From datum-platform
Covers proactive issue detection using the Insights system. Use when implementing InsightPolicy resources with CEL-based rules to automatically detect misconfigurations, health issues, or security concerns.
```bash
npx claudepluginhub datum-cloud/claude-code-plugins --plugin datum-platform
```
This skill uses the workspace's default tool permissions.
This skill covers insights integration for Datum Cloud services using the Insights system.
The Insights system is a declarative, policy-driven, Kubernetes-native platform for proactively detecting issues in resources. It provides:
Key insight: Services don't detect issues programmatically. Instead, services define InsightPolicy resources with CEL expressions that describe what conditions warrant an insight.
All insights resources use the insights.miloapis.com API group with version v1alpha1.
The insights system has three resource types:
| Resource | Scope | Purpose |
|---|---|---|
| Insight | Namespaced | A detected issue or finding about a resource |
| InsightPolicy | Namespaced | CEL-based rules that generate insights automatically |
| InsightMuteRule | Namespaced | Suppress insights matching certain criteria |
Services integrate by creating InsightPolicy resources that define rules for detecting issues. The insights system automatically:
Insight resources when conditions match

```yaml
apiVersion: insights.miloapis.com/v1alpha1
kind: InsightPolicy
metadata:
  name: myresource-config-issues
  namespace: myservice-system
spec:
  targetSelector:
    apiVersion: myservice.miloapis.com/v1alpha1
    kind: MyResource
  rules:
    - name: config-conflict
      condition: "object.spec.fieldA == 'value1' && object.spec.fieldB == 'incompatible'"
      severity: warning
      category: configuration
      message: "MyResource {{ object.metadata.name }} has conflicting configuration"
      description: "fieldA is set to 'value1' which is incompatible with fieldB 'incompatible'. Set fieldB to 'compatible' to resolve."
    - name: missing-required-field
      condition: "!has(object.spec.requiredField) || object.spec.requiredField == ''"
      severity: critical
      category: configuration
      message: "MyResource {{ object.metadata.name }} is missing required field"
      description: "The requiredField must be set for the resource to function correctly."
```
```yaml
# config/insights/kustomization.yaml
resources:
  - myresource-config-issues.yaml
```
```bash
kubectl get insightpolicies -n myservice-system
kubectl get insights -A  # See generated insights
```
| Field | Type | Description |
|---|---|---|
| targetSelector | TargetSelector | Which resources this policy applies to |
| rules | []InsightRule | Rules that generate insights |
| suspended | bool | Stops generating new insights when true |
```yaml
targetSelector:
  apiVersion: myservice.miloapis.com/v1alpha1
  kind: MyResource
  labelSelector:        # Optional: filter by labels
    matchLabels:
      environment: production
  namespaces:           # Optional: limit to specific namespaces
    - production
    - staging
```
| Field | Type | Description |
|---|---|---|
| name | string | Unique identifier for the rule (lowercase, hyphenated) |
| condition | string | CEL expression that returns true when insight should exist |
| severity | enum | info, warning, or critical |
| category | string | Classification (e.g., configuration, security, performance) |
| message | string | Short summary with CEL template support {{ expr }} |
| description | string | Detailed explanation with CEL template support |
| ttlSeconds | int64 | Optional time-to-live for generated insights |
In condition, message, and description expressions:
| Variable | Description |
|---|---|
| object | The resource being evaluated |
| object.metadata | Resource metadata (name, namespace, labels, etc.) |
| object.spec | Resource spec |
| object.status | Resource status |
Insights are created automatically by InsightPolicy rules or manually.
```yaml
apiVersion: insights.miloapis.com/v1alpha1
kind: Insight
metadata:
  name: insight-abc123
  namespace: my-project
spec:
  targetRef:
    apiVersion: myservice.miloapis.com/v1alpha1
    kind: MyResource
    name: my-resource
    namespace: my-project
  severity: warning
  category: configuration
  message: "MyResource my-resource has conflicting configuration"
  description: "fieldA is set to 'value1' which is incompatible..."
  source:
    type: Policy
    policyRef:
      name: myresource-config-issues
      namespace: myservice-system
      ruleName: config-conflict
  ttlSeconds: 0  # 0 = never expires
status:
  state: Active  # Active, Acknowledged, Snoozed, Resolved
  owner:  # Who is responsible
    type: user
    name: alice@example.com
  acknowledgement:  # If acknowledged
    by: { type: user, name: alice@example.com }
    at: "2024-01-15T10:00:00Z"
    note: "Looking into this"
  snooze:  # If snoozed
    by: { type: user, name: bob@example.com }
    at: "2024-01-15T10:00:00Z"
    until: "2024-01-16T10:00:00Z"
  assignment:  # If assigned
    by: { type: user, name: alice@example.com }
    to: { type: user, name: bob@example.com }
    at: "2024-01-15T10:00:00Z"
  resolution:  # If resolved
    by: { type: user, name: bob@example.com }
    at: "2024-01-16T10:00:00Z"
    note: "Fixed the configuration"
  muted: false  # Whether muted by a mute rule
  targetExists: true  # Whether target resource still exists
```
| State | Meaning |
|---|---|
| Active | Issue detected and needs attention |
| Acknowledged | Someone has seen it and is aware |
| Snoozed | Temporarily suppressed until a specified time |
| Resolved | Issue has been addressed |

| Severity | Meaning | Typical Use |
|---|---|---|
| info | Informational, optimization opportunity | Underutilization, cost savings |
| warning | Should address soon | Misconfigurations, deprecations |
| critical | Immediate action required | Security issues, failures |
Users interact with insights via subresources:
```bash
kubectl patch insight insight-abc123 --subresource=acknowledge \
  --type=merge -p '{"note": "I am looking into this"}'

kubectl patch insight insight-abc123 --subresource=snooze \
  --type=merge -p '{"duration": "4h"}'  # or {"until": "2024-01-16T10:00:00Z"}

kubectl patch insight insight-abc123 --subresource=resolve \
  --type=merge -p '{"note": "Fixed the configuration"}'

kubectl patch insight insight-abc123 --subresource=assign \
  --type=merge -p '{"assignee": {"type": "user", "name": "bob@example.com"}}'
```
Suppress insights that are known or expected.
```yaml
apiVersion: insights.miloapis.com/v1alpha1
kind: InsightMuteRule
metadata:
  name: mute-dev-info
  namespace: development
spec:
  match:
    severity: info
  reason: "Development namespace - info-level insights expected"
```

```yaml
apiVersion: insights.miloapis.com/v1alpha1
kind: InsightMuteRule
metadata:
  name: mute-known-issue
  namespace: my-project
spec:
  match:
    policyRef:
      name: myresource-config-issues
      namespace: myservice-system
      ruleName: config-conflict
  reason: "Known issue, fix scheduled for next sprint"
  expiresAt: "2024-02-01T00:00:00Z"  # Auto-expires
```
| Field | Description |
|---|---|
| policyRef | Mute insights from specific policy/rule |
| category | Mute insights of a specific category |
| targetRef | Mute insights about a specific resource |
| severity | Mute insights at or below this severity |
| labelSelector | Mute insights matching labels |
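Because a mute rule suppresses findings, it is worth reviewing which ones can hide critical or security insights indefinitely. The audit below is an added example, not part of the Insights project: it takes a list-style JSON export of InsightMuteRule objects (the first two items mirror the rules above, the last two are constructed), and the finding codes, the input shape and the placement of `ruleName` under `policyRef` are assumptions.

```python
import json

# Severity order used on this page; match.severity mutes "at or below" that level.
SEVERITY_ORDER = ["info", "warning", "critical"]

# Constructed sample: a JSON list of InsightMuteRule objects (shape is an assumption).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "mute-dev-info", "namespace": "development"},
  "spec": {"match": {"severity": "info"},
           "reason": "Development namespace - info-level insights expected"}},
 {"metadata": {"name": "mute-known-issue", "namespace": "my-project"},
  "spec": {"match": {"policyRef": {"name": "myresource-config-issues",
                                   "namespace": "myservice-system",
                                   "ruleName": "config-conflict"}},
           "reason": "Known issue, fix scheduled for next sprint",
           "expiresAt": "2024-02-01T00:00:00Z"}},
 {"metadata": {"name": "mute-everything", "namespace": "production"},
  "spec": {"match": {"severity": "critical"}, "reason": ""}},
 {"metadata": {"name": "mute-sec", "namespace": "staging"},
  "spec": {"match": {"category": "security"}, "reason": "noise",
           "expiresAt": "2024-02-01T00:00:00Z"}}
]}
""")

def muted_severities(level):
    """Severities covered by match.severity: the level itself and everything below."""
    return SEVERITY_ORDER[: SEVERITY_ORDER.index(level) + 1]

def audit_mute_rule(rule):
    """Return finding codes (hypothetical names) for one InsightMuteRule."""
    spec = rule.get("spec", {})
    match = spec.get("match", {})
    findings = []
    if not spec.get("expiresAt"):
        findings.append("no-expiry")          # mute never lapses on its own
    if not spec.get("reason", "").strip():
        findings.append("no-reason")          # nothing to review the mute against
    sev = match.get("severity")
    if sev in SEVERITY_ORDER and "critical" in muted_severities(sev):
        findings.append("covers-critical")    # "at or below critical" is every severity
    if match.get("category") == "security":
        findings.append("mutes-security")
    if set(match) <= {"severity"}:
        findings.append("namespace-wide")     # not narrowed by policy, target or labels
    return findings

def audit(doc):
    return {f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}': audit_mute_rule(r)
            for r in doc["items"]}
```
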
```yaml
rules:
  - name: invalid-replica-count
    condition: "object.spec.replicas < 1"
    severity: critical
    category: configuration
    message: "{{ object.kind }} {{ object.metadata.name }} has invalid replica count"
    description: "Replica count must be at least 1. Current value: {{ object.spec.replicas }}"
```

```yaml
rules:
  - name: not-ready
    condition: |
      object.status.conditions.exists(c,
        c.type == 'Ready' && c.status == 'False' &&
        timestamp(c.lastTransitionTime) < now() - duration('10m')
      )
    severity: warning
    category: health
    message: "{{ object.kind }} {{ object.metadata.name }} has been not ready for over 10 minutes"
```
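```yaml
rules:
  - name: privileged-container
    # has() guards: a container with no securityContext evaluates to false
    # instead of raising a CEL missing-field error.
    condition: |
      object.spec.template.spec.containers.exists(c,
        has(c.securityContext) && has(c.securityContext.privileged) &&
        c.securityContext.privileged == true
      )
    severity: critical
    category: security
    message: "{{ object.kind }} {{ object.metadata.name }} uses privileged containers"
    description: "Privileged containers are a security risk. Consider using specific capabilities instead."
```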
```yaml
rules:
  - name: no-resource-limits
    condition: |
      object.spec.template.spec.containers.exists(c,
        !has(c.resources.limits) || !has(c.resources.limits.memory)
      )
    severity: info
    category: optimization
    message: "{{ object.kind }} {{ object.metadata.name }} has containers without memory limits"
```
Ask:
Create policy files in config/insights/:
```
config/
└── insights/
    ├── kustomization.yaml
    ├── myresource-config.yaml     # Configuration issues
    ├── myresource-health.yaml     # Health checks
    └── myresource-security.yaml   # Security concerns
```
Use consistent categories across your service:
| Category | Use For |
|---|---|
| configuration | Invalid settings, conflicts |
| security | Security misconfigurations |
| health | Failures, degraded state |
| performance | Performance concerns |
| optimization | Cost savings, efficiency |
| compliance | Policy violations |
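A pre-commit style check of policy rules against the rule field table and the category list on this page. It is an added example, not the project's `scripts/validate-insights.sh`; the problem codes, the sample rules and the choice to treat an empty `condition` as an error are assumptions.

```python
import re

SEVERITIES = {"info", "warning", "critical"}
CATEGORIES = {"configuration", "security", "health",
              "performance", "optimization", "compliance"}
NAME_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")  # lowercase, hyphenated
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}")

# Constructed sample: the spec.rules list of an InsightPolicy.
SAMPLE_RULES = [
    {"name": "config-conflict", "severity": "warning", "category": "configuration",
     "condition": "object.spec.fieldA == 'value1'",
     "message": "MyResource {{ object.metadata.name }} has conflicting configuration"},
    {"name": "Privileged_Container", "severity": "high", "category": "security",
     "condition": "",
     "message": "{{ object.kind }} {{ object.metadata.name uses privileged containers"},
    {"name": "config-conflict", "severity": "info", "category": "security",
     "condition": "object.spec.debug == true", "message": "debug enabled"},
]

def lint_rule(rule, seen):
    """Return problem codes for one rule; `seen` holds names already used."""
    problems = []
    name = rule.get("name", "")
    if not NAME_RE.match(name):
        problems.append("name-format")
    if name in seen:
        problems.append("name-duplicate")
    seen.add(name)
    severity, category = rule.get("severity"), rule.get("category")
    if severity not in SEVERITIES:
        problems.append("severity-enum")
    if category not in CATEGORIES:
        problems.append("category-unlisted")
    if category == "security" and severity == "info":
        # A severity-based mute rule at "info" would silence this finding.
        problems.append("security-at-info")
    if not rule.get("condition", "").strip():
        problems.append("condition-empty")
    for field in ("message", "description"):
        leftover = TEMPLATE_RE.sub("", rule.get(field, ""))
        if "{{" in leftover or "}}" in leftover:
            problems.append(field + "-unbalanced-template")
    return problems

def lint_rules(rules):
    seen = set()
    return [(r.get("name", ""), lint_rule(r, seen)) for r in rules]
```
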
```yaml
# config/base/kustomization.yaml
resources:
  - deployment.yaml
  - service.yaml
# Include insights policies
components:
  - ../insights
```
```bash
kubectl get insights -A
kubectl get insights -n my-project
kubectl get insights -A --field-selector spec.severity=critical
kubectl get insights -A --field-selector status.state=Active
kubectl get insights -A --watch
```
- implementation.md — Detailed policy creation guide
- scripts/validate-insights.sh — Validation script
- scripts/scaffold-insights.sh — Policy scaffolding script
- capability-activity — Similar policy-driven model for activity timelines
- k8s-apiserver-patterns — For implementing the resources that insights monitor