Chapter 3. Configuring the monitoring stack
The OpenShift Container Platform installation program provides only a low number of configuration options before installation. Configuring most OpenShift Container Platform framework components, including the cluster monitoring stack, happens after the installation.
This section explains what configuration is supported, shows how to configure the monitoring stack, and demonstrates several common configuration scenarios.
Not all configuration parameters for the monitoring stack are exposed. Only the parameters and fields listed in the Config map reference for the Cluster Monitoring Operator are supported for configuration.
3.1. Prerequisites
- The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.
3.2. Maintenance and support for monitoring
Not all configuration options for the monitoring stack are exposed. The only supported way of configuring OpenShift Container Platform monitoring is by configuring the Cluster Monitoring Operator (CMO) using the options described in the Config map reference for the Cluster Monitoring Operator. Do not use other configurations, as they are unsupported.
Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in the Config map reference for the Cluster Monitoring Operator, your changes will disappear because the CMO automatically reconciles any differences and resets any unsupported changes back to the originally defined state by default and by design.
3.2.1. Support considerations for monitoring
Backward compatibility for metrics, recording rules, or alerting rules is not guaranteed.
The following modifications are explicitly not supported:
-
Creating additional
ServiceMonitor
,PodMonitor
, andPrometheusRule
objects in theopenshift-*
andkube-*
projects. Modifying any resources or objects deployed in the
openshift-monitoring
oropenshift-user-workload-monitoring
projects. The resources created by the OpenShift Container Platform monitoring stack are not meant to be used by any other resources, as there are no guarantees about their backward compatibility.NoteThe Alertmanager configuration is deployed as the
alertmanager-main
secret resource in theopenshift-monitoring
namespace. If you have enabled a separate Alertmanager instance for user-defined alert routing, an Alertmanager configuration is also deployed as thealertmanager-user-workload
secret resource in theopenshift-user-workload-monitoring
namespace. To configure additional routes for any instance of Alertmanager, you need to decode, modify, and then encode that secret. This procedure is a supported exception to the preceding statement.- Modifying resources of the stack. The OpenShift Container Platform monitoring stack ensures its resources are always in the state it expects them to be. If they are modified, the stack will reset them.
-
Deploying user-defined workloads to
openshift-*
, andkube-*
projects. These projects are reserved for Red Hat provided components and they should not be used for user-defined workloads. -
Enabling symptom based monitoring by using the
Probe
custom resource definition (CRD) in Prometheus Operator. -
Manually deploying monitoring resources into namespaces that have the
openshift.io/cluster-monitoring: "true"
label. -
Adding the
openshift.io/cluster-monitoring: "true"
label to namespaces. This label is reserved only for the namespaces with core OpenShift Container Platform components and Red Hat certified components. - Installing custom Prometheus instances on OpenShift Container Platform. A custom instance is a Prometheus custom resource (CR) managed by the Prometheus Operator.
3.2.2. Support policy for monitoring Operators
Monitoring Operators ensure that OpenShift Container Platform monitoring resources function as designed and tested. If Cluster Version Operator (CVO) control of an Operator is overridden, the Operator does not respond to configuration changes, reconcile the intended state of cluster objects, or receive updates.
While overriding CVO control for an Operator can be helpful during debugging, this is unsupported and the cluster administrator assumes full control of the individual component configurations and upgrades.
Overriding the Cluster Version Operator
The spec.overrides
parameter can be added to the configuration for the CVO to allow administrators to provide a list of overrides to the behavior of the CVO for a component. Setting the spec.overrides[].unmanaged
parameter to true
for a component blocks cluster upgrades and alerts the administrator after a CVO override has been set:
Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.
Setting a CVO override puts the entire cluster in an unsupported state and prevents the monitoring stack from being reconciled to its intended state. This impacts the reliability features built into Operators and prevents updates from being received. Reported issues must be reproduced after removing any overrides for support to proceed.
3.2.3. Support version matrix for monitoring components
The following matrix contains information about versions of monitoring components for OpenShift Container Platform 4.12 and later releases:
OpenShift Container Platform | Prometheus Operator | Prometheus | Metrics Server | Alertmanager | kube-state-metrics agent | monitoring-plugin | node-exporter agent | Thanos |
---|---|---|---|---|---|---|---|---|
4.16 | 0.73.2 | 2.52.0 | 0.7.1 | 0.26.0 | 2.12.0 | 1.0.0 | 1.8.0 | 0.35.0 |
4.15 | 0.70.0 | 2.48.0 | 0.6.4 | 0.26.0 | 2.10.1 | 1.0.0 | 1.7.0 | 0.32.5 |
4.14 | 0.67.1 | 2.46.0 | N/A | 0.25.0 | 2.9.2 | 1.0.0 | 1.6.1 | 0.30.2 |
4.13 | 0.63.0 | 2.42.0 | N/A | 0.25.0 | 2.8.1 | N/A | 1.5.0 | 0.30.2 |
4.12 | 0.60.1 | 2.39.1 | N/A | 0.24.0 | 2.6.0 | N/A | 1.4.0 | 0.28.1 |
The openshift-state-metrics agent and Telemeter Client are OpenShift-specific components. Therefore, their versions correspond with the versions of OpenShift Container Platform.
3.3. Preparing to configure the monitoring stack
You can configure the monitoring stack by creating and updating monitoring config maps. These config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the monitoring stack.
3.3.1. Creating a cluster monitoring config map
You can configure the core OpenShift Container Platform monitoring components by creating the cluster-monitoring-config
ConfigMap
object in the openshift-monitoring
project. The Cluster Monitoring Operator (CMO) then configures the core components of the monitoring stack.
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have installed the OpenShift CLI (
oc
).
Procedure
Check whether the
cluster-monitoring-config
ConfigMap
object exists:$ oc -n openshift-monitoring get configmap cluster-monitoring-config
If the
ConfigMap
object does not exist:Create the following YAML manifest. In this example the file is called
cluster-monitoring-config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: |
Apply the configuration to create the
ConfigMap
object:$ oc apply -f cluster-monitoring-config.yaml
3.3.2. Creating a user-defined workload monitoring config map
You can configure the user workload monitoring components with the user-workload-monitoring-config
ConfigMap
object in the openshift-user-workload-monitoring
project. The Cluster Monitoring Operator (CMO) then configures the components that monitor user-defined projects.
-
If you enable monitoring for user-defined projects, the
user-workload-monitoring-config
ConfigMap
object is created by default. -
When you save your changes to the
user-workload-monitoring-config
ConfigMap
object, some or all of the pods in theopenshift-user-workload-monitoring
project might be redeployed. It can sometimes take a while for these components to redeploy.
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have installed the OpenShift CLI (
oc
).
Procedure
Check whether the
user-workload-monitoring-config
ConfigMap
object exists:$ oc -n openshift-user-workload-monitoring get configmap user-workload-monitoring-config
If the
user-workload-monitoring-config
ConfigMap
object does not exist:Create the following YAML manifest. In this example the file is called
user-workload-monitoring-config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: |
Apply the configuration to create the
ConfigMap
object:$ oc apply -f user-workload-monitoring-config.yaml
NoteConfigurations applied to the
user-workload-monitoring-config
ConfigMap
object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.
Additional resources
3.4. Granting users permissions for core platform monitoring
As a cluster administrator, you can monitor all core OpenShift Container Platform and user-defined projects.
You can also grant developers and other users different permissions for core platform monitoring. You can grant the permissions by assigning one of the following monitoring roles or cluster roles:
Name | Description | Project |
---|---|---|
| Users with this role have the ability to access Thanos Querier API endpoints. Additionally, it grants access to the core platform Prometheus API and user-defined Thanos Ruler API endpoints. |
|
|
Users with this role can manage |
|
| Users with this role can manage the Alertmanager API for core platform monitoring. They can also manage alert silences in the Administrator perspective of the OpenShift Container Platform web console. |
|
| Users with this role can monitor the Alertmanager API for core platform monitoring. They can also view alert silences in the Administrator perspective of the OpenShift Container Platform web console. |
|
|
Users with this cluster role have the same access rights as |
Must be bound with |
3.5. Configuring the monitoring stack
In OpenShift Container Platform 4.16, you can configure the monitoring stack using the cluster-monitoring-config
or user-workload-monitoring-config
ConfigMap
objects. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
ConfigMap
object.To configure core OpenShift Container Platform monitoring components:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add your configuration under
data/config.yaml
as a key-value pair<component_name>: <component_configuration>
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | <component>: <configuration_for_the_component>
Substitute
<component>
and<configuration_for_the_component>
accordingly.The following example
ConfigMap
object configures a persistent volume claim (PVC) for Prometheus. This relates to the Prometheus instance that monitors core OpenShift Container Platform components only:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: 1 volumeClaimTemplate: spec: storageClassName: fast volumeMode: Filesystem resources: requests: storage: 40Gi
- 1
- Defines the Prometheus component and the subsequent lines define its configuration.
To configure components that monitor user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add your configuration under
data/config.yaml
as a key-value pair<component_name>: <component_configuration>
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: <configuration_for_the_component>
Substitute
<component>
and<configuration_for_the_component>
accordingly.The following example
ConfigMap
object configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: 1 retention: 24h 2 resources: requests: cpu: 200m 3 memory: 2Gi 4
- 1
- Defines the Prometheus component and the subsequent lines define its configuration.
- 2
- Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects.
- 3
- Defines a minimum resource request of 200 millicores for the Prometheus container.
- 4
- Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container.
NoteThe Prometheus config map component is called
prometheusK8s
in thecluster-monitoring-config
ConfigMap
object andprometheus
in theuser-workload-monitoring-config
ConfigMap
object.
Save the file to apply the changes to the
ConfigMap
object.WarningDifferent configuration changes to the
ConfigMap
object result in different outcomes:- The pods are not redeployed. Therefore, there is no service outage.
The affected pods are redeployed:
- For single-node clusters, this results in temporary service outage.
- For multi-node clusters, because of high-availability, the affected pods are gradually rolled out and the monitoring stack remains available.
- Configuring and resizing a persistent volume always results in a service outage, regardless of high availability.
Each procedure that requires a change in the config map includes its expected outcome.
Additional resources
-
Configuration reference for the
cluster-monitoring-config
config map -
Configuration reference for the
user-workload-monitoring-config
config map - See Preparing to configure the monitoring stack for steps to create monitoring config maps
- Enabling monitoring for user-defined projects
3.6. Configurable monitoring components
This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config
and user-workload-monitoring-config
ConfigMap
objects.
Component | cluster-monitoring-config config map key | user-workload-monitoring-config config map key |
---|---|---|
Prometheus Operator |
|
|
Prometheus |
|
|
Alertmanager |
|
|
kube-state-metrics |
| |
monitoring-plugin |
| |
openshift-state-metrics |
| |
Telemeter Client |
| |
Metrics Server |
| |
Thanos Querier |
| |
Thanos Ruler |
|
The Prometheus key is called prometheusK8s
in the cluster-monitoring-config
ConfigMap
object and prometheus
in the user-workload-monitoring-config
ConfigMap
object.
3.7. Using node selectors to move monitoring components
By using the nodeSelector
constraint with labeled nodes, you can move any of the monitoring stack components to specific nodes. By doing so, you can control the placement and distribution of the monitoring components across a cluster.
By controlling placement and distribution of monitoring components, you can optimize system resource use, improve performance, and segregate workloads based on specific requirements or policies.
3.7.1. How node selectors work with other constraints
If you move monitoring components by using node selector constraints, be aware that other constraints to control pod scheduling might exist for a cluster:
- Topology spread constraints might be in place to control pod placement.
- Hard anti-affinity rules are in place for Prometheus, Thanos Querier, Alertmanager, and other monitoring components to ensure that multiple pods for these components are always spread across different nodes and are therefore always highly available.
When scheduling pods onto nodes, the pod scheduler tries to satisfy all existing constraints when determining pod placement. That is, all constraints compound when the pod scheduler determines which pods will be placed on which nodes.
Therefore, if you configure a node selector constraint but existing constraints cannot all be satisfied, the pod scheduler cannot match all constraints and will not schedule a pod for placement onto a node.
To maintain resilience and high availability for monitoring components, ensure that enough nodes are available and match all constraints when you configure a node selector constraint to move a component.
Additional resources
- Understanding how to update labels on nodes
- Placing pods on specific nodes using node selectors
- Placing pods relative to other pods using affinity and anti-affinity rules
- Controlling pod placement by using pod topology spread constraints
- Using pod topology spread constraints for monitoring
- Kubernetes documentation about node selectors
3.7.2. Moving monitoring components to different nodes
To specify the nodes in your cluster on which monitoring stack components will run, configure the nodeSelector
constraint in the component’s ConfigMap
object to match labels assigned to the nodes.
You cannot add a node selector constraint directly to an existing scheduled pod.
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
If you have not done so yet, add a label to the nodes on which you want to run the monitoring components:
$ oc label nodes <node-name> <node-label>
Edit the
ConfigMap
object:To move a component that monitors core OpenShift Container Platform projects:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Specify the node labels for the
nodeSelector
constraint for the component underdata/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | <component>: 1 nodeSelector: <node-label-1> 2 <node-label-2> 3 <...>
- 1
- Substitute
<component>
with the appropriate monitoring stack component name. - 2
- Substitute
<node-label-1>
with the label you added to the node. - 3
- Optional: Specify additional labels. If you specify additional labels, the pods for the component are only scheduled on the nodes that contain all of the specified labels.
NoteIf monitoring components remain in a
Pending
state after configuring thenodeSelector
constraint, check the pod events for errors relating to taints and tolerations.
To move a component that monitors user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Specify the node labels for the
nodeSelector
constraint for the component underdata/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: 1 nodeSelector: <node-label-1> 2 <node-label-2> 3 <...>
- 1
- Substitute
<component>
with the appropriate monitoring stack component name. - 2
- Substitute
<node-label-1>
with the label you added to the node. - 3
- Optional: Specify additional labels. If you specify additional labels, the pods for the component are only scheduled on the nodes that contain all of the specified labels.
NoteIf monitoring components remain in a
Pending
state after configuring thenodeSelector
constraint, check the pod events for errors relating to taints and tolerations.
- Save the file to apply the changes. The components specified in the new configuration are automatically moved to the new nodes, and the pods affected by the new configuration are redeployed.
Additional resources
- See Preparing to configure the monitoring stack for steps to create monitoring config maps
- Enabling monitoring for user-defined projects
- Understanding how to update labels on nodes
- Placing pods on specific nodes using node selectors
-
See the Kubernetes documentation for details on the
nodeSelector
constraint
3.8. Assigning tolerations to monitoring components
You can assign tolerations to any of the monitoring stack components to enable moving them to tainted nodes.
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
ConfigMap
object:To assign tolerations to a component that monitors core OpenShift Container Platform projects:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Specify
tolerations
for the component:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | <component>: tolerations: <toleration_specification>
Substitute
<component>
and<toleration_specification>
accordingly.For example,
oc adm taint nodes node1 key1=value1:NoSchedule
adds a taint tonode1
with the keykey1
and the valuevalue1
. This prevents monitoring components from deploying pods onnode1
unless a toleration is configured for that taint. The following example configures thealertmanagerMain
component to tolerate the example taint:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | alertmanagerMain: tolerations: - key: "key1" operator: "Equal" value: "value1" effect: "NoSchedule"
To assign tolerations to a component that monitors user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Specify
tolerations
for the component:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: tolerations: <toleration_specification>
Substitute
<component>
and<toleration_specification>
accordingly.For example,
oc adm taint nodes node1 key1=value1:NoSchedule
adds a taint tonode1
with the keykey1
and the valuevalue1
. This prevents monitoring components from deploying pods onnode1
unless a toleration is configured for that taint. The following example configures thethanosRuler
component to tolerate the example taint:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: tolerations: - key: "key1" operator: "Equal" value: "value1" effect: "NoSchedule"
- Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.
Additional resources
- See Preparing to configure the monitoring stack for steps to create monitoring config maps
- Enabling monitoring for user-defined projects
- See the OpenShift Container Platform documentation on taints and tolerations
- See the Kubernetes documentation on taints and tolerations
3.9. Setting the body size limit for metrics scraping
By default, no limit exists for the uncompressed body size for data returned from scraped metrics targets. You can set a body size limit to help avoid situations in which Prometheus consumes excessive amounts of memory when scraped targets return a response that contains a large amount of data. In addition, by setting a body size limit, you can reduce the impact that a malicious target might have on Prometheus and on the cluster as a whole.
After you set a value for enforcedBodySizeLimit
, the alert PrometheusScrapeBodySizeLimitHit
fires when at least one Prometheus scrape target replies with a response body larger than the configured value.
If metrics data scraped from a target has an uncompressed body size exceeding the configured size limit, the scrape fails. Prometheus then considers this target to be down and sets its up
metric value to 0
, which can trigger the TargetDown
alert.
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
namespace:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add a value for
enforcedBodySizeLimit
todata/config.yaml/prometheusK8s
to limit the body size that can be accepted per target scrape:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: |- prometheusK8s: enforcedBodySizeLimit: 40MB 1
- 1
- Specify the maximum body size for scraped metrics targets. This
enforcedBodySizeLimit
example limits the uncompressed size per target scrape to 40 megabytes. Valid numeric values use the Prometheus data size format: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), and EB (exabytes). The default value is0
, which specifies no limit. You can also set the value toautomatic
to calculate the limit automatically based on cluster capacity.
- Save the file to apply the changes. The new configuration is applied automatically.
Additional resources
3.10. Managing CPU and memory resources for monitoring components
You can ensure that the containers that run monitoring components have enough CPU and memory resources by specifying values for resource limits and requests for those components.
You can configure these limits and requests for core platform monitoring components in the openshift-monitoring
namespace and for the components that monitor user-defined projects in the openshift-user-workload-monitoring
namespace.
3.10.1. About specifying limits and requests for monitoring components
You can configure resource limits and request settings for core platform monitoring components and for the components that monitor user-defined projects, including the following components:
- Alertmanager (for core platform monitoring and for user-defined projects)
- kube-state-metrics
- monitoring-plugin
- node-exporter
- openshift-state-metrics
- Prometheus (for core platform monitoring and for user-defined projects)
- Metrics Server
- Prometheus Operator and its admission webhook service
- Telemeter Client
- Thanos Querier
- Thanos Ruler
By defining resource limits, you limit a container’s resource usage, which prevents the container from exceeding the specified maximum values for CPU and memory resources.
By defining resource requests, you specify that a container can be scheduled only on a node that has enough CPU and memory resources available to match the requested resources.
3.10.2. Specifying limits and requests for monitoring components
To configure CPU and memory resources, specify values for resource limits and requests in the appropriate ConfigMap
object for the namespace in which the monitoring component is located:
-
The
cluster-monitoring-config
config map in theopenshift-monitoring
namespace for core platform monitoring -
The
user-workload-monitoring-config
config map in theopenshift-user-workload-monitoring
namespace for components that monitor user-defined projects
Prerequisites
If you are configuring core platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created a
ConfigMap
object namedcluster-monitoring-config
.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
To configure core platform monitoring components, edit the
cluster-monitoring-config
config map object in theopenshift-monitoring
namespace:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add values to define resource limits and requests for each core platform monitoring component you want to configure.
ImportantMake sure that the value set for a limit is always higher than the value set for a request. Otherwise, an error will occur, and the container will not run.
Example
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | alertmanagerMain: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi prometheusK8s: resources: limits: cpu: 500m memory: 3Gi requests: cpu: 200m memory: 500Mi prometheusOperator: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi metricsServer: resources: requests: cpu: 10m memory: 50Mi limits: cpu: 50m memory: 500Mi kubeStateMetrics: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi telemeterClient: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi openshiftStateMetrics: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi thanosQuerier: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi nodeExporter: resources: limits: cpu: 50m memory: 150Mi requests: cpu: 20m memory: 50Mi monitoringPlugin: resources: limits: cpu: 500m memory: 1Gi requests: cpu: 200m memory: 500Mi prometheusOperatorAdmissionWebhook: resources: limits: cpu: 50m memory: 100Mi requests: cpu: 20m memory: 50Mi
- Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.
Additional resources
3.11. Configuring persistent storage
Run cluster monitoring with persistent storage to gain the following benefits:
- Protect your metrics and alerting data from data loss by storing them in a persistent volume (PV). As a result, they can survive pods being restarted or recreated.
- Avoid getting duplicate notifications and losing silences for alerts when the Alertmanager pods are restarted.
For production environments, it is highly recommended to configure persistent storage.
In multi-node clusters, you must configure persistent storage for Prometheus, Alertmanager, and Thanos Ruler to ensure high availability.
3.11.1. Persistent storage prerequisites
- Dedicate sufficient persistent storage to ensure that the disk does not become full.
Use
Filesystem
as the storage type value for thevolumeMode
parameter when you configure the persistent volume.Important-
Do not use a raw block volume, which is described with
volumeMode: Block
in thePersistentVolume
resource. Prometheus cannot use raw block volumes. - Prometheus does not support file systems that are not POSIX compliant. For example, some NFS file system implementations are not POSIX compliant. If you want to use an NFS file system for storage, verify with the vendor that their NFS implementation is fully POSIX compliant.
-
Do not use a raw block volume, which is described with
3.11.2. Configuring a persistent volume claim
To use a persistent volume (PV) for monitoring components, you must configure a persistent volume claim (PVC).
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
ConfigMap
object:To configure a PVC for a component that monitors core OpenShift Container Platform projects:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add your PVC configuration for the component under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | <component>: 1 volumeClaimTemplate: spec: storageClassName: <storage_class> 2 resources: requests: storage: <amount_of_storage> 3
See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify
volumeClaimTemplate
.The following example configures a PVC that claims persistent storage for the Prometheus instance that monitors core OpenShift Container Platform components:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: volumeClaimTemplate: spec: storageClassName: my-storage-class resources: requests: storage: 40Gi
To configure a PVC for a component that monitors user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add your PVC configuration for the component under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: 1 volumeClaimTemplate: spec: storageClassName: <storage_class> 2 resources: requests: storage: <amount_of_storage> 3
See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify
volumeClaimTemplate
.The following example configures a PVC that claims persistent storage for Thanos Ruler:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: volumeClaimTemplate: spec: storageClassName: my-storage-class resources: requests: storage: 10Gi
NoteStorage requirements for the
thanosRuler
component depend on the number of rules that are evaluated and how many samples each rule generates.
Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed and the new storage configuration is applied.
WarningWhen you update the config map with a PVC configuration, the affected
StatefulSet
object is recreated, resulting in a temporary service outage.
3.11.3. Resizing a persistent volume
You can resize a persistent volume (PV) for monitoring components, such as Prometheus, Thanos Ruler, or Alertmanager. You need to manually expand a persistent volume claim (PVC), and then update the config map in which the component is configured.
You can only expand the size of the PVC. Shrinking the storage size is not possible.
Prerequisites
-
You have installed the OpenShift CLI (
oc
). If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object. - You have configured at least one PVC for core OpenShift Container Platform monitoring components.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
- You have configured at least one PVC for components that monitor user-defined projects.
-
You have access to the cluster as a user with the
Procedure
- Manually expand a PVC with the updated storage request. For more information, see "Expanding persistent volume claims (PVCs) with a file system" in Expanding persistent volumes.
Edit the
ConfigMap
object:If you are configuring core OpenShift Container Platform monitoring components:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add a new storage size for the PVC configuration for the component under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | <component>: 1 volumeClaimTemplate: spec: resources: requests: storage: <amount_of_storage> 2
The following example sets the new PVC request to 100 gigabytes for the Prometheus instance that monitors core OpenShift Container Platform components:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: volumeClaimTemplate: spec: resources: requests: storage: 100Gi
If you are configuring components that monitor user-defined projects:
NoteYou can resize the volumes for the Thanos Ruler and for instances of Alertmanager and Prometheus that monitor user-defined projects.
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Update the PVC configuration for the monitoring component under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: 1 volumeClaimTemplate: spec: resources: requests: storage: <amount_of_storage> 2
The following example sets the new PVC request to 20 gigabytes for Thanos Ruler:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: volumeClaimTemplate: spec: resources: requests: storage: 20Gi
NoteStorage requirements for the
thanosRuler
component depend on the number of rules that are evaluated and how many samples each rule generates.
Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.
WarningWhen you update the config map with a new storage size, the affected
StatefulSet
object is recreated, resulting in a temporary service outage.
3.11.4. Modifying the retention time and size for Prometheus metrics data
By default, Prometheus retains metrics data for the following durations:
- Core platform monitoring: 15 days
- Monitoring for user-defined projects: 24 hours
You can modify the retention time for Prometheus to change how soon the data is deleted. You can also set the maximum amount of disk space the retained metrics data uses. If the data reaches this size limit, Prometheus deletes the oldest data first until the disk space used is again below the limit.
Note the following behaviors of these data retention settings:
-
The size-based retention policy applies to all data block directories in the
/prometheus
directory, including persistent blocks, write-ahead log (WAL) data, and m-mapped chunks. -
Data in the
/wal
and/head_chunks
directories counts toward the retention size limit, but Prometheus never purges data from these directories based on size- or time-based retention policies. Thus, if you set a retention size limit lower than the maximum size set for the/wal
and/head_chunks
directories, you have configured the system not to retain any data blocks in the/prometheus
data directories. - The size-based retention policy is applied only when Prometheus cuts a new data block, which occurs every two hours after the WAL contains at least three hours of data.
-
If you do not explicitly define values for either
retention
orretentionSize
, retention time defaults to 15 days for core platform monitoring and 24 hours for user-defined project monitoring. Retention size is not set. -
If you define values for both
retention
andretentionSize
, both values apply. If any data blocks exceed the defined retention time or the defined size limit, Prometheus purges these data blocks. -
If you define a value for
retentionSize
and do not defineretention
, only theretentionSize
value applies. -
If you do not define a value for
retentionSize
and only define a value forretention
, only theretention
value applies. -
If you set the
retentionSize
orretention
value to0
, the default settings apply. The default settings set retention time to 15 days for core platform monitoring and 24 hours for user-defined project monitoring. By default, retention size is not set.
Data compaction occurs every two hours. Therefore, a persistent volume (PV) might fill up before compaction, potentially exceeding the retentionSize
limit. In such cases, the KubePersistentVolumeFillingUp
alert fires until the space on a PV is lower than the retentionSize
limit.
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
ConfigMap
object:To modify the retention time and size for the Prometheus instance that monitors core OpenShift Container Platform projects:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add the retention time and size configuration under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: retention: <time_specification> 1 retentionSize: <size_specification> 2
- 1
- The retention time: a number directly followed by
ms
(milliseconds),s
(seconds),m
(minutes),h
(hours),d
(days),w
(weeks), ory
(years). You can also combine time values for specific times, such as1h30m15s
. - 2
- The retention size: a number directly followed by
B
(bytes),KB
(kilobytes),MB
(megabytes),GB
(gigabytes),TB
(terabytes),PB
(petabytes), andEB
(exabytes).
The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors core OpenShift Container Platform components:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: retention: 24h retentionSize: 10GB
To modify the retention time and size for the Prometheus instance that monitors user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add the retention time and size configuration under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: retention: <time_specification> 1 retentionSize: <size_specification> 2
- 1
- The retention time: a number directly followed by
ms
(milliseconds),s
(seconds),m
(minutes),h
(hours),d
(days),w
(weeks), ory
(years). You can also combine time values for specific times, such as1h30m15s
. - 2
- The retention size: a number directly followed by
B
(bytes),KB
(kilobytes),MB
(megabytes),GB
(gigabytes),TB
(terabytes),PB
(petabytes), orEB
(exabytes).
The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors user-defined projects:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: retention: 24h retentionSize: 10GB
- Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.
3.11.5. Modifying the retention time for Thanos Ruler metrics data
By default, for user-defined projects, Thanos Ruler automatically retains metrics data for 24 hours. You can modify the retention time to change how long this data is retained by specifying a time value in the user-workload-monitoring-config
config map in the openshift-user-workload-monitoring
namespace.
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add the retention time configuration under
data/config.yaml
:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: retention: <time_specification> 1
- 1
- Specify the retention time in the following format: a number directly followed by
ms
(milliseconds),s
(seconds),m
(minutes),h
(hours),d
(days),w
(weeks), ory
(years). You can also combine time values for specific times, such as1h30m15s
. The default is24h
.
The following example sets the retention time to 10 days for Thanos Ruler data:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: retention: 10d
- Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.
3.12. Configuring remote write storage
You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.
Prerequisites
If you are configuring core OpenShift Container Platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
). You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.
ImportantRed Hat only provides information for configuring remote write senders and does not offer guidance on configuring receiver endpoints. Customers are responsible for setting up their own endpoints that are remote-write compatible. Issues with endpoint receiver configurations are not included in Red Hat production support.
You have set up authentication credentials in a
Secret
object for the remote write endpoint. You must create the secret in the same namespace as the Prometheus object for which you configure remote write: theopenshift-monitoring
namespace for default platform monitoring or theopenshift-user-workload-monitoring
namespace for user workload monitoring.WarningTo reduce security risks, use HTTPS and authentication to send metrics to an endpoint.
Procedure
Edit the
ConfigMap
object:To configure remote write for the Prometheus instance that monitors core OpenShift Container Platform projects:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add a
remoteWrite:
section underdata/config.yaml/prometheusK8s
, as shown in the following example:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" 1 <endpoint_authentication_credentials> 2
- 1
- The URL of the remote write endpoint.
- 2
- The authentication method and credentials for the endpoint. Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP in an
Authorization
request header, Basic authentication, OAuth 2.0, and TLS client. See Supported remote write authentication settings for sample configurations of supported authentication methods.
Add write relabel configuration values after the authentication credentials:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> writeRelabelConfigs: - <your_write_relabel_configs> 1
- 1
- Add configuration for metrics that you want to send to the remote endpoint.
Example of forwarding a single metric called
my_metric
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: [__name__] regex: 'my_metric' action: keep
Example of forwarding metrics called
my_metric_1
andmy_metric_2
inmy_namespace
namespaceapiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: [__name__,namespace] regex: '(my_metric_1|my_metric_2);my_namespace' action: keep
To configure remote write for the Prometheus instance that monitors user-defined projects:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add a
remoteWrite:
section underdata/config.yaml/prometheus
, as shown in the following example:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" 1 <endpoint_authentication_credentials> 2
- 1
- The URL of the remote write endpoint.
- 2
- The authentication method and credentials for the endpoint. Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP an
Authorization
request header, basic authentication, OAuth 2.0, and TLS client. See Supported remote write authentication settings below for sample configurations of supported authentication methods.
Add write relabel configuration values after the authentication credentials:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> writeRelabelConfigs: - <your_write_relabel_configs> 1
- 1
- Add configuration for metrics that you want to send to the remote endpoint.
Example of forwarding a single metric called
my_metric
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: [__name__] regex: 'my_metric' action: keep
Example of forwarding metrics called
my_metric_1
andmy_metric_2
inmy_namespace
namespaceapiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: [__name__,namespace] regex: '(my_metric_1|my_metric_2);my_namespace' action: keep
- Save the file to apply the changes. The new configuration is applied automatically.
3.12.1. Supported remote write authentication settings
You can use different methods to authenticate with a remote write endpoint. Currently supported authentication methods are AWS Signature Version 4, basic authentication, authorization, OAuth 2.0, and TLS client. The following table provides details about supported authentication methods for use with remote write.
Authentication method | Config map field | Description |
---|---|---|
AWS Signature Version 4 |
| This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or Basic authentication. |
Basic authentication |
| Basic authentication sets the authorization header on every remote write request with the configured username and password. |
authorization |
|
Authorization sets the |
OAuth 2.0 |
|
An OAuth 2.0 configuration uses the client credentials grant type. Prometheus fetches an access token from |
TLS client |
| A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file. |
3.12.2. Example remote write authentication settings
The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding Secret
object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with default platform monitoring in the openshift-monitoring
namespace.
3.12.2.1. Sample YAML for AWS Signature Version 4 authentication
The following shows the settings for a sigv4
secret named sigv4-credentials
in the openshift-monitoring
namespace.
apiVersion: v1 kind: Secret metadata: name: sigv4-credentials namespace: openshift-monitoring stringData: accessKey: <AWS_access_key> 1 secretKey: <AWS_secret_key> 2 type: Opaque
The following shows sample AWS Signature Version 4 remote write authentication settings that use a Secret
object named sigv4-credentials
in the openshift-monitoring
namespace:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://authorization.example.com/api/write" sigv4: region: <AWS_region> 1 accessKey: name: sigv4-credentials 2 key: accessKey 3 secretKey: name: sigv4-credentials 4 key: secretKey 5 profile: <AWS_profile_name> 6 roleArn: <AWS_role_arn> 7
- 1
- The AWS region.
- 2 4
- The name of the
Secret
object containing the AWS API access credentials. - 3
- The key that contains the AWS API access key in the specified
Secret
object. - 5
- The key that contains the AWS API secret key in the specified
Secret
object. - 6
- The name of the AWS profile that is being used to authenticate.
- 7
- The unique identifier for the Amazon Resource Name (ARN) assigned to your role.
3.12.2.2. Sample YAML for Basic authentication
The following shows sample Basic authentication settings for a Secret
object named rw-basic-auth
in the openshift-monitoring
namespace:
apiVersion: v1 kind: Secret metadata: name: rw-basic-auth namespace: openshift-monitoring stringData: user: <basic_username> 1 password: <basic_password> 2 type: Opaque
The following sample shows a basicAuth
remote write configuration that uses a Secret
object named rw-basic-auth
in the openshift-monitoring
namespace. It assumes that you have already set up authentication credentials for the endpoint.
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://basicauth.example.com/api/write" basicAuth: username: name: rw-basic-auth 1 key: user 2 password: name: rw-basic-auth 3 key: password 4
3.12.2.3. Sample YAML for authentication with a bearer token using a Secret
Object
The following shows bearer token settings for a Secret
object named rw-bearer-auth
in the openshift-monitoring
namespace:
apiVersion: v1
kind: Secret
metadata:
name: rw-bearer-auth
namespace: openshift-monitoring
stringData:
token: <authentication_token> 1
type: Opaque
- 1
- The authentication token.
The following shows sample bearer token config map settings that use a Secret
object named rw-bearer-auth
in the openshift-monitoring
namespace:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | enableUserWorkload: true prometheusK8s: remoteWrite: - url: "https://authorization.example.com/api/write" authorization: type: Bearer 1 credentials: name: rw-bearer-auth 2 key: token 3
3.12.2.4. Sample YAML for OAuth 2.0 authentication
The following shows sample OAuth 2.0 settings for a Secret
object named oauth2-credentials
in the openshift-monitoring
namespace:
apiVersion: v1 kind: Secret metadata: name: oauth2-credentials namespace: openshift-monitoring stringData: id: <oauth2_id> 1 secret: <oauth2_secret> 2 type: Opaque
The following shows an oauth2
remote write authentication sample configuration that uses a Secret
object named oauth2-credentials
in the openshift-monitoring
namespace:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://test.example.com/api/write" oauth2: clientId: secret: name: oauth2-credentials 1 key: id 2 clientSecret: name: oauth2-credentials 3 key: secret 4 tokenUrl: https://example.com/oauth2/token 5 scopes: 6 - <scope_1> - <scope_2> endpointParams: 7 param1: <parameter_1> param2: <parameter_2>
- 1 3
- The name of the corresponding
Secret
object. Note thatClientId
can alternatively refer to aConfigMap
object, althoughclientSecret
must refer to aSecret
object. - 2 4
- The key that contains the OAuth 2.0 credentials in the specified
Secret
object. - 5
- The URL used to fetch a token with the specified
clientId
andclientSecret
. - 6
- The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access.
- 7
- The OAuth 2.0 authorization request parameters required for the authorization server.
3.12.2.5. Sample YAML for TLS client authentication
The following shows sample TLS client settings for a tls
Secret
object named mtls-bundle
in the openshift-monitoring
namespace.
apiVersion: v1 kind: Secret metadata: name: mtls-bundle namespace: openshift-monitoring data: ca.crt: <ca_cert> 1 client.crt: <client_cert> 2 client.key: <client_key> 3 type: tls
The following sample shows a tlsConfig
remote write authentication configuration that uses a TLS Secret
object named mtls-bundle
.
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" tlsConfig: ca: secret: name: mtls-bundle 1 key: ca.crt 2 cert: secret: name: mtls-bundle 3 key: client.crt 4 keySecret: name: mtls-bundle 5 key: client.key 6
- 1 3 5
- The name of the corresponding
Secret
object that contains the TLS authentication credentials. Note thatca
andcert
can alternatively refer to aConfigMap
object, thoughkeySecret
must refer to aSecret
object. - 2
- The key in the specified
Secret
object that contains the CA certificate for the endpoint. - 4
- The key in the specified
Secret
object that contains the client certificate for the endpoint. - 6
- The key in the specified
Secret
object that contains the client key secret.
3.12.3. Example remote write queue configuration
You can use the queueConfig
object for remote write to tune the remote write queue parameters. The following example shows the queue parameters with their default values for default platform monitoring in the openshift-monitoring
namespace.
Example configuration of remote write parameters with default values
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> queueConfig: capacity: 10000 1 minShards: 1 2 maxShards: 50 3 maxSamplesPerSend: 2000 4 batchSendDeadline: 5s 5 minBackoff: 30ms 6 maxBackoff: 5s 7 retryOnRateLimit: false 8 sampleAgeLimit: 0s 9
- 1
- The number of samples to buffer per shard before they are dropped from the queue.
- 2
- The minimum number of shards.
- 3
- The maximum number of shards.
- 4
- The maximum number of samples per send.
- 5
- The maximum time for a sample to wait in buffer.
- 6
- The initial time to wait before retrying a failed request. The time gets doubled for every retry up to the
maxbackoff
time. - 7
- The maximum time to wait before retrying a failed request.
- 8
- Set this parameter to
true
to retry a request after receiving a 429 status code from the remote write storage. - 9
- The samples that are older than the
sampleAgeLimit
limit are dropped from the queue. If the value is undefined or set to0s
, the parameter is ignored.
Additional resources
- Prometheus REST API reference for remote write
- Setting up remote write compatible endpoints (Prometheus documentation)
- Tuning remote write settings (Prometheus documentation)
- Understanding secrets
3.13. Adding cluster ID labels to metrics
If you manage multiple OpenShift Container Platform clusters and use the remote write feature to send metrics data from these clusters to an external storage location, you can add cluster ID labels to identify the metrics data coming from different clusters. You can then query these labels to identify the source cluster for a metric and distinguish that data from similar metrics data sent by other clusters.
This way, if you manage many clusters for multiple customers and send metrics data to a single centralized storage system, you can use cluster ID labels to query metrics for a particular cluster or customer.
Creating and using cluster ID labels involves three general steps:
- Configuring the write relabel settings for remote write storage.
- Adding cluster ID labels to the metrics.
- Querying these labels to identify the source cluster or customer for a metric.
3.13.1. Creating cluster ID labels for metrics
You can create cluster ID labels for metrics for default platform monitoring and for user workload monitoring.
For default platform monitoring, you add cluster ID labels for metrics in the write_relabel
settings for remote write storage in the cluster-monitoring-config
config map in the openshift-monitoring
namespace.
For user workload monitoring, you edit the settings in the user-workload-monitoring-config
config map in the openshift-user-workload-monitoring
namespace.
When Prometheus scrapes user workload targets that expose a namespace
label, the system stores this label as exported_namespace
. This behavior ensures that the final namespace label value is equal to the namespace of the target pod. You cannot override this default configuration by setting the value of the honorLabels
field to true
for PodMonitor
or ServiceMonitor
objects.
Prerequisites
If you are configuring default platform monitoring components:
-
You have access to the cluster as a user with the
cluster-admin
cluster role. -
You have created the
cluster-monitoring-config
ConfigMap
object.
-
You have access to the cluster as a user with the
If you are configuring components that monitor user-defined projects:
-
You have access to the cluster as a user with the
cluster-admin
cluster role or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have access to the cluster as a user with the
-
You have installed the OpenShift CLI (
oc
). - You have configured remote write storage.
Procedure
Edit the
ConfigMap
object:To create cluster ID labels for core OpenShift Container Platform metrics:
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
In the
writeRelabelConfigs:
section underdata/config.yaml/prometheusK8s/remoteWrite
, add cluster ID relabel configuration values:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> writeRelabelConfigs: 1 - <relabel_config> 2
The following sample shows how to forward a metric with the cluster ID label
cluster_id
in default platform monitoring:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: - __tmp_openshift_cluster_id__ 1 targetLabel: cluster_id 2 action: replace 3
- 1
- The system initially applies a temporary cluster ID source label named
__tmp_openshift_cluster_id__
. This temporary label gets replaced by the cluster ID label name that you specify. - 2
- Specify the name of the cluster ID label for metrics sent to remote write storage. If you use a label name that already exists for a metric, that value is overwritten with the name of this cluster ID label. For the label name, do not use
__tmp_openshift_cluster_id__
. The final relabeling step removes labels that use this name. - 3
- The
replace
write relabel action replaces the temporary label with the target label for outgoing metrics. This action is the default and is applied if no action is specified.
To create cluster ID labels for user-defined project metrics:
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
In the
writeRelabelConfigs:
section underdata/config.yaml/prometheus/remoteWrite
, add cluster ID relabel configuration values:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> writeRelabelConfigs: 1 - <relabel_config> 2
The following sample shows how to forward a metric with the cluster ID label
cluster_id
in user-workload monitoring:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: - __tmp_openshift_cluster_id__ 1 targetLabel: cluster_id 2 action: replace 3
- 1
- The system initially applies a temporary cluster ID source label named
__tmp_openshift_cluster_id__
. This temporary label gets replaced by the cluster ID label name that you specify. - 2
- Specify the name of the cluster ID label for metrics sent to remote write storage. If you use a label name that already exists for a metric, that value is overwritten with the name of this cluster ID label. For the label name, do not use
__tmp_openshift_cluster_id__
. The final relabeling step removes labels that use this name. - 3
- The
replace
write relabel action replaces the temporary label with the target label for outgoing metrics. This action is the default and is applied if no action is specified.
- Save the file to apply the changes. The new configuration is applied automatically.
Additional resources
3.14. Configuring audit logs for Metrics Server
You can configure audit logs for Metrics Server to help you troubleshoot issues with the server. Audit logs record the sequence of actions in a cluster. It can record user, application, or control plane activities.
You can set audit log rules, which determine what events are recorded and what data they should include. This can be achieved with the following audit profiles:
- Metadata (default): This profile enables the logging of event metadata including user, timestamps, resource, and verb. It does not record request and response bodies.
- Request: This enables the logging of event metadata and request body, but it does not record response body. This configuration does not apply for non-resource requests.
- RequestResponse: This enables the logging of event metadata, and request and response bodies. This configuration does not apply for non-resource requests.
- None: None of the previously described events are recorded.
You can configure the audit profiles by modifying the cluster-monitoring-config
config map. The following example sets the profile to Request
, allowing the logging of event metadata and request body for Metrics Server:
apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | metricsServer: audit: profile: Request
3.15. Configuring metrics collection profiles
Using a metrics collection profile is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview.
By default, Prometheus collects metrics exposed by all default metrics targets in OpenShift Container Platform components. However, you might want Prometheus to collect fewer metrics from a cluster in certain scenarios:
- If cluster administrators require only alert, telemetry, and console metrics and do not require other metrics to be available.
- If a cluster increases in size, and the increased size of the default metrics data collected now requires a significant increase in CPU and memory resources.
You can use a metrics collection profile to collect either the default amount of metrics data or a minimal amount of metrics data. When you collect minimal metrics data, basic monitoring features such as alerting continue to work. At the same time, the CPU and memory resources required by Prometheus decrease.
3.15.1. About metrics collection profiles
You can enable one of two metrics collection profiles:
- full: Prometheus collects metrics data exposed by all platform components. This setting is the default.
- minimal: Prometheus collects only the metrics data required for platform alerts, recording rules, telemetry, and console dashboards.
3.15.2. Choosing a metrics collection profile
To choose a metrics collection profile for core OpenShift Container Platform monitoring components, edit the cluster-monitoring-config
ConfigMap
object.
Prerequisites
-
You have installed the OpenShift CLI (
oc
). -
You have enabled Technology Preview features by using the
FeatureGate
custom resource (CR). -
You have created the
cluster-monitoring-config
ConfigMap
object. -
You have access to the cluster as a user with the
cluster-admin
cluster role.
Procedure
Edit the
cluster-monitoring-config
ConfigMap
object in theopenshift-monitoring
project:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
Add the metrics collection profile setting under
data/config.yaml/prometheusK8s
:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: collectionProfile: <metrics_collection_profile_name> 1
- 1
- The name of the metrics collection profile. The available values are
full
orminimal
. If you do not specify a value or if thecollectionProfile
key name does not exist in the config map, the default setting offull
is used.
The following example sets the metrics collection profile to
minimal
for the core platform instance of Prometheus:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | prometheusK8s: collectionProfile: minimal
- Save the file to apply the changes. The new configuration is applied automatically.
Additional resources
- See Viewing a list of available metrics for steps to view a list of metrics being collected for a cluster.
- See Enabling features using feature gates for steps to enable Technology Preview features.
3.16. Controlling the impact of unbound metrics attributes in user-defined projects
Developers can create labels to define attributes for metrics in the form of key-value pairs. The number of potential key-value pairs corresponds to the number of possible values for an attribute. An attribute that has an unlimited number of potential values is called an unbound attribute. For example, a customer_id
attribute is unbound because it has an infinite number of possible values.
Every assigned key-value pair has a unique time series. The use of many unbound attributes in labels can result in an exponential increase in the number of time series created. This can impact Prometheus performance and can consume a lot of disk space.
Cluster administrators can use the following measures to control the impact of unbound metrics attributes in user-defined projects:
- Limit the number of samples that can be accepted per target scrape in user-defined projects
- Limit the number of scraped labels, the length of label names, and the length of label values
- Create alerts that fire when a scrape sample threshold is reached or when the target cannot be scraped
Limiting scrape samples can help prevent the issues caused by adding many unbound attributes to labels. Developers can also prevent the underlying cause by limiting the number of unbound attributes that they define for metrics. Using attributes that are bound to a limited set of possible values reduces the number of potential key-value pair combinations.
3.16.1. Setting scrape sample and label limits for user-defined projects
You can limit the number of samples that can be accepted per target scrape in user-defined projects. You can also limit the number of scraped labels, the length of label names, and the length of label values.
If you set sample or label limits, no further sample data is ingested for that target scrape after the limit is reached.
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have installed the OpenShift CLI (
oc
).
Procedure
Edit the
user-workload-monitoring-config
ConfigMap
object in theopenshift-user-workload-monitoring
project:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
Add the
enforcedSampleLimit
configuration todata/config.yaml
to limit the number of samples that can be accepted per target scrape in user-defined projects:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: enforcedSampleLimit: 50000 1
- 1
- A value is required if this parameter is specified. This
enforcedSampleLimit
example limits the number of samples that can be accepted per target scrape in user-defined projects to 50,000.
Add the
enforcedLabelLimit
,enforcedLabelNameLengthLimit
, andenforcedLabelValueLengthLimit
configurations todata/config.yaml
to limit the number of scraped labels, the length of label names, and the length of label values in user-defined projects:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: enforcedLabelLimit: 500 1 enforcedLabelNameLengthLimit: 50 2 enforcedLabelValueLengthLimit: 600 3
- 1
- Specifies the maximum number of labels per scrape. The default value is
0
, which specifies no limit. - 2
- Specifies the maximum length in characters of a label name. The default value is
0
, which specifies no limit. - 3
- Specifies the maximum length in characters of a label value. The default value is
0
, which specifies no limit.
- Save the file to apply the changes. The limits are applied automatically.
3.16.2. Creating scrape sample alerts
You can create alerts that notify you when:
-
The target cannot be scraped or is not available for the specified
for
duration -
A scrape sample threshold is reached or is exceeded for the specified
for
duration
Prerequisites
-
You have access to the cluster as a user with the
cluster-admin
cluster role, or as a user with theuser-workload-monitoring-config-edit
role in theopenshift-user-workload-monitoring
project. - A cluster administrator has enabled monitoring for user-defined projects.
-
You have limited the number of samples that can be accepted per target scrape in user-defined projects, by using
enforcedSampleLimit
. -
You have installed the OpenShift CLI (
oc
).
Procedure
Create a YAML file with alerts that inform you when the targets are down and when the enforced sample limit is approaching. The file in this example is called
monitoring-stack-alerts.yaml
:apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: labels: prometheus: k8s role: alert-rules name: monitoring-stack-alerts 1 namespace: ns1 2 spec: groups: - name: general.rules rules: - alert: TargetDown 3 annotations: message: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service }} targets in {{ $labels.namespace }} namespace are down.' 4 expr: 100 * (count(up == 0) BY (job, namespace, service) / count(up) BY (job, namespace, service)) > 10 for: 10m 5 labels: severity: warning 6 - alert: ApproachingEnforcedSamplesLimit 7 annotations: message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' 8 expr: (scrape_samples_post_metric_relabeling / (scrape_sample_limit > 0)) > 0.9 9 for: 10m 10 labels: severity: warning 11
- 1
- Defines the name of the alerting rule.
- 2
- Specifies the user-defined project where the alerting rule is deployed.
- 3
- The
TargetDown
alert fires if the target cannot be scraped and is not available for thefor
duration. - 4
- The message that is displayed when the
TargetDown
alert fires. - 5
- The conditions for the
TargetDown
alert must be true for this duration before the alert is fired. - 6
- Defines the severity for the
TargetDown
alert. - 7
- The
ApproachingEnforcedSamplesLimit
alert fires when the defined scrape sample threshold is exceeded and lasts for the specifiedfor
duration. - 8
- The message that is displayed when the
ApproachingEnforcedSamplesLimit
alert fires. - 9
- The threshold for the
ApproachingEnforcedSamplesLimit
alert. In this example, the alert fires when the number of ingested samples exceeds 90% of the configured limit. - 10
- The conditions for the
ApproachingEnforcedSamplesLimit
alert must be true for this duration before the alert is fired. - 11
- Defines the severity for the
ApproachingEnforcedSamplesLimit
alert.
Apply the configuration to the user-defined project:
$ oc apply -f monitoring-stack-alerts.yaml
Additionally, you can check if a target has hit the configured limit:
In the Administrator perspective of the web console, go to Observe
Targets and select an endpoint with a Down
status that you want to check.The Scrape failed: sample limit exceeded message is displayed if the endpoint failed because of an exceeded sample limit.
Additional resources
- Creating a user-defined workload monitoring config map
- Enabling monitoring for user-defined projects
- See Determining why Prometheus is consuming a lot of disk space for steps to query which metrics have the highest number of scrape samples.