Add policy Collect Debug Information for Pods in CrashLoopBackOff

other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-1.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+  name: kyverno:background-controller-generate
+rules:
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["create", "get", "list", "watch", "update", "delete"]

other/get-debug-information/.chainsaw-test/chainsaw-step-00-apply-2.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log", "events"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-pods-rolebinding
+subjects:
+- kind: Group
+  name: system:serviceaccounts
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: pod-reader
+  apiGroup: rbac.authorization.k8s.io

other/get-debug-information/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: get-debug-data
+spec:
+  steps:
+  - name: step-00
+    try:
+    - apply:
+        file: chainsaw-step-00-apply-1.yaml
+    - apply:
+        file: chainsaw-step-00-apply-2.yaml    
+  - name: step-01
+    try:
+    - script:
+        content: |
+          if kubectl get configmap kyverno -n kyverno -o jsonpath='{.data.excludeGroups}' | grep -q 'system:nodes'; then
+            kubectl patch configmap kyverno -n kyverno --type=json -p='[{"op": "remove", "path": "/data/excludeGroups"}]'
+          else
+            echo "excludeGroups: system:nodes does not exist in the configmap."
+          fi
+  - name: step-02
+    try: 
+    - apply:
+        file: ../collect-debug-information.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: ns.yaml
+    - apply:
+        file: depl-readonlyrootfs.yaml
+  - name: step-04
+    try: 
+    - sleep:
+        duration: 60s    
+    - assert:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            labels:
+              app.kubernetes.io/managed-by: kyverno
+              deleteme: allow
+            namespace: abc

other/get-debug-information/.chainsaw-test/depl-readonlyrootfs.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: abc
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx-container
+        image: nginx:latest
+        ports:
+        - containerPort: 80
+        securityContext:
+          readOnlyRootFilesystem: true

other/get-debug-information/.chainsaw-test/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: abc

other/get-debug-information/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: get-debug-data-policy
+status:
+  ready: true

other/get-debug-information/artifacthub-pkg.yml

@@ -0,0 +1,20 @@
+name: get-debug-information
+version: 1.0.0
+displayName: Collect debug information for pods in crashloopback
+createdAt: "2024-07-25T20:30:05.000Z"
+description: "This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in crashloopback and have 3 restarts. This data can further be used to automatically create a jira issue using some kind of automation or another Kyverno policy. For more information on the permissions needed to run the job created by the policy and how the image used in this policy was built, see https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data."
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/get-debug-information/collect-debug-information.yaml
+  ```
+keywords:
+- kyverno
+- Sample
+readme: |
+  This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in crashloopback and have 3 restarts. This data can further be used to automatically create a jira issue using some kind of automation or another Kyverno policy. For more information on the permissions needed to run the job created by the policy and how the image used in this policy was built, see https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample"
+  kyverno/subject: "Pod"
+digest: 88b237e3eee9dface6d34ae3a6c93106db988cd9d9b68f3f6ae3de542037d8e1

other/get-debug-information/collect-debug-information.yaml

@@ -0,0 +1,82 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: get-debug-data-policy
+  annotations:
+    policies.kyverno.io/title: Collect Debug Information for Pods in CrashLoopBackOff
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11.5
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/description: >-
+      This policy generates a job which gathers troubleshooting data (including logs, kubectl describe output and events from the namespace) from pods that are in CrashLoopBackOff and have 3 restarts. This data can further be used to automatically create a Jira issue using some kind of automation or another Kyverno policy. For more information on the image used in this policy, see https://github.com/nirmata/SRE-Operational-Usecases/tree/main/get-troubleshooting-data/get-debug-data. 
+spec:
+  rules:
+  - name: get-debug-data-policy-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - v1/Pod.status
+    context:
+    - name: pdcount
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{request.namespace}}/pods?labelSelector=requestpdname=pod-{{request.object.metadata.name}}"
+        jmesPath: "items | length(@)"
+    preconditions:
+      all:
+      - key: "{{ sum(request.object.status.containerStatuses[*].restartCount || `0`) }}"
+        operator: Equals
+        value: 3
+      - key: "{{ request.object.metadata.labels.deleteme || 'empty' }}"
+        operator: Equals
+        value: "empty"
+      - key: "{{ pdcount }}"
+        operator: Equals
+        value: 0
+    generate:
+      apiVersion: batch/v1
+      kind: Job
+      name: get-debug-data-{{request.object.metadata.name}}-{{ random('[0-9a-z]{8}') }}
+      namespace: "{{request.namespace}}"
+      synchronize: false
+      data:
+        metadata:
+          labels:
+            deleteme: allow
+        spec:
+          template:
+            metadata:
+              labels:
+                app: my-app
+                deleteme: allow
+                requestpdname: "pod-{{request.object.metadata.name}}"
+            spec:
+              restartPolicy: OnFailure
+              containers:
+              - name: my-container
+                image: sagarkundral/my-python-app:v52
+                ports:
+                - containerPort: 8080
+                volumeMounts:
+                - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+                  name: token
+                  readOnly: true
+                args:
+                - "/app/get-debug-jira-v2.sh"
+                - "{{request.namespace}}"
+                - "{{request.object.metadata.name}}"
+              volumes:
+              - name: token
+                projected:
+                  defaultMode: 420
+                  sources:
+                  - serviceAccountToken:
+                      expirationSeconds: 3607
+                      path: token
+                  - configMap:
+                      items:
+                      - key: ca.crt
+                        path: ca.crt
+                      name: kube-root-ca.crt