---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  creationTimestamp: "2026-02-17T12:42:33Z"
  generation: 1
  labels:
    hypershift.openshift.io/managed: "true"
  managedFields:
  - apiVersion: monitoring.coreos.com/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:hypershift.openshift.io/managed: {}
      f:spec:
        .: {}
        f:groups:
          .: {}
          k:{"name":"pod-security-violation"}:
            .: {}
            f:name: {}
            f:rules: {}
    manager: hosted-cluster-config-operator-manager
    operation: Update
    time: "2026-02-17T12:42:33Z"
  name: podsecurity
  namespace: openshift-kube-apiserver
  resourceVersion: "1811"
  uid: 5a9d4b7f-9fdf-4b7c-96c4-d70e80ce31b0
spec:
  groups:
  - name: pod-security-violation
    rules:
    - alert: PodSecurityViolation
      annotations:
        description: A workload (pod, deployment, daemonset, ...) was created somewhere
          in the cluster but it did not match the PodSecurity "{{ $labels.policy_level
          }}" profile defined by its namespace either via the cluster-wide configuration
          (which triggers on a "restricted" profile violations) or by the namespace
          local Pod Security labels. Refer to Kubernetes documentation on Pod Security
          Admission to learn more about these violations.
        summary: One or more workloads users created in the cluster don't match their
          Pod Security profile
      expr: |
        sum(increase(pod_security_evaluations_total{decision="deny",mode="audit",resource="pod",ocp_namespace=""}[1d])) by (policy_level, ocp_namespace) > 0
      labels:
        namespace: openshift-kube-apiserver
        severity: info
    - alert: PodSecurityViolation
      annotations:
        description: A workload (pod, deployment, daemonset, ...) was created in namespace
          "{{ $labels.ocp_namespace }}" but it did not match the PodSecurity "{{ $labels.policy_level
          }}" profile defined by its namespace either via the cluster-wide configuration
          (which triggers on a "restricted" profile violations) or by the namespace
          local Pod Security labels. Refer to Kubernetes documentation on Pod Security
          Admission to learn more about these violations.
        summary: One or more workloads in platform namespaces of the cluster don't
          match their Pod Security profile
      expr: |
        sum(increase(pod_security_evaluations_total{decision="deny",mode="audit",resource="pod",ocp_namespace!=""}[1d])) by (policy_level, ocp_namespace) > 0
      labels:
        namespace: openshift-kube-apiserver
        severity: info