• KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure Ingress Controller for Kubernetes

    arrow_forward
    ConfigSyncer

    Kubernetes Configuration Syncer

    arrow_forward
    Guard

    Kubernetes Authentication WebHook Server

    arrow_forward
    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • task_altConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
1-Dec-2022

Filter Panopticon Metrics by Namespaces

author-image
Pulak Kanti Bhowmick

Senior Software Engineer

AppsCode Inc.

Filter Panopticon Metrics by Namespaces

Monitoring is an essential part of applications deployed in Kubernetes. We have a tool called Panopticon to collect metrics from Kubernetes native and custom resources. In this blog post, we’ll briefly describe how you can configure Panopticon or Prometheus Service Monitor to filter Panopticon metrics by namespaces.

Here is the outline of this post:

  • Panopticon
  • Install Panopticon in Kubernetes
  • Filter metrics using Panopticon
  • Filter metrics using Prometheus Service Monitor

Panopticon

Panopticon is a generic state metrics exporter for Kubernetes resources. It can generate Prometheus metrics from both Kubernetes native and custom resources. Generated metrics are exposed in /metrics path for the Prometheus server to scrape. If you want to know more about Panopticon, you can check out this blog post .

Install Panopticon in Kubernetes

Panopticon is an enterprise product. It needs a license to run it. To grab a trial license, please visit here .

If you already have an enterprise license for KubeDB or Stash, you do not need to issue a new license for Panopticon. Your existing KubeDB or Stash license will work with Panopticon.

To install Panopticon in Kubernetes using helm please follow the below commands:

$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update

$ helm install panopticon appscode/panopticon -n kubeops \
    --create-namespace \
    --version v2022.06.14 \
    --set monitoring.enabled=true \
    --set monitoring.agent=prometheus.io/operator \
    --set monitoring.serviceMonitor.labels.release=<prometheus-service-monitor-selector-label> \
    --set-file license=/path/to/license-file.txt

Filter metrics using Panopticon

Panopticon provides a custom resource definition called MetricsConfiguration. It holds the target resource’s group, version, kind, and a list of metrics to collect from the target resources. Be default, Panopticon collects metrics from resources from all namespaces. It was not possible before to restrict Panopticon to expose metrics for a subset of Kubernetes namespaces.

Recently we have added namespace selector support in Panopticon. Now you can restrict Panopticon to expose metrics for a subset of Kubernetes namespaces. To do so, you have to set namespaceSelector value while installing Panopticon. namespaceSelector accepts any valid Kubernetes label selector string. This feature can be used to expose only Rancher project specific metrics to the project Prometheus server.

$ helm install panopticon appscode/panopticon -n kubeops \
    --create-namespace \
    --version v2022.06.14 \
    --set monitoring.enabled=true \
    --set monitoring.agent=prometheus.io/operator \
    --set monitoring.serviceMonitor.labels.release=<prometheus-service-monitor-selector-label> \
    --set namespaceSelector='environment in (production)' \
    --set-file license=kubedb-license.txt \
    --set apiserver.enableValidatingWebhook=false

Pros:

  • Panopticon will only generate metrics for the resources in the selected namespaces. Other resource metrics are entirely skipped from Panopticon.
  • Prometheus can’t scrape other namespaces metrics as they are not generated.

Cons:

  • As Panopticon only collects metrics from resources in the selected namespaces, resource metrics from other namespace is skipped.
  • Users can not collect those metrics without changing the configuration. To collect metrics from other namespaces, users have to add a label to the namespace object according to namespaceSelector, upgrade helm installation with updated namespaceSelector or deploy Panopticon separetely using a different namespaceSelector.

Filter metrics using Prometheus Service Monitor

If you are running Prometheus in Kubernetes for scraping metrics, you can filter metrics by namespaces using metricsRelabelings configuration in Service Monitor. In this method, you don’t need to provide any namespaceSelector flag while installing Panopticon. So, Panopticon will collect metrics from all the namespaces.

Panopticon helm chart comes with a Service Monitor configuration out of the box.

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    release: prometheus
  name: panopticon
  namespace: kubeops
spec:
  endpoints:
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    interval: 10s
    port: api
    relabelings:
    - action: labeldrop
      regex: (pod|service|endpoint|namespace)
    scheme: https
    tlsConfig:
      ca:
        secret:
          key: tls.crt
          name: panopticon-apiserver-cert
      serverName: panopticon.kubeops.svc
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    interval: 10s
    port: telemetry
    scheme: http
  namespaceSelector:
    matchNames:
    - kubeops
  selector:
    matchLabels:
      app.kubernetes.io/instance: panopticon
      app.kubernetes.io/name: panopticon

You can create a new ServiceMonitor by copying the above example and add metricsRelabelings config in api endpoint to filter metrics by namespaces.

metricRelabelings:
- action: keep
    regex: (demo|kubeops)
    sourceLabels:
    - namespace

The above metricRelabelings configuration will keep Panopticon metrics from the demo and kubeops namespace and drop metrics from other namespaces. You can modify or add such metricsRelabelings according to your need. Please visit here to know more about metrics relabel configs.

The Service Monitor object yaml after adding the above metricRelabelings configuration looks like the below:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    release: prometheus
  name: panopticon
  namespace: kubeops
spec:
  endpoints:
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    interval: 10s
    port: api
    metricRelabelings:  # added metrics relabeling configuration
    - action: keep
      regex: (demo|kubeops)
      sourceLabels:
      - namespace
    relabelings:
    - action: labeldrop
      regex: (pod|service|endpoint|namespace)
    scheme: https
    tlsConfig:
      ca:
        secret:
          key: tls.crt
          name: panopticon-apiserver-cert
      serverName: panopticon.kubeops.svc
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    interval: 10s
    port: telemetry
    scheme: http
  namespaceSelector:
    matchNames:
    - kubeops
  selector:
    matchLabels:
      app.kubernetes.io/instance: panopticon
      app.kubernetes.io/name: panopticon

Pros:

  • Panopticon collects metrics from the target resources from all the namespaces. Users can isolate metrics by namespaces at the Prometheus level.
  • If users run multiple Prometheus for a single Panopticon instance and want to use different service monitor objects for each Prometheus then it will become possible to isolate Panopticon metrics over namespaces to different Prometheus.

Cons:

  • Metrics for target resources from all the namespaces are available to Panopticon. It might be possible for Prometheus to scrape all the metrics for misconfiguration.
  • If users want to collect metrics from a newly created namespace or don’t want to collect metrics from a namespace anymore, users need to update the existing Service Monitor relabeling config every time.

Support

To speak with us, please leave a message on our website .

To receive product announcements, follow us on Twitter .

If you have found a bug with KubeDB or want to request for new features, please file an issue .

TAGS

filtering kubedb kubernetes metrics monitoring namespace panopticon prometheus

Get Up and Running Quickly

Deploy, manage, upgrade Kubernetes on any cloud and automate deployment, scaling, and management of containerized applications.

CONTACT US