Config Structural Validation Schema Part 4: Monitoring#2066

Merged
Zash merged 1 commit into main from ka/jsonschema-monitoring
May 16, 2024
@Zash Zash commented Mar 27, 2024

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • kind/adr

What does this PR do / why do we need this PR?

This adds structural validation for the following top-level config sections:

  • alerts
  • grafana
  • grafanaLabelEnforcer
  • kubeStateMetrics
  • metricsServer
  • openstackMonitoring
  • prometheus
  • prometheusBlackboxExporter
  • prometheusNodeExporter
  • prometheusOperator
  • s3Exporter
  • thanos
  • wcProbeIngress
  • welcomingDashboard
  • fluentd
  • opensearch
  • elasticsearch

For more context, including the required scripts, see #1862
Part of issue #1427

Information to reviewers

ck8s validate should now perform validation of the above sections.

While the CI is failing:
Please help determine whether it is the schema that is lacking or whether it detected a config mistake.

Suggestions and improvements very welcome!

Also see the README for brief information about the schema format

Note: The $defs are really added in #2063, but the commit is included here too for CI.

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change upgrades CRDs
    • The change updates the config and the schema
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
    • The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
  • Logs checks:
    • The logs do not show any errors after the change
  • Pod Security Policy checks:
    • Any changed pod is covered by Pod Security Admission
    • Any changed pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any pods to be blocked by Pod Security Admission or Policies
  • Network Policy checks:
    • Any changed pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@Zash Zash changed the base branch from main to ka/jsonschema March 27, 2024 11:01
@Zash Zash changed the title Ka/jsonschema monitoring Config Schema Part 4: Monitoring Mar 27, 2024
@Zash Zash force-pushed the ka/jsonschema branch 2 times, most recently from 089dffc to 777f75f Compare March 27, 2024 12:56
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from 427c56a to bd9b03c Compare March 27, 2024 13:30
@Zash Zash changed the title Config Schema Part 4: Monitoring Config Structural Validation Schema Part 4: Monitoring Mar 27, 2024
Base automatically changed from ka/jsonschema to main March 27, 2024 13:44
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from bd9b03c to afa1f7a Compare March 27, 2024 13:48
@Zash Zash changed the base branch from main to ka/jsonschema-core March 27, 2024 14:02
@Zash Zash changed the base branch from ka/jsonschema-core to main March 27, 2024 14:22
@Zash Zash changed the base branch from main to ka/jsonschema-core April 2, 2024 09:40
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from afa1f7a to fd686db Compare April 2, 2024 09:40
@Zash Zash force-pushed the ka/jsonschema-core branch from 9c79c33 to 45169fa Compare April 2, 2024 12:28
@Zash Zash changed the base branch from ka/jsonschema-core to main April 2, 2024 13:30
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from ec0e78b to e2da9e7 Compare April 2, 2024 13:30
@lunkan93
Contributor

This for example seems like a config mistake and should be {} in the defaults
https://github.com/elastisys/compliantkubernetes-apps/blob/main/config/config/common-config.yaml#L265
https://github.com/elastisys/compliantkubernetes-apps/blob/main/config/config/common-config.yaml#L290

@Zash Zash marked this pull request as ready for review April 26, 2024 11:33
Contributor

@anders-elastisys anders-elastisys left a comment

Seems like there is a missing schema for extraConfigMaps for wc:

✗ ./bin/ck8s validate wc
[ck8s] Validating wc config
...
[ck8s] Failed schema validation:
wc-config.yaml: fluentd: Additional property extraConfigMaps is not allowed

@Zash
Contributor Author

Zash commented Apr 29, 2024

> Seems like there is a missing schema for extraConfigMaps

What is the format of extraConfigMaps? Map of string filenames to string content?

@lunkan93
Contributor

> > Seems like there is a missing schema for extraConfigMaps
>
> What is the format of extraConfigMaps? Map of string filenames to string content?

Yeah should be the same as this for SC https://github.com/elastisys/compliantkubernetes-apps/blob/main/helmfile.d/values/fluentd/forwarder-service-cluster.yaml.gotmpl#L6
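
Added example, not part of the thread and not the project's schema or the ck8s validator: a minimal structural validator for a JSON Schema subset, showing why a closed fluentd section rejects extraConfigMaps and how declaring it as a map of string filenames to string content resolves that. The schema fragments, the `enabled` property, the sample config and the error wording (modelled on the output quoted above) are assumptions.

```python
# Minimal structural validator for a JSON Schema subset:
# "type", "properties" and "additionalProperties" (False or a sub-schema).
TYPES = {"object": dict, "string": str, "boolean": bool}

def validate(value, schema, path=""):
    """Return a list of error strings; an empty list means the value is valid."""
    expected = schema.get("type")
    if expected and not isinstance(value, TYPES[expected]):
        return [f"{path}: Expected {expected}"]
    if not isinstance(value, dict):
        return []
    errors = []
    props = schema.get("properties", {})
    extra = schema.get("additionalProperties", True)
    for key, child in value.items():
        child_path = f"{path}.{key}" if path else key
        if key in props:
            errors += validate(child, props[key], child_path)
        elif extra is False:
            # Closed object: undeclared keys (typos included) are rejected.
            errors.append(f"{path}: Additional property {key} is not allowed")
        elif isinstance(extra, dict):
            # Open map: every undeclared key must match the sub-schema.
            errors += validate(child, extra, child_path)
    return errors

def root(fluentd_props):
    """Constructed top-level schema with a closed fluentd section."""
    return {"type": "object", "additionalProperties": False, "properties": {
        "fluentd": {"type": "object", "additionalProperties": False,
                    "properties": fluentd_props}}}

# "enabled" is a hypothetical property used only to populate the section.
BEFORE = root({"enabled": {"type": "boolean"}})
AFTER = root({"enabled": {"type": "boolean"},
              "extraConfigMaps": {"type": "object",
                                  "additionalProperties": {"type": "string"}}})

# Constructed sample configs.
CONFIG = {"fluentd": {"enabled": True,
                      "extraConfigMaps": {"extra.conf": "<filter **>\n</filter>\n"}}}
BAD = {"fluentd": {"extraConfigMaps": {"extra.conf": 42}}}

def demo():
    return validate(CONFIG, BEFORE), validate(CONFIG, AFTER), validate(BAD, AFTER)

if __name__ == "__main__":
    for result in demo():
        print(result)
```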

@Zash Zash force-pushed the ka/jsonschema-monitoring branch from 38cfe97 to d22a765 Compare April 29, 2024 13:30
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from 15adfb2 to 679c96e Compare May 8, 2024 11:39
@Zash
Contributor Author

Zash commented May 10, 2024

I will rebase this once #2063 has been merged.

@Zash Zash force-pushed the ka/jsonschema-monitoring branch 4 times, most recently from 77152a1 to 671e0b4 Compare May 15, 2024 10:02
This adds:
- alerts
- elasticsearch
- fluentd
- grafana
- grafanaLabelEnforcer
- kubeStateMetrics
- metricsServer
- opensearch
- openstackMonitoring
- prometheus
- prometheusBlackboxExporter
- prometheusNodeExporter
- prometheusOperator
- s3Exporter
- thanos
- wcProbeIngress
- welcomingDashboard

Co-authored-by: anders-elastisys <112394389+anders-elastisys@users.noreply.github.com>
@Zash Zash force-pushed the ka/jsonschema-monitoring branch from 671e0b4 to 329f715 Compare May 16, 2024 11:21
@Zash Zash merged commit a511d20 into main May 16, 2024
@Zash Zash deleted the ka/jsonschema-monitoring branch May 16, 2024 11:58