Multi-team alert routing for base alerts

One option is to modify the alert queries to join the kube_namespace_labels metric to the result, such that the information therein can be used in the (statically defined) routing rules. This implies that namespace ownership is configured by setting a specific label on the namespace in question. No suitable label currently exists, so all components would need to be updated to provide one, for example based on component ownership.

However, not all alert rules have the namespace label, since not all are namespace scoped. Blindly joining the namespace label metric will therefore lead to some broken alerts. This problem can be solved by creating a new configuration option in component-openshift4-monitoring, in which a list of alerts and a list of labels can be specified. All listed alert rules will be modified to append the listed labels.

component-openshift4-monitoring already modifies the base OpenShift alert rules by creating copies of them. Modifying the alert rules in this way would be straightforward. The challenging part is figuring out which rules to modify, which would be specified through configuration. The alert routing rules will still be configured in the same way as they presently are.

If the modified alert queries are written in such a way that the ownership team label is renamed to syn_team, the existing alert routing rules should work without modification.

With this option, namespace ownership is inferred from component ownership: Components with a dedicated team for operative responsibility should be configured with a syn.teams label, and components generally have a namespace label already. From this, a mapping between namespaces and teams can be inferred from the cluster hierarchy.

component-openshift4-monitoring would then generate routing rules for each team, which match any alerts where the namespace label is present and matches one of the team’s namespaces.

With this approach, the routing rules would be generated by component-openshift4-monitoring. Previously, they were configured statically (though still through the component) by specifying parameters.openshift4_monitoring.alertManagerConfig. In our setup, this configuration is provided as a template in commodore-defaults, and is included into the cluster hierarchy where necessary.

component-openshift4-monitoring should expose a way to configure which team’s alerts should go to which alert receiver, so it can generate the rules accordingly. There should be a default receiver, for teams where no explicit receiver was provided. The new configuration can continue to be provided as a global template.

If the complete new configuration can be provided under parameters.openshift4_monitoring.alertManagerConfig, tenant repos won’t require any changes. Only commodore-defaults will need to be updated with the new configuration.