acm aap

redhat/ocp4/4.16/2024.10.acm.aap.collect.heap.dump.md

@@ -456,13 +456,15 @@ subjects:
     kind: Policy
 ```
 
-## using policy set tooo enforce promethus alert rule
+## using policy to enforce promethus alert rule
+
+We now use policy to enforce promethus alert rule. Here is the promethus rule:
 
 ```yaml
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: cpu-alerts
+  name: wzh-cpu-alerts
   namespace: openshift-monitoring  # Ensure this is the correct namespace for your setup
 spec:
   groups:
@@ -478,4 +480,72 @@ spec:
             description: "Pod {{ $labels.pod }} is using more than 80% CPU for the last 5 minutes."
 ```
 
+Convert it into policy
+
+```yaml
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: must-have-prometheus-alert-rule
+  namespace: policies
+  annotations:
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+  disabled: false
+  remediationAction: enforce
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: policy-alert-rule
+        spec:
+          object-templates:
+            - complianceType: musthave
+              objectDefinition:
+                apiVersion: monitoring.coreos.com/v1
+                kind: PrometheusRule
+                metadata:
+                  name: wzh-cpu-alerts
+                  namespace: openshift-monitoring  # Ensure this is the correct namespace for your setup
+                spec:
+                  groups:
+                    - name: cpu-alerts
+                      rules:
+                        - alert: HighCpuUsage
+                          expr: sum(rate(container_cpu_usage_seconds_total{container!="POD"}[5m])) by (pod) > 0.8
+                          for: 5m
+                          labels:
+                            severity: warning
+                          annotations:
+                            summary: "High CPU usage detected"
+                            description: "Pod {{`{{$labels.pod}}`}} is using more than 80% CPU for the last 5 minutes."
+          pruneObjectBehavior: DeleteIfCreated
+          remediationAction: enforce
+          severity: low
+```
+
+Please note, we use `pruneObjectBehavior: DeleteIfCreated`, so if policy is deleted, the promethus rule will be deleted.
+
+We also use ``{{`{{$labels.pod}}`}}`` , which will overwrite the value of the pod label, and also compatible with policy template.
+
+Here is how to create using webUI:
+
+1. navigate to `governance` -> `policies` -> `create policy`
+![](imgs/2024.10.acm.aap.collect.heap.dump.md/2024-11-22-23-17-59.png)
+
+2. set the policy name, and namespace
+![](imgs/2024.10.acm.aap.collect.heap.dump.md/2024-11-22-23-18-43.png)
+
+3. copy the content of `policy-template` from above example, and select `enforce`. You can see the prune policy is set to `DeleteIfCreated`
+![](imgs/2024.10.acm.aap.collect.heap.dump.md/2024-11-22-23-19-44.png)
+
+4. select the placement.
+![](imgs/2024.10.acm.aap.collect.heap.dump.md/2024-11-22-23-20-07.png)
+
+5. finally, the policy is deployed. And the prometheus rule is created. So the policy is compliant.
+![](imgs/2024.10.acm.aap.collect.heap.dump.md/2024-11-22-23-20-29.png)
+
 # end