https://master.baz:443
+    tls_config:
+      ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+      cert_file: /etc/prometheus/secrets/cluster-certificates/crt
+      key_file: /etc/prometheus/secrets/cluster-certificates/key
+      insecure_skip_verify: false
+  tls_config:
+    ca_file: /etc/prometheus/secrets/cluster-certificates/ca
+    cert_file: /etc/prometheus/secrets/cluster-certificates/crt
+    key_file: /etc/prometheus/secrets/cluster-certificates/key
+    insecure_skip_verify: true
+  metric_relabel_configs:
+  # keep only the summary series to avoid storing lots of extra data
+  - source_labels: [__name__]
+    regex: policy_report_result
+    action: keep
+  relabel_configs:
+  - source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_name]
+    regex: policy-reporter
+    action: keep
+  - source_labels: [__meta_kubernetes_endpoints_label_app_kubernetes_io_name]
+    target_label: app
+  - regex: (exported_namespace|name|status)
+    action: labelkeep
+  # Add cluster_id label.
+  - target_label: cluster_id
+    replacement: baz
+  # Add cluster_type label.
+  - target_label: cluster_type
+    replacement: workload_cluster
+  # Add customer label.
+  - target_label: customer
+    replacement: pmo
+  # Add installation label.
+  - target_label: installation
+    replacement: test-installation
+  # Add organization label.
+  - target_label: organization
+    replacement: my-organization
+  # Add pipeline label.
+  - target_label: pipeline
+    replacement: test-pipeline
+  # Add provider label.
+  - target_label: provider
+    replacement: capa
+  # Add provider label.
+  - target_label: region
+    replacement: eu-central-1
+  # Add priority label.
+  - target_label: service_priority
+    replacement: highest