tommeramber

---
- name: ocp test
  hosts: localhost #A must because the invenroty is empty
  gather_facts: false
  pre_tasks:
  #OCP login based on input
  - name: set oc login command based on input from user
    set_fact:
      oc_login: >-
      {% if env == "nocp" %}

tommeramber

apiVersion: v1
kind: Pod
metadata:
  name: rebooter-{{ problematic_node }}
  namespace: openshift-monitoring
spec:
  nodeName: {{ problematic_node }}
  hostPID: true
  restartPolicy: Never
  serviceAccountName: {{ privileged_sa }}

tommeramber

---
- name: playbook reacting to alerts nfs-stale OR node-health-check
  hosts: localhost
  gather_facts: false
  vars_prompt:
  - name: payload
    prompt: ""
    private: false
  
  pre_tasks:

tommeramber

# detect-nfs-stale
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: detect-nfs-stale
  namespace: openshift-monitoring
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1

tommeramber

---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: pvc-over-used
  namespace: openshift-monitoring
spec:
  groups:
  - name: cron-job-monitoring
    rules:

tommeramber

---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: pvc-over-used
  namespace: openshift-monitoring
spec:
  groups:
  - name: cron-job-monitoring
    rules:

tommeramber

- name: alertmanager events listener
  hosts: all
  
  sources:
  - name: eda alertmanager webhook
    ansible.eda.alertmanager:
      host: 0.0.0.0
      port: 9091
      
  rules:

tommeramber

apiVersion: v1
kind: ConfigMap
metadata:
  name: silence-alerts-script
  namespace: openshift-monitoring
data:
  runScript.sh: |
    #!/bin/bash
    oc -n openshift-monitoring exec alertmanager-main-0 -- amtool silence --alertmanager.url="http://localhost:9093" -o json | jq -r '.[].comment' >> /tmp/existing-silences.txt

tommeramber

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-cluster-admin-openshift-etcd-ns
  annotations:
    policies.kyverno.io/title: Block Cluster Admin on Openshift-etcd Namespace
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: RBAC
spec:
  validationFailureAction: enforce

tommeramber

for NAMESPACE in $(oc get namespace --no-headers | awk '{print $1}' | grep -v "openshift-*") ;
do
  oc get deployment,deploymentconfig -o name -n $NAMESPACE |\
  xargs -n 1 -I OBJECT oc get OBJECT -o json -n $NS 2>/dev/null |\
  jq -r 'select(.spec.template.spec.containers[].securityContext!={}) |
  "Kind: " + .metadata.kind,
  "NAME: " + .metadata.name,
  "NAMESPACE: " + .metadata.namespace,
  "To see the exact SCC, run:",
  "oc get " + .kind + " " + .metadata.name + " -n " .metadata.namespace + " -o jsonpath={.spec.template.spec.containers[].securityContext} | jq .",