chore: address review comments

XRFXLP · XRFXLP · commit 2426e16033d9 · 2025-11-17T16:01:09.000+05:30
Signed-off-by: Ajay Mishra &lt;ajmishra@nvidia.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -106,6 +106,9 @@ jobs:
           - component: syslog-health-monitor
             make_command: 'make -C health-monitors/syslog-health-monitor docker-publish'
             container_name: 'nvsentinel/syslog-health-monitor'
+          - component: kubernetes-object-monitor
+            make_command: 'make -C health-monitors/kubernetes-object-monitor docker-publish'
+            container_name: 'nvsentinel/kubernetes-object-monitor'
           - component: metadata-collector
             make_command: 'make -C metadata-collector docker-publish'
             container_name: 'nvsentinel/metadata-collector'
diff --git a/distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml b/distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/templates/clusterrole.yaml
@@ -12,6 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+{{- $resourcesByGroup := dict -}}
+{{- range .Values.policies -}}
+  {{- $group := .resource.group | default "" -}}
+  {{- $kind := .resource.kind | lower -}}
+  {{- $resource := printf "%ss" $kind -}}
+  {{- $existing := index $resourcesByGroup $group | default list -}}
+  {{- if not (has $resource $existing) -}}
+    {{- $updated := append $existing $resource -}}
+    {{- $_ := set $resourcesByGroup $group $updated -}}
+  {{- end -}}
+{{- end -}}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -29,3 +41,18 @@ rules:
       - watch
       - patch
       - update
+
+  {{- range $group, $resources := $resourcesByGroup }}
+  {{- if ne $group "" }}
+  - apiGroups:
+      - {{ $group | quote }}
+    resources:
+      {{- range $resources }}
+      - {{ . }}
+      {{- end }}
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- end }}
diff --git a/distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/values.yaml b/distros/kubernetes/nvsentinel/charts/kubernetes-object-monitor/values.yaml
@@ -30,6 +30,9 @@ podAnnotations: {}
 maxConcurrentReconciles: 1
 resyncPeriod: 5m
 
+# RBAC permissions are automatically generated based on the resources defined in policies.
+# Nodes always get write permissions (patch/update) for annotations.
+# All other resources get read-only permissions (get/list/watch).
 policies:
   - name: node-not-ready
     enabled: true
@@ -48,6 +51,45 @@ policies:
       errorCode:
         - NODE_NOT_READY
 
+  # Example: Monitor a custom resource (e.g., a GPU Job)
+  # Uncomment and modify to monitor your own custom resources
+  #
+  # - name: gpu-job-failed
+  #   enabled: true
+  #   resource:
+  #     group: batch.example.com
+  #     version: v1alpha1
+  #     kind: GPUJob
+  #   predicate:
+  #     # CEL expression to detect unhealthy state
+  #     # Access the resource via 'resource' variable
+  #     expression: |
+  #       has(resource.status.state) && resource.status.state == "Failed"
+  #   nodeAssociation:
+  #     # Optional: CEL expression to map this resource to a specific node
+  #     # This is useful for resources that run on specific nodes
+  #     
+  #     # Example 1: Direct node reference
+  #     expression: resource.spec.nodeName
+  #     
+  #     # Example 2: Use lookup() to find the node from a related Pod
+  #     # Useful when monitoring resources that reference other resources
+  #     # expression: |
+  #     #   lookup('v1', 'Pod', resource.metadata.namespace, resource.spec.podName).spec.nodeName
+  #     
+  #     # Example 3: Chain lookup() calls to traverse multiple resources
+  #     # expression: |
+  #     #   lookup('v1', 'Node', '', 
+  #     #     lookup('v1', 'Pod', resource.metadata.namespace, resource.status.podName).spec.nodeName
+  #     #   ).metadata.name
+  #   healthEvent:
+  #     componentClass: GPU
+  #     isFatal: false
+  #     message: "GPU job failed on node"
+  #     recommendedAction: CONTACT_SUPPORT
+  #     errorCode:
+  #       - GPU_JOB_FAILED
+
 resources:
   requests:
     cpu: 100m
diff --git a/distros/kubernetes/nvsentinel/values.yaml b/distros/kubernetes/nvsentinel/values.yaml
@@ -54,6 +54,8 @@ global:
     cleanupMetricsPort: 9002
   mongodbStore:
     enabled: false
+  kubernetesObjectMonitor:
+    enabled: false
 
 platformConnector:
   image:
