Merge pull request #629 from openshift-cherrypick-robot/cherry-pick-6…

…23-to-release-4.11

[release-4.11] ROKS v4.11: Add missing PodSecurityViolation alert

assets/cluster-bootstrap/podsecurity-alert.yaml

@@ -0,0 +1,25 @@
+# Source: https://raw.githubusercontent.com/openshift/cluster-kube-apiserver-operator/release-4.11/bindata/assets/alerts/podsecurity-violations.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: podsecurity
+  namespace: openshift-kube-apiserver
+spec:
+  groups:
+  - name: pod-security-violation
+    rules:
+    - alert: PodSecurityViolation
+      annotations:
+        summary: One or more workloads users created in the cluster don't match their Pod Security profile
+        description: >-
+          A workload (pod, deployment, deamonset, ...) was created somewhere in the cluster but it
+          did not match the PodSecurity "{{ `$labels.policy_level` }}" profile defined by its namespace either via the cluster-wide
+          configuration (which triggers on a "restricted" profile violations) or by the namespace
+          local Pod Security labels.
+          Refer to Kubernetes documentation on Pod Security Admission to learn more about these
+          violations.
+      expr: |
+        sum(increase(pod_security_evaluations_total{decision="deny",mode="audit",resource="pod"}[1d])) by (policy_level) > 0
+      labels:
+        namespace: openshift-kube-apiserver
+        severity: info