Alert exception

An alert exception resource is a filter that hides specific alerts from users in Calico Cloud Manager UI. You can filter alerts by time range or indefinitely. If an alert exception expires, alerts will reappear in Manager UI.

For kubectl commands, the following case-insensitive aliases can be used to specify the resource type on the CLI: alertexception.projectcalico.org, alertexceptions.projectcalico.org and abbreviations such as alertexception.p and alertexceptions.p.

Sample YAML

apiVersion: projectcalico.org/v3
kind: AlertException
metadata:
  name: sample
spec:
  description: 'Sample alert exception'
  selector: origin = "<desired alert origin>" and source_namespace = "<desired source namespace>"
  startTime: '2022-01-02T00:00:00Z'
  endTime: '2022-01-03T00:00:00Z'

Alert exception definition

| Field | Description | Accepted Values | Schema |
| --- | --- | --- | --- |
| name | The name of this alert exception. | Alphanumeric string with optional ., _, or -. | string |

Spec

| Field | Description | Type | Required | Acceptable Values |
| --- | --- | --- | --- | --- |
| description | Human-readable description of the alert exception. | string | yes | |
| selector | Selects alerts to filter from Calico Cloud Manager UI queries. | string | yes | selector |
| startTime | Defines the start time from which this alert exception will start filtering alerts. | Date in RFC 3339 format | yes | startTime |
| endTime | Defines the end time at which this alert exception will stop filtering alerts. | Date in RFC 3339 format | | endTime |

Selector

A selector is an expression that matches alerts based on their fields. For each alert, origin and type fields are automatically set by the applicable component, but other fields can be empty.

| Field | Description |
| --- | --- |
| origin | User specified or generated names from Calico Cloud threat defense components. |
| type | Calico Cloud threat defense components an alert is generated from. |
| host | Name of the node that triggers this alert. |
| dest_ip | IP address of the destination pod. |
| dest_name | Name of the destination pod. |
| dest_name_aggr | Aggregated name of the destination pod. |
| dest_namespace | Namespace of the destination endpoint. A - means the endpoint is not namespaced. |
| source_ip | IP address of the source pod. |
| source_name | Name of the source pod. |
| source_name_aggr | Aggregated name of the source pod. |
| source_namespace | Namespace of the source endpoint. A - means the endpoint is not namespaced. |

The selector also supports logical operators, which can be combined into larger expressions.

| Expression | Meaning |
| --- | --- |
| <expression 1> AND <expression 2> | Matches if and only if both <expression 1> and <expression 2> match. |
| <expression 1> OR <expression 2> | Matches if and only if either <expression 1> or <expression 2> matches. |

StartTime

Defines, in RFC 3339 format, the time at which this alert exception starts filtering alerts. This value is required.

EndTime

Defines, in RFC 3339 format, the time at which this alert exception stops filtering alerts. If omitted, alerts are filtered indefinitely. If the value is changed to a time in the past, this alert exception is disabled immediately.
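The StartTime and EndTime rules above decide which exceptions are hiding alerts at a given moment, so it is worth auditing them periodically. The following Python is an added example, not Calico Cloud code: it classifies each exception in a document shaped like the output of `kubectl get alertexceptions.p -o json` and lists those with no endTime. The sample data, the function names, and the choice to evaluate the window against the current time are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample shaped like `kubectl get alertexceptions.p -o json` (description omitted).
SAMPLE = {"items": [
    {"metadata": {"name": "maintenance"}, "spec": {
        "selector": 'origin = "example-origin" and source_namespace = "build"',
        "startTime": "2022-01-02T00:00:00Z", "endTime": "2022-01-03T00:00:00Z"}},
    {"metadata": {"name": "noisy-scanner"}, "spec": {
        "selector": 'source_namespace = "scanners"',
        "startTime": "2021-12-01T00:00:00Z"}},
    {"metadata": {"name": "old-incident"}, "spec": {
        "selector": 'dest_namespace = "legacy"',
        "startTime": "2021-11-01T00:00:00Z", "endTime": "2021-11-05T00:00:00Z"}},
    {"metadata": {"name": "planned"}, "spec": {
        "selector": 'host = "node-1"',
        "startTime": "2022-02-01T00:00:00Z", "endTime": "2022-02-02T00:00:00Z"}},
]}

def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; a trailing Z means UTC."""
    if value[-1] in "Zz":
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def classify(spec, now):
    """Return expired, pending, active or indefinite for one spec at `now`."""
    end = spec.get("endTime")
    if end and parse_rfc3339(end) <= now:
        return "expired"    # endTime in the past: no longer filtering
    if now < parse_rfc3339(spec["startTime"]):
        return "pending"    # startTime not reached yet
    return "active" if end else "indefinite"  # no endTime: never expires

def audit(doc, now):
    """Map each exception name to (status, selector)."""
    return {i["metadata"]["name"]: (classify(i["spec"], now), i["spec"]["selector"])
            for i in doc["items"]}

def needs_review(doc, now):
    """Names of exceptions that hide alerts with no expiry."""
    return sorted(n for n, (s, _) in audit(doc, now).items() if s == "indefinite")

if __name__ == "__main__":
    for name, (status, selector) in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{name:15} {status:11} {selector}")
```

To audit a live cluster, pass the parsed JSON from `kubectl get alertexceptions.p -o json` to `audit` in place of `SAMPLE`.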