# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- # Source: rule-evaluator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: rule-evaluator --- # Source: rule-evaluator/templates/configmaps.yaml apiVersion: v1 kind: ConfigMap metadata: name: rule-evaluator labels: app.kubernetes.io/name: rule-evaluator data: config.yaml: | global: external_labels: {} evaluation_interval: 60s rule_files: - "/etc/rules/*.yaml" --- # Source: rule-evaluator/templates/configmaps.yaml apiVersion: v1 kind: ConfigMap metadata: name: rules labels: app.kubernetes.io/name: rule-evaluator data: rules.yaml: | groups: - name: example interval: 10s rules: - record: job:up:sum expr: sum without(instance) (up) - alert: AlwaysFiring expr: vector(1) --- # Source: rule-evaluator/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: rule-evaluator rules: - resources: - endpoints - nodes - nodes/metrics - pods - services apiGroups: [""] verbs: ["get", "list", "watch"] - resources: - configmaps apiGroups: [""] verbs: ["get"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- # Source: rule-evaluator/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: rule-evaluator roleRef: name: rule-evaluator kind: ClusterRole apiGroup: rbac.authorization.k8s.io subjects: - name: rule-evaluator namespace: default kind: ServiceAccount --- # Source: rule-evaluator/templates/service.yaml apiVersion: v1 kind: Service metadata: name: rule-evaluator labels: app.kubernetes.io/name: rule-evaluator spec: selector: app.kubernetes.io/name: rule-evaluator ports: - name: rule-evaluator port: 9092 targetPort: 9092 --- # Source: rule-evaluator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: rule-evaluator labels: app.kubernetes.io/name: rule-evaluator spec: selector: matchLabels: app.kubernetes.io/name: rule-evaluator template: metadata: labels: app.kubernetes.io/name: rule-evaluator app.kubernetes.io/version: 0.15.0 spec: serviceAccountName: rule-evaluator automountServiceAccountToken: true initContainers: - name: config-init image: gke.gcr.io/gke-distroless/bash:gke_distroless_20240907.00_p0 command: ['/bin/bash', '-c', 'touch /prometheus/config_out/config.yaml'] volumeMounts: - name: config-out mountPath: /prometheus/config_out containers: - name: config-reloader image: gke.gcr.io/prometheus-engine/config-reloader:v0.15.0-gke.12 args: - --config-file=/prometheus/config/config.yaml - --config-file-output=/prometheus/config_out/config.yaml - --config-dir=/etc/rules - --config-dir-output=/prometheus/rules_out - --reload-url=http://127.0.0.1:9092/-/reload - --ready-url=http://127.0.0.1:9092/-/ready - --listen-address=:9093 ports: - name: cfg-rel-metrics protocol: TCP containerPort: 9093 resources: limits: memory: 32M requests: cpu: 1m memory: 4M volumeMounts: - name: config readOnly: true mountPath: /prometheus/config - name: config-out mountPath: /prometheus/config_out - name: rules readOnly: true mountPath: /etc/rules - name: rules-out mountPath: /prometheus/rules_out securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true - name: evaluator image: gke.gcr.io/prometheus-engine/rule-evaluator:v0.15.0-gke.12 args: - "--config.file=/prometheus/config_out/config.yaml" - "--web.listen-address=:9092" ports: - name: r-eval-metrics containerPort: 9092 resources: limits: memory: 1G requests: cpu: 1m memory: 16M volumeMounts: - name: config-out readOnly: true mountPath: /prometheus/config_out - name: rules-out readOnly: true mountPath: /etc/rules livenessProbe: httpGet: port: r-eval-metrics path: /-/healthy readinessProbe: httpGet: port: r-eval-metrics path: /-/ready # Readiness attempts a query round-trip so we need a more generous timeout. timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false capabilities: drop: - all privileged: false readOnlyRootFilesystem: true volumes: - name: config configMap: name: rule-evaluator - name: config-out emptyDir: {} - name: rules configMap: name: rules - name: rules-out emptyDir: {} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - amd64 - key: kubernetes.io/os operator: In values: - linux tolerations: - key: "components.gke.io/gke-managed-components" operator: "Exists" - value: "amd64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" - value: "arm64" effect: "NoSchedule" key: "kubernetes.io/arch" operator: "Equal" securityContext: runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault