$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
×
Configuring the monitoring stack
- Maintenance and support for monitoring
- Configuring the monitoring stack
- Configurable monitoring components
- Using node selectors to move monitoring components
- Assigning tolerations to monitoring components
- Configuring a dedicated service monitor
- Configuring persistent storage
- Configuring remote write storage
- Adding cluster ID labels to metrics
- Controlling the impact of unbound metrics attributes in user-defined projects
- Configuring external Alertmanager instances
- Configuring secrets for Alertmanager
- Attaching additional labels to your time series and alerts
- Configuring pod topology spread constraints for monitoring
- Setting log levels for monitoring components
- Enabling the query log file for Prometheus
This section explains what configuration is supported, shows how to configure the monitoring stack for user-defined projects, and demonstrates several common configuration scenarios.
Maintenance and support for monitoring
The supported way of configuring OpenShift Dedicated Monitoring is by configuring it using the options described in this document. Do not use other configurations, as they are unsupported. Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in this section, your changes will disappear because the cluster-monitoring-operator reconciles any differences. The Operator resets everything to the defined state by default and by design.
|
Installing another Prometheus instance is not supported by the Red Hat Site Reliability Engineers (SRE). |
Support considerations for monitoring
The following modifications are explicitly not supported:
-
Installing custom Prometheus instances on OpenShift Dedicated. A custom instance is a Prometheus custom resource (CR) managed by the Prometheus Operator.
-
Modifying the default platform monitoring components. You should not modify any of the components defined in the
cluster-monitoring-configconfig map. Red Hat SRE uses these components to monitor the core cluster components and Kubernetes services.
Configuring the monitoring stack
In OpenShift Dedicated, you can configure the stack that monitors workloads for user-defined projects by using the user-workload-monitoring-config ConfigMap object. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject.-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject: -
Add your configuration under
data/config.yamlas a key-value pair<component_name>: <component_configuration>:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: <configuration_for_the_component>Substitute
<component>and<configuration_for_the_component>accordingly.The following example
ConfigMapobject configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: (1) retention: 24h (2) resources: requests: cpu: 200m (3) memory: 2Gi (4)1 Defines the Prometheus component and the subsequent lines define its configuration. 2 Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects. 3 Defines a minimum resource request of 200 millicores for the Prometheus container. 4 Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container.
-
-
Save the file to apply the changes to the
ConfigMapobject. The pods affected by the new configuration are restarted automatically.When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
Additional resources
-
Configuration reference for the
user-workload-monitoring-configconfig map
Configurable monitoring components
This table shows the monitoring components you can configure and the keys used to specify the components in the
user-workload-monitoring-config ConfigMap objects.
|
Do not modify the monitoring components in the |
| Component | user-workload-monitoring-config config map key |
|---|---|
Alertmanager |
|
Prometheus Operator |
|
Prometheus |
|
Thanos Ruler |
|
Using node selectors to move monitoring components
By using the nodeSelector constraint with labeled nodes, you can move any of the monitoring stack components to specific nodes.
By doing so, you can control the placement and distribution of the monitoring components across a cluster.
By controlling placement and distribution of monitoring components, you can optimize system resource use, improve performance, and segregate workloads based on specific requirements or policies.
How node selectors work with other constraints
If you move monitoring components by using node selector constraints, be aware that other constraints to control pod scheduling might exist for a cluster:
-
Topology spread constraints might be in place to control pod placement.
-
Hard anti-affinity rules are in place for Prometheus, Thanos Querier, Alertmanager, and other monitoring components to ensure that multiple pods for these components are always spread across different nodes and are therefore always highly available.
When scheduling pods onto nodes, the pod scheduler tries to satisfy all existing constraints when determining pod placement. That is, all constraints compound when the pod scheduler determines which pods will be placed on which nodes.
Therefore, if you configure a node selector constraint but existing constraints cannot all be satisfied, the pod scheduler cannot match all constraints and will not schedule a pod for placement onto a node.
To maintain resilience and high availability for monitoring components, ensure that enough nodes are available and match all constraints when you configure a node selector constraint to move a component.
Moving monitoring components to different nodes
You can move any of the components that monitor workloads for user-defined projects to specific worker nodes. It is not permitted to move components to control plane or infrastructure nodes.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
If you have not done so yet, add a label to the nodes on which you want to run the monitoring components:
$ oc label nodes <node-name> <node-label> -
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Specify the node labels for the
nodeSelectorconstraint for the component underdata/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: (1) nodeSelector: <node-label-1> (2) <node-label-2> (3) <...>1 Substitute <component>with the appropriate monitoring stack component name.2 Substitute <node-label-1>with the label you added to the node.3 Optional: Specify additional labels. If you specify additional labels, the pods for the component are only scheduled on the nodes that contain all of the specified labels. If monitoring components remain in a
Pendingstate after configuring thenodeSelectorconstraint, check the pod events for errors relating to taints and tolerations.
-
-
Save the file to apply the changes. The components specified in the new configuration are moved to the new nodes automatically.
When you save changes to a monitoring config map, the pods and other resources in the project might be redeployed. The running monitoring processes in that project might also restart.
Additional resources
-
See the Kubernetes documentation for details on the
nodeSelectorconstraint
Assigning tolerations to monitoring components
You can assign tolerations to the components that monitor user-defined projects, to enable moving them to tainted worker nodes. Scheduling is not permitted on control plane or infrastructure nodes.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists in theopenshift-user-workload-monitoringnamespace. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Specify
tolerationsfor the component:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: tolerations: <toleration_specification>Substitute
<component>and<toleration_specification>accordingly.For example,
oc adm taint nodes node1 key1=value1:NoScheduleadds a taint tonode1with the keykey1and the valuevalue1. This prevents monitoring components from deploying pods onnode1unless a toleration is configured for that taint. The following example configures thethanosRulercomponent to tolerate the example taint:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: tolerations: - key: "key1" operator: "Equal" value: "value1" effect: "NoSchedule"
-
-
Save the file to apply the changes. The new component placement configuration is applied automatically.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
Additional resources
-
See the Kubernetes documentation on taints and tolerations
Configuring a dedicated service monitor
You can configure OpenShift Dedicated core platform monitoring to use dedicated service monitors to collect metrics for the resource metrics pipeline.
When enabled, a dedicated service monitor exposes two additional metrics from the kubelet endpoint and sets the value of the honorTimestamps field to true.
By enabling a dedicated service monitor, you can improve the consistency of Prometheus Adapter-based CPU usage measurements used by, for example, the oc adm top pod command or the Horizontal Pod Autoscaler.
Enabling a dedicated service monitor
You can configure core platform monitoring to use a dedicated service monitor by configuring the dedicatedServiceMonitors key in the cluster-monitoring-config ConfigMap object in the openshift-monitoring namespace.
Prerequisites
-
You have installed the OpenShift CLI (
oc). -
You have access to the cluster as a user with the
cluster-admincluster role. -
You have created the
cluster-monitoring-configConfigMapobject.
Procedure
-
Edit the
cluster-monitoring-configConfigMapobject in theopenshift-monitoringnamespace:$ oc -n openshift-monitoring edit configmap cluster-monitoring-config -
Add an
enabled: truekey-value pair as shown in the following sample:apiVersion: v1 kind: ConfigMap metadata: name: cluster-monitoring-config namespace: openshift-monitoring data: config.yaml: | k8sPrometheusAdapter: dedicatedServiceMonitors: enabled: true (1)1 Set the value of the enabledfield totrueto deploy a dedicated service monitor that exposes the kubelet/metrics/resourceendpoint. -
Save the file to apply the changes automatically.
When you save changes to a
cluster-monitoring-configconfig map, the pods and other resources in theopenshift-monitoringproject might be redeployed. The running monitoring processes in that project might also restart.
Configuring persistent storage
Running cluster monitoring with persistent storage means that your metrics are stored to a persistent volume (PV) and can survive a pod being restarted or recreated. This is ideal if you require your metrics or alerting data to be guarded from data loss. For production environments, it is highly recommended to configure persistent storage. Because of the high IO demands, it is advantageous to use local storage.
Configuring a persistent volume claim
For monitoring components to use a persistent volume (PV), you must configure a persistent volume claim (PVC).
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add your PVC configuration for the component under
data/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: volumeClaimTemplate: spec: storageClassName: <storage_class> resources: requests: storage: <amount_of_storage>See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify
volumeClaimTemplate.The following example configures a PVC that claims persistent storage for the Prometheus instance that monitors user-defined projects:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: volumeClaimTemplate: spec: storageClassName: gp3 resources: requests: storage: 40GiThe above example uses the
gp3storage class.The following example configures a PVC that claims persistent storage for Thanos Ruler:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: volumeClaimTemplate: spec: storageClassName: gp3 resources: requests: storage: 10GiStorage requirements for the
thanosRulercomponent depend on the number of rules that are evaluated and how many samples each rule generates.
-
-
Save the file to apply the changes. The pods affected by the new configuration are restarted automatically and the new storage configuration is applied.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
Modifying the retention time and size for Prometheus metrics data
By default, Prometheus automatically retains metrics data for 15 days. You can modify the retention time for the Prometheus instance that monitors user-defined projects, to change how soon the data is deleted. You can also set the maximum amount of disk space the retained metrics data uses. If the data reaches this size limit, Prometheus deletes the oldest data first until the disk space used is again below the limit.
Note the following behaviors of these data retention settings:
-
The size-based retention policy applies to all data block directories in the
/prometheusdirectory, including persistent blocks, write-ahead log (WAL) data, and m-mapped chunks. -
Data in the
/waland/head_chunksdirectories counts toward the retention size limit, but Prometheus never purges data from these directories based on size- or time-based retention policies. Thus, if you set a retention size limit lower than the maximum size set for the/waland/head_chunksdirectories, you have configured the system not to retain any data blocks in the/prometheusdata directories. -
The size-based retention policy is applied only when Prometheus cuts a new data block, which occurs every two hours after the WAL contains at least three hours of data.
-
If you do not explicitly define values for either
retentionorretentionSize, retention time defaults to 15 days, and retention size is not set. -
If you define values for both
retentionandretentionSize, both values apply. If any data blocks exceed the defined retention time or the defined size limit, Prometheus purges these data blocks. -
If you define a value for
retentionSizeand do not defineretention, only theretentionSizevalue applies. -
If you do not define a value for
retentionSizeand only define a value forretention, only theretentionvalue applies.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add the retention time and size configuration under
data/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: retention: <time_specification> (1) retentionSize: <size_specification> (2)1 The retention time: a number directly followed by ms(milliseconds),s(seconds),m(minutes),h(hours),d(days),w(weeks), ory(years). You can also combine time values for specific times, such as1h30m15s.2 The retention size: a number directly followed by B(bytes),KB(kilobytes),MB(megabytes),GB(gigabytes),TB(terabytes),PB(petabytes), orEB(exabytes).The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors user-defined projects:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: retention: 24h retentionSize: 10GB
-
-
Save the file to apply the changes. The pods affected by the new configuration restart automatically.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
Modifying the retention time for Thanos Ruler metrics data
By default, for user-defined projects, Thanos Ruler automatically retains metrics data for 24 hours. You can modify the retention time to change how long this data is retained by specifying a time value in the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add the retention time configuration under
data/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: retention: <time_specification> (1)1 Specify the retention time in the following format: a number directly followed by ms(milliseconds),s(seconds),m(minutes),h(hours),d(days),w(weeks), ory(years). You can also combine time values for specific times, such as1h30m15s. The default is24h.The following example sets the retention time to 10 days for Thanos Ruler data:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: retention: 10d -
Save the file to apply the changes. The pods affected by the new configuration automatically restart.
Saving changes to a monitoring config map might restart monitoring processes and redeploy the pods and other resources in the related project. The running monitoring processes in that project might also restart.
Additional resources
Configuring remote write storage
You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc). -
You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.
-
You have set up authentication credentials in a
Secretobject for the remote write endpoint. You must create the secret in theopenshift-user-workload-monitoringnamespace.To reduce security risks, use HTTPS and authentication to send metrics to an endpoint.
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add a
remoteWrite:section underdata/config.yaml/prometheus. -
Add an endpoint URL and authentication credentials in this section:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" (1) <endpoint_authentication_credentials> (2)1 The URL of the remote write endpoint. 2 The authentication method and credentials for the endpoint. Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP an Authorizationrequest header, basic authentication, OAuth 2.0, and TLS client. See Supported remote write authentication settings below for sample configurations of supported authentication methods. -
Add write relabel configuration values after the authentication credentials:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> <write_relabel_configs> (1)1 The write relabel configuration settings. For
<write_relabel_configs>substitute a list of write relabel configurations for metrics that you want to send to the remote endpoint.The following sample shows how to forward a single metric called
my_metric:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: [__name__] regex: 'my_metric' action: keepSee the Prometheus relabel_config documentation for information about write relabel configuration options.
-
-
Save the file to apply the changes. The pods affected by the new configuration restart automatically.
Saving changes to a monitoring
ConfigMapobject might redeploy the pods and other resources in the related project. Saving changes might also restart the running monitoring processes in that project.
Supported remote write authentication settings
You can use different methods to authenticate with a remote write endpoint. Currently supported authentication methods are AWS Signature Version 4, basic authentication, authorization, OAuth 2.0, and TLS client. The following table provides details about supported authentication methods for use with remote write.
| Authentication method | Config map field | Description |
|---|---|---|
AWS Signature Version 4 |
|
This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or Basic authentication. |
Basic authentication |
|
Basic authentication sets the authorization header on every remote write request with the configured username and password. |
authorization |
|
Authorization sets the |
OAuth 2.0 |
|
An OAuth 2.0 configuration uses the client credentials grant type.
Prometheus fetches an access token from |
TLS client |
|
A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file. |
Example remote write authentication settings
The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding Secret object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with
monitoring user-defined projects
in the openshift-user-workload-monitoring namespace.
Example 1. Sample YAML for AWS Signature Version 4 authentication
The following shows the settings for a sigv4 secret named sigv4-credentials in the openshift-user-workload-monitoring namespace.
apiVersion: v1
kind: Secret
metadata:
name: sigv4-credentials
namespace: openshift-user-workload-monitoring
stringData:
accessKey: <AWS_access_key> (1)
secretKey: <AWS_secret_key> (2)
type: Opaque| 1 | The AWS API access key. |
| 2 | The AWS API secret key. |
The following shows sample AWS Signature Version 4 remote write authentication settings that use a Secret object named sigv4-credentials in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
remoteWrite:
- url: "https://authorization.example.com/api/write"
sigv4:
region: <AWS_region> (1)
accessKey:
name: sigv4-credentials (2)
key: accessKey (3)
secretKey:
name: sigv4-credentials (2)
key: secretKey (4)
profile: <AWS_profile_name> (5)
roleArn: <AWS_role_arn> (6)| 1 | The AWS region. |
| 2 | The name of the Secret object containing the AWS API access credentials. |
| 3 | The key that contains the AWS API access key in the specified Secret object. |
| 4 | The key that contains the AWS API secret key in the specified Secret object. |
| 5 | The name of the AWS profile that is being used to authenticate. |
| 6 | The unique identifier for the Amazon Resource Name (ARN) assigned to your role. |
Example 2. Sample YAML for basic authentication
The following shows sample basic authentication settings for a Secret object named rw-basic-auth in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: Secret
metadata:
name: rw-basic-auth
namespace: openshift-user-workload-monitoring
stringData:
user: <basic_username> (1)
password: <basic_password> (2)
type: Opaque| 1 | The username. |
| 2 | The password. |
The following sample shows a basicAuth remote write configuration that uses a Secret object named rw-basic-auth in the openshift-user-workload-monitoring namespace.
It assumes that you have already set up authentication credentials for the endpoint.
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
remoteWrite:
- url: "https://basicauth.example.com/api/write"
basicAuth:
username:
name: rw-basic-auth (1)
key: user (2)
password:
name: rw-basic-auth (1)
key: password (3)| 1 | The name of the Secret object that contains the authentication credentials. |
| 2 | The key that contains the username in the specified Secret object. |
| 3 | The key that contains the password in the specified Secret object. |
Example 3. Sample YAML for authentication with a bearer token using a
Secret ObjectThe following shows bearer token settings for a Secret object named rw-bearer-auth in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: Secret
metadata:
name: rw-bearer-auth
namespace: openshift-user-workload-monitoring
stringData:
token: <authentication_token> (1)
type: Opaque| 1 | The authentication token. |
The following shows sample bearer token config map settings that use a Secret object named rw-bearer-auth in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
enableUserWorkload: true
prometheus:
remoteWrite:
- url: "https://authorization.example.com/api/write"
authorization:
type: Bearer (1)
credentials:
name: rw-bearer-auth (2)
key: token (3)| 1 | The authentication type of the request. The default value is Bearer. |
| 2 | The name of the Secret object that contains the authentication credentials. |
| 3 | The key that contains the authentication token in the specified Secret object. |
Example 4. Sample YAML for OAuth 2.0 authentication
The following shows sample OAuth 2.0 settings for a Secret object named oauth2-credentials in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: Secret
metadata:
name: oauth2-credentials
namespace: openshift-user-workload-monitoring
stringData:
id: <oauth2_id> (1)
secret: <oauth2_secret> (2)
token: <oauth2_authentication_token> (3)
type: Opaque| 1 | The Oauth 2.0 ID. |
| 2 | The OAuth 2.0 secret. |
| 3 | The OAuth 2.0 token. |
The following shows an oauth2 remote write authentication sample configuration that uses a Secret object named oauth2-credentials in the openshift-user-workload-monitoring namespace:
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
remoteWrite:
- url: "https://test.example.com/api/write"
oauth2:
clientId:
secret:
name: oauth2-credentials (1)
key: id (2)
clientSecret:
name: oauth2-credentials (1)
key: secret (2)
tokenUrl: https://example.com/oauth2/token (3)
scopes: (4)
- <scope_1>
- <scope_2>
endpointParams: (5)
param1: <parameter_1>
param2: <parameter_2>| 1 | The name of the corresponding Secret object. Note that ClientId can alternatively refer to a ConfigMap object, although clientSecret must refer to a Secret object. |
| 2 | The key that contains the OAuth 2.0 credentials in the specified Secret object. |
| 3 | The URL used to fetch a token with the specified clientId and clientSecret. |
| 4 | The OAuth 2.0 scopes for the authorization request. These scopes limit what data the tokens can access. |
| 5 | The OAuth 2.0 authorization request parameters required for the authorization server. |
Example 5. Sample YAML for TLS client authentication
The following shows sample TLS client settings for a tls Secret object named mtls-bundle in the openshift-user-workload-monitoring namespace.
apiVersion: v1
kind: Secret
metadata:
name: mtls-bundle
namespace: openshift-user-workload-monitoring
data:
ca.crt: <ca_cert> (1)
client.crt: <client_cert> (2)
client.key: <client_key> (3)
type: tls| 1 | The CA certificate in the Prometheus container with which to validate the server certificate. |
| 2 | The client certificate for authentication with the server. |
| 3 | The client key. |
The following sample shows a tlsConfig remote write authentication configuration that uses a TLS Secret object named mtls-bundle.
apiVersion: v1
kind: ConfigMap
metadata:
name: user-workload-monitoring-config
namespace: openshift-user-workload-monitoring
data:
config.yaml: |
prometheus:
remoteWrite:
- url: "https://remote-write-endpoint.example.com"
tlsConfig:
ca:
secret:
name: mtls-bundle (1)
key: ca.crt (2)
cert:
secret:
name: mtls-bundle (1)
key: client.crt (3)
keySecret:
name: mtls-bundle (1)
key: client.key (4)| 1 | The name of the corresponding Secret object that contains the TLS authentication credentials. Note that ca and cert can alternatively refer to a ConfigMap object, though keySecret must refer to a Secret object. |
| 2 | The key in the specified Secret object that contains the CA certificate for the endpoint. |
| 3 | The key in the specified Secret object that contains the client certificate for the endpoint. |
| 4 | The key in the specified Secret object that contains the client key secret. |
Additional resources
-
See Setting up remote write compatible endpoints for steps to create a remote write compatible endpoint (such as Thanos).
-
See Tuning remote write settings for information about how to optimize remote write settings for different use cases.
Adding cluster ID labels to metrics
If you manage multiple OpenShift Dedicated clusters and use the remote write feature to send metrics data from these clusters to an external storage location, you can add cluster ID labels to identify the metrics data coming from different clusters. You can then query these labels to identify the source cluster for a metric and distinguish that data from similar metrics data sent by other clusters.
This way, if you manage many clusters for multiple customers and send metrics data to a single centralized storage system, you can use cluster ID labels to query metrics for a particular cluster or customer.
Creating and using cluster ID labels involves three general steps:
-
Configuring the write relabel settings for remote write storage.
-
Adding cluster ID labels to the metrics.
-
Querying these labels to identify the source cluster or customer for a metric.
Creating cluster ID labels for metrics
You can create cluster ID labels for metrics by editing the settings in the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMap object exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc). -
You have configured remote write storage.
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
In the
writeRelabelConfigs:section underdata/config.yaml/prometheus/remoteWrite, add cluster ID relabel configuration values:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" <endpoint_authentication_credentials> writeRelabelConfigs: (1) - <relabel_config> (2)1 Add a list of write relabel configurations for metrics that you want to send to the remote endpoint. 2 Substitute the label configuration for the metrics sent to the remote write endpoint. The following sample shows how to forward a metric with the cluster ID label
cluster_idin user-workload monitoring:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: remoteWrite: - url: "https://remote-write-endpoint.example.com" writeRelabelConfigs: - sourceLabels: - __tmp_openshift_cluster_id__ (1) targetLabel: cluster_id (2) action: replace (3)1 The system initially applies a temporary cluster ID source label named __tmp_openshift_cluster_id__. This temporary label gets replaced by the cluster ID label name that you specify.2 Specify the name of the cluster ID label for metrics sent to remote write storage. If you use a label name that already exists for a metric, that value is overwritten with the name of this cluster ID label. For the label name, do not use __tmp_openshift_cluster_id__. The final relabeling step removes labels that use this name.3 The replacewrite relabel action replaces the temporary label with the target label for outgoing metrics. This action is the default and is applied if no action is specified.
-
-
Save the file to apply the changes to the
ConfigMapobject. The pods affected by the updated configuration automatically restart.Saving changes to a monitoring
ConfigMapobject might redeploy the pods and other resources in the related project. Saving changes might also restart the running monitoring processes in that project.
Additional resources
-
For details about write relabel configuration, see Configuring remote write storage.
Controlling the impact of unbound metrics attributes in user-defined projects
Developers can create labels to define attributes for metrics in the form of key-value pairs. The number of potential key-value pairs corresponds to the number of possible values for an attribute. An attribute that has an unlimited number of potential values is called an unbound attribute. For example, a customer_id attribute is unbound because it has an infinite number of possible values.
Every assigned key-value pair has a unique time series. The use of many unbound attributes in labels can result in an exponential increase in the number of time series created. This can impact Prometheus performance and can consume a lot of disk space.
A dedicated-admin
can use the following measures to control the impact of unbound metrics attributes in user-defined projects:
-
Limit the number of samples that can be accepted per target scrape in user-defined projects
-
Limit the number of scraped labels, the length of label names, and the length of label values
-
Create alerts that fire when a scrape sample threshold is reached or when the target cannot be scraped
|
Limiting scrape samples can help prevent the issues caused by adding many unbound attributes to labels. Developers can also prevent the underlying cause by limiting the number of unbound attributes that they define for metrics. Using attributes that are bound to a limited set of possible values reduces the number of potential key-value pair combinations. |
Setting scrape sample and label limits for user-defined projects
You can limit the number of samples that can be accepted per target scrape in user-defined projects. You can also limit the number of scraped labels, the length of label names, and the length of label values.
|
If you set sample or label limits, no further sample data is ingested for that target scrape after the limit is reached. |
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add the
enforcedSampleLimitconfiguration todata/config.yamlto limit the number of samples that can be accepted per target scrape in user-defined projects:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: enforcedSampleLimit: 50000 (1)1 A value is required if this parameter is specified. This enforcedSampleLimitexample limits the number of samples that can be accepted per target scrape in user-defined projects to 50,000. -
Add the
enforcedLabelLimit,enforcedLabelNameLengthLimit, andenforcedLabelValueLengthLimitconfigurations todata/config.yamlto limit the number of scraped labels, the length of label names, and the length of label values in user-defined projects:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: enforcedLabelLimit: 500 (1) enforcedLabelNameLengthLimit: 50 (2) enforcedLabelValueLengthLimit: 600 (3)1 Specifies the maximum number of labels per scrape. The default value is 0, which specifies no limit.2 Specifies the maximum length in characters of a label name. The default value is 0, which specifies no limit.3 Specifies the maximum length in characters of a label value. The default value is 0, which specifies no limit. -
Save the file to apply the changes. The limits are applied automatically.
When changes are saved to the
user-workload-monitoring-configConfigMapobject, the pods and other resources in theopenshift-user-workload-monitoringproject might be redeployed. The running monitoring processes in that project might also be restarted.
Configuring external Alertmanager instances
The OpenShift Dedicated monitoring stack includes a local Alertmanager instance that routes alerts from Prometheus. You can add external Alertmanager instances to route alerts for user-defined projects.
If you add the same external Alertmanager configuration for multiple clusters and disable the local instance for each cluster, you can then manage alert routing for multiple clusters by using a single external Alertmanager instance.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject.-
Edit the
user-workload-monitoring-configconfig map in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add a
<component>/additionalAlertmanagerConfigs:section underdata/config.yaml/. -
Add the configuration details for additional Alertmanagers in this section:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: additionalAlertmanagerConfigs: - <alertmanager_specification>For
<component>, substitute one of two supported external Alertmanager components:prometheusorthanosRuler.For
<alertmanager_specification>, substitute authentication and other configuration details for additional Alertmanager instances. Currently supported authentication methods are bearer token (bearerToken) and client TLS (tlsConfig). The following sample config map configures an additional Alertmanager using Thanos Ruler with a bearer token and client TLS authentication:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: additionalAlertmanagerConfigs: - scheme: https pathPrefix: / timeout: "30s" apiVersion: v1 bearerToken: name: alertmanager-bearer-token key: token tlsConfig: key: name: alertmanager-tls key: tls.key cert: name: alertmanager-tls key: tls.crt ca: name: alertmanager-tls key: tls.ca staticConfigs: - external-alertmanager1-remote.com - external-alertmanager1-remote2.com
-
-
Save the file to apply the changes to the
ConfigMapobject. The new component placement configuration is applied automatically. -
Save the file to apply the changes to the
ConfigMapobject. The new component placement configuration is applied automatically.
Configuring secrets for Alertmanager
The OpenShift Dedicated monitoring stack includes Alertmanager, which routes alerts from Prometheus to endpoint receivers. If you need to authenticate with a receiver so that Alertmanager can send alerts to it, you can configure Alertmanager to use a secret that contains authentication credentials for the receiver.
For example, you can configure Alertmanager to use a secret to authenticate with an endpoint receiver that requires a certificate issued by a private Certificate Authority (CA).
You can also configure Alertmanager to use a secret to authenticate with a receiver that requires a password file for Basic HTTP authentication.
In either case, authentication details are contained in the Secret object rather than in the ConfigMap object.
Adding a secret to the Alertmanager configuration
You can add secrets to the Alertmanager configuration for user-defined projects by editing the user-workload-monitoring-config config map in the openshift-user-workload-monitoring project.
After you add a secret to the config map, the secret is mounted as a volume at /etc/alertmanager/secrets/<secret_name> within the alertmanager container for the Alertmanager pods.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have created the secret to be configured in Alertmanager in the
openshift-user-workload-monitoringproject. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject.-
Edit the
user-workload-monitoring-configconfig map in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add a
secrets:section underdata/config.yaml/alertmanager/secretswith the following configuration:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | alertmanager: secrets: (1) - <secret_name_1> (2) - <secret_name_2>1 This section contains the secrets to be mounted into Alertmanager. The secrets must be located within the same namespace as the Alertmanager object. 2 The name of the Secretobject that contains authentication credentials for the receiver. If you add multiple secrets, place each one on a new line.The following sample config map settings configure Alertmanager to use two
Secretobjects namedtest-secretandtest-secret-api-token:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | alertmanager: enabled: true secrets: - test-secret - test-api-receiver-token
-
-
Save the file to apply the changes to the
ConfigMapobject. The new configuration is applied automatically.
Attaching additional labels to your time series and alerts
Using the external labels feature of Prometheus, you can attach custom labels to all time series and alerts leaving Prometheus.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Define a map of labels you want to add for every metric under
data/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: externalLabels: <key>: <value> (1)1 Substitute <key>: <value>with a map of key-value pairs where<key>is a unique name for the new label and<value>is its value.Do not use
prometheusorprometheus_replicaas key names, because they are reserved and will be overwritten.In the
openshift-user-workload-monitoringproject, Prometheus handles metrics and Thanos Ruler handles alerting and recording rules. SettingexternalLabelsforprometheusin theuser-workload-monitoring-configConfigMapobject will only configure external labels for metrics and not for any rules.For example, to add metadata about the region and environment to all time series and alerts related to user-defined projects, use:
apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: externalLabels: region: eu environment: prod
-
-
Save the file to apply the changes. The new configuration is applied automatically.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
Configuring pod topology spread constraints for monitoring
You can use pod topology spread constraints to control how Thanos Ruler pods are spread across a network topology when OpenShift Dedicated pods are deployed in multiple availability zones.
Pod topology spread constraints are suitable for controlling pod scheduling within hierarchical topologies in which nodes are spread across different infrastructure levels, such as regions and zones within those regions. Additionally, by being able to schedule pods in different zones, you can improve network latency in certain scenarios.
Additional resources
Setting up pod topology spread constraints for Thanos Ruler
For user-defined monitoring, you can set up pod topology spread constraints for Thanos Ruler to fine tune how pod replicas are scheduled to nodes across zones. Doing so helps ensure that Thanos Ruler pods are highly available and run more efficiently, because workloads are spread across nodes in different data centers or hierarchical infrastructure zones.
You configure pod topology spread constraints for Thanos Ruler in the user-workload-monitoring-config config map.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
user-workload-monitoring-configconfig map in theopenshift-user-workload-monitoringnamespace:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add values for the following settings under
data/config.yaml/thanosRulerto configure pod topology spread constraints:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | thanosRuler: topologySpreadConstraints: - maxSkew: 1 (1) topologyKey: monitoring (2) whenUnsatisfiable: ScheduleAnyway (3) labelSelector: matchLabels: (4) app.kubernetes.io/name: thanos-ruler1 Specify a numeric value for maxSkew, which defines the degree to which pods are allowed to be unevenly distributed. This field is required, and the value must be greater than zero. The value specified has a different effect depending on what value you specify forwhenUnsatisfiable.2 Specify a key of node labels for topologyKey. This field is required. Nodes that have a label with this key and identical values are considered to be in the same topology. The scheduler will try to put a balanced number of pods into each domain.3 Specify a value for whenUnsatisfiable. This field is required. Available options areDoNotScheduleandScheduleAnyway. SpecifyDoNotScheduleif you want themaxSkewvalue to define the maximum difference allowed between the number of matching pods in the target topology and the global minimum. SpecifyScheduleAnywayif you want the scheduler to still schedule the pod but to give higher priority to nodes that might reduce the skew.4 Specify a value for matchLabels. This value is used to identify the set of matching pods to which to apply the constraints. -
Save the file to apply the changes automatically.
When you save changes to the
user-workload-monitoring-configconfig map, the pods and other resources in theopenshift-user-workload-monitoringproject might be redeployed. The running monitoring processes in that project might also restart.
Setting log levels for monitoring components
You can configure the log level for Alertmanager, Prometheus Operator, Prometheus, and Thanos Ruler.
The following log levels can be applied to the relevant component in the
user-workload-monitoring-config ConfigMap objects:
-
debug. Log debug, informational, warning, and error messages. -
info. Log informational, warning, and error messages. -
warn. Log warning and error messages only. -
error. Log error messages only.
The default log level is info.
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMapobject exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
ConfigMapobject:-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add
logLevel: <log_level>for a component underdata/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | <component>: (1) logLevel: <log_level> (2)1 The monitoring stack component for which you are setting a log level. For user workload monitoring, available component values are alertmanager,prometheus,prometheusOperator, andthanosRuler.2 The log level to apply to the component. The available values are error,warn,info, anddebug. The default value isinfo.
-
-
Save the file to apply the changes. The pods for the component restart automatically when you apply the log-level change.
When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
-
Confirm that the log-level has been applied by reviewing the deployment or pod configuration in the related project. The following example checks the log level in the
prometheus-operatordeployment in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring get deploy prometheus-operator -o yaml | grep "log-level"Example output- --log-level=debug -
Check that the pods for the component are running. The following example lists the status of pods in the
openshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring get podsIf an unrecognized
logLevelvalue is included in theConfigMapobject, the pods for the component might not restart successfully.
Enabling the query log file for Prometheus
You can configure Prometheus to write all queries that have been run by the engine to a log file.
|
Because log rotation is not supported, only enable this feature temporarily when you need to troubleshoot an issue. After you finish troubleshooting, disable query logging by reverting the changes you made to the |
Prerequisites
-
You have access to the cluster as a user with the
dedicated-adminrole. -
The
user-workload-monitoring-configConfigMap object exists. This object is created by default when the cluster is created. -
You have installed the OpenShift CLI (
oc).
Procedure
-
Edit the
user-workload-monitoring-configConfigMapobject in theopenshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config -
Add
queryLogFile: <path>forprometheusunderdata/config.yaml:apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: | prometheus: queryLogFile: <path> (1)1 The full path to the file in which queries will be logged. -
Save the file to apply the changes.
When you save changes to a monitoring config map, pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.
-
Verify that the pods for the component are running. The following example command lists the status of pods in the
openshift-user-workload-monitoringproject:$ oc -n openshift-user-workload-monitoring get pods -
Read the query log:
$ oc -n openshift-user-workload-monitoring exec prometheus-user-workload-0 -- cat <path>Revert the setting in the config map after you have examined the logged query information.