From bcb0ba997423073238f987e9535b0849579a1cb2 Mon Sep 17 00:00:00 2001
From: Antoine Legrand <2t.antoine@gmail.com>
Date: Thu, 14 Dec 2017 17:13:50 +0100
Subject: [PATCH] Add cert expiration rules

---
 assets/prometheus/rules/kubernetes.rules.yaml  | 14 ++++++++++++++
 manifests/prometheus/prometheus-k8s-rules.yaml | 14 ++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/assets/prometheus/rules/kubernetes.rules.yaml b/assets/prometheus/rules/kubernetes.rules.yaml
index 537079a4..f961ce6b 100644
--- a/assets/prometheus/rules/kubernetes.rules.yaml
+++ b/assets/prometheus/rules/kubernetes.rules.yaml
@@ -84,3 +84,17 @@ groups:
     annotations:
       description: No API servers are reachable or all have disappeared from service
         discovery
+
+  - alert: K8sCertificateExpirationNotice
+    labels:
+      severity: warning
+    annotations:
+      description: Kubernetes API Certificate is expiring soon (less than 7 days)
+    expr: sum(apiserver_client_certificate_expiration_seconds_bucket{le="604800"}) > 0
+
+  - alert: K8sCertificateExpirationNotice
+    labels:
+      severity: critical
+    annotations:
+      description: Kubernetes API Certificate is expiring in less than 1 day
+    expr: sum(apiserver_client_certificate_expiration_seconds_bucket{le="86400"}) > 0
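Review bot: Both `expr` lines compare a cumulative histogram bucket with zero, so once the API server has observed a single request authenticated with a client certificate inside the window, `sum(..._bucket{le="604800"}) > 0` stays true until the process restarts and the alert cannot resolve; an alert that never clears tends to get silenced, which defeats the expiry monitoring. Evaluating the buckets over a time window would let it clear, for example `expr: histogram_quantile(0.01, sum by (le) (rate(apiserver_client_certificate_expiration_seconds_bucket[5m]))) < 604800`, with `< 86400` for the critical rule. The metric records the remaining lifetime of client certificates presented to the API server, not the server's own certificate, so the annotation would be more accurate as `description: A client certificate used to authenticate to the API server expires in less than 7 days`. The same two rules are repeated in the manifests/prometheus/prometheus-k8s-rules.yaml hunk and need the same change.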
diff --git a/manifests/prometheus/prometheus-k8s-rules.yaml b/manifests/prometheus/prometheus-k8s-rules.yaml
index b844d160..d563a571 100644
--- a/manifests/prometheus/prometheus-k8s-rules.yaml
+++ b/manifests/prometheus/prometheus-k8s-rules.yaml
@@ -469,6 +469,20 @@ data:
         annotations:
           description: No API servers are reachable or all have disappeared from service
             discovery
+    
+      - alert: K8sCertificateExpirationNotice
+        labels:
+          severity: warning
+        annotations:
+          description: Kubernetes API Certificate is expiring soon (less than 7 days)
+        expr: sum(apiserver_client_certificate_expiration_seconds_bucket{le="604800"}) > 0
+    
+      - alert: K8sCertificateExpirationNotice
+        labels:
+          severity: critical
+        annotations:
+          description: Kubernetes API Certificate is expiring in less than 1 day
+        expr: sum(apiserver_client_certificate_expiration_seconds_bucket{le="86400"}) > 0
   node.rules.yaml: |+
     groups:
     - name: node.rules
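Review bot: The two blank added lines in this hunk, one before each `- alert:` entry, carry four trailing spaces, whereas the matching blank line in the assets hunk is empty; they would be cleaner as empty lines so that whitespace checks pass. The rules here appear to be an embedded copy of assets/prometheus/rules/kubernetes.rules.yaml (presumably inside a block scalar like the `node.rules.yaml: |+` one that follows), so if this manifest is generated from that file, regenerating it rather than editing by hand would keep the two copies in step.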
-- 
GitLab