Kubernetes (API Server)

Robusta can run automated playbooks when Kubernetes resources change. Playbooks can identify issues, track changes, or automate actions.

These triggers work even when Prometheus is not connected to Robusta, because they are driven directly by the Kubernetes API server.

Crashing Pod Triggers

The following triggers are available for crashing Pods:

on_pod_crash_loop

on_pod_crash_loop fires when a Pod is crash looping. It has the following parameters:

  • restart_reason: Only fire for restart loops with this specific reason. If omitted, all restart reasons are included.

  • restart_count: Fire only after the specified number of restarts

  • rate_limit: Limit firing to once every rate_limit seconds

An example playbook using report_crash_loop to show logs of crashing pods:

customPlaybooks:
- triggers:
  - on_pod_crash_loop:
      restart_reason: "CrashLoopBackOff"
  actions:
  - report_crash_loop: {}

on_pod_oom_killed

on_pod_oom_killed fires when any container in a Pod is OOMKilled. It has the following parameters:

  • rate_limit: Limit firing to once every rate_limit seconds

  • exclude: A list of pod name prefixes and/or namespaces that this trigger will ignore.
    • All pods whose name starts with name in namespace namespace will be ignored for this trigger.

    • If a name is defined without a namespace, then all pods with that name prefix will be ignored for this trigger, regardless of namespace.

    • If a namespace is defined without a name, then all pods in that namespace will be ignored for this trigger.

An example playbook using pod_graph_enricher to show memory graphs of OOMKilled Pods:

customPlaybooks:
- triggers:
  - on_pod_oom_killed:
      rate_limit: 900
      exclude:
        - name: "oomkilled-pod"
          namespace: "default"
  actions:
  - pod_graph_enricher:
      resource_type: Memory
      display_limits: true

on_container_oom_killed

on_container_oom_killed fires when a Container is OOMKilled. It has the following parameters:

  • rate_limit: Limit firing to once every rate_limit seconds

  • exclude: A list of container name prefixes and/or namespaces that this trigger will ignore.
    • All containers whose name starts with name in namespace namespace will be ignored for this trigger.

    • If a name is defined without a namespace, then all containers with that name prefix will be ignored for this trigger, regardless of namespace.

    • If a namespace is defined without a name, then all containers in that namespace will be ignored for this trigger.
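
The three exclude rules above (name plus namespace, name only, namespace only) are the same for on_pod_oom_killed and on_container_oom_killed. The following is an added example, not Robusta's own code: a small model of those documented rules, run over a constructed list of OOMKilled pods (hypothetical names) so you can check which pods an exclude list would actually silence before shipping the playbook.

```python
# Added example, not Robusta's own code: a model of the documented `exclude`
# semantics shared by on_pod_oom_killed and on_container_oom_killed.
# Each exclude entry may carry `name` (a prefix), `namespace`, or both.
from typing import Iterable, Mapping, Optional


def is_excluded(name: str, namespace: str, exclude: Iterable[Mapping[str, str]]) -> bool:
    """True if an object (pod or container name, namespace) hits any exclude entry.

    Rules as documented on this page:
      - name and namespace: ignore objects whose name starts with `name` in that namespace
      - name only:          ignore objects whose name starts with `name`, in any namespace
      - namespace only:     ignore every object in that namespace
    An entry with neither field is treated as matching nothing.
    """
    for entry in exclude:
        prefix: Optional[str] = entry.get("name")
        ns: Optional[str] = entry.get("namespace")
        if prefix is None and ns is None:
            continue
        name_ok = prefix is None or name.startswith(prefix)
        ns_ok = ns is None or namespace == ns
        if name_ok and ns_ok:
            return True
    return False


# Constructed sample OOMKilled pods (hypothetical names, not a real cluster).
SAMPLE_OOM_PODS = [
    {"pod": "oomkilled-pod-7f9c", "namespace": "default"},
    {"pod": "oomkilled-pod-1a2b", "namespace": "staging"},
    {"pod": "api-gateway-0", "namespace": "payments"},
    {"pod": "batch-worker-3", "namespace": "default"},
    {"pod": "web-frontend-2", "namespace": "default"},
]

# Constructed exclude list in the same shape as the playbook examples on this
# page, one entry per documented rule.
EXCLUDE = [
    {"name": "oomkilled-pod", "namespace": "default"},  # name prefix + namespace
    {"name": "batch-"},                                 # name prefix only
    {"namespace": "payments"},                          # namespace only
]


def pods_that_fire(pods, exclude):
    """Names of the pods for which the trigger would still fire."""
    return [p["pod"] for p in pods if not is_excluded(p["pod"], p["namespace"], exclude)]


if __name__ == "__main__":
    # Expected: ['oomkilled-pod-1a2b', 'web-frontend-2']
    print(pods_that_fire(SAMPLE_OOM_PODS, EXCLUDE))
```

Note that the name-plus-namespace entry only silences oomkilled-pod-* in default; the same prefix in staging still fires, which is usually what you want when the exclusion exists to quiet a known-noisy workload rather than to hide a whole class of pods.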

An example playbook using oomkilled_container_graph_enricher:

customPlaybooks:
- triggers:
  - on_container_oom_killed:
      rate_limit: 900
      exclude:
        - name: "oomkilled-container"
          namespace: "default"
  actions:
  - oomkilled_container_graph_enricher:
      resource_type: Memory

on_image_pull_backoff

on_image_pull_backoff fires when a Pod is in the ImagePullBackOff state. It has the following parameters:

  • rate_limit: Limit firing to once every rate_limit seconds

  • fire_delay: Fire only if the pod has been running for more than fire_delay seconds.

  • name_prefix: Name of the pod (or a prefix of it)

  • namespace_prefix: Namespace the pod is in (or a prefix of it)

  • labels_selector: See Common Filters

An example playbook using the image_pull_backoff_reporter action to gather details about the issue:

customPlaybooks:
- triggers:
  - on_image_pull_backoff: {}
  actions:
  - image_pull_backoff_reporter: {}

on_pod_evicted

on_pod_evicted fires when a Pod's status carries the Evicted reason. It has the following parameters:

  • rate_limit: Limit firing to once every rate_limit seconds

  • name_prefix: Name of the pod (or a prefix of it)

  • namespace_prefix: Namespace the pod is in (or a prefix of it)

  • labels_selector: See Common Filters

  • scope: See Common Filters

An example playbook:

customPlaybooks:
- triggers:
  - on_pod_evicted: {}
  actions:
  - create_finding:
      title: "Pod $name in namespace $namespace was Evicted"
      aggregation_key: "PodEvictedTriggered"

For triggers that fire on any Pod change, see Pod Triggers.

Job Failure Triggers

The following triggers are available for failed Jobs:

on_job_failure

on_job_failure fires when a Job's status is updated to "failed".

Example playbook:

customPlaybooks:
- triggers:
  - on_job_failure:
      namespace_prefix: robusta
  actions:
  - create_finding:
      title: "Job $name on namespace $namespace failed"
      aggregation_key: "Job Failure"
  - job_events_enricher: {}

For triggers that fire on any Job change, see Job Triggers.

Warning Event Triggers

Warning events are the output of:

kubectl get events --all-namespaces --field-selector type=Warning

The following triggers track Warning Events:

on_kubernetes_warning_event_create

on_kubernetes_warning_event_create fires when a Kubernetes Warning Event is created.

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_create: {}
  actions:
  - create_finding:
      title: "WarningEvent created: $name!"
      aggregation_key: "warning_events_created"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_create:
      include: ["ImagePullBackOff"]  # only Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent created: $name!"
      aggregation_key: "warning_events_created"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_create:
      exclude: ["NodeSysctlChange", "TooManyPods"]  # skip Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent created: $name!"
      aggregation_key: "warning_events_created"

on_kubernetes_warning_event_update

on_kubernetes_warning_event_update fires when a Kubernetes Warning Event is updated. This is rarely useful, as Warning Events usually aren't updated after creation.

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_update: {}
  actions:
  - create_finding:
      title: "WarningEvent updated: $name!"
      aggregation_key: "warning_events_updated"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_update:
      include: ["ImagePullBackOff"]  # only Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent updated: $name!"
      aggregation_key: "warning_events_updated"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_update:
      exclude: ["NodeSysctlChange", "TooManyPods"]  # skip Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent updated: $name!"
      aggregation_key: "warning_events_updated"

on_kubernetes_warning_event_deleted

on_kubernetes_warning_event_deleted fires when a Kubernetes Warning Event is deleted. This is rarely useful, as usually the creation of Warning Events is more interesting.

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_deleted: {}
  actions:
  - create_finding:
      title: "WarningEvent deleted: $name!"
      aggregation_key: "warning_events_deleted"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_deleted:
      include: ["ImagePullBackOff"]  # only Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent deleted: $name!"
      aggregation_key: "warning_events_deleted"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event_deleted:
      exclude: ["NodeSysctlChange", "TooManyPods"]  # skip Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent deleted: $name!"
      aggregation_key: "warning_events_deleted"

on_kubernetes_warning_event

on_kubernetes_warning_event fires when a Kubernetes Warning Event is modified in any way. This is rarely useful, as usually only the creation of Warning Events is interesting.

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event: {}
  actions:
  - create_finding:
      title: "WarningEvent modified: $name!"
      aggregation_key: "warning_events_modified"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event:
      include: ["ImagePullBackOff"]  # only Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent modified: $name!"
      aggregation_key: "warning_events_modified"

customPlaybooks:
- triggers:
  - on_kubernetes_warning_event:
      exclude: ["NodeSysctlChange", "TooManyPods"]  # skip Events whose reason or message matches
  actions:
  - create_finding:
      title: "WarningEvent modified: $name!"
      aggregation_key: "warning_events_modified"

Which trigger should I use?

You should almost always use the on_kubernetes_warning_event_create trigger. The other triggers are documented for completeness, but are rarely useful.

All Warning Event Triggers support optional include and exclude filters. Each filter entry is text-matched against both the Event's reason field and its message field; matching is case insensitive.
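
To see how the include and exclude filters combine on real-looking input, here is an added example that is not Robusta's own code. It assumes that "text-match" means a case-insensitive substring match against reason and message, that an Event passes when it matches at least one include entry (or include is empty) and no exclude entry, and it runs that logic over a constructed set of Warning Events with hypothetical names.

```python
# Added example, not Robusta's own code: a model of the include/exclude filters
# documented for the Warning Event triggers. Assumption: "text-match" means a
# case-insensitive substring match against the Event's reason and message; an
# Event passes when it matches at least one include entry (or include is empty)
# and matches no exclude entry.
from typing import Iterable, Mapping, Optional


def _text_matches(event: Mapping[str, str], needle: str) -> bool:
    """Case-insensitive substring match against reason and message."""
    n = needle.lower()
    return n in event.get("reason", "").lower() or n in event.get("message", "").lower()


def warning_event_passes(event: Mapping[str, str],
                         include: Optional[Iterable[str]] = None,
                         exclude: Optional[Iterable[str]] = None) -> bool:
    """True if the Warning Event would reach the playbook's actions."""
    include = list(include or [])
    exclude = list(exclude or [])
    if include and not any(_text_matches(event, i) for i in include):
        return False
    return not any(_text_matches(event, x) for x in exclude)


# Constructed sample Warning Events (hypothetical, not real cluster data). For an
# image pull failure the kubelet typically reports reason "Failed" and puts the
# string ImagePullBackOff in the message, which is why both fields are matched.
SAMPLE_WARNING_EVENTS = [
    {"name": "web-5d4f.17a1", "reason": "Failed",
     "message": 'Failed to pull image "registry.example/web:1.2": Error: ImagePullBackOff'},
    {"name": "node-3.17a2", "reason": "NodeSysctlChange", "message": "Node sysctl settings changed"},
    {"name": "node-3.17a3", "reason": "TooManyPods", "message": "Node has too many pods"},
    {"name": "api-0.17a4", "reason": "BackOff", "message": "Back-off restarting failed container"},
    {"name": "cron-7.17a5", "reason": "FailedMount", "message": "MountVolume.SetUp failed for volume"},
]


def filter_events(events, include=None, exclude=None):
    """Names of the Events that pass the given filters, in input order."""
    return [e["name"] for e in events if warning_event_passes(e, include, exclude)]


if __name__ == "__main__":
    # Expected: ['web-5d4f.17a1']
    print(filter_events(SAMPLE_WARNING_EVENTS, include=["ImagePullBackOff"]))
    # Expected: ['web-5d4f.17a1', 'api-0.17a4', 'cron-7.17a5']
    print(filter_events(SAMPLE_WARNING_EVENTS, exclude=["NodeSysctlChange", "TooManyPods"]))
```

Because matching is by substring, a short include term such as "Failed" also catches FailedMount and similar reasons; check a candidate filter against a sample of your own cluster's events (kubectl get events --all-namespaces --field-selector type=Warning) before relying on it to suppress noise.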

Low-level Triggers

Low-level triggers fire on the raw creation, deletion, and modification of resources in your cluster. They can be noisy compared to other triggers, as they fire on even the smallest change to a resource.

Multi-Resource Triggers

on_kubernetes_resource_operation

on_kubernetes_resource_operation fires when one of the specified operations is performed on one of the specified resources. It has the following parameters:

  • operations: List of operations. If empty, all operations are included. Options:
    • create

    • update

    • delete

  • resources: List of Kubernetes resources. If empty, all resources are included. Options:
    • deployment

    • pod

    • job

    • node

    • replicaset

    • statefulset

    • daemonset

    • ingress

    • service

    • event

    • horizontalpodautoscaler

    • clusterrole

    • clusterrolebinding

    • namespace

    • serviceaccount

    • persistentvolume

    • configmap

Example playbook:

customPlaybooks:
- triggers:
  - on_kubernetes_resource_operation:
      resources: ["deployment"]
      operations: ["update"]
  actions:
  - create_finding:
      title: "Deployment $name on namespace $namespace updated"
      aggregation_key: "Deployment Update"
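
The resources and operations lists combine as a simple product, with an empty list standing for "all". The following added example, which is not Robusta's own code, models that selection and checks a trigger's lists against the option lists documented above, then runs it over a constructed stream of API-server changes (hypothetical names). It uses the RBAC resource kinds from the list to show the kind of change-tracking playbook a defender typically wants: a finding for every new or modified ClusterRoleBinding or ServiceAccount.

```python
# Added example, not Robusta's own code: a model of how
# on_kubernetes_resource_operation selects API-server changes. Assumption, as
# documented: an empty `resources` or `operations` list matches everything.
from typing import Iterable, Mapping

# The option lists documented for this trigger.
RESOURCES = {"deployment", "pod", "job", "node", "replicaset", "statefulset",
             "daemonset", "ingress", "service", "event", "horizontalpodautoscaler",
             "clusterrole", "clusterrolebinding", "namespace", "serviceaccount",
             "persistentvolume", "configmap"}
OPERATIONS = {"create", "update", "delete"}


def is_valid_trigger(resources: Iterable[str], operations: Iterable[str]) -> bool:
    """True if every listed resource and operation is one of the documented options."""
    return set(resources) <= RESOURCES and set(operations) <= OPERATIONS


def trigger_fires(change: Mapping[str, str], resources=(), operations=()) -> bool:
    """True if a single API-server change matches the trigger configuration."""
    resource_ok = not resources or change["kind"].lower() in resources
    operation_ok = not operations or change["op"] in operations
    return resource_ok and operation_ok


# Constructed stream of watch events (hypothetical names, not a real cluster).
SAMPLE_CHANGES = [
    {"op": "create", "kind": "ClusterRoleBinding", "name": "ci-runner-admin", "namespace": ""},
    {"op": "update", "kind": "Deployment", "name": "web", "namespace": "prod"},
    {"op": "delete", "kind": "Pod", "name": "web-7f9c-abc12", "namespace": "prod"},
    {"op": "update", "kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"},
    {"op": "create", "kind": "ConfigMap", "name": "feature-flags", "namespace": "prod"},
]


def matching_changes(changes, resources=(), operations=()):
    """Labels of the changes the trigger would fire for, in input order."""
    if not is_valid_trigger(resources, operations):
        raise ValueError(f"unknown resource or operation in {resources!r} / {operations!r}")
    return [f'{c["op"]}:{c["kind"]}/{c["name"]}' for c in changes
            if trigger_fires(c, resources, operations)]


if __name__ == "__main__":
    # RBAC change tracking: new or modified bindings and service accounts.
    # Expected: ['create:ClusterRoleBinding/ci-runner-admin', 'update:ServiceAccount/ci-runner']
    print(matching_changes(SAMPLE_CHANGES,
                           ["clusterrolebinding", "clusterrole", "serviceaccount"],
                           ["create", "update"]))
    # The page's own example: deployment updates only.
    # Expected: ['update:Deployment/web']
    print(matching_changes(SAMPLE_CHANGES, ["deployment"], ["update"]))
```

The validation step matters in practice because the option list uses lower-case singular kinds (clusterrolebinding, not ClusterRoleBindings); a misspelt entry is best caught when the playbook is written rather than by noticing later that no findings ever arrived.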

Single Resource Triggers

Pod Triggers

The following triggers are available for Pods.

on_pod_create

Fires when a Pod is created

customPlaybooks:
- triggers:
  - on_pod_create: {}
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was created"
      aggregation_key: "Pod_created"
customPlaybooks:
- triggers:
  - on_pod_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was created"
      aggregation_key: "Pod_created"

on_pod_update

Fires when a Pod is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_pod_update: {}
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was updated"
      aggregation_key: "Pod_updated"
customPlaybooks:
- triggers:
  - on_pod_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was updated"
      aggregation_key: "Pod_updated"

on_pod_delete

Fires when a Pod is deleted

customPlaybooks:
- triggers:
  - on_pod_delete: {}
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was deleted"
      aggregation_key: "Pod_deleted"
customPlaybooks:
- triggers:
  - on_pod_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was deleted"
      aggregation_key: "Pod_deleted"

on_pod_all_changes

Fires when a Pod is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_pod_all_changes: {}
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was all_changes"
      aggregation_key: "Pod_all_changes"
customPlaybooks:
- triggers:
  - on_pod_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Pod $name in namespace $namespace was all_changes"
      aggregation_key: "Pod_all_changes"

For triggers that fire only on Pod errors, see Crashing Pod Triggers.

ReplicaSet Triggers

The following triggers are available for ReplicaSets.

on_replicaset_create

Fires when a ReplicaSet is created

customPlaybooks:
- triggers:
  - on_replicaset_create: {}
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was created"
      aggregation_key: "ReplicaSet_created"
customPlaybooks:
- triggers:
  - on_replicaset_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was created"
      aggregation_key: "ReplicaSet_created"

on_replicaset_update

Fires when a ReplicaSet is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_replicaset_update: {}
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was updated"
      aggregation_key: "ReplicaSet_updated"
customPlaybooks:
- triggers:
  - on_replicaset_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was updated"
      aggregation_key: "ReplicaSet_updated"

on_replicaset_delete

Fires when a ReplicaSet is deleted

customPlaybooks:
- triggers:
  - on_replicaset_delete: {}
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was deleted"
      aggregation_key: "ReplicaSet_deleted"
customPlaybooks:
- triggers:
  - on_replicaset_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was deleted"
      aggregation_key: "ReplicaSet_deleted"

on_replicaset_all_changes

Fires when a ReplicaSet is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_replicaset_all_changes: {}
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was all_changes"
      aggregation_key: "ReplicaSet_all_changes"
customPlaybooks:
- triggers:
  - on_replicaset_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "ReplicaSet $name in namespace $namespace was all_changes"
      aggregation_key: "ReplicaSet_all_changes"

DaemonSet Triggers

The following triggers are available for DaemonSets.

on_daemonset_create

Fires when a DaemonSet is created

customPlaybooks:
- triggers:
  - on_daemonset_create: {}
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was created"
      aggregation_key: "DaemonSet_created"
customPlaybooks:
- triggers:
  - on_daemonset_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was created"
      aggregation_key: "DaemonSet_created"

on_daemonset_update

Fires when a DaemonSet is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_daemonset_update: {}
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was updated"
      aggregation_key: "DaemonSet_updated"
customPlaybooks:
- triggers:
  - on_daemonset_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was updated"
      aggregation_key: "DaemonSet_updated"

on_daemonset_delete

Fires when a DaemonSet is deleted

customPlaybooks:
- triggers:
  - on_daemonset_delete: {}
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was deleted"
      aggregation_key: "DaemonSet_deleted"
customPlaybooks:
- triggers:
  - on_daemonset_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was deleted"
      aggregation_key: "DaemonSet_deleted"

on_daemonset_all_changes

Fires when a DaemonSet is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_daemonset_all_changes: {}
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was all_changes"
      aggregation_key: "DaemonSet_all_changes"
customPlaybooks:
- triggers:
  - on_daemonset_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "DaemonSet $name in namespace $namespace was all_changes"
      aggregation_key: "DaemonSet_all_changes"

Deployment Triggers

The following triggers are available for Deployments.

on_deployment_create

Fires when a Deployment is created

customPlaybooks:
- triggers:
  - on_deployment_create: {}
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was created"
      aggregation_key: "Deployment_created"
customPlaybooks:
- triggers:
  - on_deployment_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was created"
      aggregation_key: "Deployment_created"

on_deployment_update

Fires when a Deployment is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_deployment_update: {}
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was updated"
      aggregation_key: "Deployment_updated"
customPlaybooks:
- triggers:
  - on_deployment_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was updated"
      aggregation_key: "Deployment_updated"

on_deployment_delete

Fires when a Deployment is deleted

customPlaybooks:
- triggers:
  - on_deployment_delete: {}
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was deleted"
      aggregation_key: "Deployment_deleted"
customPlaybooks:
- triggers:
  - on_deployment_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was deleted"
      aggregation_key: "Deployment_deleted"

on_deployment_all_changes

Fires when a Deployment is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_deployment_all_changes: {}
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was all_changes"
      aggregation_key: "Deployment_all_changes"
customPlaybooks:
- triggers:
  - on_deployment_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Deployment $name in namespace $namespace was all_changes"
      aggregation_key: "Deployment_all_changes"

StatefulSet Triggers

The following triggers are available for StatefulSets.

on_statefulset_create

Fires when a StatefulSet is created

customPlaybooks:
- triggers:
  - on_statefulset_create: {}
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was created"
      aggregation_key: "StatefulSet_created"
customPlaybooks:
- triggers:
  - on_statefulset_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was created"
      aggregation_key: "StatefulSet_created"
on_statefulset_update

Fires when a StatefulSet is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_statefulset_update: {}
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was updated"
      aggregation_key: "StatefulSet_updated"
customPlaybooks:
- triggers:
  - on_statefulset_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was updated"
      aggregation_key: "StatefulSet_updated"
on_statefulset_delete

Fires when a StatefulSet is deleted

customPlaybooks:
- triggers:
  - on_statefulset_delete: {}
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was deleted"
      aggregation_key: "StatefulSet_deleted"
customPlaybooks:
- triggers:
  - on_statefulset_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was deleted"
      aggregation_key: "StatefulSet_deleted"
on_statefulset_all_changes

Fires when a StatefulSet is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_statefulset_all_changes: {}
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was all_changes"
      aggregation_key: "StatefulSet_all_changes"
customPlaybooks:
- triggers:
  - on_statefulset_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "StatefulSet $name in namespace $namespace was all_changes"
      aggregation_key: "StatefulSet_all_changes"

Service Triggers

The following triggers are available for Services.

on_service_create

Fires when a Service is created

customPlaybooks:
- triggers:
  - on_service_create: {}
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was created"
      aggregation_key: "Service_created"
customPlaybooks:
- triggers:
  - on_service_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was created"
      aggregation_key: "Service_created"
on_service_update

Fires when a Service is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_service_update: {}
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was updated"
      aggregation_key: "Service_updated"
customPlaybooks:
- triggers:
  - on_service_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was updated"
      aggregation_key: "Service_updated"
on_service_delete

Fires when a Service is deleted

customPlaybooks:
- triggers:
  - on_service_delete: {}
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was deleted"
      aggregation_key: "Service_deleted"
customPlaybooks:
- triggers:
  - on_service_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was deleted"
      aggregation_key: "Service_deleted"
on_service_all_changes

Fires when a Service is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_service_all_changes: {}
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was all_changes"
      aggregation_key: "Service_all_changes"
customPlaybooks:
- triggers:
  - on_service_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Service $name in namespace $namespace was all_changes"
      aggregation_key: "Service_all_changes"

Ingress Triggers

The following triggers are available for Ingresses.

on_ingress_create

Fires when an Ingress is created

customPlaybooks:
- triggers:
  - on_ingress_create: {}
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was created"
      aggregation_key: "Ingress_created"
customPlaybooks:
- triggers:
  - on_ingress_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was created"
      aggregation_key: "Ingress_created"
on_ingress_update

Fires when an Ingress is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_ingress_update: {}
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was updated"
      aggregation_key: "Ingress_updated"
customPlaybooks:
- triggers:
  - on_ingress_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was updated"
      aggregation_key: "Ingress_updated"
on_ingress_delete

Fires when an Ingress is deleted

customPlaybooks:
- triggers:
  - on_ingress_delete: {}
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was deleted"
      aggregation_key: "Ingress_deleted"
customPlaybooks:
- triggers:
  - on_ingress_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was deleted"
      aggregation_key: "Ingress_deleted"
on_ingress_all_changes

Fires when an Ingress is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_ingress_all_changes: {}
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was all_changes"
      aggregation_key: "Ingress_all_changes"
customPlaybooks:
- triggers:
  - on_ingress_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Ingress $name in namespace $namespace was all_changes"
      aggregation_key: "Ingress_all_changes"

Event Triggers

The following triggers are available for Events.

on_event_create

Fires when an Event is created

customPlaybooks:
- triggers:
  - on_event_create: {}
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was created"
      aggregation_key: "Event_created"
customPlaybooks:
- triggers:
  - on_event_create:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was created"
      aggregation_key: "Event_created"

on_event_update

Fires when an Event is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_event_update: {}
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was updated"
      aggregation_key: "Event_updated"
customPlaybooks:
- triggers:
  - on_event_update:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was updated"
      aggregation_key: "Event_updated"

on_event_delete

Fires when an Event is deleted

customPlaybooks:
- triggers:
  - on_event_delete: {}
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was deleted"
      aggregation_key: "Event_deleted"
customPlaybooks:
- triggers:
  - on_event_delete:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was deleted"
      aggregation_key: "Event_deleted"

on_event_all_changes

Fires when an Event is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_event_all_changes: {}
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was all_changes"
      aggregation_key: "Event_all_changes"
customPlaybooks:
- triggers:
  - on_event_all_changes:
      name_prefix: "my-resource" # 
      namespace_prefix: "kube-system" # 
      labels_selector: "label1=value1" # 
  actions:
  - create_finding: # 
      title: "Event $name in namespace $namespace was all_changes"
      aggregation_key: "Event_all_changes"

HorizontalPodAutoscaler Triggers

The following triggers are available for HorizontalPodAutoscalers.

on_horizontalpodautoscaler_create

Fires when a HorizontalPodAutoscaler is created

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_create: {}
  actions:
  - create_finding: # 
      title: "HorizontalPodAutoscaler $name in namespace $namespace was created"
      aggregation_key: "HorizontalPodAutoscaler_created"
customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_create:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was created"
      aggregation_key: "HorizontalPodAutoscaler_created"

on_horizontalpodautoscaler_update

Fires when a HorizontalPodAutoscaler is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_update: {}
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was updated"
      aggregation_key: "HorizontalPodAutoscaler_updated"

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_update:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was updated"
      aggregation_key: "HorizontalPodAutoscaler_updated"

on_horizontalpodautoscaler_delete

Fires when a HorizontalPodAutoscaler is deleted.

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_delete: {}
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was deleted"
      aggregation_key: "HorizontalPodAutoscaler_deleted"

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was deleted"
      aggregation_key: "HorizontalPodAutoscaler_deleted"

on_horizontalpodautoscaler_all_changes

Fires when a HorizontalPodAutoscaler is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_all_changes: {}
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was modified"
      aggregation_key: "HorizontalPodAutoscaler_all_changes"

customPlaybooks:
- triggers:
  - on_horizontalpodautoscaler_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "HorizontalPodAutoscaler $name in namespace $namespace was modified"
      aggregation_key: "HorizontalPodAutoscaler_all_changes"

Node Triggers

The following triggers are available for Nodes. A Node is cluster-scoped: it has no namespace, so the namespace_prefix filter does not apply and $namespace has no meaningful value in finding titles; only name_prefix and labels_selector are shown in the filtered examples. The kubelet refreshes Node status on a regular cadence, so on_node_update and on_node_all_changes can be noisy on large clusters; narrow them with filters. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_node_create

Fires when a Node is created.

customPlaybooks:
- triggers:
  - on_node_create: {}
  actions:
  - create_finding:
      title: "Node $name was created"
      aggregation_key: "Node_created"

customPlaybooks:
- triggers:
  - on_node_create:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Node $name was created"
      aggregation_key: "Node_created"

on_node_update

Fires when a Node is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_node_update: {}
  actions:
  - create_finding:
      title: "Node $name was updated"
      aggregation_key: "Node_updated"

customPlaybooks:
- triggers:
  - on_node_update:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Node $name was updated"
      aggregation_key: "Node_updated"

on_node_delete

Fires when a Node is deleted.

customPlaybooks:
- triggers:
  - on_node_delete: {}
  actions:
  - create_finding:
      title: "Node $name was deleted"
      aggregation_key: "Node_deleted"

customPlaybooks:
- triggers:
  - on_node_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Node $name was deleted"
      aggregation_key: "Node_deleted"

on_node_all_changes

Fires when a Node is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_node_all_changes: {}
  actions:
  - create_finding:
      title: "Node $name was modified"
      aggregation_key: "Node_all_changes"

customPlaybooks:
- triggers:
  - on_node_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Node $name was modified"
      aggregation_key: "Node_all_changes"

ClusterRole Triggers

The following triggers are available for ClusterRoles. A ClusterRole is cluster-scoped: it has no namespace, so the namespace_prefix filter does not apply and $namespace has no meaningful value in finding titles; only name_prefix and labels_selector are shown in the filtered examples. A change to a ClusterRole changes the permissions of every subject bound to it, which makes these triggers a natural basis for RBAC change auditing. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_clusterrole_create

Fires when a ClusterRole is created.

customPlaybooks:
- triggers:
  - on_clusterrole_create: {}
  actions:
  - create_finding:
      title: "ClusterRole $name was created"
      aggregation_key: "ClusterRole_created"

customPlaybooks:
- triggers:
  - on_clusterrole_create:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRole $name was created"
      aggregation_key: "ClusterRole_created"

on_clusterrole_update

Fires when a ClusterRole is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_clusterrole_update: {}
  actions:
  - create_finding:
      title: "ClusterRole $name was updated"
      aggregation_key: "ClusterRole_updated"

customPlaybooks:
- triggers:
  - on_clusterrole_update:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRole $name was updated"
      aggregation_key: "ClusterRole_updated"

on_clusterrole_delete

Fires when a ClusterRole is deleted.

customPlaybooks:
- triggers:
  - on_clusterrole_delete: {}
  actions:
  - create_finding:
      title: "ClusterRole $name was deleted"
      aggregation_key: "ClusterRole_deleted"

customPlaybooks:
- triggers:
  - on_clusterrole_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRole $name was deleted"
      aggregation_key: "ClusterRole_deleted"

on_clusterrole_all_changes

Fires when a ClusterRole is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_clusterrole_all_changes: {}
  actions:
  - create_finding:
      title: "ClusterRole $name was modified"
      aggregation_key: "ClusterRole_all_changes"

customPlaybooks:
- triggers:
  - on_clusterrole_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRole $name was modified"
      aggregation_key: "ClusterRole_all_changes"

ClusterRoleBinding Triggers

The following triggers are available for ClusterRoleBindings. A ClusterRoleBinding is cluster-scoped: it has no namespace, so the namespace_prefix filter does not apply and $namespace has no meaningful value in finding titles; only name_prefix and labels_selector are shown in the filtered examples. Because a ClusterRoleBinding grants a ClusterRole's permissions cluster-wide to its subjects, these triggers are a natural basis for auditing privilege changes. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_clusterrolebinding_create

Fires when a ClusterRoleBinding is created.

customPlaybooks:
- triggers:
  - on_clusterrolebinding_create: {}
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was created"
      aggregation_key: "ClusterRoleBinding_created"

customPlaybooks:
- triggers:
  - on_clusterrolebinding_create:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was created"
      aggregation_key: "ClusterRoleBinding_created"

on_clusterrolebinding_update

Fires when a ClusterRoleBinding is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_clusterrolebinding_update: {}
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was updated"
      aggregation_key: "ClusterRoleBinding_updated"

customPlaybooks:
- triggers:
  - on_clusterrolebinding_update:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was updated"
      aggregation_key: "ClusterRoleBinding_updated"

on_clusterrolebinding_delete

Fires when a ClusterRoleBinding is deleted.

customPlaybooks:
- triggers:
  - on_clusterrolebinding_delete: {}
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was deleted"
      aggregation_key: "ClusterRoleBinding_deleted"

customPlaybooks:
- triggers:
  - on_clusterrolebinding_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was deleted"
      aggregation_key: "ClusterRoleBinding_deleted"

on_clusterrolebinding_all_changes

Fires when a ClusterRoleBinding is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_clusterrolebinding_all_changes: {}
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was modified"
      aggregation_key: "ClusterRoleBinding_all_changes"

customPlaybooks:
- triggers:
  - on_clusterrolebinding_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ClusterRoleBinding $name was modified"
      aggregation_key: "ClusterRoleBinding_all_changes"

Job Triggers

The following triggers are available for Jobs. Note that Jobs spawned by a CronJob fire on_job_create on every schedule, so filter by name_prefix or namespace_prefix if that is not what you want. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_job_create

Fires when a Job is created.

customPlaybooks:
- triggers:
  - on_job_create: {}
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was created"
      aggregation_key: "Job_created"

customPlaybooks:
- triggers:
  - on_job_create:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was created"
      aggregation_key: "Job_created"

on_job_update

Fires when a Job is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_job_update: {}
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was updated"
      aggregation_key: "Job_updated"

customPlaybooks:
- triggers:
  - on_job_update:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was updated"
      aggregation_key: "Job_updated"

on_job_delete

Fires when a Job is deleted.

customPlaybooks:
- triggers:
  - on_job_delete: {}
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was deleted"
      aggregation_key: "Job_deleted"

customPlaybooks:
- triggers:
  - on_job_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was deleted"
      aggregation_key: "Job_deleted"

on_job_all_changes

Fires when a Job is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_job_all_changes: {}
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was modified"
      aggregation_key: "Job_all_changes"

customPlaybooks:
- triggers:
  - on_job_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Job $name in namespace $namespace was modified"
      aggregation_key: "Job_all_changes"

Namespace Triggers

The following triggers are available for Namespaces. A Namespace object is itself cluster-scoped: it has no namespace of its own, so the namespace_prefix filter does not apply and $namespace has no meaningful value in finding titles; use name_prefix to match the Namespace's own name. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_namespace_create

Fires when a Namespace is created.

customPlaybooks:
- triggers:
  - on_namespace_create: {}
  actions:
  - create_finding:
      title: "Namespace $name was created"
      aggregation_key: "Namespace_created"

customPlaybooks:
- triggers:
  - on_namespace_create:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Namespace $name was created"
      aggregation_key: "Namespace_created"

on_namespace_update

Fires when a Namespace is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_namespace_update: {}
  actions:
  - create_finding:
      title: "Namespace $name was updated"
      aggregation_key: "Namespace_updated"

customPlaybooks:
- triggers:
  - on_namespace_update:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Namespace $name was updated"
      aggregation_key: "Namespace_updated"

on_namespace_delete

Fires when a Namespace is deleted.

customPlaybooks:
- triggers:
  - on_namespace_delete: {}
  actions:
  - create_finding:
      title: "Namespace $name was deleted"
      aggregation_key: "Namespace_deleted"

customPlaybooks:
- triggers:
  - on_namespace_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Namespace $name was deleted"
      aggregation_key: "Namespace_deleted"

on_namespace_all_changes

Fires when a Namespace is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_namespace_all_changes: {}
  actions:
  - create_finding:
      title: "Namespace $name was modified"
      aggregation_key: "Namespace_all_changes"

customPlaybooks:
- triggers:
  - on_namespace_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Namespace $name was modified"
      aggregation_key: "Namespace_all_changes"

ServiceAccount Triggers

The following triggers are available for ServiceAccounts. Note that Kubernetes creates a default ServiceAccount in every new Namespace, so on_serviceaccount_create also fires once per Namespace creation. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_serviceaccount_create

Fires when a ServiceAccount is created.

customPlaybooks:
- triggers:
  - on_serviceaccount_create: {}
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was created"
      aggregation_key: "ServiceAccount_created"

customPlaybooks:
- triggers:
  - on_serviceaccount_create:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was created"
      aggregation_key: "ServiceAccount_created"

on_serviceaccount_update

Fires when a ServiceAccount is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_serviceaccount_update: {}
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was updated"
      aggregation_key: "ServiceAccount_updated"

customPlaybooks:
- triggers:
  - on_serviceaccount_update:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was updated"
      aggregation_key: "ServiceAccount_updated"

on_serviceaccount_delete

Fires when a ServiceAccount is deleted.

customPlaybooks:
- triggers:
  - on_serviceaccount_delete: {}
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was deleted"
      aggregation_key: "ServiceAccount_deleted"

customPlaybooks:
- triggers:
  - on_serviceaccount_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was deleted"
      aggregation_key: "ServiceAccount_deleted"

on_serviceaccount_all_changes

Fires when a ServiceAccount is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_serviceaccount_all_changes: {}
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was modified"
      aggregation_key: "ServiceAccount_all_changes"

customPlaybooks:
- triggers:
  - on_serviceaccount_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "ServiceAccount $name in namespace $namespace was modified"
      aggregation_key: "ServiceAccount_all_changes"

PersistentVolume Triggers

The following triggers are available for PersistentVolumes. A PersistentVolume is cluster-scoped (unlike a PersistentVolumeClaim): it has no namespace, so the namespace_prefix filter does not apply and $namespace has no meaningful value in finding titles; only name_prefix and labels_selector are shown in the filtered examples. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_persistentvolume_create

Fires when a PersistentVolume is created.

customPlaybooks:
- triggers:
  - on_persistentvolume_create: {}
  actions:
  - create_finding:
      title: "PersistentVolume $name was created"
      aggregation_key: "PersistentVolume_created"

customPlaybooks:
- triggers:
  - on_persistentvolume_create:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "PersistentVolume $name was created"
      aggregation_key: "PersistentVolume_created"

on_persistentvolume_update

Fires when a PersistentVolume is updated. Creations and deletions are excluded.

customPlaybooks:
- triggers:
  - on_persistentvolume_update: {}
  actions:
  - create_finding:
      title: "PersistentVolume $name was updated"
      aggregation_key: "PersistentVolume_updated"

customPlaybooks:
- triggers:
  - on_persistentvolume_update:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "PersistentVolume $name was updated"
      aggregation_key: "PersistentVolume_updated"

on_persistentvolume_delete

Fires when a PersistentVolume is deleted.

customPlaybooks:
- triggers:
  - on_persistentvolume_delete: {}
  actions:
  - create_finding:
      title: "PersistentVolume $name was deleted"
      aggregation_key: "PersistentVolume_deleted"

customPlaybooks:
- triggers:
  - on_persistentvolume_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "PersistentVolume $name was deleted"
      aggregation_key: "PersistentVolume_deleted"

on_persistentvolume_all_changes

Fires when a PersistentVolume is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_persistentvolume_all_changes: {}
  actions:
  - create_finding:
      title: "PersistentVolume $name was modified"
      aggregation_key: "PersistentVolume_all_changes"

customPlaybooks:
- triggers:
  - on_persistentvolume_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "PersistentVolume $name was modified"
      aggregation_key: "PersistentVolume_all_changes"

Secret triggers

Secret triggers fire when a Secret resource changes. By default Robusta does not track Secrets; to enable these triggers, configure kubewatch (Robusta's Kubernetes watcher) to monitor Secrets. Two points to keep in mind: watching Secrets requires the watcher's ServiceAccount to be granted list and watch on Secrets, which widens that account's own access, so scope the grant deliberately; and findings are delivered to sinks, so keep titles to metadata such as $name and $namespace and never put Secret data into a finding. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_secret_create

Fires when a Secret is created.

customPlaybooks:
- triggers:
  - on_secret_create: {}
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was created"
      aggregation_key: "Secret_created"

customPlaybooks:
- triggers:
  - on_secret_create:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was created"
      aggregation_key: "Secret_created"

on_secret_update

Fires when a Secret is updated.

customPlaybooks:
- triggers:
  - on_secret_update: {}
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was updated"
      aggregation_key: "Secret_updated"

customPlaybooks:
- triggers:
  - on_secret_update:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was updated"
      aggregation_key: "Secret_updated"

on_secret_delete

Fires when a Secret is deleted.

customPlaybooks:
- triggers:
  - on_secret_delete: {}
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was deleted"
      aggregation_key: "Secret_deleted"

customPlaybooks:
- triggers:
  - on_secret_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was deleted"
      aggregation_key: "Secret_deleted"

on_secret_all_changes

Fires when a Secret is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_secret_all_changes: {}
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was modified"
      aggregation_key: "Secret_modified"

customPlaybooks:
- triggers:
  - on_secret_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "Secret $name in namespace $namespace was modified"
      aggregation_key: "Secret_modified"

Wildcard triggers

Wildcard triggers fire when any supported Kubernetes resource changes; each one is equivalent to the union of the corresponding low-level triggers for every resource type on this page. Because they fire for every watched object, combine them with the filters under Common Filters (or a scope exclude) to keep finding volume manageable. The namespace_prefix filter only matches namespaced resources; cluster-scoped objects such as Nodes carry no namespace. Each trigger is shown twice: without parameters, and with the optional filters described under Common Filters.

on_kubernetes_any_resource_create

Fires when any supported Kubernetes resource is created.

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_create: {}
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was created"
      aggregation_key: "resource_created"

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_create:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was created"
      aggregation_key: "resource_created"

on_kubernetes_any_resource_update

Fires when any supported Kubernetes resource is updated.

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_update: {}
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was updated"
      aggregation_key: "resource_updated"

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_update:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was updated"
      aggregation_key: "resource_updated"

on_kubernetes_any_resource_delete

Fires when any supported Kubernetes resource is deleted.

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_delete: {}
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was deleted"
      aggregation_key: "resource_deleted"

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_delete:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was deleted"
      aggregation_key: "resource_deleted"

on_kubernetes_any_resource_all_changes

Fires when any supported Kubernetes resource is created, updated, or deleted.

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_all_changes: {}
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was modified"
      aggregation_key: "resource_modified"

customPlaybooks:
- triggers:
  - on_kubernetes_any_resource_all_changes:
      name_prefix: "my-resource" # optional, see Common Filters
      namespace_prefix: "kube-system" # optional, see Common Filters
      labels_selector: "label1=value1" # optional, see Common Filters
  actions:
  - create_finding:
      title: "resource $name in namespace $namespace was modified"
      aggregation_key: "resource_modified"

Common Filters

Most Kubernetes triggers support the following filters:

  • name_prefix - match only resources whose name starts with this prefix

  • namespace_prefix - match only resources whose namespace starts with this prefix. It does not apply to cluster-scoped resources (Nodes, ClusterRoles, ClusterRoleBindings, Namespaces, PersistentVolumes), which have no namespace.

  • labels_selector - e.g. label1=value1,label2=value2. If multiple labels are provided, all must match.

Additionally, Kubernetes triggers support a scope filtering mechanism that works almost exactly like the scope mechanism for sinks (see Routing Alerts To Specific Sinks for more information). The only difference is that for triggers the include/exclude entries accept an additional option, attributes, which filters on any field in the YAML representation of the resource. An example of this functionality:

customPlaybooks:
- name: "FilteredPodCreation"
  triggers:
    - on_pod_create:
        scope:
          include:
            - name:
              - my-pod.*
              - other
              namespace: ns1
              labels:
                - "foo=bar, boo=xx.*"
                - "foo=xx, boo=xx.*"
              attributes:
                - "status.phase=Pending, status.qosClass=BestEffort, metadata.resourceVersion != 123"
                - "spec.restartPolicy=OnFailure"
              annotations:
                - "foo=bar, boo=xx.*"
                - "foo=xx, boo=xx.*"
          exclude:
            - name:
              - woof.*

Note that attributes matching only supports exact equality (=) and inequality (!=); unlike the name, labels and annotations entries in the example above, attribute values are not matched as patterns. The left-hand side of each attributes condition is a path that selects a node in the resource document. It supports the usual constructs: following nested fields with the . operator and selecting the n-th element of a list with the [n] operator. The path language is considerably more versatile than that, as the implementation uses jsonpath-ng under the hood; see the jsonpath-ng documentation for the full syntax.
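As an added example that is not part of the Robusta documentation or project, the two playbooks below combine the ClusterRoleBinding and Secret triggers from this page with the scope filter described in this section to produce audit-style findings. The playbook names, the aggregation keys and the list of excluded namespaces are assumptions chosen for the example; the trigger names, the scope keys (include, exclude, attributes, namespace) and the create_finding parameters are the ones documented above.

```yaml
# Added example; not from the Robusta docs. Names and keys are assumed.
customPlaybooks:
# 1. RBAC escalation watch: a ClusterRoleBinding that is created, updated or
#    deleted while referencing the built-in cluster-admin ClusterRole.
#    roleRef.name is a field of every ClusterRoleBinding, so the attributes
#    filter can match it with exact equality (no pattern needed).
#    ClusterRoleBindings are cluster-scoped, so no namespace filter is used.
- name: "ClusterAdminBindingChanged"   # assumed playbook name
  triggers:
    - on_clusterrolebinding_all_changes:
        scope:
          include:
            - attributes:
                - "roleRef.name=cluster-admin"
  actions:
    - create_finding:
        title: "ClusterRoleBinding $name referencing cluster-admin was modified"
        aggregation_key: "ClusterRoleBinding_cluster_admin_modified"   # assumed key

# 2. Secret churn outside namespaces that rotate Secrets by design. Requires
#    kubewatch to be configured to watch Secrets (see Secret triggers above).
#    The title carries only metadata: findings go to sinks such as chat
#    channels, so Secret data must never be placed in one.
- name: "SecretChangedOutsideSystemNamespaces"   # assumed playbook name
  triggers:
    - on_secret_all_changes:
        scope:
          exclude:
            - namespace: kube-system   # assumed exclusion list; each entry
            - namespace: kube-public   # is a separate exclude matcher
  actions:
    - create_finding:
        title: "Secret $name in namespace $namespace was modified"
        aggregation_key: "Secret_modified"
```

The first playbook uses the all_changes trigger deliberately: a deleted cluster-admin binding is as interesting to an auditor as a new one, and the deleted object still carries roleRef.name, so the same attributes condition selects it. If you only want new grants, switch to on_clusterrolebinding_create. The second playbook relies on exclude rather than namespace_prefix because a prefix filter can only narrow to one namespace prefix, whereas exclude can drop several unrelated namespaces at once.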