manifests/operator.yaml

# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- # Source: operator/templates/priorityclass.yaml apiVersion: scheduling.k8s.io/v1 kind: PriorityClass metadata: name: gmp-critical # Maximum allowed user-defined. Only system-node-critical and system-cluster-critical # pods are higher. value: 1000000000 description: Used for GMP collector pods. --- # Source: operator/templates/namespace.yaml apiVersion: v1 kind: Namespace metadata: name: gmp-system --- # Source: operator/templates/namespace.yaml apiVersion: v1 kind: Namespace metadata: name: gmp-public --- # Source: operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: collector namespace: gmp-system --- # Source: operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: operator namespace: gmp-system --- # Source: operator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gmp-system:collector rules: - resources: - endpoints - nodes - nodes/metrics - pods - services apiGroups: [""] verbs: ["get", "list", "watch"] - resources: - configmaps apiGroups: [""] verbs: ["get"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- # Source: operator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gmp-system:operator rules: # Resources controlled by the operator. - resources: - clusterpodmonitorings - clusterrules - globalrules - clusternodemonitorings - podmonitorings - rules apiGroups: ["monitoring.googleapis.com"] verbs: ["get", "list", "watch"] - resources: - clusterpodmonitorings/status - clusterrules/status - globalrules/status - clusternodemonitorings/status - podmonitorings/status - rules/status apiGroups: ["monitoring.googleapis.com"] verbs: ["get", "patch", "update"] - resources: - customresourcedefinitions resourceNames: ["verticalpodautoscalers.autoscaling.k8s.io"] apiGroups: ["apiextensions.k8s.io"] verbs: ["get"] --- # Source: operator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gmp-system:operator:webhook-admin rules: # Permission to inject CA bundles into webhook configs of fixed name. - resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations apiGroups: ["admissionregistration.k8s.io"] resourceNames: - gmp-operator.gmp-system.monitoring.googleapis.com verbs: ["get", "patch", "update", "watch"] # Permission to delete legacy webhook config the operator directly created # in previous versions. - resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations apiGroups: ["admissionregistration.k8s.io"] resourceNames: - gmp-operator verbs: ["delete"] --- # Source: operator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gmp-system:operator roleRef: name: gmp-system:operator kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - name: operator namespace: gmp-system kind: ServiceAccount --- # Source: operator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gmp-system:operator:webhook-admin roleRef: name: gmp-system:operator:webhook-admin kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - name: operator namespace: gmp-system kind: ServiceAccount --- # Source: operator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gmp-system:collector roleRef: name: gmp-system:collector kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - name: collector namespace: gmp-system kind: ServiceAccount --- # Source: operator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: operator namespace: gmp-system rules: - resources: - pods apiGroups: [""] verbs: ["list", "watch"] - resources: - secrets apiGroups: [""] verbs: ["list", "watch", "create"] - resources: - secrets apiGroups: [""] resourceNames: ["collection", "rules", "alertmanager"] verbs: ["get", "patch", "update"] - resources: - configmaps apiGroups: [""] verbs: ["list", "watch", "create"] - resources: - configmaps apiGroups: [""] resourceNames: ["collector", "rule-evaluator", "rules-generated"] verbs: ["get", "patch", "update"] - resources: - daemonsets apiGroups: ["apps"] resourceNames: ["collector"] verbs: ["get", "list", "watch"] - resources: - deployments apiGroups: ["apps"] resourceNames: ["rule-evaluator"] verbs: ["get", "list", "watch"] - resources: - deployments/scale apiGroups: ["apps"] resourceNames: ["rule-evaluator"] verbs: ["get", "patch", "update"] - resources: - services apiGroups: [""] resourceNames: ["alertmanager"] verbs: ["get", "list", "watch"] - resources: - statefulsets apiGroups: ["apps"] resourceNames: ["alertmanager"] verbs: ["get", "list", "watch"] - resources: - statefulsets/scale apiGroups: ["apps"] resourceNames: ["alertmanager"] verbs: ["get", "patch", "update"] - resources: - verticalpodautoscalers apiGroups: ["autoscaling.k8s.io"] verbs: ["create", "delete", "get", "list", "watch"] --- # Source: operator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: operator namespace: gmp-public rules: - resources: - secrets apiGroups: [""] verbs: ["get", "list", "watch"] - resources: - operatorconfigs apiGroups: ["monitoring.googleapis.com"] verbs: ["get", "update", "list", "watch"] --- # Source: operator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: operator namespace: gmp-public roleRef: name: operator kind: Role apiGroup: rbac.authorization.k8s.io subjects: - name: operator namespace: gmp-system kind: ServiceAccount --- # Source: operator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: operator namespace: gmp-system roleRef: name: operator kind: Role apiGroup: rbac.authorization.k8s.io subjects: - name: operator kind: ServiceAccount --- # Source: operator/templates/alertmanager.yaml apiVersion: v1 kind: Service metadata: name: alertmanager namespace: gmp-system spec: selector: app: managed-prometheus-alertmanager app.kubernetes.io/name: alertmanager ports: - name: alertmanager port: 9093 targetPort: 9093 clusterIP: None --- # Source: operator/templates/rule-evaluator.yaml apiVersion: v1 kind: Service metadata: name: rule-evaluator namespace: gmp-system spec: selector: app.kubernetes.io/name: rule-evaluator ports: - name: rule-evaluator port: 19092 targetPort: 19092 --- # Source: operator/templates/service.yaml apiVersion: v1 kind: Service metadata: name: gmp-operator namespace: gmp-system spec: selector: app.kubernetes.io/component: operator app.kubernetes.io/name: gmp-operator app.kubernetes.io/part-of: gmp ports: # This port does not do anything, but allows upgrades in the case # of server-side apply (SSA) conflicts. # TODO(pintohutch): remove once the SSA issues from upgrades are resolved. - name: legacy protocol: TCP port: 8443 targetPort: webhook - name: webhook protocol: TCP port: 443 targetPort: web --- # Source: operator/templates/collector.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: collector namespace: gmp-system spec: selector: matchLabels: # DO NOT MODIFY - label selectors are immutable by the Kubernetes API. # see: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#pod-selector. app.kubernetes.io/name: collector template: metadata: labels: app: managed-prometheus-collector app.kubernetes.io/name: collector app.kubernetes.io/version: 0.15.0 annotations: # The emptyDir for the storage and config directories prevents cluster # autoscaling unless this annotation is set. cluster-autoscaler.kubernetes.io/safe-to-evict: "true" components.gke.io/component-name: managed_prometheus spec: serviceAccountName: collector automountServiceAccountToken: true priorityClassName: gmp-critical initContainers: - name: config-init image: gke.gcr.io/gke-distroless/bash:gke_distroless_20240907.00_p0 command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml'] volumeMounts: - name: config-out mountPath: /prometheus/config_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true containers: - name: config-reloader image: gke.gcr.io/prometheus-engine/config-reloader:v0.15.0-gke.12 args: - --config-file=/prometheus/config/config.yaml - --config-file-output=/prometheus/config_out/config.yaml - --reload-url=http://127.0.0.1:19090/-/reload - --ready-url=http://127.0.0.1:19090/-/ready - --listen-address=:19091 ports: - name: cfg-rel-metrics containerPort: 19091 env: - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName resources: limits: memory: 32M requests: cpu: 1m memory: 4M volumeMounts: - name: config readOnly: true mountPath: /prometheus/config - name: config-out mountPath: /prometheus/config_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true - name: prometheus image: gke.gcr.io/prometheus-engine/prometheus:v2.45.3-gmp.9-gke.0 args: - --config.file=/prometheus/config_out/config.yaml - --enable-feature=exemplar-storage # Special Google flag for authorization using native Kubernetes secrets. - --enable-feature=google-kubernetes-secret-provider - --storage.tsdb.path=/prometheus/data - --storage.tsdb.no-lockfile # Special Google flag for force deleting all data on start. We use ephemeral storage in # this manifest, but there are cases were container restart still reuses, potentially # bad data (corrupted, with high cardinality causing OOMs or slow startups). # Force deleting, so container restart is consistent with pod restart. # NOTE: Data is likely already sent GCM, plus GCM export does not use that # data on disk (WAL). - --gmp.storage.delete-data-on-start # Keep 30 minutes of data. As we are backed by an emptyDir volume, this will count towards # the containers memory usage. We could lower it further if this becomes problematic, but # it the window for local data is quite convenient for debugging. - --storage.tsdb.retention.time=30m - --storage.tsdb.wal-compression # Effectively disable compaction and make blocks short enough so that our retention window # can be kept in practice. - --storage.tsdb.min-block-duration=10m - --storage.tsdb.max-block-duration=10m - --web.listen-address=:19090 - --web.enable-lifecycle - --web.route-prefix=/ - --export.user-agent-mode=kubectl # JSON log format is needed for GKE to display log levels correctly. - --log.format=json ports: - name: prom-metrics containerPort: 19090 # The environment variable EXTRA_ARGS will be populated by the operator. # DO NOT specify it here. env: - name: GOGC value: "25" resources: limits: memory: 2G requests: cpu: 4m memory: 32M volumeMounts: - name: storage mountPath: /prometheus/data - name: config-out readOnly: true mountPath: /prometheus/config_out - name: collection-secret readOnly: true mountPath: /etc/secrets livenessProbe: httpGet: port: 19090 path: /-/healthy scheme: HTTP readinessProbe: httpGet: port: 19090 path: /-/ready scheme: HTTP securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true volumes: - name: storage emptyDir: {} - name: config configMap: name: collector - name: config-out emptyDir: {} - name: collection-secret secret: secretName: collection affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - effect: NoExecute operator: Exists - effect: NoSchedule operator: Exists securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault --- # Source: operator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: gmp-operator namespace: gmp-system labels: app: managed-prometheus-operator app.kubernetes.io/component: operator app.kubernetes.io/name: gmp-operator app.kubernetes.io/part-of: gmp spec: replicas: 1 selector: matchLabels: # DO NOT MODIFY - label selectors are immutable by the Kubernetes API. # see: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#label-selector-updates. app.kubernetes.io/component: operator app.kubernetes.io/name: gmp-operator app.kubernetes.io/part-of: gmp template: metadata: labels: app: managed-prometheus-operator app.kubernetes.io/component: operator app.kubernetes.io/name: gmp-operator app.kubernetes.io/part-of: gmp app.kubernetes.io/version: 0.15.0 spec: serviceAccountName: operator automountServiceAccountToken: true priorityClassName: gmp-critical containers: - name: operator image: gke.gcr.io/prometheus-engine/operator:v0.15.0-gke.12 args: - "--operator-namespace=gmp-system" - "--public-namespace=gmp-public" - "--webhook-addr=:10250" ports: - name: web # Note this should match the --listen-addr flag passed in to the operator args. # Default is 10250. containerPort: 10250 - name: metrics # Note this should match the --metrics-addr flag passed in to the operator args. # Default is 18080. containerPort: 18080 resources: limits: memory: 2G requests: cpu: 1m memory: 16M securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true livenessProbe: httpGet: path: /healthz # Note this should match the --probe-addr flag passed in to the operator args. # Default is 18081. port: 18081 scheme: HTTP readinessProbe: httpGet: path: /readyz # Note this should match the --probe-addr flag passed in to the operator args. # Default is 18081. port: 18081 scheme: HTTP volumeMounts: - name: certs mountPath: /etc/tls/private affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - value: "amd64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" - value: "arm64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault volumes: - name: certs emptyDir: {} --- # Source: operator/templates/rule-evaluator.yaml apiVersion: apps/v1 kind: Deployment metadata: name: rule-evaluator namespace: gmp-system spec: selector: matchLabels: # DO NOT MODIFY - label selectors are immutable by the Kubernetes API. # see: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#label-selector-updates. app.kubernetes.io/name: rule-evaluator template: metadata: labels: app.kubernetes.io/name: rule-evaluator app: managed-prometheus-rule-evaluator app.kubernetes.io/version: 0.15.0 annotations: # The emptyDir for the storage and config directories prevents cluster # autoscaling unless this annotation is set. cluster-autoscaler.kubernetes.io/safe-to-evict: "true" components.gke.io/component-name: managed_prometheus spec: serviceAccountName: collector automountServiceAccountToken: true priorityClassName: gmp-critical initContainers: - name: config-init image: gke.gcr.io/gke-distroless/bash:gke_distroless_20240907.00_p0 command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml'] volumeMounts: - name: config-out mountPath: /prometheus/config_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true containers: - name: config-reloader image: gke.gcr.io/prometheus-engine/config-reloader:v0.15.0-gke.12 args: - --config-file=/prometheus/config/config.yaml - --config-file-output=/prometheus/config_out/config.yaml - --config-dir=/etc/rules - --config-dir-output=/prometheus/rules_out - --watched-dir=/etc/secrets - --reload-url=http://127.0.0.1:19092/-/reload - --ready-url=http://127.0.0.1:19092/-/ready - --listen-address=:19093 ports: - name: cfg-rel-metrics containerPort: 19093 resources: limits: memory: 32M requests: cpu: 1m memory: 4M volumeMounts: - name: config readOnly: true mountPath: /prometheus/config - name: config-out mountPath: /prometheus/config_out - name: rules readOnly: true mountPath: /etc/rules - name: rules-out mountPath: /prometheus/rules_out - name: rules-secret readOnly: true mountPath: /etc/secrets securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true - name: evaluator image: gke.gcr.io/prometheus-engine/rule-evaluator:v0.15.0-gke.12 args: - --config.file=/prometheus/config_out/config.yaml - --web.listen-address=:19092 - --export.user-agent-mode=kubectl ports: - name: r-eval-metrics containerPort: 19092 resources: limits: memory: 1G requests: cpu: 1m memory: 16M volumeMounts: - name: config-out readOnly: true mountPath: /prometheus/config_out - name: rules-out readOnly: true mountPath: /etc/rules - name: rules-secret readOnly: true mountPath: /etc/secrets livenessProbe: httpGet: port: 19092 path: /-/healthy scheme: HTTP readinessProbe: httpGet: port: 19092 path: /-/ready scheme: HTTP securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true volumes: - name: config configMap: name: rule-evaluator defaultMode: 420 - name: config-out emptyDir: {} - name: rules configMap: name: rules-generated defaultMode: 420 - name: rules-out emptyDir: {} - name: rules-secret secret: defaultMode: 420 secretName: rules affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - value: "amd64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" - value: "arm64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault --- # Source: operator/templates/alertmanager.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: alertmanager namespace: gmp-system spec: selector: matchLabels: # DO NOT MODIFY - label selectors are immutable by the Kubernetes API. # see: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-selector. app: managed-prometheus-alertmanager app.kubernetes.io/name: alertmanager template: metadata: labels: app: managed-prometheus-alertmanager app.kubernetes.io/name: alertmanager app.kubernetes.io/version: 0.15.0 annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" components.gke.io/component-name: managed_prometheus spec: priorityClassName: gmp-critical automountServiceAccountToken: false initContainers: - name: config-init image: gke.gcr.io/gke-distroless/bash:gke_distroless_20240907.00_p0 command: ['/bin/bash', '-c', 'touch /alertmanager/config_out/config.yaml && echo -e "receivers:\n - name: noop\nroute:\n receiver: noop" > alertmanager/config_out/config.yaml'] volumeMounts: - name: alertmanager-config mountPath: /alertmanager/config_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true containers: - name: alertmanager image: gke.gcr.io/prometheus-engine/alertmanager:v0.27.0-gmp.1-gke.1 args: - --config.file=/alertmanager/config_out/config.yaml - --storage.path=/alertmanager-data - --cluster.listen-address=[$(POD_IP)]:9094 - --web.listen-address=:9093 - --log.format=json ports: - name: alertmanager containerPort: 9093 env: - name: POD_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP resources: limits: memory: 128M requests: cpu: 1m memory: 16M volumeMounts: - name: alertmanager-config readOnly: true mountPath: /alertmanager/config_out - name: alertmanager-data mountPath: /alertmanager-data securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true - name: config-reloader image: gke.gcr.io/prometheus-engine/config-reloader:v0.15.0-gke.12 args: - --config-file=/alertmanager/config.yaml - --config-file-output=/alertmanager/config_out/config.yaml - --reload-url=http://127.0.0.1:9093/-/reload - --ready-url=http://127.0.0.1:9093/-/ready - --listen-address=:19091 ports: - name: cfg-rel-metrics containerPort: 19091 env: - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName resources: limits: memory: 32M requests: cpu: 1m memory: 4M volumeMounts: - name: config readOnly: true mountPath: /alertmanager - name: alertmanager-config mountPath: /alertmanager/config_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true volumes: - name: config secret: secretName: alertmanager - name: alertmanager-data emptyDir: {} - name: alertmanager-config emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - value: "amd64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" - value: "arm64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault serviceName: alertmanager --- # Source: operator/templates/mutatingwebhookconfiguration.yaml apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: gmp-operator.gmp-system.monitoring.googleapis.com webhooks: - name: default.operatorconfigs.gmp-operator.gmp-system.monitoring.googleapis.com admissionReviewVersions: - v1 clientConfig: # caBundle populated by operator. service: name: gmp-operator namespace: gmp-system port: 443 path: /default/monitoring.googleapis.com/v1/operatorconfigs # Since this is re-applied at runtime by the operator's controllers # we can safely ignore any transient issues with the webhook server. failurePolicy: Ignore rules: - resources: - operatorconfigs apiGroups: - monitoring.googleapis.com apiVersions: - v1 operations: - UPDATE sideEffects: None --- # Source: operator/templates/operatorconfig.yaml apiVersion: monitoring.googleapis.com/v1 kind: OperatorConfig metadata: name: config namespace: gmp-public --- # Source: operator/templates/validating-admission-policy.yaml # Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "operatorconfigs.monitoring.googleapis.com" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["monitoring.googleapis.com"] apiVersions: ["*"] operations: ["CREATE", "UPDATE"] resources: ["operatorconfigs"] validations: - expression: "object.metadata.name == 'config'" - expression: "object.metadata.namespace == 'gmp-public'" --- # Source: operator/templates/validating-admission-policy.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "protected-labels.monitoring.googleapis.com" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["monitoring.googleapis.com"] apiVersions: ["*"] operations: ["CREATE", "UPDATE"] resources: ["clusternodemonitorings", "clusterpodmonitorings", "podmonitorings"] validations: - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'project_id'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"project_id\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'location'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"location\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'cluster'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"cluster\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'namespace'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"namespace\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'instance'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"instance\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'top_level_controller'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"top_level_controller\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || 'top_level_controller_type'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"top_level_controller_type\"" - expression: "object.spec.endpoints.all(e, !has(e.metricRelabeling) || e.metricRelabeling.all(m, !has(m.regex) || '__address__'.matches(m.regex) == false))" message: "Relabeling rule regex would match protected label: \"__address__\"" --- # Source: operator/templates/validating-admission-policy.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "unique-ports.monitoring.googleapis.com" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["monitoring.googleapis.com"] apiVersions: ["*"] operations: ["CREATE", "UPDATE"] resources: ["clusterpodmonitorings", "podmonitorings"] variables: - name: "ports" expression: "object.spec.endpoints.map(e, e.port)" validations: - expression: "variables.ports.all(p, variables.ports.exists_one(ep, ep == p))" message: "Ports must be unique across all endpoints" --- # Source: operator/templates/validating-admission-policy.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "operatorconfigs.monitoring.googleapis.com" spec: policyName: "operatorconfigs.monitoring.googleapis.com" validationActions: [Deny] --- # Source: operator/templates/validating-admission-policy.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "protected-labels.monitoring.googleapis.com" spec: policyName: "protected-labels.monitoring.googleapis.com" validationActions: [Deny] --- # Source: operator/templates/validating-admission-policy.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "unique-ports.monitoring.googleapis.com" spec: policyName: "unique-ports.monitoring.googleapis.com" validationActions: [Deny] --- # Source: operator/templates/validatingwebhookconfiguration.yaml apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: gmp-operator.gmp-system.monitoring.googleapis.com webhooks: - name: validate.rules.gmp-operator.gmp-system.monitoring.googleapis.com admissionReviewVersions: - v1 clientConfig: # caBundle populated by operator. service: name: gmp-operator namespace: gmp-system port: 443 path: /validate/monitoring.googleapis.com/v1/rules failurePolicy: Fail rules: - resources: - rules apiGroups: - monitoring.googleapis.com apiVersions: - v1 operations: - CREATE - UPDATE sideEffects: None - name: validate.clusterrules.gmp-operator.gmp-system.monitoring.googleapis.com admissionReviewVersions: - v1 clientConfig: # caBundle populated by operator. service: name: gmp-operator namespace: gmp-system port: 443 path: /validate/monitoring.googleapis.com/v1/clusterrules failurePolicy: Fail rules: - resources: - clusterrules apiGroups: - monitoring.googleapis.com apiVersions: - v1 operations: - CREATE - UPDATE sideEffects: None - name: validate.globalrules.gmp-operator.gmp-system.monitoring.googleapis.com admissionReviewVersions: - v1 clientConfig: # caBundle populated by operator. service: name: gmp-operator namespace: gmp-system port: 443 path: /validate/monitoring.googleapis.com/v1/globalrules failurePolicy: Fail rules: - resources: - globalrules apiGroups: - monitoring.googleapis.com apiVersions: - v1 operations: - CREATE - UPDATE sideEffects: None - name: validate.operatorconfigs.gmp-operator.gmp-system.monitoring.googleapis.com admissionReviewVersions: - v1 clientConfig: # caBundle populated by operator. service: name: gmp-operator namespace: gmp-system port: 443 path: /validate/monitoring.googleapis.com/v1/operatorconfigs failurePolicy: Fail rules: - resources: - operatorconfigs apiGroups: - monitoring.googleapis.com apiVersions: - v1 operations: - CREATE - UPDATE sideEffects: None

manifests/operator.yaml (1,090 lines of code) (raw):