SlideShare a Scribd company logo

Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.

Download as PPTX, PDF
Opcito Technologies
Opcito Technologies

Opcito Technologies is a proud partner with Kubernetes, an open-source system for container orchestration. We will be talking about: • Features of Kubernetes 1.6 • RBAC Configurations • RBAC Use Cases • Running Prometheus in Kubernetes • Prometheus Operator - Deployment, Cluster & Service Monitoring

Technology
1 of 30
1 Securing and monitoring your K8s cluster (RBAC + Prometheus)
2 What’s new in 1.6?
3 What’s new in 1.6? – Alpha features •Per pod eviction •Pod Injection Policy •Custom Metrics support in the Horizontal Pod Autoscaler
4 RBAC in Kubernetes 1.6 RBAC – Role Based Access Control • Allows fine-grained authorization configuration • Configurable via API • Permissions are purely additive, there are no deny permissions • Uses concepts of Role and Role Bindings to create assign and enforce permissions • Permissions can be scoped to: • Namespaces • Nodes • Control plane • Enabled by starting the API server with the flag • --authorization-mode=RBAC
5 RBAC - Attributes A request has the following attributes that can be considered for authorization: • user (the user-string which a user was authenticated as). • group (the list of group names the authenticated user is a member of). • “extra” (a map of arbitrary string keys to string values, provided by the authentication layer) • whether the request is for an API resource. • the request path. • allows authorizing access to miscellaneous non-resource endpoints like /api or /healthz (see kubectl).
6 RBAC - Attributes • The request verb. • API verbs get, list, create, update, patch, watch, proxy, redirect, delete, and deletecollection are used for resource requests • HTTP verbs get, post, put, and delete are used for non- resource requests • What resource is being accessed (for resource requests only) • What subresource is being accessed (for resource requests only) • The namespace of the object being accessed (for namespaced resource requests only) • The API group being accessed (for resource requests only); an empty string designates the core API Group
7 RBAC – API Overview Declares 4 top level types that can be interacted with via the API or kubectl • Role • Cluster Role • RoleBinding • ClusterRoleBinding
8 RBAC – Role kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"]
9 RBAC – RoleBinding to Role # This role binding allows "jane" to read pods in the "default" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
10 RBAC – ClusterRole kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: # "namespace" omitted since ClusterRoles are not namespaced name: secret-reader rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"]
11 RBAC – RoleBinding to ClusterRole # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
12 RBAC – ClusterRoleBinding # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets-global subjects: - kind: Group name: manager apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
13 RBAC – Use Cases • Limit user access to specific namespaces • Limit user permissions relative to their Role • Group users based on their Roles and assign permissions to the group • Pre-assign special hardware nodes to certain user groups and workloads • Segment your continuous deployment pipeline with permissions to deploy in to only specific namespaces.
14 Hierarchy of reliability - Monitoring
15 Prometheus What is Prometheus? • Monitoring system and time series database • Inspired by BorgMon • Not BorgMon • Opensource – developed at SoundCloud initially • How does it work? • Collects metrics at scale via HTTP • Easy scaling • Can handle thousands of targets, millions of timeseries
16 Prometheus - Features • Multi-dimensional data model • Flexible query language to leverage dimensionality • No reliance on distributed storage, autonomous single server nodes • Collection happens via a pull model over HTTP • Push is also supported via an intermediary gateway • Targets can be discovered statically or via service discovery • Good graphing and dashboarding support
17 Prometheus Architecture
18 Running Prometheus in Kubernetes • What we need • Pod specification defining how to run Prometheus • Load and manage configuration • Service specification to access Prometheus on stable IP • Options • Write own pod+service+petset+... manifests • Kubernetes Helm chart in the making https://github.com/kubernetes/charts/pull/151 • CoreOS wrote an Operator managing Prometheus and its configuration https://github.com/coreos/kube-prometheus
19 Prometheus Operator by CoreOS • What is an Operator? • Builds on basic Kubernetes resource and controller concepts • Included application domain knowledge and best practices • Frees you from deployment and lifecycle management details • Prometheus Operator by CoreOS • Single command install • Configure manage instances using a single declarative configuration • Configuration drives the creation, configuration and management of Prometheus instances
20 Prometheus Operator - Features • Create/Destroy • Simple Configuration • Target Services via Labels
21 Prometheus Operator – How does it work? The Operator defines 2 Third Party Resources(TPR) • Prometheus Resource • Data Retention • Persistent Volume Claims • Number of replicas • Version • Alert Managers • Service Monitor
22 Prometheus Operator – How does it work?
23 Prometheus Operator - Deployment Deploy the operator $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -operator.yaml deployment "prometheus-operator" created Create the Prometheus TPR apiVersion: monitoring.coreos.com/v1alpha1 kind: Prometheus metadata: name: prometheus-k8s labels: prometheus: k8s spec: version: v1.3.0 $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -k8s.yaml
24 Prometheus Operator – Cluster Monitoring Deploy exporters providing metrics on cluster nodes and Kubernetes business logic $ kubectl create -f https://coreos.com/operators/prometheus/latest/exporters. yaml deployment "kube-state-metrics" created service "kube-state-metrics" created daemonset "node-exporter" created service "node-exporter" created Create the ConfigMap containing the Prometheus configuration $ kubectl apply -f https://coreos.com/operators/prometheus/latest/prometheus -k8s-cm.yaml configmap "prometheus-k8s" configured
25 Prometheus Operator – Cluster Monitoring
26 Prometheus Operator – Service Monitoring Define how a service should be monitored apiVersion: monitoring.coreos.com/v1alpha1 kind: ServiceMonitor metadata: name: frontend labels: tier: frontend spec: selector: matchLabels: tier: frontend endpoints: - port: web # works for different port numbers as long as the name matches interval: 10s # scrape the endpoint every 10 seconds
27 Prometheus Operator – Service Monitoring Create a Prometheus instance that includes this ServiceMonitor apiVersion: monitoring.coreos.com/v1alpha1 kind: Prometheus metadata: name: prometheus-frontend labels: prometheus: frontend spec: version: v1.3.0 # Define that all ServiceMonitor TPRs with the label `tier = frontend` should be included # into the server's configuration. serviceMonitors: - selector: matchLabels: tier: frontend
28 Create the Service monitor and Prometheus Objects $ kubectl create -f https://coreos.com/operators/prometheus/latest/servicemon itor-frontend.yaml servicemonitor "frontend" created $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -frontend.yaml prometheus "prometheus-frontend" created service "prometheus-frontend" created Prometheus Operator – Service Monitoring
29 Prometheus Operator – Service Monitoring Deploy an application that matches the label tier = frontend $ kubectl create –f ./example-app.yaml
30 Thank You

Recommended

Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Etsuji Nakai
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
Kubernetes 101 for Developers
Kubernetes 101 for DevelopersKubernetes 101 for Developers
Kubernetes 101 for Developers
Ross Kukulinski
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
K8S in prod
K8S in prodK8S in prod
K8S in prod
Mageshwaran Rajendran
 
Container Orchestration
Container OrchestrationContainer Orchestration
Container Orchestration
dfilppi
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
Roberto Hashioka
 

Recommended

Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Etsuji Nakai
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
Kubernetes 101 for Developers
Kubernetes 101 for DevelopersKubernetes 101 for Developers
Kubernetes 101 for Developers
Ross Kukulinski
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
K8S in prod
K8S in prodK8S in prod
K8S in prod
Mageshwaran Rajendran
 
Container Orchestration
Container OrchestrationContainer Orchestration
Container Orchestration
dfilppi
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
Roberto Hashioka
 
The Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in KubernetesThe Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in Kubernetes
QAware GmbH
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High Availability
Jakub Pavlik
 
Kubernetes Node Deep Dive
Kubernetes Node Deep DiveKubernetes Node Deep Dive
Kubernetes Node Deep Dive
Lei (Harry) Zhang
 
How to Develop OpenStack
How to Develop OpenStackHow to Develop OpenStack
How to Develop OpenStack
Mehdi Ali Soltani
 
Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...
Miroslav Halas
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Vietnam Open Infrastructure User Group
 
Fully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementFully automated kubernetes deployment and management
Fully automated kubernetes deployment and management
LinuxCon ContainerCon CloudOpen China
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210
Che-Chia Chang
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded Linux
LinuxCon ContainerCon CloudOpen China
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetup
Nathan Ness
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
LinuxCon ContainerCon CloudOpen China
 
Dockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDockerizing OpenStack for High Availability
Dockerizing OpenStack for High Availability
Daniel Krook
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with Kubernetes
Provectus
 
Cloudfoundry Overview
Cloudfoundry OverviewCloudfoundry Overview
Cloudfoundry Overview
rajdeep
 
Topologies of OpenStack
Topologies of OpenStackTopologies of OpenStack
Topologies of OpenStack
haribabu kasturi
 
Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209
mffiedler
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 services
LinuxCon ContainerCon CloudOpen China
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Vietnam Open Infrastructure User Group
 
Kubernetes fundamentals
Kubernetes fundamentalsKubernetes fundamentals
Kubernetes fundamentals
Victor Morales
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
Allan Naim
 

More Related Content

What's hot

The Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in KubernetesThe Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in Kubernetes
QAware GmbH
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High Availability
Jakub Pavlik
 
Kubernetes Node Deep Dive
Kubernetes Node Deep DiveKubernetes Node Deep Dive
Kubernetes Node Deep Dive
Lei (Harry) Zhang
 
How to Develop OpenStack
How to Develop OpenStackHow to Develop OpenStack
How to Develop OpenStack
Mehdi Ali Soltani
 
Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...
Miroslav Halas
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Vietnam Open Infrastructure User Group
 
Fully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementFully automated kubernetes deployment and management
Fully automated kubernetes deployment and management
LinuxCon ContainerCon CloudOpen China
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210
Che-Chia Chang
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded Linux
LinuxCon ContainerCon CloudOpen China
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetup
Nathan Ness
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
LinuxCon ContainerCon CloudOpen China
 
Dockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDockerizing OpenStack for High Availability
Dockerizing OpenStack for High Availability
Daniel Krook
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with Kubernetes
Provectus
 
Cloudfoundry Overview
Cloudfoundry OverviewCloudfoundry Overview
Cloudfoundry Overview
rajdeep
 
Topologies of OpenStack
Topologies of OpenStackTopologies of OpenStack
Topologies of OpenStack
haribabu kasturi
 
Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209
mffiedler
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 services
LinuxCon ContainerCon CloudOpen China
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Vietnam Open Infrastructure User Group
 

What's hot (20)

The Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in KubernetesThe Operator Pattern - Managing Stateful Services in Kubernetes
The Operator Pattern - Managing Stateful Services in Kubernetes
 
OpenStack High Availability
OpenStack High AvailabilityOpenStack High Availability
OpenStack High Availability
 
Kubernetes Node Deep Dive
Kubernetes Node Deep DiveKubernetes Node Deep Dive
Kubernetes Node Deep Dive
 
How to Develop OpenStack
How to Develop OpenStackHow to Develop OpenStack
How to Develop OpenStack
 
Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...Comparison of control plane deployment architectures in the scope of hypercon...
Comparison of control plane deployment architectures in the scope of hypercon...
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
 
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G coreTối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
Tối ưu hiệu năng đáp ứng các yêu cầu của hệ thống 4G core
 
Fully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementFully automated kubernetes deployment and management
Fully automated kubernetes deployment and management
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded Linux
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetup
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
 
Dockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDockerizing OpenStack for High Availability
Dockerizing OpenStack for High Availability
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with Kubernetes
 
Cloudfoundry Overview
Cloudfoundry OverviewCloudfoundry Overview
Cloudfoundry Overview
 
Topologies of OpenStack
Topologies of OpenStackTopologies of OpenStack
Topologies of OpenStack
 
Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209Testing kubernetes and_open_shift_at_scale_20170209
Testing kubernetes and_open_shift_at_scale_20170209
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 services
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
 

Similar to Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.

Kubernetes fundamentals
Kubernetes fundamentalsKubernetes fundamentals
Kubernetes fundamentals
Victor Morales
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
Allan Naim
 
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
VMUG IT
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetes
dtoledo67
 
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
UA DevOps Conference
 
Centralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container OperationsCentralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container Operations
Kublr
 
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica SarbuOSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
NETWAYS
 
Mastering MongoDB on Kubernetes, the power of operators
Mastering MongoDB on Kubernetes, the power of operators Mastering MongoDB on Kubernetes, the power of operators
Mastering MongoDB on Kubernetes, the power of operators
DoKC
 
Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)
sriram_rajan
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
Gigi Sayfan
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
HostedbyConfluent
 
REST APIs
REST APIsREST APIs
REST APIs
Arthur De Magalhaes
 
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
DevDay.org
 
Kubernetes intro public - kubernetes meetup 4-21-2015
Kubernetes intro public - kubernetes meetup 4-21-2015Kubernetes intro public - kubernetes meetup 4-21-2015
Kubernetes intro public - kubernetes meetup 4-21-2015
Rohit Jnagal
 
Kubernetes intro public - kubernetes user group 4-21-2015
Kubernetes intro public - kubernetes user group 4-21-2015Kubernetes intro public - kubernetes user group 4-21-2015
Kubernetes intro public - kubernetes user group 4-21-2015
reallavalamp
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
Faculty of Technical Sciences, University of Novi Sad
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
Robert te Kaat
 
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on KubernetesRiga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
Claus Ibsen
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
Terry Cho
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
CloudOps2005
 

Similar to Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”. (20)

Kubernetes fundamentals
Kubernetes fundamentalsKubernetes fundamentals
Kubernetes fundamentals
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
 
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
01 - VMUGIT - Lecce 2018 - Fabio Rapposelli, VMware
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetes
 
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
ОЛЕГ МАЦЬКІВ «Crash course on Operator Framework» Lviv DevOps Conference 2019
 
Centralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container OperationsCentralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container Operations
 
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica SarbuOSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
 
Mastering MongoDB on Kubernetes, the power of operators
Mastering MongoDB on Kubernetes, the power of operators Mastering MongoDB on Kubernetes, the power of operators
Mastering MongoDB on Kubernetes, the power of operators
 
Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)Elastic Kubernetes Services (EKS)
Elastic Kubernetes Services (EKS)
 
Extending kubernetes
Extending kubernetesExtending kubernetes
Extending kubernetes
 
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
Team Collaboration in Kafka Clusters With Maria Berinde-Tampanariu | Current ...
 
REST APIs
REST APIsREST APIs
REST APIs
 
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
[DevDay 2017] OpenShift Enterprise - Speaker: Linh Do - DevOps Engineer at Ax...
 
Kubernetes intro public - kubernetes meetup 4-21-2015
Kubernetes intro public - kubernetes meetup 4-21-2015Kubernetes intro public - kubernetes meetup 4-21-2015
Kubernetes intro public - kubernetes meetup 4-21-2015
 
Kubernetes intro public - kubernetes user group 4-21-2015
Kubernetes intro public - kubernetes user group 4-21-2015Kubernetes intro public - kubernetes user group 4-21-2015
Kubernetes intro public - kubernetes user group 4-21-2015
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
Kubernetes basics
Kubernetes basicsKubernetes basics
Kubernetes basics
 
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on KubernetesRiga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
Riga Dev Day 2016 - Microservices with Apache Camel & fabric8 on Kubernetes
 
Kubernetes #1 intro
Kubernetes #1 introKubernetes #1 intro
Kubernetes #1 intro
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 

Recently uploaded

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 

Recently uploaded (20)

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 

Securing & Monitoring Your K8s Cluster with RBAC and Prometheus”.

  • 1. 1 Securing and monitoring your K8s cluster (RBAC + Prometheus)
  • 3. 3 What’s new in 1.6? – Alpha features •Per pod eviction •Pod Injection Policy •Custom Metrics support in the Horizontal Pod Autoscaler
  • 4. 4 RBAC in Kubernetes 1.6 RBAC – Role Based Access Control • Allows fine-grained authorization configuration • Configurable via API • Permissions are purely additive, there are no deny permissions • Uses concepts of Role and Role Bindings to create assign and enforce permissions • Permissions can be scoped to: • Namespaces • Nodes • Control plane • Enabled by starting the API server with the flag • --authorization-mode=RBAC
  • 5. 5 RBAC - Attributes A request has the following attributes that can be considered for authorization: • user (the user-string which a user was authenticated as). • group (the list of group names the authenticated user is a member of). • “extra” (a map of arbitrary string keys to string values, provided by the authentication layer) • whether the request is for an API resource. • the request path. • allows authorizing access to miscellaneous non-resource endpoints like /api or /healthz (see kubectl).
  • 6. 6 RBAC - Attributes • The request verb. • API verbs get, list, create, update, patch, watch, proxy, redirect, delete, and deletecollection are used for resource requests • HTTP verbs get, post, put, and delete are used for non- resource requests • What resource is being accessed (for resource requests only) • What subresource is being accessed (for resource requests only) • The namespace of the object being accessed (for namespaced resource requests only) • The API group being accessed (for resource requests only); an empty string designates the core API Group
  • 7. 7 RBAC – API Overview Declares 4 top level types that can be interacted with via the API or kubectl • Role • Cluster Role • RoleBinding • ClusterRoleBinding
  • 8. 8 RBAC – Role kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"]
  • 9. 9 RBAC – RoleBinding to Role # This role binding allows "jane" to read pods in the "default" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-pods namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
  • 10. 10 RBAC – ClusterRole kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: # "namespace" omitted since ClusterRoles are not namespaced name: secret-reader rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"]
  • 11. 11 RBAC – RoleBinding to ClusterRole # This role binding allows "dave" to read secrets in the "development" namespace. kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets namespace: development # This only grants permissions within the "development" namespace. subjects: - kind: User name: dave apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
  • 12. 12 RBAC – ClusterRoleBinding # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: read-secrets-global subjects: - kind: Group name: manager apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io
  • 13. 13 RBAC – Use Cases • Limit user access to specific namespaces • Limit user permissions relative to their Role • Group users based on their Roles and assign permissions to the group • Pre-assign special hardware nodes to certain user groups and workloads • Segment your continuous deployment pipeline with permissions to deploy in to only specific namespaces.
  • 15. 15 Prometheus What is Prometheus? • Monitoring system and time series database • Inspired by BorgMon • Not BorgMon • Opensource – developed at SoundCloud initially • How does it work? • Collects metrics at scale via HTTP • Easy scaling • Can handle thousands of targets, millions of timeseries
  • 16. 16 Prometheus - Features • Multi-dimensional data model • Flexible query language to leverage dimensionality • No reliance on distributed storage, autonomous single server nodes • Collection happens via a pull model over HTTP • Push is also supported via an intermediary gateway • Targets can be discovered statically or via service discovery • Good graphing and dashboarding support
  • 18. 18 Running Prometheus in Kubernetes • What we need • Pod specification defining how to run Prometheus • Load and manage configuration • Service specification to access Prometheus on stable IP • Options • Write own pod+service+petset+... manifests • Kubernetes Helm chart in the making https://github.com/kubernetes/charts/pull/151 • CoreOS wrote an Operator managing Prometheus and its configuration https://github.com/coreos/kube-prometheus
  • 19. 19 Prometheus Operator by CoreOS • What is an Operator? • Builds on basic Kubernetes resource and controller concepts • Included application domain knowledge and best practices • Frees you from deployment and lifecycle management details • Prometheus Operator by CoreOS • Single command install • Configure manage instances using a single declarative configuration • Configuration drives the creation, configuration and management of Prometheus instances
  • 20. 20 Prometheus Operator - Features • Create/Destroy • Simple Configuration • Target Services via Labels
  • 21. 21 Prometheus Operator – How does it work? The Operator defines 2 Third Party Resources(TPR) • Prometheus Resource • Data Retention • Persistent Volume Claims • Number of replicas • Version • Alert Managers • Service Monitor
  • 22. 22 Prometheus Operator – How does it work?
  • 23. 23 Prometheus Operator - Deployment Deploy the operator $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -operator.yaml deployment "prometheus-operator" created Create the Prometheus TPR apiVersion: monitoring.coreos.com/v1alpha1 kind: Prometheus metadata: name: prometheus-k8s labels: prometheus: k8s spec: version: v1.3.0 $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -k8s.yaml
  • 24. 24 Prometheus Operator – Cluster Monitoring Deploy exporters providing metrics on cluster nodes and Kubernetes business logic $ kubectl create -f https://coreos.com/operators/prometheus/latest/exporters. yaml deployment "kube-state-metrics" created service "kube-state-metrics" created daemonset "node-exporter" created service "node-exporter" created Create the ConfigMap containing the Prometheus configuration $ kubectl apply -f https://coreos.com/operators/prometheus/latest/prometheus -k8s-cm.yaml configmap "prometheus-k8s" configured
  • 25. 25 Prometheus Operator – Cluster Monitoring
  • 26. 26 Prometheus Operator – Service Monitoring Define how a service should be monitored apiVersion: monitoring.coreos.com/v1alpha1 kind: ServiceMonitor metadata: name: frontend labels: tier: frontend spec: selector: matchLabels: tier: frontend endpoints: - port: web # works for different port numbers as long as the name matches interval: 10s # scrape the endpoint every 10 seconds
  • 27. 27 Prometheus Operator – Service Monitoring Create a Prometheus instance that includes this ServiceMonitor apiVersion: monitoring.coreos.com/v1alpha1 kind: Prometheus metadata: name: prometheus-frontend labels: prometheus: frontend spec: version: v1.3.0 # Define that all ServiceMonitor TPRs with the label `tier = frontend` should be included # into the server's configuration. serviceMonitors: - selector: matchLabels: tier: frontend
  • 28. 28 Create the Service monitor and Prometheus Objects $ kubectl create -f https://coreos.com/operators/prometheus/latest/servicemon itor-frontend.yaml servicemonitor "frontend" created $ kubectl create -f https://coreos.com/operators/prometheus/latest/prometheus -frontend.yaml prometheus "prometheus-frontend" created service "prometheus-frontend" created Prometheus Operator – Service Monitoring
  • 29. 29 Prometheus Operator – Service Monitoring Deploy an application that matches the label tier = frontend $ kubectl create –f ./example-app.yaml