Enhancement proposal for new APIs to support alerts management UI

[sradco]

This PR includes the enhancement proposal for a new Alerts Management UI.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jan--f for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• enhancements/monitoring/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sradco]

@machadovilaca @avlitman @nunnatsa please review this enhancement proposal.

[simonpasquier]

Reading the proposal, it's not clear to me:

• whether we need a new supported API or only UI improvements are required.
• what are the gaps in the existing implementation that we want to fix (e.g. AlertingRule & AlertRelabel CRDs already exist but what make them hard to use?).

[simonpasquier]

Do we need to support customization for user-defined alerting rules? Right now, alert customization via AlertingRule is only meant for platform alerting rules.

[sradco]

We need to support user-defined alerting rules and create the Prometheusrules same as its already possible today in the CLI

[sradco]

But by support we mean I mean the creation, and lifecycle management, but not faulty expressions/summary/descriptions or any other user defined detail .

[simonpasquier]

We need to support user-defined alerting rules and create the Prometheusrules same as its already possible today in the CLI

you mean applying manifests with oc?

[sradco]

We would wrap the existing API(oc) that allows to create the alert rules, yes.
We want to keep APIs with same prefix as the new planned APIS, for clear definition for the UI.

[simonpasquier]

I'm not following your last comment, sorry. Which APIs are we talking about? For me CRDs are also APIs.

[sradco]

I mean we would wrap only the API for creating the new user defined alerts.
Other APIs require more complicated logic, since they will handle both User alerts and alert rules and platform alerts .

[simonpasquier]

What are the gaps in the current product? It already supports silence management in the console. The same remark applies to the following bullet points.

[sradco]

This effort will integrate the silences as part of the overall feature and will use the existing silences APIs, UI may require some updates for a unified view and management.

[simonpasquier]

See my comment above, I still don't understand what's missing in the console wrt silences.

[sradco]

Reading the proposal, it's not clear to me:

whether we need a new supported API or only UI improvements are required.
what are the gaps in the existing implementation that we want to fix (e.g. AlertingRule & AlertRelabel CRDs already exist but what make them hard to use?).

@simonpasquier We need REST APIs to support adding a UI for managing alerts.
There are no gaps for doing this plainly with CLI, but the gap is of missing REST APIs to do this through the UI.

[simonpasquier]

@simonpasquier We need REST APIs to support adding a UI for managing alerts.
There are no gaps for doing this plainly with CLI, but the gap is of missing REST APIs to do this through the UI.

I feel that we're taking the problem backwards and start from the implementation rather than user experience. As an OpenShift user/cluster admin, do I need a REST API? Or is the main problem that the UI displays information which is inconsistent currently?

[simonpasquier]

and save it as a user‑defined rule

IMHO this part isn't needed. The use case here is that you want to "replace" the definition of an built-in alerting rule because it doesn't fit your environment and that the new rule behaves as another platform alerting rule.

I would also recommend concrete examples (e.g. "by default the NodeNetworkReceiveErrs alert fires when there's more than 1% of received packets in error but I want the threshold to be 2%" and "I want the SamplesDegraded alerting rule's severity to be info rather than warning").

[sradco]

Not necessarily. Sometimes users will clone and add another similar alert and keep the existing alert.
For example if you want to fire one alert for warning in 70% and another for critical at 90%.
Or just use the source alert expression and details as a reference for your new alert and you want to inspect the expression.
We will not disable the source alert as part of the clone process, users are expected to do that.

[simonpasquier]

Agreed but I would separate the use cases for clarity.

1. Replace an existing platform alerting rule by a custom definition.
2. Create a new platform alerting rule from an existing platform alerting rule.
3. Create a new user-defined alerting rule from a plaform or user-defined alerting rule.

[sradco]

@simonpasquier How can a user create a new "Platform alerting rule"? (line 2)

[simonpasquier]

see https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/monitoring/managing-alerts#creating-new-alerting-rules_managing-alerts-as-an-administrator

[sradco]

2. Create a new platform alerting rule from an existing platform alerting rule.

The link you provided is about creating alerting rules out of platform metrics, not alerts.

And below it, it says for updating platform alerts:

• "As a cluster administrator, you can modify core platform alerts before Alertmanager routes them to a receiver. For example, you can change the severity label of an alert, add a custom label, or exclude an alert from being sent to Alertmanager."
• "You must create the AlertRelabelConfig object in the openshift-monitoring namespace. Otherwise, the alert label will not change."

[simonpasquier]

What if you could create an alerting rule from the Metrics > Observe page?

[sradco]

Not in scope of this effort, but possible later on I assume.

[simonpasquier]

I think that it would simplify the workflow a lot: you use existing data to tune the expression and then you turn it into a rule.

[sradco]

@simonpasquier We can simplify the process a bit by not allowing any updates to Platform alerts and always assume updates require creating a new alert and disabling the Platform one.
This could be a valid alternative that we can consider.

So that we only use the alertRelabelConfig to disable/enable alerts and to set Group and Component labels. WDYT?

[simonpasquier]

I'm not following your last comment, sorry. Which APIs are we talking about? For me CRDs are also APIs.

[simonpasquier]

See my comment above, I still don't understand what's missing in the console wrt silences.

[simonpasquier]

Agreed but I would separate the use cases for clarity.

1. Replace an existing platform alerting rule by a custom definition.
2. Create a new platform alerting rule from an existing platform alerting rule.
3. Create a new user-defined alerting rule from a plaform or user-defined alerting rule.

[simonpasquier]

I think that it would simplify the workflow a lot: you use existing data to tune the expression and then you turn it into a rule.

[sradco]

@simonpasquier who can be the api approvers?

[simonpasquier]

The api-approvers field is meant for custom resource definitions which we're not going to add/modify IIUC.
If we implement a new REST API, I assume that the approvers depend on where's going to live.

[sradco]

We plan to add the new REST APIs to CMO

[simonpasquier]

CMO is a single replica deployment so not a good fit for an API server since it won't be highly available.

[jan--f]

Additionally that intention should perhaps be mentioned in this proposal.

[sradco]

CMO is a single replica deployment so not a good fit for an API server since it won't be highly available.

@simonpasquier, @jan--f What do you propose?
When we discussed this with @jgbernalp I believe that we agreed this would be part of CMO.

Additionally that intention should perhaps be mentioned in this proposal.
@jan--f I updated the proposal. Please see if this is better.

[sradco]

Hi @jan--f, @jgbernalp, I would appreciate your review of this proposal

[jan--f]

I think improving how we deal with alerts in the UI is a great effort. We could do with a more unified and bulk friendly approach there. Some mockups for this would be helpful to illustrate what is being proposed (and where the current implementation falls short).

The proposed REST API doesn't make sense to me. Iiuc we already have the k8s API that covers all the the proposed functionality. The motivation section mentions While it's possible to customize built-in alerting rules with the AlertingRule+AlertRelabelConfig CRDs, the process is cumbersome and error-prone. It requires creating YAML manifests manually and there's no practical way to verify the correctness of the configuration. however this proposal doesn't demonstrate how to pass data to the new proposed API nor does it outline how correctness should be verified a priori.

[simonpasquier]

IMHO the summary needs to be revised, it mixes up the what and the how.

Suggested change

	Provide a user‑friendly UI and REST API for defining, viewing, editing, disabling/enabling and silencing Prometheus alerts without manual YAML edits, reducing alert fatigue and improving operational efficiency.
	Improve alert management in the OCP console to expose a unified view of the alerting rules (and associated alerts), provide flexible filtering capabilities and allow rules management without manual YAML edits.

[simonpasquier]

IMHO it doesn't fit in the summary but later. Also there's no AlertingRules.

[simonpasquier]

Suggested change

	- While it's possible to customize built-in alerting rules with the `AlertingRule` + `AlertRelabelConfig` CRDs, the process is cumbersome and error-prone. It requires creating YAML manifests manually and there's no practical way to verify the correctness of the configuration.
	- While it's possible to customize built-in alerting rules with the `AlertingRule` + `AlertRelabelConfig` CRDs, the process is cumbersome and error-prone. It requires creating YAML manifests manually and there's no practical way to verify the correctness of the configuration. Built-in alerting rules and alerts are still visible in the OCP console after they've been overridden .

[sradco]

Updated

[simonpasquier]

Suggested change

	- Some operational teams prefer an interactive console and API to manage alerts safely, guided by best practices.
	- Some operational teams prefer an interactive console and API to manage alerts.

[sradco]

Updated. Thanks.

[simonpasquier]

I think that I commented before but "disable during maintenance" is a wrong use case. Otherwise it's similar to the next user story.

[sradco]

True. I thought I updated it. Sorry.

[simonpasquier]

this part doesn't make sense to me.

[sradco]

Sorry, this was already updates in the design and not reflected here but in the UX doc.

[simonpasquier]

this assumption is wrong IMHO: I can find examples where 2 different rules would have the tuple.

[sradco]

Can you please expend on this? I dont think there should be the same alert rule, with the same severity.

Note: The namespace and prometheus where added and must be specified, so they will identify where it is saved to.

[simonpasquier]

One example is KubeAPIErrorBudgetBurn which has 2 alert definitions for each severity level (the distinction is based on the long and short labels).

[sradco]

@simonpasquier oh, this is bad. Thank you for pointing this out!
I was not aware this was possible.
Ill go back and review this.

[simonpasquier]

the primary key for a rule is composed of

• the namespace &name of the PrometheusRule resource
• the rule group
• the alert or record name
• the label name/value pairs

[sradco]

Hi @simonpasquier , I updated based on your suggestion.
I think group is not needed, but if its a must I this we can add it to the path.

[simonpasquier]

(nit) only alerts can be silenced, rules are not.

[sradco]

Today we show in the alerting rules page if the alert rule is silenced.
When you create a silence for example: silence all info alerts.
You will see that the info alert rules are silenced..

[sradco]

@simonpasquier do you know where is this calculated today ? on the UI side?

[simonpasquier]

I suppose that it's computed on the frontend side. @jgbernalp would know :)

You will see that the info alert rules are silenced..

Sorry for being nit-picky but the UI tells how many alerts associated to the alerting rule are silenced.

[simonpasquier]

I still fail to see the reason for a new API on top of what exists today:

• Prometheus/Thanos APIs (/api/v1/rules and /api/v1/alerts)
• Alertmanager API
• Kubernetes API (for CRDs)

[simonpasquier]

ee

Suggested change

	This includes adding a new REST APIs, Platform alerts will be overriden leveraging the `AlertRelabelConfig` CR (in `cluster-monitoring-config`) rather than editing their original AlertingRules in the `PrometheusRule`.
	As described in the existing [alert overrides](https://github.com/openshift/enhancements/blob/master/enhancements/monitoring/alert-overrides.md) proposal, platform alerts will be overriden leveraging the `AlertRelabelConfig` CR (in `cluster-monitoring-config`) rather than editing their original AlertingRules in the `PrometheusRule`.

[simonpasquier]

I'm not sure if "disable alerts" means "silence active alerts" or "disable an existing alerting rule". If the latter, it overlaps with the next story.

[sradco]

one is for bulk update and second is for single alert. Its "disable"

[simonpasquier]

We've talked about it before and my preference would be to limit this capability to platform alerting rules. Otherwise we need to expand how it will function for user-defined rules.

[simonpasquier]

Suggested change

	5. **Clone an alert base on platform or user-defined alerting rule**
	5. **Clone an alert based on an existing alerting rule (platform or user-defined)**

[simonpasquier]

not really adding since there's already an Alerting page, right?

[sradco]

No UI for managing alerts today.

[simonpasquier]

Sorry for being nit-picky but we need to be precise in the document and avoid confusing alerts and alerting rules. I feel that sometimes one name is used for the other.
I could argue that we can (at least partially) manage alerts from the UI since we can silence. IIUC what we're mostly after is being able to edit an alerting rule without editing the YAML manifest of the PrometheusRule resource holding that rule.

[simonpasquier]

while related to the UI improvements, it could be a separate enhancement proposal since it will impact all component owners (OCP core as well as layered products).

[sradco]

This is part of the effort. The UI uses these and its part of the MVP.

[sradco]

UI will allow to show aggregated alerts based on labels at the to in the "summery" in alerts page.

[simonpasquier]

Then there's no detail in this enhancement about what it entails for existing operators.

[simonpasquier]

To be more specific, we have https://github.com/openshift/enhancements/blob/master/enhancements/monitoring/alerting-consistency.md which describes the requirements and guidelines for OCP alerting rules (including layered products). It's fine to add new recommended labels but it should be documented there since it's the primary source of information for RH dev engineers.

[simonpasquier]

@jan--f @jgbernalp this is where I'm not clear if the Alerting API component is absolutely needed. What prevents the aggregation to happen in the console (client-side)?

If we deploy this intermediary API service then it needs to have access to the user's credentials to ensure that it gets only the resources allowed for the user.

[simonpasquier]

It's handled by CMO. If the question is "what happens when an operator changes the definition and the related AlertRelabelConfig no longer matches?" then (as of now) the onus is on the cluster admin who need to detect the drift and update their customization.

[simonpasquier]

An important upgrade consideration is that existing URLs should remain operational because we know that users depend on them.

[simonpasquier]

IMHO the flexibility should be left to the users: when they go through the creation wizard, the final step should ask whether they want to create a new PrometheusRule (and possibly in which namespace) or if they want to append to an existing PrometheusRule (and to which group).

[openshift-ci]

@sradco: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/markdownlint	68975c4	link	true	/test markdownlint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tremes]

Do these two points assume some kind of mapping between the alert/alerting rule and its corresponding relabel context? There's no explicit connection or contract right now if I am not mistaken.

[tremes]

Would it make sense for the group values to reflect the Source values? platform and user

[tremes]

Nah it doesn't probably make sense. The source and impact are two different things. Feel free to close this comment

[tremes]

What is meant by static labels please?