Added provenance support to alerting notification app platform APIs
The grafana.com/provenance annotation on alerting notification resources is now correctly read and enforced when writing using the Kubernetes-style API. Previously, provenance was hardcoded to none on all Kubernetes API writes, so the annotation was silently ignored. It is now respected. Setting it requires one of the following permissions:
alert.provisioning:write
alert.notifications.provisioning:write
alert.provisioning.provenance:write
Callers without one of these permissions can still create, update spec fields, and delete notification resources — they just cannot escalate a resource’s provenance status. This brings the Kubernetes API into parity with the HTTP provisioning API, which already enforced this check. File provisioning is unaffected and continues to use relaxed provenance semantics.
Affected resources (receivers, notification policies, templates, mute timings, inhibition rules):
Action required
If you manage notification resources with the Kubernetes API and set the grafana.com/provenance annotation, verify the calling identity has one of the required permissions. Callers that never set this annotation are unaffected.
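
The permission rule above, modelled as an added Go sketch for pre-checking which callers a write would be rejected for; this is not Grafana's own code. The Resource type, CheckWrite, the sample caller and the "api" value are assumptions, as is treating every change of the annotation value as privileged.

```go
package main

import "fmt"

// Annotation key and action names are taken from the release note above.
const provenanceAnnotation = "grafana.com/provenance"

var provenanceActions = []string{
	"alert.provisioning:write",
	"alert.notifications.provisioning:write",
	"alert.provisioning.provenance:write",
}

// Resource is a hypothetical, minimal stand-in for a notification resource.
type Resource struct {
	Annotations map[string]string
}

// provenance treats a missing or empty annotation as "none" (assumption).
func provenance(r *Resource) string {
	if r == nil || r.Annotations[provenanceAnnotation] == "" {
		return "none"
	}
	return r.Annotations[provenanceAnnotation]
}

// CheckWrite models the rule: a create (stored == nil) or update may change
// spec fields freely, but a write that changes the provenance value needs one
// of the listed actions. Counting every change as privileged is an assumption.
func CheckWrite(callerActions []string, stored, incoming *Resource) error {
	if provenance(stored) == provenance(incoming) {
		return nil // provenance untouched: no extra permission needed
	}
	for _, have := range callerActions {
		for _, want := range provenanceActions {
			if have == want {
				return nil
			}
		}
	}
	return fmt.Errorf("changing %s from %q to %q requires one of %v",
		provenanceAnnotation, provenance(stored), provenance(incoming), provenanceActions)
}

func main() {
	editor := []string{"alert.notifications:write"} // constructed caller
	tagged := &Resource{Annotations: map[string]string{provenanceAnnotation: "api"}}
	fmt.Println(CheckWrite(editor, nil, &Resource{})) // create without the annotation
	fmt.Println(CheckWrite(editor, nil, tagged))      // create that sets the annotation
}
```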