feat(monitoring): k8s CronJob monitoring (#3118)

andrewpollock · web-flow · commit 75f999bb41d8 · 2025-02-06T15:27:46.000+10:00
This PR adds Terraform config to auto-generate alerting policy for all Kubernetes CronJobs so that we are informed of failures in them. Much credit goes to @rjerrems for doing most of the legwork, I've just picked up his Terraform and massaged it into something that appears to work, based on `terraform plan` (any additional feedback on implementation greatly appreciated): ``` Terraform will perform the following actions: # module.k8s_cron_alert["CronJob--alias-computation"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: alias-computation has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: alias-computation has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"alias-computation\"})/60) > 45" + rule_group = "cronjob alias-computation" } } } # module.k8s_cron_alert["CronJob--alpine-cve-convert"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: alpine-cve-convert has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: alpine-cve-convert has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"alpine-cve-convert\"})/60) > 180" + rule_group = "cronjob alpine-cve-convert" } } } # module.k8s_cron_alert["CronJob--backup"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: backup has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: backup has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"backup\"})/60) > 2880" + rule_group = "cronjob backup" } } } # module.k8s_cron_alert["CronJob--combine-to-osv"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: combine-to-osv has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: combine-to-osv has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"combine-to-osv\"})/60) > 90" + rule_group = "cronjob combine-to-osv" } } } # module.k8s_cron_alert["CronJob--cpe-repo-gen"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: cpe-repo-gen has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: cpe-repo-gen has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"cpe-repo-gen\"})/60) > 2880" + rule_group = "cronjob cpe-repo-gen" } } } # module.k8s_cron_alert["CronJob--debian-convert"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: debian-convert has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: debian-convert has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"debian-convert\"})/60) > 180" + rule_group = "cronjob debian-convert" } } } # module.k8s_cron_alert["CronJob--debian-copyright-mirror"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: debian-copyright-mirror has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: debian-copyright-mirror has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"debian-copyright-mirror\"})/60) > 2880" + rule_group = "cronjob debian-copyright-mirror" } } } # module.k8s_cron_alert["CronJob--debian-cve-convert"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: debian-cve-convert has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: debian-cve-convert has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"debian-cve-convert\"})/60) > 120" + rule_group = "cronjob debian-cve-convert" } } } # module.k8s_cron_alert["CronJob--debian-first-version"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: debian-first-version has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: debian-first-version has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"debian-first-version\"})/60) > 120" + rule_group = "cronjob debian-first-version" } } } # module.k8s_cron_alert["CronJob--exporter"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: exporter has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: exporter has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"exporter\"})/60) > 90" + rule_group = "cronjob exporter" } } } # module.k8s_cron_alert["CronJob--generate-sitemap"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: generate-sitemap has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: generate-sitemap has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"generate-sitemap\"})/60) > 2880" + rule_group = "cronjob generate-sitemap" } } } # module.k8s_cron_alert["CronJob--importer"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: importer has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: importer has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"importer\"})/60) > 90" + rule_group = "cronjob importer" } } } # module.k8s_cron_alert["CronJob--importer-deleter"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: importer-deleter has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: importer-deleter has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"importer-deleter\"})/60) > 360" + rule_group = "cronjob importer-deleter" } } } # module.k8s_cron_alert["CronJob--nvd-cve-osv"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: nvd-cve-osv has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: nvd-cve-osv has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"nvd-cve-osv\"})/60) > 86400" + rule_group = "cronjob nvd-cve-osv" } } } # module.k8s_cron_alert["CronJob--nvd-mirror"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: nvd-mirror has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: nvd-mirror has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"nvd-mirror\"})/60) > 240" + rule_group = "cronjob nvd-mirror" } } } # module.k8s_cron_alert["CronJob--staging-api-test"].google_monitoring_alert_policy.cron_alert_policy will be created + resource "google_monitoring_alert_policy" "cron_alert_policy" { + combiner = "OR" + creation_record = (known after apply) + display_name = "Cronjob: staging-api-test has not run recently." + enabled = true + id = (known after apply) + name = (known after apply) + project = "oss-vdb-test" + conditions { + display_name = "Cronjob: staging-api-test has not run recently." + name = (known after apply) + condition_prometheus_query_language { + alert_rule = "AlwaysOn" + duration = "60s" + evaluation_interval = "60s" + query = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"staging-api-test\"})/60) > 2880" + rule_group = "cronjob staging-api-test" } } } Plan: 16 to add, 0 to change, 0 to destroy. ```
diff --git a/deployment/clouddeploy/gke-workers/base/alias-computation.yaml b/deployment/clouddeploy/gke-workers/base/alias-computation.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: alias-computation
+  labels:
+    cronLastSuccessfulTimeMins: 45
 spec:
   schedule: "10/15 * * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/alpine-cve-convert.yaml b/deployment/clouddeploy/gke-workers/base/alpine-cve-convert.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: alpine-cve-convert
+  labels:
+    cronLastSuccessfulTimeMins: 180
 spec:
   schedule: "0 */1 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/backup.yaml b/deployment/clouddeploy/gke-workers/base/backup.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: backup
+  labels:
+    cronLastSuccessfulTimeMins: 2880
 spec:
   schedule: "0 18 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/combine-to-osv.yaml b/deployment/clouddeploy/gke-workers/base/combine-to-osv.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: combine-to-osv
+  labels:
+    cronLastSuccessfulTimeMins: 90
 spec:
   schedule: "30 */1 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/cpe-repo-gen.yaml b/deployment/clouddeploy/gke-workers/base/cpe-repo-gen.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: cpe-repo-gen
+  labels:
+    cronLastSuccessfulTimeMins: 2880
 spec:
   schedule: "0 6 */1 * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/debian-convert.yaml b/deployment/clouddeploy/gke-workers/base/debian-convert.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: debian-convert
+  labels:
+    cronLastSuccessfulTimeMins: 180
 spec:
   schedule: "0 */1 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/debian-copyright-mirror.yaml b/deployment/clouddeploy/gke-workers/base/debian-copyright-mirror.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: debian-copyright-mirror
+  labels:
+    cronLastSuccessfulTimeMins: 2880
 spec:
   schedule: "0 6 */1 * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/debian-cve-convert.yaml b/deployment/clouddeploy/gke-workers/base/debian-cve-convert.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: debian-cve-convert
+  labels:
+    cronLastSuccessfulTimeMins: 120
 spec:
   schedule: "0 */1 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/debian-first-version.yaml b/deployment/clouddeploy/gke-workers/base/debian-first-version.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: debian-first-version
+  labels:
+    cronLastSuccessfulTimeMins: 120
 spec:
   schedule: "0 1 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/exporter.yaml b/deployment/clouddeploy/gke-workers/base/exporter.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: exporter
+  labels:
+    cronLastSuccessfulTimeMins: 90
 spec:
   schedule: "*/30 * * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/generate-sitemap.yaml b/deployment/clouddeploy/gke-workers/base/generate-sitemap.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: generate-sitemap
+  labels:
+    cronLastSuccessfulTimeMins: 2880
 spec:
   schedule: "30 8 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/importer-deleter.yaml b/deployment/clouddeploy/gke-workers/base/importer-deleter.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: importer-deleter
+  labels:
+    cronLastSuccessfulTimeMins: 360
 spec:
   schedule: "* */3 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/importer.yaml b/deployment/clouddeploy/gke-workers/base/importer.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: importer
+  labels:
+    cronLastSuccessfulTimeMins: 90
 spec:
   schedule: "*/15 * * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/base/nvd-cve-osv.yaml b/deployment/clouddeploy/gke-workers/base/nvd-cve-osv.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: nvd-cve-osv
+  labels:
+    cronLastSuccessfulTimeMins: 86400
 spec:
   timeZone: Australia/Sydney
   schedule: "0 6,13 * * *"
diff --git a/deployment/clouddeploy/gke-workers/base/nvd-mirror.yaml b/deployment/clouddeploy/gke-workers/base/nvd-mirror.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: nvd-mirror
+  labels:
+    cronLastSuccessfulTimeMins: 240
 spec:
   schedule: "0 */2 * * *"
   concurrencyPolicy: Forbid
diff --git a/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/staging-api-test.yaml b/deployment/clouddeploy/gke-workers/environments/oss-vdb-test/staging-api-test.yaml
@@ -2,6 +2,8 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: staging-api-test
+  labels:
+    cronLastSuccessfulTimeMins: 2880
 spec:
   timeZone: Australia/Sydney
   schedule: "0 9 * * *"
diff --git a/deployment/terraform/environments/oss-vdb-test/main.tf b/deployment/terraform/environments/oss-vdb-test/main.tf
@@ -1,3 +1,22 @@
+locals {
+  env_kustomization_path  = "../../../clouddeploy/gke-workers/environments/oss-vdb-test"
+  base_kustomization_path = "../../../clouddeploy/gke-workers/base"
+  env_kustomization       = yamldecode(file("${local.env_kustomization_path}/kustomization.yaml"))
+  base_kustomization      = yamldecode(file("${local.base_kustomization_path}/kustomization.yaml"))
+
+  all_resources = concat(
+    [for resource in local.env_kustomization.resources : "${local.env_kustomization_path}/${resource}" if can(regex("\\.yaml$", resource))],
+    [for resource in local.base_kustomization.resources : "${local.base_kustomization_path}/${resource}" if can(regex("\\.yaml$", resource))],
+  )
+
+  # Iterate of each yaml configuration and create a key based on kind and name in the yaml file.
+  kube_manifests = {
+    for manifest in flatten([for file in local.all_resources : yamldecode(file(file))]) :
+    "${try(manifest.kind, "")}--${try(manifest.metadata.name, "")}" => manifest
+    if try(manifest.kind, "") == "CronJob"
+  }
+}
+
 module "osv_test" {
   source = "../../modules/osv"
 
@@ -19,6 +38,14 @@ module "osv_test" {
   esp_version    = "2.51.0"
 }
 
+module "k8s_cron_alert" {
+  for_each                         = local.kube_manifests
+  source                           = "../../modules/k8s_cron_alert"
+  project_id                       = module.osv_test.project_id
+  cronjob_name                     = each.value.metadata.name
+  cronjob_expected_latency_minutes = lookup(each.value.metadata.labels, "cronLastSuccessfulTimeMins", null)
+}
+
 import {
   to = module.osv_test.google_firestore_database.datastore
   id = "oss-vdb-test/(default)"
diff --git a/deployment/terraform/modules/k8s_cron_alert/k8s_cron_alert.tf b/deployment/terraform/modules/k8s_cron_alert/k8s_cron_alert.tf
@@ -0,0 +1,30 @@
+variable "project_id" {
+  type        = string
+  description = "The project to create the alert policy in."
+}
+
+variable "cronjob_name" {
+  type        = string
+  description = "Name of the kubernetes cronjob to monitor."
+}
+
+variable "cronjob_expected_latency_minutes" {
+  type        = number
+  description = "Expected amount of time since last successful run of the job expressed in minutes."
+}
+
+resource "google_monitoring_alert_policy" "cron_alert_policy" {
+  project      = var.project_id
+  display_name = "Cronjob: ${var.cronjob_name} has not run recently."
+  combiner     = "OR"
+  conditions {
+    display_name = "Cronjob: ${var.cronjob_name} has not run recently."
+    condition_prometheus_query_language {
+      query               = "((time() - kube_cronjob_status_last_successful_time{cronjob=\"${var.cronjob_name}\"})/60) > ${var.cronjob_expected_latency_minutes}"
+      duration            = "60s"
+      evaluation_interval = "60s"
+      alert_rule          = "AlwaysOn"
+      rule_group          = "cronjob ${var.cronjob_name}"
+    }
+  }
+}
diff --git a/deployment/terraform/modules/osv/outputs.tf b/deployment/terraform/modules/osv/outputs.tf
@@ -0,0 +1,4 @@
+output "project_id" {
+  value       = var.project_id # Assuming you are using a variable for project_id within the module
+  description = "The Google Cloud Project ID"
+}
