oc process -f operator/fuse-prometheus-operator.yml -o yaml -p NAMESPACE=<prometheus project> | oc apply -f -
Prometheus needs access to pod and service metadata in other projects via the Kubernetes API. A rolebinding template is provided.
Example command:
oc process -f role-binding/rolebinding.yml -p PROMETHEUS_NAMESPACE=application-monitoring | oc apply -n dev -f -
When your cluster is configured to use the ovs-multitenant SDN plug-in, you can manage the separate pod overlay networks for projects using the administrator CLI. So, if one Prometheus instance is intended to monitor any/all application projects, it may be suitable to make the Prometheus namespace global. Note that this involves some trade-offs from an environment isolation perspective and may contradict some best practices. TODO: describe risks associated with this strategy
oc adm pod-network make-projects-global application-monitoring
This will allow service monitors to target any namespace in the cluster.
Depending on requirements, it may be a better choice to explicitly join the Prometheus namespace to the monitored namespace(s), rather than setting the project network to global on the Prometheus namespace.
oc adm pod-network join-projects --to=application-monitoring dev
oc adm pod-network join-projects --to=application-monitoring test
Note that you want to specify the Prometheus namespace as the --to
. This way the Network ID of the Prometheus namespace remains
constant, and you will be able to add new projects to the network over time without listing all projects in the same join command. Note that this also involves some trade-offs from an environment isolation perspective and may contradict some best practices. TODO: describe risks associated with this strategy
To view which projects share the same Network ID, run:
oc get netnamespaces
If the numbers from the NETID column match, then those project networks are joined.
More info here: OpenShift 3.11 - Managing Networking
Important: Arguably, the ideal architecture involves a separate Prometheus instance for each monitored namespace, when the Multitenant is the cluster SDN implementation. The NetworkPolicy SDN implementation offers some more robust configuration options. Here's a blog on NetworkPolicies and Microsegmentation for an intro.
Create a Fuse service monitor:
oc process -f service-monitors/fuse-servicemonitor.yml -p FUSE_SERVICE_NAME=my-service | oc apply -f -
The target service must have a port exposed that matches the endpoint section of the ServiceMonitor
- apiVersion: v1
kind: Service
metadata:
name: example-fuse
labels:
app: example-fuse
spec:
selector:
app: example-fuse
ports:
- name: prometheus
port: 9779
TODO: Revisit this. Is it necessary to add a service port for Prometheus? I'm not fully understanding what a service has to do with anything. We are targeting pods individually. Need to research.
oc process -f grafana/deployment.yml -o yaml -p NAMESPACE=<prometheus project> | oc apply -f -
When you first connect your browser to Grafana, you'll need to provide a data source. Select "Prometheus" and use http://prometheus:9090
.
You can import sample dahsboards from the dashboards directory in this repo.
Choose one of the rules samples and apply in your Prometheus project, for example:
oc apply -f rules/high-heap-usage.yml
Make sure you are in your Prometheus project.
The following secret contains all alert manager config including SMTP connection data, email templates and routing rules.
oc create secret generic alertmanager-main --from-file=alert-manager/alertmanager.yaml
oc apply -f alert-manager/deployment.yml