Skip to content

Enable cost-management in stone-prod-p01 #9358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Dec 4, 2025
+619 −0
Merged

Enable cost-management in stone-prod-p01 #9358

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ac84f0f
Enable cost-management in prod
Nov 26, 2025
340c70c
Apply cost management policies to stone-prod-p01 in prod
Dec 3, 2025
aa2a85e
Merge branch 'main' into add_prod_cost_cluster
raks-tt Dec 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions components/policies/production/base/cost-management/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- propagate-cost-management-labels/
- validate-cost-management-labels/
9 changes: 9 additions & 0 deletions ...gement/propagate-cost-management-labels/.chainsaw-test/chainsaw-assert-clusterpolicy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: propagate-cost-management-labels
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
195 changes: 195 additions & 0 deletions ...n/base/cost-management/propagate-cost-management-labels/.chainsaw-test/chainsaw-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,195 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: label-propagation-valid-cost-center
spec:
concurrent: false
description: |
tests that the labels are correctly set on pods in tenant namespace
that have the `cost-center` label
steps:
- name: Create namespaces for testing
try:
- create:
file: ./resources/namespace-cost-center.yaml
template: true
bindings:
- name: namespace
value: tenant
- name: cost_center
value: "670"
- name: Apply RBAC
try:
- apply:
file: ../kyverno-rbac.yaml
- name: Apply kyverno Cluster Policy and assert it exists
try:
- apply:
file: ../propagate-cost-management-labels.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
template: true
bindings:
- name: cluster_policy_name
value: propagate-cost-management-labels
- name: create pods in tenant
try:
- create:
file: ./resources/pod.yaml
bindings:
- name: namespace
value: tenant
template: true
- name: assert pods in the tenant are labeled
try:
- assert:
file: ./resources/expected-pod-matching.yaml
template: true
bindings:
- name: namespace
value: tenant
- name: cost_center
value: "670"
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: label-not-applied-random-ns
spec:
concurrent: false
description: |
tests that the label is not applied to pods in a non-tenant namespace
steps:
- name: Create namespaces for testing
try:
- create:
file: ./resources/namespace-nonmatching.yaml
- name: Apply RBAC
try:
- apply:
file: ../kyverno-rbac.yaml
- name: Apply kyverno Cluster Policy and assert it exists
try:
- apply:
file: ../propagate-cost-management-labels.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
template: true
bindings:
- name: cluster_policy_name
value: propagate-cost-management-labels
- name: create pods in random-ns
try:
- create:
file: ./resources/pod.yaml
template: true
bindings:
- name: namespace
value: random-ns
- name: assert pods in random-ns are not labeled
try:
- assert:
file: ./resources/pod.yaml
template: true
bindings:
- name: namespace
value: random-ns
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: rule-not-applied-to-rhtap-releng-tenant
spec:
concurrent: false
description: |
Tests that the Kyverno policy does not apply to pods in managed tenant namespaces.
steps:
- name: Create a managed namespace
try:
- create:
file: ./resources/namespace-no-cost-center.yaml
template: true
bindings:
- name: namespace
value: rhtap-releng-tenant
- name: Apply RBAC
try:
- apply:
file: ../kyverno-rbac.yaml
- name: Apply Kyverno Cluster Policy and assert it exists
try:
- apply:
file: ../propagate-cost-management-labels.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
template: true
bindings:
- name: cluster_policy_name
value: propagate-cost-management-labels
- name: Create a pod in the namespace
try:
- create:
file: ./resources/pod.yaml
template: true
bindings:
- name: namespace
value: rhtap-releng-tenant
- name: Assert pod in namespace is not labeled
try:
- assert:
resource:
apiVersion: v1
kind: Pod
metadata:
name: demo-pod
namespace: rhtap-releng-tenant
labels: {}
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: create-pod-in-tenant-namespace-without-cost-center
spec:
concurrent: false
description: |
Tests that it is possible to create a pod in an existing tenant namespace
that does not have the `cost-center` label.
steps:
- name: Create a tenant namespace without cost-center label
try:
- create:
file: ./resources/namespace-no-cost-center.yaml
template: true
bindings:
- name: namespace
value: tenant-no-cost-center
- name: Apply RBAC
try:
- apply:
file: ../kyverno-rbac.yaml
- name: Apply Kyverno Cluster Policy and assert it exists
try:
- apply:
file: ../propagate-cost-management-labels.yaml
- assert:
file: chainsaw-assert-clusterpolicy.yaml
template: true
bindings:
- name: cluster_policy_name
value: propagate-cost-management-labels
- name: Create a pod in the tenant namespace without cost-center label
try:
- create:
file: ./resources/pod.yaml
template: true
bindings:
- name: namespace
value: tenant-no-cost-center
- name: Assert pod in tenant namespace is created successfully
try:
- assert:
file: ./resources/pod.yaml
template: true
bindings:
- name: namespace
value: tenant-no-cost-center
8 changes: 8 additions & 0 deletions ...ment/propagate-cost-management-labels/.chainsaw-test/resources/expected-pod-matching.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Pod
metadata:
name: demo-pod
namespace: ($namespace)
labels:
cost-center: ($cost_center)
cost_management_optimizations: "true"
8 changes: 8 additions & 0 deletions ...ment/propagate-cost-management-labels/.chainsaw-test/resources/namespace-cost-center.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: ($namespace)
labels:
konflux-ci.dev/type: tenant
cost-center: ($cost_center)
cost_management_optimizations: "true"
6 changes: 6 additions & 0 deletions ...t/propagate-cost-management-labels/.chainsaw-test/resources/namespace-no-cost-center.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: ($namespace)
labels:
konflux-ci.dev/type: tenant
4 changes: 4 additions & 0 deletions ...ment/propagate-cost-management-labels/.chainsaw-test/resources/namespace-nonmatching.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: random-ns
11 changes: 11 additions & 0 deletions ...n/base/cost-management/propagate-cost-management-labels/.chainsaw-test/resources/pod.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: demo-pod
namespace: ($namespace)
labels:
app: test-app
spec:
containers:
- name: test-container
image: nginx
5 changes: 5 additions & 0 deletions ...icies/production/base/cost-management/propagate-cost-management-labels/kustomization.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- propagate-cost-management-labels.yaml
- kyverno-rbac.yaml
16 changes: 16 additions & 0 deletions ...licies/production/base/cost-management/propagate-cost-management-labels/kyverno-rbac.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno-admission-propagate-cost-management-labels
labels:
rbac.kyverno.io/aggregate-to-admission-controller: "true"
rules:
- apiGroups:
- ""
resources:
- pods
- namespaces
verbs:
- list
- get
56 changes: 56 additions & 0 deletions ...se/cost-management/propagate-cost-management-labels/propagate-cost-management-labels.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: propagate-cost-management-labels
annotations:
policies.kyverno.io/title: Propagate Cost-Center from Namespace
policies.kyverno.io/category: Cost Management
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Propagates the `cost-center` label from non-managed tenant namespaces to pods,
and sets the `cost_management_optimizations` label to `true` on those pods.
spec:
webhookConfiguration:
failurePolicy: Ignore
rules:
- name: propagate-existing-cost-center-from-namespace
skipBackgroundRequests: true
match:
any:
- resources:
kinds:
- Pod
namespaceSelector:
matchLabels:
konflux-ci.dev/type: tenant
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
# managed tenant namespaces
- rhtap-releng-tenant
- rh-managed-bifrost-tenant
- rh-managed-cnv-fbc-tenant
- rh-managed-mng-s-2-tenant
- rh-managed-red-hat-acm-tenant
- rh-managed-rhtap-ser-tenant
- rhel-on-gitlab-tenant
context:
- name: costcenterLabel
apiCall:
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}"
method: GET
jmesPath: "metadata.labels.\"cost-center\" || '' "
preconditions:
all:
- key: "{{ costcenterLabel }}"
operator: NotEquals
value: ""
mutate:
patchStrategicMerge:
metadata:
labels:
cost-center: "{{ costcenterLabel }}"
cost_management_optimizations: "true"
9 changes: 9 additions & 0 deletions ...agement/validate-cost-management-labels/.chainsaw-test/chainsaw-assert-clusterpolicy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate-cost-management-labels
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
Loading
Loading