This is a cache of https://docs.okd.io/4.12/observability/monitoring/configuring-the-monitoring-stack.html. It is a snapshot of the page at 2024-11-17T19:03:15.739+0000.
Configuring the monitoring stack - Monitoring | Observability | OKD 4.12
×

The OKD installation program provides only a low number of configuration options before installation. Configuring most OKD framework components, including the cluster monitoring stack, happens after the installation.

This section explains what configuration is supported, shows how to configure the monitoring stack, and demonstrates several common configuration scenarios.

Not all configuration parameters for the monitoring stack are exposed. Only the parameters and fields listed in the Config map reference for the Cluster Monitoring Operator are supported for configuration.

Prerequisites

  • The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.

Maintenance and support for monitoring

Not all configuration options for the monitoring stack are exposed. The only supported way of configuring OKD monitoring is by configuring the Cluster Monitoring Operator (CMO) using the options described in the Config map reference for the Cluster Monitoring Operator. Do not use other configurations, as they are unsupported.

Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in the Config map reference for the Cluster Monitoring Operator, your changes will disappear because the CMO automatically reconciles any differences and resets any unsupported changes back to the originally defined state by default and by design.

Installing another Prometheus instance is not supported by the Red Hat Site Reliability Engineers (SRE).

Support considerations for monitoring

Backward compatibility for metrics, recording rules, or alerting rules is not guaranteed.

The following modifications are explicitly not supported:

  • Creating additional ServiceMonitor, PodMonitor, and PrometheusRule objects in the openshift-* and kube-* projects.

  • Modifying any resources or objects deployed in the openshift-monitoring or openshift-user-workload-monitoring projects. The resources created by the OKD monitoring stack are not meant to be used by any other resources, as there are no guarantees about their backward compatibility.

    The Alertmanager configuration is deployed as the alertmanager-main secret resource in the openshift-monitoring namespace. If you have enabled a separate Alertmanager instance for user-defined alert routing, an Alertmanager configuration is also deployed as the alertmanager-user-workload secret resource in the openshift-user-workload-monitoring namespace. To configure additional routes for any instance of Alertmanager, you need to decode, modify, and then encode that secret. This procedure is a supported exception to the preceding statement.

  • Modifying resources of the stack. The OKD monitoring stack ensures its resources are always in the state it expects them to be. If they are modified, the stack will reset them.

  • Deploying user-defined workloads to openshift-*, and kube-* projects. These projects are reserved for Red Hat provided components and they should not be used for user-defined workloads.

  • Manually deploying monitoring resources into namespaces that have the openshift.io/cluster-monitoring: "true" label.

  • Adding the openshift.io/cluster-monitoring: "true" label to namespaces. This label is reserved only for the namespaces with core OKD components and Red Hat certified components.

  • Installing custom Prometheus instances on OKD. A custom instance is a Prometheus custom resource (CR) managed by the Prometheus Operator.

  • Enabling symptom based monitoring by using the Probe custom resource definition (CRD) in Prometheus Operator.

  • Installing custom Prometheus instances on OKD. A custom instance is a Prometheus custom resource (CR) managed by the Prometheus Operator.

  • Modifying the default platform monitoring components. You should not modify any of the components defined in the cluster-monitoring-config config map. Red Hat SRE uses these components to monitor the core cluster components and Kubernetes services.

Support policy for monitoring Operators

Monitoring Operators ensure that OKD monitoring resources function as designed and tested. If Cluster Version Operator (CVO) control of an Operator is overridden, the Operator does not respond to configuration changes, reconcile the intended state of cluster objects, or receive updates.

While overriding CVO control for an Operator can be helpful during debugging, this is unsupported and the cluster administrator assumes full control of the individual component configurations and upgrades.

Overriding the Cluster Version Operator

The spec.overrides parameter can be added to the configuration for the CVO to allow administrators to provide a list of overrides to the behavior of the CVO for a component. Setting the spec.overrides[].unmanaged parameter to true for a component blocks cluster upgrades and alerts the administrator after a CVO override has been set:

Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.

Setting a CVO override puts the entire cluster in an unsupported state and prevents the monitoring stack from being reconciled to its intended state. This impacts the reliability features built into Operators and prevents updates from being received. Reported issues must be reproduced after removing any overrides for support to proceed.

Support version matrix for monitoring components

The following matrix contains information about versions of monitoring components for OKD 4.10 and later releases:

Table 1. OKD and component versions
OKD Prometheus Operator Prometheus Prometheus Adapter Alertmanager kube-state-metrics agent node-exporter agent Thanos

4.12

0.60.1

2.39.1

0.10.0

0.24.0

2.6.0

1.4.0

0.28.1

4.11

0.57.0

2.36.2

0.9.1

0.24.0

2.5.0

1.3.1

0.26.0

4.10

0.53.1

2.32.1

0.9.1

0.23.0

2.3.0

1.3.1

0.23.2

The openshift-state-metrics agent and Telemeter Client are OpenShift-specific components. Therefore, their versions correspond with the versions of OKD.

Preparing to configure the monitoring stack

You can configure the monitoring stack by creating and updating monitoring config maps. These config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the monitoring stack.

Creating a cluster monitoring config map

You can configure the core OKD monitoring components by creating the cluster-monitoring-config configmap object in the openshift-monitoring project. The Cluster Monitoring Operator (CMO) then configures the core components of the monitoring stack.

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Check whether the cluster-monitoring-config configmap object exists:

    $ oc -n openshift-monitoring get configmap cluster-monitoring-config
  2. If the configmap object does not exist:

    1. Create the following YAML manifest. In this example the file is called cluster-monitoring-config.yaml:

      apiVersion: v1
      kind: configmap
      metadata:
        name: cluster-monitoring-config
        namespace: openshift-monitoring
      data:
        config.yaml: |
    2. Apply the configuration to create the configmap object:

      $ oc apply -f cluster-monitoring-config.yaml

Creating a user-defined workload monitoring config map

You can configure the user workload monitoring components with the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project. The Cluster Monitoring Operator (CMO) then configures the components that monitor user-defined projects.

  • If you enable monitoring for user-defined projects, the user-workload-monitoring-config configmap object is created by default.

  • When you save your changes to the user-workload-monitoring-config configmap object, some or all of the pods in the openshift-user-workload-monitoring project might be redeployed. It can sometimes take a while for these components to redeploy.

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Check whether the user-workload-monitoring-config configmap object exists:

    $ oc -n openshift-user-workload-monitoring get configmap user-workload-monitoring-config
  2. If the user-workload-monitoring-config configmap object does not exist:

    1. Create the following YAML manifest. In this example the file is called user-workload-monitoring-config.yaml:

      apiVersion: v1
      kind: configmap
      metadata:
        name: user-workload-monitoring-config
        namespace: openshift-user-workload-monitoring
      data:
        config.yaml: |
    2. Apply the configuration to create the configmap object:

      $ oc apply -f user-workload-monitoring-config.yaml

      Configurations applied to the user-workload-monitoring-config configmap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

Granting users permissions for core platform monitoring

As a cluster administrator, you can monitor all core OKD and user-defined projects.

You can also grant developers and other users different permissions for core platform monitoring. You can grant the permissions by assigning one of the following monitoring roles or cluster roles:

Name Description Project

cluster-monitoring-metrics-api

Users with this role have the ability to access Thanos Querier API endpoints. Additionally, it grants access to the core platform Prometheus API and user-defined Thanos Ruler API endpoints.

openshift-monitoring

cluster-monitoring-operator-alert-customization

Users with this role can manage AlertingRule and AlertRelabelConfig resources for core platform monitoring. These permissions are required for the alert customization feature.

openshift-monitoring

monitoring-alertmanager-edit

Users with this role can manage the Alertmanager API for core platform monitoring. They can also manage alert silences in the Administrator perspective of the OKD web console.

openshift-monitoring

monitoring-alertmanager-view

Users with this role can monitor the Alertmanager API for core platform monitoring. They can also view alert silences in the Administrator perspective of the OKD web console.

openshift-monitoring

cluster-monitoring-view

Users with this cluster role have the same access rights as cluster-monitoring-metrics-api role, with additional permissions, providing access to the /federate endpoint for the user-defined Prometheus.

Must be bound with ClusterRoleBinding to gain access to the /federate endpoint for the user-defined Prometheus.

Configuring the monitoring stack

In OKD 4.12, you can configure the monitoring stack using the cluster-monitoring-config or user-workload-monitoring-config configmap objects. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object.

    • To configure core OKD monitoring components:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>:
              <configuration_for_the_component>

        Substitute <component> and <configuration_for_the_component> accordingly.

        The following example configmap object configures a persistent volume claim (PVC) for Prometheus. This relates to the Prometheus instance that monitors core OKD components only:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s: (1)
              volumeClaimTemplate:
                spec:
                  storageClassName: fast
                  volumeMode: Filesystem
                  resources:
                    requests:
                      storage: 40Gi
        1 Defines the Prometheus component and the subsequent lines define its configuration.
    • To configure components that monitor user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Add your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>:
              <configuration_for_the_component>

        Substitute <component> and <configuration_for_the_component> accordingly.

        The following example configmap object configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            prometheus: (1)
              retention: 24h (2)
              resources:
                requests:
                  cpu: 200m (3)
                  memory: 2Gi (4)
        1 Defines the Prometheus component and the subsequent lines define its configuration.
        2 Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects.
        3 Defines a minimum resource request of 200 millicores for the Prometheus container.
        4 Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container.

        The Prometheus config map component is called prometheusK8s in the cluster-monitoring-config configmap object and prometheus in the user-workload-monitoring-config configmap object.

  2. Save the file to apply the changes to the configmap object.

    Different configuration changes to the configmap object result in different outcomes:

    • The pods are not redeployed. Therefore, there is no service outage.

    • The affected pods are redeployed:

      • For single-node clusters, this results in temporary service outage.

      • For multi-node clusters, because of high-availability, the affected pods are gradually rolled out and the monitoring stack remains available.

      • Configuring and resizing a persistent volume always results in a service outage, regardless of high availability.

    Each procedure that requires a change in the config map includes its expected outcome.

Additional resources

Configurable monitoring components

This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config and user-workload-monitoring-config configmap objects:

Table 2. Configurable monitoring components
Component cluster-monitoring-config config map key user-workload-monitoring-config config map key

Prometheus Operator

prometheusOperator

prometheusOperator

Prometheus

prometheusK8s

prometheus

Alertmanager

alertmanagerMain

alertmanager

kube-state-metrics

kubeStateMetrics

openshift-state-metrics

openshiftStateMetrics

Telemeter Client

telemeterClient

Prometheus Adapter

k8sPrometheusAdapter

Thanos Querier

thanosQuerier

Thanos Ruler

thanosRuler

The Prometheus key is called prometheusK8s in the cluster-monitoring-config configmap object and prometheus in the user-workload-monitoring-config configmap object.

Using node selectors to move monitoring components

By using the nodeSelector constraint with labeled nodes, you can move any of the monitoring stack components to specific nodes. By doing so, you can control the placement and distribution of the monitoring components across a cluster.

By controlling placement and distribution of monitoring components, you can optimize system resource use, improve performance, and segregate workloads based on specific requirements or policies.

How node selectors work with other constraints

If you move monitoring components by using node selector constraints, be aware that other constraints to control pod scheduling might exist for a cluster:

  • Topology spread constraints might be in place to control pod placement.

  • Hard anti-affinity rules are in place for Prometheus, Thanos Querier, Alertmanager, and other monitoring components to ensure that multiple pods for these components are always spread across different nodes and are therefore always highly available.

When scheduling pods onto nodes, the pod scheduler tries to satisfy all existing constraints when determining pod placement. That is, all constraints compound when the pod scheduler determines which pods will be placed on which nodes.

Therefore, if you configure a node selector constraint but existing constraints cannot all be satisfied, the pod scheduler cannot match all constraints and will not schedule a pod for placement onto a node.

To maintain resilience and high availability for monitoring components, ensure that enough nodes are available and match all constraints when you configure a node selector constraint to move a component.

Moving monitoring components to different nodes

To specify the nodes in your cluster on which monitoring stack components will run, configure the nodeSelector constraint in the component’s configmap object to match labels assigned to the nodes.

You cannot add a node selector constraint directly to an existing scheduled pod.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. If you have not done so yet, add a label to the nodes on which you want to run the monitoring components:

    $ oc label nodes <node-name> <node-label>
  2. Edit the configmap object:

    • To move a component that monitors core OKD projects:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Specify the node labels for the nodeSelector constraint for the component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>: (1)
              nodeSelector:
                <node-label-1> (2)
                <node-label-2> (3)
                <...>
        1 Substitute <component> with the appropriate monitoring stack component name.
        2 Substitute <node-label-1> with the label you added to the node.
        3 Optional: Specify additional labels. If you specify additional labels, the pods for the component are only scheduled on the nodes that contain all of the specified labels.

        If monitoring components remain in a Pending state after configuring the nodeSelector constraint, check the pod events for errors relating to taints and tolerations.

    • To move a component that monitors user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Specify the node labels for the nodeSelector constraint for the component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>: (1)
              nodeSelector:
                <node-label-1> (2)
                <node-label-2> (3)
                <...>
        1 Substitute <component> with the appropriate monitoring stack component name.
        2 Substitute <node-label-1> with the label you added to the node.
        3 Optional: Specify additional labels. If you specify additional labels, the pods for the component are only scheduled on the nodes that contain all of the specified labels.

        If monitoring components remain in a Pending state after configuring the nodeSelector constraint, check the pod events for errors relating to taints and tolerations.

  3. Save the file to apply the changes. The components specified in the new configuration are automatically moved to the new nodes, and the pods affected by the new configuration are redeployed.

Additional resources

Assigning tolerations to monitoring components

You can assign tolerations to any of the monitoring stack components to enable moving them to tainted nodes.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object:

    • To assign tolerations to a component that monitors core OKD projects:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Specify tolerations for the component:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>:
              tolerations:
                <toleration_specification>

        Substitute <component> and <toleration_specification> accordingly.

        For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the alertmanagerMain component to tolerate the example taint:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            alertmanagerMain:
              tolerations:
              - key: "key1"
                operator: "Equal"
                value: "value1"
                effect: "NoSchedule"
    • To assign tolerations to a component that monitors user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Specify tolerations for the component:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>:
              tolerations:
                <toleration_specification>

        Substitute <component> and <toleration_specification> accordingly.

        For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the thanosRuler component to tolerate the example taint:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            thanosRuler:
              tolerations:
              - key: "key1"
                operator: "Equal"
                value: "value1"
                effect: "NoSchedule"
  2. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Additional resources

Setting the body size limit for metrics scraping

By default, no limit exists for the uncompressed body size for data returned from scraped metrics targets. You can set a body size limit to help avoid situations in which Prometheus consumes excessive amounts of memory when scraped targets return a response that contains a large amount of data. In addition, by setting a body size limit, you can reduce the impact that a malicious target might have on Prometheus and on the cluster as a whole.

After you set a value for enforcedBodySizeLimit, the alert PrometheusScrapeBodySizeLimitHit fires when at least one Prometheus scrape target replies with a response body larger than the configured value.

If metrics data scraped from a target has an uncompressed body size exceeding the configured size limit, the scrape fails. Prometheus then considers this target to be down and sets its up metric value to 0, which can trigger the TargetDown alert.

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring namespace:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add a value for enforcedBodySizeLimit to data/config.yaml/prometheusK8s to limit the body size that can be accepted per target scrape:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |-
        prometheusK8s:
          enforcedBodySizeLimit: 40MB (1)
    1 Specify the maximum body size for scraped metrics targets. This enforcedBodySizeLimit example limits the uncompressed size per target scrape to 40 megabytes. Valid numeric values use the Prometheus data size format: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), and EB (exabytes). The default value is 0, which specifies no limit. You can also set the value to automatic to calculate the limit automatically based on cluster capacity.
  3. Save the file to apply the changes. The new configuration is applied automatically.

Configuring a dedicated service monitor

You can configure OKD core platform monitoring to use dedicated service monitors to collect metrics for the resource metrics pipeline.

When enabled, a dedicated service monitor exposes two additional metrics from the kubelet endpoint and sets the value of the honorTimestamps field to true.

By enabling a dedicated service monitor, you can improve the consistency of Prometheus Adapter-based CPU usage measurements used by, for example, the oc adm top pod command or the Horizontal Pod Autoscaler.

Enabling a dedicated service monitor

You can configure core platform monitoring to use a dedicated service monitor by configuring the dedicatedServiceMonitors key in the cluster-monitoring-config configmap object in the openshift-monitoring namespace.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config configmap object.

Procedure
  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring namespace:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add an enabled: true key-value pair as shown in the following sample:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        k8sPrometheusAdapter:
          dedicatedServiceMonitors:
            enabled: true (1)
    1 Set the value of the enabled field to true to deploy a dedicated service monitor that exposes the kubelet /metrics/resource endpoint.
  3. Save the file to apply the changes automatically.

    When you save changes to a cluster-monitoring-config config map, the pods and other resources in the openshift-monitoring project might be redeployed. The running monitoring processes in that project might also restart.

Configuring persistent storage

Run cluster monitoring with persistent storage to gain the following benefits:

  • Protect your metrics and alerting data from data loss by storing them in a persistent volume (PV). As a result, they can survive pods being restarted or recreated.

  • Avoid getting duplicate notifications and losing silences for alerts when the Alertmanager pods are restarted.

For production environments, it is highly recommended to configure persistent storage.

In multi-node clusters, you must configure persistent storage for Prometheus, Alertmanager, and Thanos Ruler to ensure high availability.

Persistent storage prerequisites

  • Dedicate sufficient persistent storage to ensure that the disk does not become full.

  • Use Filesystem as the storage type value for the volumeMode parameter when you configure the persistent volume.

    • Do not use a raw block volume, which is described with volumeMode: Block in the PersistentVolume resource. Prometheus cannot use raw block volumes.

    • Prometheus does not support file systems that are not POSIX compliant. For example, some NFS file system implementations are not POSIX compliant. If you want to use an NFS file system for storage, verify with the vendor that their NFS implementation is fully POSIX compliant.

Configuring a persistent volume claim

To use a persistent volume (PV) for monitoring components, you must configure a persistent volume claim (PVC).

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object:

    • To configure a PVC for a component that monitors core OKD projects:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add your PVC configuration for the component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>: (1)
              volumeClaimTemplate:
                spec:
                  storageClassName: <storage_class> (2)
                  resources:
                    requests:
                      storage: <amount_of_storage> (3)
        1 Specify the core monitoring component for which you want to configure the PVC.
        2 Specify an existing storage class. If a storage class is not specified, the default storage class is used.
        3 Specify the amount of required storage.

        See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.

        The following example configures a PVC that claims persistent storage for the Prometheus instance that monitors core OKD components:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              volumeClaimTemplate:
                spec:
                  storageClassName: my-storage-class
                  resources:
                    requests:
                      storage: 40Gi
    • To configure a PVC for a component that monitors user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Add your PVC configuration for the component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>: (1)
              volumeClaimTemplate:
                spec:
                  storageClassName: <storage_class> (2)
                  resources:
                    requests:
                      storage: <amount_of_storage> (3)
        1 Specify the component for user-defined monitoring for which you want to configure the PVC.
        2 Specify an existing storage class. If a storage class is not specified, the default storage class is used.
        3 Specify the amount of required storage.

        See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.

        The following example configures a PVC that claims persistent storage for Thanos Ruler:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            thanosRuler:
              volumeClaimTemplate:
                spec:
                  storageClassName: my-storage-class
                  resources:
                    requests:
                      storage: 10Gi

        Storage requirements for the thanosRuler component depend on the number of rules that are evaluated and how many samples each rule generates.

  2. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed and the new storage configuration is applied.

    When you update the config map with a PVC configuration, the affected StatefulSet object is recreated, resulting in a temporary service outage.

Resizing a persistent volume

You can resize a persistent volume (PV) for monitoring components, such as Prometheus, Thanos Ruler, or Alertmanager. You need to manually expand a persistent volume claim (PVC), and then update the config map in which the component is configured.

You can only expand the size of the PVC. Shrinking the storage size is not possible.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

    • You have configured at least one PVC for core OKD monitoring components.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

    • You have configured at least one PVC for components that monitor user-defined projects.

Procedure
  1. Manually expand a PVC with the updated storage request. For more information, see "Expanding persistent volume claims (PVCs) with a file system" in Expanding persistent volumes.

  2. Edit the configmap object:

    • If you are configuring core OKD monitoring components:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add a new storage size for the PVC configuration for the component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>: (1)
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: <amount_of_storage> (2)
        1 The component for which you want to change the storage size.
        2 Specify the new size for the storage volume. It must be greater than the previous value.

        The following example sets the new PVC request to 100 gigabytes for the Prometheus instance that monitors core OKD components:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 100Gi
    • If you are configuring components that monitor user-defined projects:

      You can resize the volumes for the Thanos Ruler and for instances of Alertmanager and Prometheus that monitor user-defined projects.

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Update the PVC configuration for the monitoring component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>: (1)
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: <amount_of_storage> (2)
        1 The component for which you want to change the storage size.
        2 Specify the new size for the storage volume. It must be greater than the previous value.

        The following example sets the new PVC request to 20 gigabytes for Thanos Ruler:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            thanosRuler:
              volumeClaimTemplate:
                spec:
                  resources:
                    requests:
                      storage: 20Gi

        Storage requirements for the thanosRuler component depend on the number of rules that are evaluated and how many samples each rule generates.

  3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

    When you update the config map with a new storage size, the affected StatefulSet object is recreated, resulting in a temporary service outage.

Modifying the retention time and size for Prometheus metrics data

By default, Prometheus retains metrics data for the following durations:

  • Core platform monitoring: 15 days

  • Monitoring for user-defined projects: 24 hours

You can modify the retention time to change how soon data is deleted by specifying a time value in the retention field. You can also configure the maximum amount of disk space the retained metrics data uses by specifying a size value in the retentionSize field. If the data reaches this size limit, Prometheus deletes the oldest data first until the disk space used is again below the limit.

Note the following behaviors of these data retention settings:

  • The size-based retention policy applies to all data block directories in the /prometheus directory, including persistent blocks, write-ahead log (WAL) data, and m-mapped chunks.

  • Data in the /wal and /head_chunks directories counts toward the retention size limit, but Prometheus never purges data from these directories based on size- or time-based retention policies. Thus, if you set a retention size limit lower than the maximum size set for the /wal and /head_chunks directories, you have configured the system not to retain any data blocks in the /prometheus data directories.

  • The size-based retention policy is applied only when Prometheus cuts a new data block, which occurs every two hours after the WAL contains at least three hours of data.

  • If you do not explicitly define values for either retention or retentionSize, retention time defaults to 15 days for core platform monitoring and 24 hours for user-defined project monitoring. Retention size is not set.

  • If you define values for both retention and retentionSize, both values apply. If any data blocks exceed the defined retention time or the defined size limit, Prometheus purges these data blocks.

  • If you define a value for retentionSize and do not define retention, only the retentionSize value applies.

  • If you do not define a value for retentionSize and only define a value for retention, only the retention value applies.

  • If you set the retentionSize or retention value to 0, the default settings apply. The default settings set retention time to 15 days for core platform monitoring and 24 hours for user-defined project monitoring. By default, retention size is not set.

Data compaction occurs every two hours. Therefore, a persistent volume (PV) might fill up before compaction, potentially exceeding the retentionSize limit. In such cases, the KubePersistentVolumeFillingUp alert fires until the space on a PV is lower than the retentionSize limit.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object:

    • To modify the retention time and size for the Prometheus instance that monitors core OKD projects:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add the retention time and size configuration under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              retention: <time_specification> (1)
              retentionSize: <size_specification> (2)
        1 The retention time: a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years). You can also combine time values for specific times, such as 1h30m15s.
        2 The retention size: a number directly followed by B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), and EB (exabytes).

        The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors core OKD components:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              retention: 24h
              retentionSize: 10GB
    • To modify the retention time and size for the Prometheus instance that monitors user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Add the retention time and size configuration under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            prometheus:
              retention: <time_specification> (1)
              retentionSize: <size_specification> (2)
        1 The retention time: a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years). You can also combine time values for specific times, such as 1h30m15s.
        2 The retention size: a number directly followed by B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), or EB (exabytes).

        The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors user-defined projects:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            prometheus:
              retention: 24h
              retentionSize: 10GB
  2. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Modifying the retention time for Thanos Ruler metrics data

By default, for user-defined projects, Thanos Ruler automatically retains metrics data for 24 hours. You can modify the retention time to change how long this data is retained by specifying a time value in the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • A cluster administrator has enabled monitoring for user-defined projects.

  • You have access to the cluster as a user with the cluster-admin cluster role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

Procedure
  1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

    $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
  2. Add the retention time configuration under data/config.yaml:

    apiVersion: v1
    kind: configmap
    metadata:
      name: user-workload-monitoring-config
      namespace: openshift-user-workload-monitoring
    data:
      config.yaml: |
        thanosRuler:
          retention: <time_specification> (1)
    1 Specify the retention time in the following format: a number directly followed by ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), or y (years). You can also combine time values for specific times, such as 1h30m15s. The default is 24h.

    The following example sets the retention time to 10 days for Thanos Ruler data:

    apiVersion: v1
    kind: configmap
    metadata:
      name: user-workload-monitoring-config
      namespace: openshift-user-workload-monitoring
    data:
      config.yaml: |
        thanosRuler:
          retention: 10d
  3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Configuring remote write storage

You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

  • You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.

    Red Hat only provides information for configuring remote write senders and does not offer guidance on configuring receiver endpoints. Customers are responsible for setting up their own endpoints that are remote-write compatible. Issues with endpoint receiver configurations are not included in Red Hat production support.

  • You have set up authentication credentials in a Secret object for the remote write endpoint. You must create the secret in the same namespace as the Prometheus object for which you configure remote write: the openshift-monitoring namespace for default platform monitoring or the openshift-user-workload-monitoring namespace for user workload monitoring.

    To reduce security risks, use HTTPS and authentication to send metrics to an endpoint.

Procedure

Follow these steps to configure remote write for default platform monitoring in the cluster-monitoring-config config map in the openshift-monitoring namespace.

If you configure remote write for the Prometheus instance that monitors user-defined projects, make similar edits to the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace. Note that the Prometheus config map component is called prometheus in the user-workload-monitoring-config configmap object and not prometheusK8s, as it is in the cluster-monitoring-config configmap object.

  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add a remoteWrite: section under data/config.yaml/prometheusK8s.

  3. Add an endpoint URL and authentication credentials in this section:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          remoteWrite:
          - url: "https://remote-write-endpoint.example.com" (1)
            <endpoint_authentication_credentials> (2)
    1 The URL of the remote write endpoint.
    2 The authentication method and credentials for the endpoint. Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP in an Authorization request header, Basic authentication, OAuth 2.0, and TLS client. See Supported remote write authentication settings for sample configurations of supported authentication methods.
  4. Add write relabel configuration values after the authentication credentials:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          remoteWrite:
          - url: "https://remote-write-endpoint.example.com"
            <endpoint_authentication_credentials>
            <your_write_relabel_configs> (1)
    1 The write relabel configuration settings.

    For <your_write_relabel_configs> substitute a list of write relabel configurations for metrics that you want to send to the remote endpoint.

    The following sample shows how to forward a single metric called my_metric:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          remoteWrite:
          - url: "https://remote-write-endpoint.example.com"
            writeRelabelConfigs:
            - sourceLabels: [__name__]
              regex: 'my_metric'
              action: keep

    See the Prometheus relabel_config documentation for information about write relabel configuration options.

  5. Save the file to apply the changes. The new configuration is applied automatically.

Supported remote write authentication settings

You can use different methods to authenticate with a remote write endpoint. Currently supported authentication methods are AWS Signature Version 4, Basic authentication, authentication using HTTP in an Authorization request header, OAuth 2.0, and TLS client. The following table provides details about supported authentication methods for use with remote write.

Authentication method Config map field Description

AWS Signature Version 4

sigv4

This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or Basic authentication.

Basic authentication

basicAuth

Basic authentication sets the authorization header on every remote write request with the configured username and password.

authorization

authorization

Authorization sets the Authorization header on every remote write request using the configured token.

OAuth 2.0

oauth2

An OAuth 2.0 configuration uses the client credentials grant type. Prometheus fetches an access token from tokenUrl with the specified client ID and client secret to access the remote write endpoint. You cannot use this method simultaneously with authorization, AWS Signature Version 4, or Basic authentication.

TLS client

tlsConfig

A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file.

Config map location for authentication settings

The following shows the location of the authentication configuration in the configmap object for default platform monitoring.

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com" (1)
        <endpoint_authentication_details> (2)
1 The URL of the remote write endpoint.
2 The required configuration details for the authentication method for the endpoint. Currently supported authentication methods are Amazon Web Services (AWS) Signature Version 4, authentication using HTTP in an Authorization request header, Basic authentication, OAuth 2.0, and TLS client.

If you configure remote write for the Prometheus instance that monitors user-defined projects, edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace. Note that the Prometheus config map component is called prometheus in the user-workload-monitoring-config configmap object and not prometheusK8s, as it is in the cluster-monitoring-config configmap object.

Example remote write authentication settings

The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding Secret object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with default platform monitoring in the openshift-monitoring namespace.

Sample YAML for AWS Signature Version 4 authentication

The following shows the settings for a sigv4 secret named sigv4-credentials in the openshift-monitoring namespace.

apiVersion: v1
kind: Secret
metadata:
  name: sigv4-credentials
  namespace: openshift-monitoring
stringData:
  accessKey: <AWS_access_key> (1)
  secretKey: <AWS_secret_key> (2)
type: Opaque
1 The AWS API access key.
2 The AWS API secret key.

The following shows sample AWS Signature Version 4 remote write authentication settings that use a Secret object named sigv4-credentials in the openshift-monitoring namespace:

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        sigv4:
          region: <AWS_region> (1)
          accessKey:
            name: sigv4-credentials (2)
            key: accessKey (3)
          secretKey:
            name: sigv4-credentials (2)
            key: secretKey (4)
          profile: <AWS_profile_name> (5)
          roleArn: <AWS_role_arn> (6)
1 The AWS region.
2 The name of the Secret object containing the AWS API access credentials.
3 The key that contains the AWS API access key in the specified Secret object.
4 The key that contains the AWS API secret key in the specified Secret object.
5 The name of the AWS profile that is being used to authenticate.
6 The unique identifier for the Amazon Resource Name (ARN) assigned to your role.
Sample YAML for Basic authentication

The following shows sample Basic authentication settings for a Secret object named rw-basic-auth in the openshift-monitoring namespace:

apiVersion: v1
kind: Secret
metadata:
  name: rw-basic-auth
  namespace: openshift-monitoring
stringData:
  user: <basic_username> (1)
  password: <basic_password> (2)
type: Opaque
1 The username.
2 The password.

The following sample shows a basicAuth remote write configuration that uses a Secret object named rw-basic-auth in the openshift-monitoring namespace. It assumes that you have already set up authentication credentials for the endpoint.

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://basicauth.example.com/api/write"
        basicAuth:
          username:
            name: rw-basic-auth (1)
            key: user (2)
          password:
            name: rw-basic-auth (1)
            key: password (3)
1 The name of the Secret object that contains the authentication credentials.
2 The key that contains the username in the specified Secret object.
3 The key that contains the password in the specified Secret object.
Sample YAML for authentication with a bearer token using a Secret Object

The following shows bearer token settings for a Secret object named rw-bearer-auth in the openshift-monitoring namespace:

apiVersion: v1
kind: Secret
metadata:
  name: rw-bearer-auth
  namespace: openshift-monitoring
stringData:
  token: <authentication_token> (1)
type: Opaque
1 The authentication token.

The following shows sample bearer token config map settings that use a Secret object named rw-bearer-auth in the openshift-monitoring namespace:

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
    prometheusK8s:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        authorization:
          type: Bearer (1)
          credentials:
            name: rw-bearer-auth (2)
            key: token (3)
1 The authentication type of the request. The default value is Bearer.
2 The name of the Secret object that contains the authentication credentials.
3 The key that contains the authentication token in the specified Secret object.
Sample YAML for OAuth 2.0 authentication

The following shows sample OAuth 2.0 settings for a Secret object named oauth2-credentials in the openshift-monitoring namespace:

apiVersion: v1
kind: Secret
metadata:
  name: oauth2-credentials
  namespace: openshift-monitoring
stringData:
  id: <oauth2_id> (1)
  secret: <oauth2_secret> (2)
type: Opaque
1 The Oauth 2.0 ID.
2 The OAuth 2.0 secret.

The following shows an oauth2 remote write authentication sample configuration that uses a Secret object named oauth2-credentials in the openshift-monitoring namespace:

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://test.example.com/api/write"
        oauth2:
          clientId:
            secret:
              name: oauth2-credentials (1)
              key: id (2)
          clientSecret:
            name: oauth2-credentials (1)
            key: secret (2)
          tokenUrl: https://example.com/oauth2/token (3)
          scopes: (4)
          - <scope_1>
          - <scope_2>
          endpointParams: (5)
            param1: <parameter_1>
            param2: <parameter_2>
1 The name of the corresponding Secret object. Note that ClientId can alternatively refer to a configmap object, although clientSecret must refer to a Secret object.
2 The key that contains the OAuth 2.0 credentials in the specified Secret object.
3 The URL used to fetch a token with the specified clientId and clientSecret.
4 The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access.
5 The OAuth 2.0 authorization request parameters required for the authorization server.
Sample YAML for TLS client authentication

The following shows sample TLS client settings for a tls Secret object named mtls-bundle in the openshift-monitoring namespace.

apiVersion: v1
kind: Secret
metadata:
  name: mtls-bundle
  namespace: openshift-monitoring
data:
  ca.crt: <ca_cert> (1)
  client.crt: <client_cert> (2)
  client.key: <client_key> (3)
type: tls
1 The CA certificate in the Prometheus container with which to validate the server certificate.
2 The client certificate for authentication with the server.
3 The client key.

The following sample shows a tlsConfig remote write authentication configuration that uses a TLS Secret object named mtls-bundle.

apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        tlsConfig:
          ca:
            secret:
              name: mtls-bundle (1)
              key: ca.crt (2)
          cert:
            secret:
              name: mtls-bundle (1)
              key: client.crt (3)
          keySecret:
            name: mtls-bundle (1)
            key: client.key (4)
1 The name of the corresponding Secret object that contains the TLS authentication credentials. Note that ca and cert can alternatively refer to a configmap object, though keySecret must refer to a Secret object.
2 The key in the specified Secret object that contains the CA certificate for the endpoint.
3 The key in the specified Secret object that contains the client certificate for the endpoint.
4 The key in the specified Secret object that contains the client key secret.

Example remote write queue configuration

You can use the queueConfig object for remote write to tune the remote write queue parameters. The following example shows the queue parameters with their default values for default platform monitoring in the openshift-monitoring namespace.

Example configuration of remote write parameters with default values
apiVersion: v1
kind: configmap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        <endpoint_authentication_credentials>
        queueConfig:
          capacity: 10000 (1)
          minShards: 1 (2)
          maxShards: 50 (3)
          maxSamplesPerSend: 2000 (4)
          batchSendDeadline: 5s (5)
          minBackoff: 30ms (6)
          maxBackoff: 5s (7)
          retryOnRateLimit: false (8)
          sampleAgeLimit: 0s (9)
1 The number of samples to buffer per shard before they are dropped from the queue.
2 The minimum number of shards.
3 The maximum number of shards.
4 The maximum number of samples per send.
5 The maximum time for a sample to wait in buffer.
6 The initial time to wait before retrying a failed request. The time gets doubled for every retry up to the maxbackoff time.
7 The maximum time to wait before retrying a failed request.
8 Set this parameter to true to retry a request after receiving a 429 status code from the remote write storage.
9 The samples that are older than the sampleAgeLimit limit are dropped from the queue. If the value is undefined or set to 0s, the parameter is ignored.

Adding cluster ID labels to metrics

If you manage multiple OKD clusters and use the remote write feature to send metrics data from these clusters to an external storage location, you can add cluster ID labels to identify the metrics data coming from different clusters. You can then query these labels to identify the source cluster for a metric and distinguish that data from similar metrics data sent by other clusters.

This way, if you manage many clusters for multiple customers and send metrics data to a single centralized storage system, you can use cluster ID labels to query metrics for a particular cluster or customer.

Creating and using cluster ID labels involves three general steps:

  • Configuring the write relabel settings for remote write storage.

  • Adding cluster ID labels to the metrics.

  • Querying these labels to identify the source cluster or customer for a metric.

Creating cluster ID labels for metrics

You can create cluster ID labels for metrics for default platform monitoring and for user workload monitoring.

For default platform monitoring, you add cluster ID labels for metrics in the write_relabel settings for remote write storage in the cluster-monitoring-config config map in the openshift-monitoring namespace.

For user workload monitoring, you edit the settings in the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace.

When Prometheus scrapes user workload targets that expose a namespace label, the system stores this label as exported_namespace. This behavior ensures that the final namespace label value is equal to the namespace of the target pod. You cannot override this default configuration by setting the value of the honorLabels field to true for PodMonitor or ServiceMonitor objects.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have configured remote write storage.

  • If you are configuring default platform monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

Procedure
  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config

    If you configure cluster ID labels for metrics for the Prometheus instance that monitors user-defined projects, edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace. Note that the Prometheus component is called prometheus in this config map and not prometheusK8s, which is the name used in the cluster-monitoring-config config map.

  2. In the writeRelabelConfigs: section under data/config.yaml/prometheusK8s/remoteWrite, add cluster ID relabel configuration values:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          remoteWrite:
          - url: "https://remote-write-endpoint.example.com"
            <endpoint_authentication_credentials>
            writeRelabelConfigs: (1)
              - <relabel_config> (2)
    1 Add a list of write relabel configurations for metrics that you want to send to the remote endpoint.
    2 Substitute the label configuration for the metrics sent to the remote write endpoint.

    The following sample shows how to forward a metric with the cluster ID label cluster_id in default platform monitoring:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          remoteWrite:
          - url: "https://remote-write-endpoint.example.com"
            writeRelabelConfigs:
            - sourceLabels:
              - __tmp_openshift_cluster_id__ (1)
              targetLabel: cluster_id (2)
              action: replace (3)
    1 The system initially applies a temporary cluster ID source label named __tmp_openshift_cluster_id__. This temporary label gets replaced by the cluster ID label name that you specify.
    2 Specify the name of the cluster ID label for metrics sent to remote write storage. If you use a label name that already exists for a metric, that value is overwritten with the name of this cluster ID label. For the label name, do not use __tmp_openshift_cluster_id__. The final relabeling step removes labels that use this name.
    3 The replace write relabel action replaces the temporary label with the target label for outgoing metrics. This action is the default and is applied if no action is specified.
  3. Save the file to apply the changes. The new configuration is applied automatically.

Controlling the impact of unbound metrics attributes in user-defined projects

Developers can create labels to define attributes for metrics in the form of key-value pairs. The number of potential key-value pairs corresponds to the number of possible values for an attribute. An attribute that has an unlimited number of potential values is called an unbound attribute. For example, a customer_id attribute is unbound because it has an infinite number of possible values.

Every assigned key-value pair has a unique time series. Using many unbound attributes in labels can create exponentially more time series, which can impact Prometheus performance and available disk space.

Cluster administrators can use the following measures to control the impact of unbound metrics attributes in user-defined projects:

  • Limit the number of samples that can be accepted per target scrape in user-defined projects

  • Limit the number of scraped labels, the length of label names, and the length of label values.

  • Create alerts that fire when a scrape sample threshold is reached or when the target cannot be scraped

To prevent issues caused by adding many unbound attributes, limit the number of scrape samples, label names, and unbound attributes you define for metrics. Also reduce the number of potential key-value pair combinations by using attributes that are bound to a limited set of possible values.

Setting scrape sample and label limits for user-defined projects

You can limit the number of samples that can be accepted per target scrape in user-defined projects. You can also limit the number of scraped labels, the length of label names, and the length of label values.

If you set sample or label limits, no further sample data is ingested for that target scrape after the limit is reached.

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

  • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

    $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
  2. Add the enforcedSampleLimit configuration to data/config.yaml to limit the number of samples that can be accepted per target scrape in user-defined projects:

    apiVersion: v1
    kind: configmap
    metadata:
      name: user-workload-monitoring-config
      namespace: openshift-user-workload-monitoring
    data:
      config.yaml: |
        prometheus:
          enforcedSampleLimit: 50000 (1)
    1 A value is required if this parameter is specified. This enforcedSampleLimit example limits the number of samples that can be accepted per target scrape in user-defined projects to 50,000.
  3. Add the enforcedLabelLimit, enforcedLabelNameLengthLimit, and enforcedLabelValueLengthLimit configurations to data/config.yaml to limit the number of scraped labels, the length of label names, and the length of label values in user-defined projects:

    apiVersion: v1
    kind: configmap
    metadata:
      name: user-workload-monitoring-config
      namespace: openshift-user-workload-monitoring
    data:
      config.yaml: |
        prometheus:
          enforcedLabelLimit: 500 (1)
          enforcedLabelNameLengthLimit: 50 (2)
          enforcedLabelValueLengthLimit: 600 (3)
    1 Specifies the maximum number of labels per scrape. The default value is 0, which specifies no limit.
    2 Specifies the maximum length in characters of a label name. The default value is 0, which specifies no limit.
    3 Specifies the maximum length in characters of a label value. The default value is 0, which specifies no limit.
  4. Save the file to apply the changes. The limits are applied automatically.

Creating scrape sample alerts

You can create alerts that notify you when:

  • The target cannot be scraped or is not available for the specified for duration

  • A scrape sample threshold is reached or is exceeded for the specified for duration

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

  • A cluster administrator has enabled monitoring for user-defined projects.

  • You have limited the number of samples that can be accepted per target scrape in user-defined projects, by using enforcedSampleLimit.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Create a YAML file with alerts that inform you when the targets are down and when the enforced sample limit is approaching. The file in this example is called monitoring-stack-alerts.yaml:

    apiVersion: monitoring.coreos.com/v1
    kind: PrometheusRule
    metadata:
      labels:
        prometheus: k8s
        role: alert-rules
      name: monitoring-stack-alerts (1)
      namespace: ns1 (2)
    spec:
      groups:
      - name: general.rules
        rules:
        - alert: TargetDown (3)
          annotations:
            message: '{{ printf "%.4g" $value }}% of the {{ $labels.job }}/{{ $labels.service
              }} targets in {{ $labels.namespace }} namespace are down.' (4)
          expr: 100 * (count(up == 0) BY (job, namespace, service) / count(up) BY (job,
            namespace, service)) > 10
          for: 10m (5)
          labels:
            severity: warning (6)
        - alert: ApproachingEnforcedSamplesLimit (7)
          annotations:
            message: '{{ $labels.container }} container of the {{ $labels.pod }} pod in the {{ $labels.namespace }} namespace consumes {{ $value | humanizePercentage }} of the samples limit budget.' (8)
          expr: scrape_samples_scraped/50000 > 0.8 (9)
          for: 10m (10)
          labels:
            severity: warning (11)
    1 Defines the name of the alerting rule.
    2 Specifies the user-defined project where the alerting rule will be deployed.
    3 The TargetDown alert will fire if the target cannot be scraped or is not available for the for duration.
    4 The message that will be output when the TargetDown alert fires.
    5 The conditions for the TargetDown alert must be true for this duration before the alert is fired.
    6 Defines the severity for the TargetDown alert.
    7 The ApproachingEnforcedSamplesLimit alert will fire when the defined scrape sample threshold is reached or exceeded for the specified for duration.
    8 The message that will be output when the ApproachingEnforcedSamplesLimit alert fires.
    9 The threshold for the ApproachingEnforcedSamplesLimit alert. In this example the alert will fire when the number of samples per target scrape has exceeded 80% of the enforced sample limit of 50000. The for duration must also have passed before the alert will fire. The <number> in the expression scrape_samples_scraped/<number> > <threshold> must match the enforcedSampleLimit value defined in the user-workload-monitoring-config configmap object.
    10 The conditions for the ApproachingEnforcedSamplesLimit alert must be true for this duration before the alert is fired.
    11 Defines the severity for the ApproachingEnforcedSamplesLimit alert.
  2. Apply the configuration to the user-defined project:

    $ oc apply -f monitoring-stack-alerts.yaml

Configuring external alertmanager instances

The OKD monitoring stack includes a local Alertmanager instance that routes alerts from Prometheus. You can add external Alertmanager instances by configuring the cluster-monitoring-config config map in either the openshift-monitoring project or the user-workload-monitoring-config project.

If you add the same external Alertmanager configuration for multiple clusters and disable the local instance for each cluster, you can then manage alert routing for multiple clusters by using a single external Alertmanager instance.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • If you are configuring core OKD monitoring components in the openshift-monitoring project:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config config map.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

Procedure
  1. Edit the configmap object.

    • To configure additional Alertmanagers for routing alerts from core OKD projects:

      1. Edit the cluster-monitoring-config config map in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add an additionalAlertmanagerConfigs: section under data/config.yaml/prometheusK8s.

      3. Add the configuration details for additional Alertmanagers in this section:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              additionalAlertmanagerConfigs:
              - <alertmanager_specification>

        For <alertmanager_specification>, substitute authentication and other configuration details for additional Alertmanager instances. Currently supported authentication methods are bearer token (bearerToken) and client TLS (tlsConfig). The following sample config map configures an additional Alertmanager using a bearer token with client TLS authentication:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              additionalAlertmanagerConfigs:
              - scheme: https
                pathPrefix: /
                timeout: "30s"
                apiVersion: v1
                bearerToken:
                  name: alertmanager-bearer-token
                  key: token
                tlsConfig:
                  key:
                    name: alertmanager-tls
                    key: tls.key
                  cert:
                    name: alertmanager-tls
                    key: tls.crt
                  ca:
                    name: alertmanager-tls
                    key: tls.ca
                staticConfigs:
                - external-alertmanager1-remote.com
                - external-alertmanager1-remote2.com
    • To configure additional Alertmanager instances for routing alerts from user-defined projects:

      1. Edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Add a <component>/additionalAlertmanagerConfigs: section under data/config.yaml/.

      3. Add the configuration details for additional Alertmanagers in this section:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>:
              additionalAlertmanagerConfigs:
              - <alertmanager_specification>

        For <component>, substitute one of two supported external Alertmanager components: prometheus or thanosRuler.

        For <alertmanager_specification>, substitute authentication and other configuration details for additional Alertmanager instances. Currently supported authentication methods are bearer token (bearerToken) and client TLS (tlsConfig). The following sample config map configures an additional Alertmanager using Thanos Ruler with a bearer token and client TLS authentication:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
           thanosRuler:
             additionalAlertmanagerConfigs:
            - scheme: https
              pathPrefix: /
              timeout: "30s"
              apiVersion: v1
              bearerToken:
                name: alertmanager-bearer-token
                key: token
              tlsConfig:
                key:
                  name: alertmanager-tls
                  key: tls.key
                cert:
                  name: alertmanager-tls
                  key: tls.crt
                ca:
                  name: alertmanager-tls
                  key: tls.ca
              staticConfigs:
              - external-alertmanager1-remote.com
              - external-alertmanager1-remote2.com
  2. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Attaching additional labels to your time series and alerts

You can attach custom labels to all time series and alerts leaving Prometheus by using the external labels feature of Prometheus.

Prerequisites
  • If you are configuring core OKD monitoring components:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are configuring components that monitor user-defined projects:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object:

    • To attach custom labels to all time series and alerts leaving the Prometheus instance that monitors core OKD projects:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Define a map of labels you want to add for every metric under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              externalLabels:
                <key>: <value> (1)
        1 Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value.
        • Do not use prometheus or prometheus_replica as key names, because they are reserved and will be overwritten.

        • Do not use cluster or managed_cluster as key names. Using them can cause issues where you are unable to see data in the developer dashboards.

        For example, to add metadata about the region and environment to all time series and alerts, use the following example:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            prometheusK8s:
              externalLabels:
                region: eu
                environment: prod
      3. Save the file to apply the changes. The new configuration is applied automatically.

    • To attach custom labels to all time series and alerts leaving the Prometheus instance that monitors user-defined projects:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Define a map of labels you want to add for every metric under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            prometheus:
              externalLabels:
                <key>: <value> (1)
        1 Substitute <key>: <value> with a map of key-value pairs where <key> is a unique name for the new label and <value> is its value.
        • Do not use prometheus or prometheus_replica as key names, because they are reserved and will be overwritten.

        • Do not use cluster or managed_cluster as key names. Using them can cause issues where you are unable to see data in the developer dashboards.

        In the openshift-user-workload-monitoring project, Prometheus handles metrics and Thanos Ruler handles alerting and recording rules. Setting externalLabels for prometheus in the user-workload-monitoring-config configmap object will only configure external labels for metrics and not for any rules.

        For example, to add metadata about the region and environment to all time series and alerts related to user-defined projects, use the following example:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            prometheus:
              externalLabels:
                region: eu
                environment: prod
      3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Additional resources

Configuring pod topology spread constraints for monitoring

You can use pod topology spread constraints to control how Prometheus, Thanos Ruler, and Alertmanager pods are spread across a network topology when OKD pods are deployed in multiple availability zones.

Pod topology spread constraints are suitable for controlling pod scheduling within hierarchical topologies in which nodes are spread across different infrastructure levels, such as regions and zones within those regions. Additionally, by being able to schedule pods in different zones, you can improve network latency in certain scenarios.

Setting up pod topology spread constraints for Prometheus

For core OKD platform monitoring, you can set up pod topology spread constraints for Prometheus to fine tune how pod replicas are scheduled to nodes across zones. Doing so helps ensure that Prometheus pods are highly available and run more efficiently, because workloads are spread across nodes in different data centers or hierarchical infrastructure zones.

You configure pod topology spread constraints for Prometheus in the cluster-monitoring-config config map.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config configmap object.

Procedure
  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring namespace:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add values for the following settings under data/config.yaml/prometheusK8s to configure pod topology spread constraints:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        prometheusK8s:
          topologySpreadConstraints:
          - maxSkew: 1 (1)
            topologyKey: monitoring (2)
            whenUnsatisfiable: DoNotSchedule (3)
            labelSelector:
              matchLabels: (4)
                app.kubernetes.io/name: prometheus
    1 Specify a numeric value for maxSkew, which defines the degree to which pods are allowed to be unevenly distributed. This field is required, and the value must be greater than zero. The value specified has a different effect depending on what value you specify for whenUnsatisfiable.
    2 Specify a key of node labels for topologyKey. This field is required. Nodes that have a label with this key and identical values are considered to be in the same topology. The scheduler will try to put a balanced number of pods into each domain.
    3 Specify a value for whenUnsatisfiable. This field is required. Available options are DoNotSchedule and ScheduleAnyway. Specify DoNotSchedule if you want the maxSkew value to define the maximum difference allowed between the number of matching pods in the target topology and the global minimum. Specify ScheduleAnyway if you want the scheduler to still schedule the pod but to give higher priority to nodes that might reduce the skew.
    4 Specify a value for matchLabels. This value is used to identify the set of matching pods to which to apply the constraints.
  3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Setting up pod topology spread constraints for Alertmanager

For core OKD platform monitoring, you can set up pod topology spread constraints for Alertmanager to fine tune how pod replicas are scheduled to nodes across zones. Doing so helps ensure that Alertmanager pods are highly available and run more efficiently, because workloads are spread across nodes in different data centers or hierarchical infrastructure zones.

You configure pod topology spread constraints for Alertmanager in the cluster-monitoring-config config map.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config configmap object.

Procedure
  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring namespace:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add values for the following settings under data/config.yaml/alertmanagermain to configure pod topology spread constraints:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        alertmanagerMain:
          topologySpreadConstraints:
          - maxSkew: 1 (1)
            topologyKey: monitoring (2)
            whenUnsatisfiable: DoNotSchedule (3)
            labelSelector:
              matchLabels: (4)
                app.kubernetes.io/name: alertmanager
    1 Specify a numeric value for maxSkew, which defines the degree to which pods are allowed to be unevenly distributed. This field is required, and the value must be greater than zero. The value specified has a different effect depending on what value you specify for whenUnsatisfiable.
    2 Specify a key of node labels for topologyKey. This field is required. Nodes that have a label with this key and identical values are considered to be in the same topology. The scheduler will try to put a balanced number of pods into each domain.
    3 Specify a value for whenUnsatisfiable. This field is required. Available options are DoNotSchedule and ScheduleAnyway. Specify DoNotSchedule if you want the maxSkew value to define the maximum difference allowed between the number of matching pods in the target topology and the global minimum. Specify ScheduleAnyway if you want the scheduler to still schedule the pod but to give higher priority to nodes that might reduce the skew.
    4 Specify a value for matchLabels. This value is used to identify the set of matching pods to which to apply the constraints.
  3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Setting up pod topology spread constraints for Thanos Ruler

For user-defined monitoring, you can set up pod topology spread constraints for Thanos Ruler to fine tune how pod replicas are scheduled to nodes across zones. Doing so helps ensure that Thanos Ruler pods are highly available and run more efficiently, because workloads are spread across nodes in different data centers or hierarchical infrastructure zones.

You configure pod topology spread constraints for Thanos Ruler in the user-workload-monitoring-config config map.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • A cluster administrator has enabled monitoring for user-defined projects.

  • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

  • A cluster administrator has enabled monitoring for user-defined projects.

Procedure
  1. Edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace:

    $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
  2. Add values for the following settings under data/config.yaml/thanosRuler to configure pod topology spread constraints:

    apiVersion: v1
    kind: configmap
    metadata:
      name: user-workload-monitoring-config
      namespace: openshift-user-workload-monitoring
    data:
      config.yaml: |
        thanosRuler:
          topologySpreadConstraints:
          - maxSkew: 1 (1)
            topologyKey: monitoring (2)
            whenUnsatisfiable: ScheduleAnyway (3)
            labelSelector:
              matchLabels: (4)
                app.kubernetes.io/name: thanos-ruler
    1 Specify a numeric value for maxSkew, which defines the degree to which pods are allowed to be unevenly distributed. This field is required, and the value must be greater than zero. The value specified has a different effect depending on what value you specify for whenUnsatisfiable.
    2 Specify a key of node labels for topologyKey. This field is required. Nodes that have a label with this key and identical values are considered to be in the same topology. The scheduler will try to put a balanced number of pods into each domain.
    3 Specify a value for whenUnsatisfiable. This field is required. Available options are DoNotSchedule and ScheduleAnyway. Specify DoNotSchedule if you want the maxSkew value to define the maximum difference allowed between the number of matching pods in the target topology and the global minimum. Specify ScheduleAnyway if you want the scheduler to still schedule the pod but to give higher priority to nodes that might reduce the skew.
    4 Specify a value for matchLabels. This value is used to identify the set of matching pods to which to apply the constraints.
  3. Save the file to apply the changes automatically.

    When you save changes to the user-workload-monitoring-config config map, the pods and other resources in the openshift-user-workload-monitoring project might be redeployed. The running monitoring processes in that project might also restart.

Setting log levels for monitoring components

You can configure the log level for Alertmanager, Prometheus Operator, Prometheus, Thanos Querier, and Thanos Ruler.

The following log levels can be applied to the relevant component in the cluster-monitoring-config and user-workload-monitoring-config configmap objects:

  • debug. Log debug, informational, warning, and error messages.

  • info. Log informational, warning, and error messages.

  • warn. Log warning and error messages only.

  • error. Log error messages only.

The default log level is info.

Prerequisites
  • If you are setting a log level for Alertmanager, Prometheus Operator, Prometheus, or Thanos Querier in the openshift-monitoring project:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are setting a log level for Prometheus Operator, Prometheus, or Thanos Ruler in the openshift-user-workload-monitoring project:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the configmap object:

    • To set a log level for a component in the openshift-monitoring project:

      1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

        $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
      2. Add logLevel: <log_level> for a component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: cluster-monitoring-config
          namespace: openshift-monitoring
        data:
          config.yaml: |
            <component>: (1)
              logLevel: <log_level> (2)
        1 The monitoring stack component for which you are setting a log level. For default platform monitoring, available component values are prometheusK8s, alertmanagerMain, prometheusOperator, and thanosQuerier.
        2 The log level to set for the component. The available values are error, warn, info, and debug. The default value is info.
    • To set a log level for a component in the openshift-user-workload-monitoring project:

      1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

        $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
      2. Add logLevel: <log_level> for a component under data/config.yaml:

        apiVersion: v1
        kind: configmap
        metadata:
          name: user-workload-monitoring-config
          namespace: openshift-user-workload-monitoring
        data:
          config.yaml: |
            <component>: (1)
              logLevel: <log_level> (2)
        1 The monitoring stack component for which you are setting a log level. For user workload monitoring, available component values are prometheus, prometheusOperator, and thanosRuler.
        2 The log level to set for the component. The available values are error, warn, info, and debug. The default value is info.
  2. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

  3. Confirm that the log-level has been applied by reviewing the deployment or pod configuration in the related project. The following example checks the log level in the prometheus-operator deployment in the openshift-user-workload-monitoring project:

    $ oc -n openshift-user-workload-monitoring get deploy prometheus-operator -o yaml |  grep "log-level"
    Example output
            - --log-level=debug
  4. Check that the pods for the component are running. The following example lists the status of pods in the openshift-user-workload-monitoring project:

    $ oc -n openshift-user-workload-monitoring get pods

    If an unrecognized loglevel value is included in the configmap object, the pods for the component might not restart successfully.

Enabling the query log file for Prometheus

You can configure Prometheus to write all queries that have been run by the engine to a log file. You can do so for default platform monitoring and for user-defined workload monitoring.

Because log rotation is not supported, only enable this feature temporarily when you need to troubleshoot an issue. After you finish troubleshooting, disable query logging by reverting the changes you made to the configmap object to enable the feature.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • If you are enabling the query log file feature for Prometheus in the openshift-monitoring project:

    • You have access to the cluster as a user with the cluster-admin cluster role.

    • You have created the cluster-monitoring-config configmap object.

  • If you are enabling the query log file feature for Prometheus in the openshift-user-workload-monitoring project:

    • You have access to the cluster as a user with the cluster-admin cluster role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.

    • A cluster administrator has enabled monitoring for user-defined projects.

Procedure
  • To set the query log file for Prometheus in the openshift-monitoring project:

    1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

      $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
    2. Add queryLogFile: <path> for prometheusK8s under data/config.yaml:

      apiVersion: v1
      kind: configmap
      metadata:
        name: cluster-monitoring-config
        namespace: openshift-monitoring
      data:
        config.yaml: |
          prometheusK8s:
            queryLogFile: <path> (1)
      1 The full path to the file in which queries will be logged.
    3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

    4. Verify that the pods for the component are running. The following sample command lists the status of pods in the openshift-monitoring project:

      $ oc -n openshift-monitoring get pods
    5. Read the query log:

      $ oc -n openshift-monitoring exec prometheus-k8s-0 -- cat <path>

      Revert the setting in the config map after you have examined the logged query information.

  • To set the query log file for Prometheus in the openshift-user-workload-monitoring project:

    1. Edit the user-workload-monitoring-config configmap object in the openshift-user-workload-monitoring project:

      $ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
    2. Add queryLogFile: <path> for prometheus under data/config.yaml:

      apiVersion: v1
      kind: configmap
      metadata:
        name: user-workload-monitoring-config
        namespace: openshift-user-workload-monitoring
      data:
        config.yaml: |
          prometheus:
            queryLogFile: <path> (1)
      1 The full path to the file in which queries will be logged.
    3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

    4. Verify that the pods for the component are running. The following example command lists the status of pods in the openshift-user-workload-monitoring project:

      $ oc -n openshift-user-workload-monitoring get pods
    5. Read the query log:

      $ oc -n openshift-user-workload-monitoring exec prometheus-user-workload-0 -- cat <path>

      Revert the setting in the config map after you have examined the logged query information.

Additional resources

Enabling query logging for Thanos Querier

For default platform monitoring in the openshift-monitoring project, you can enable the Cluster Monitoring Operator (CMO) to log all queries run by Thanos Querier.

Because log rotation is not supported, only enable this feature temporarily when you need to troubleshoot an issue. After you finish troubleshooting, disable query logging by reverting the changes you made to the configmap object to enable the feature.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config configmap object.

Procedure

You can enable query logging for Thanos Querier in the openshift-monitoring project:

  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add a thanosQuerier section under data/config.yaml and add values as shown in the following example:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        thanosQuerier:
          enableRequestLogging: <value> (1)
          logLevel: <value> (2)
    1 Set the value to true to enable logging and false to disable logging. The default value is false.
    2 Set the value to debug, info, warn, or error. If no value exists for logLevel, the log level defaults to error.
  3. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Verification
  1. Verify that the Thanos Querier pods are running. The following sample command lists the status of pods in the openshift-monitoring project:

    $ oc -n openshift-monitoring get pods
  2. Run a test query using the following sample commands as a model:

    $ token=`oc create token prometheus-k8s -n openshift-monitoring`
    $ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://thanos-querier.openshift-monitoring.svc:9091/api/v1/query?query=cluster_version'
  3. Run the following command to read the query log:

    $ oc -n openshift-monitoring logs <thanos_querier_pod_name> -c thanos-query

    Because the thanos-querier pods are highly available (HA) pods, you might be able to see logs in only one pod.

  4. After you examine the logged query information, disable query logging by changing the enableRequestLogging value to false in the config map.

Additional resources

Setting audit log levels for the Prometheus Adapter

In default platform monitoring, you can configure the audit log level for the Prometheus Adapter.

Prerequisites
  • You have installed the OpenShift CLI (oc).

  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config configmap object.

Procedure

You can set an audit log level for the Prometheus Adapter in the default openshift-monitoring project:

  1. Edit the cluster-monitoring-config configmap object in the openshift-monitoring project:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add profile: in the k8sPrometheusAdapter/audit section under data/config.yaml:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        k8sPrometheusAdapter:
          audit:
            profile: <audit_log_level> (1)
    1 The audit log level to apply to the Prometheus Adapter.
  3. Set the audit log level by using one of the following values for the profile: parameter:

    • None: Do not log events.

    • Metadata: Log only the metadata for the request, such as user, timestamp, and so forth. Do not log the request text and the response text. Metadata is the default audit log level.

    • Request: Log only the metadata and the request text but not the response text. This option does not apply for non-resource requests.

    • RequestResponse: Log event metadata, request text, and response text. This option does not apply for non-resource requests.

  4. Save the file to apply the changes. The pods affected by the new configuration are automatically redeployed.

Verification
  1. In the config map, under k8sPrometheusAdapter/audit/profile, set the log level to Request and save the file.

  2. Confirm that the pods for the Prometheus Adapter are running. The following example lists the status of pods in the openshift-monitoring project:

    $ oc -n openshift-monitoring get pods
  3. Confirm that the audit log level and audit log file path are correctly configured:

    $ oc -n openshift-monitoring get deploy prometheus-adapter -o yaml
    Example output
    ...
      - --audit-policy-file=/etc/audit/request-profile.yaml
      - --audit-log-path=/var/log/adapter/audit.log
  4. Confirm that the correct log level has been applied in the prometheus-adapter deployment in the openshift-monitoring project:

    $ oc -n openshift-monitoring exec deploy/prometheus-adapter -c prometheus-adapter -- cat /etc/audit/request-profile.yaml
    Example output
    "apiVersion": "audit.k8s.io/v1"
    "kind": "Policy"
    "metadata":
      "name": "Request"
    "omitStages":
    - "RequestReceived"
    "rules":
    - "level": "Request"

    If you enter an unrecognized profile value for the Prometheus Adapter in the configmap object, no changes are made to the Prometheus Adapter, and an error is logged by the Cluster Monitoring Operator.

  5. Review the audit log for the Prometheus Adapter:

    $ oc -n openshift-monitoring exec -c <prometheus_adapter_pod_name> -- cat /var/log/adapter/audit.log
Additional resources

Disabling the local Alertmanager

A local Alertmanager that routes alerts from Prometheus instances is enabled by default in the openshift-monitoring project of the OKD monitoring stack.

If you do not need the local Alertmanager, you can disable it by configuring the cluster-monitoring-config config map in the openshift-monitoring project.

Prerequisites
  • You have access to the cluster as a user with the cluster-admin cluster role.

  • You have created the cluster-monitoring-config config map.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. Edit the cluster-monitoring-config config map in the openshift-monitoring project:

    $ oc -n openshift-monitoring edit configmap cluster-monitoring-config
  2. Add enabled: false for the alertmanagerMain component under data/config.yaml:

    apiVersion: v1
    kind: configmap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        alertmanagerMain:
          enabled: false
  3. Save the file to apply the changes. The Alertmanager instance is disabled automatically when you apply the change.