Chapter 13. Monitoring with Prometheus
Prometheus is an open-source monitoring and alerting platform. You can use it to monitor health and availability of Central and Sensor components of Red Hat Advanced Cluster Security for Kubernetes (RHACS). When you enable monitoring, RHACS creates a new monitoring service on port number 9090
and a network policy allowing inbound connections to that port.
13.1. Monitoring Central services using the RHACS Operator
You can monitor Central services, Central and Scanner, by changing the configuration of the Central
custom resource.
Procedure
- On the OpenShift Container Platform web console, go to the Operators → Installed Operators page.
- Select the Red Hat Advanced Cluster Security for Kubernetes Operator from the list of installed Operators.
- Click on the Central tab.
- From the list of Central instances, click on a Central instance for which you want to enable monitoring for.
Click on the YAML tab and update the YAML configuration:
For monitoring Central, enable the
central.monitoring.exposeEndpoint
configuration option for theCentral
custom resource.apiVersion: platform.stackrox.io/v1alpha1 kind: Central ... spec: central: monitoring: exposeEndpoint: Enabled ...
For monitoring Scanner, enable the
scanner.monitoring.exposeEndpoint
configuration option for theCentral
custom resource.apiVersion: platform.stackrox.io/v1alpha1 kind: Central ... spec: scanner: monitoring: exposeEndpoint: Enabled ...
- Click Save.
Additional resources
13.2. Monitoring Central services using Helm charts
You can monitor Central services, Central and Scanner, by changing the configuration options in the central-services
Helm chart.
Procedure
Update the
values-public.yaml
configuration file with the following values:central.exposeMonitoring: true scanner.exposeMonitoring: true
Run the
helm upgrade
command and specify the configuration files using the-f
option:$ helm upgrade -n stackrox \ stackrox-central-services rhacs/central-services \ -f <path_to_values_public.yaml>
NoteYou can also specify configuration values using the
--set
or--set-file
parameters. However, these options are not saved, and it requires you to manually specify all the options again whenever you make changes.
Additional resources
13.3. Monitoring Central using Prometheus service monitor
If you are using the Prometheus Operator, you can use a service monitor to scrape the metrics from Red Hat Advanced Cluster Security for Kubernetes (RHACS).
If you are not using the Prometheus operator, you must edit the Prometheus configuration files to receive the data from RHACS.
Procedure
Create a new
servicemonitor.yaml
file with the following content:apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: prometheus-stackrox namespace: stackrox spec: endpoints: - interval: 30s port: monitoring scheme: http selector: matchLabels: app.kubernetes.io/name: <stackrox-service> 1
- 1
- The labels must match with the
Service
resource that you want to monitor. For example,central
orscanner
.
Apply the YAML to the cluster:
$ oc apply -f servicemonitor.yaml 1
- 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Verification
Run the following command to check the status of service monitor:
$ oc get servicemonitor --namespace stackrox 1
- 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
13.4. Manually enable monitoring
If you have already enabled monitoring using central.monitoring.exposeEndpoint: Enabled
or by using the central.exposeMonitoring: true
Helm chart customization option, do not run the commands in this section.
Before you can monitor Red Hat Advanced Cluster Security for Kubernetes, you must enable monitoring.
Procedure
Patch the services to expose the port number
9090
.Patch the Sensor service:
$ oc -n stackrox patch svc/sensor -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}' 1
- 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
Patch the Central service:
$ oc -n stackrox patch svc/central -p '{"spec":{"ports":[{"name":"monitoring","port":9090,"protocol":"TCP","targetPort":9090}]}}'
Modify network policies to allow ingress.
$ oc apply -f - <<EOF 1 apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: labels: app.kubernetes.io/name: stackrox name: allow-monitoring namespace: stackrox spec: ingress: - ports: - port: 9090 protocol: TCP podSelector: matchExpressions: - {key: app, operator: In, values: [central, sensor, collector]} policyTypes: - Ingress EOF
- 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
13.5. Customizing the default port
To customize the port used for Prometheus metrics in Red Hat Advanced Cluster Security for Kubernetes Central and Sensor, you can use the ROX_METRICS_PORT
environment variable.
Procedure
Set the
ROX_METRICS_PORT
environment variable:$ oc -n stackrox set env deploy/central ROX_METRICS_PORT=<value> 1
- 1
- If you use Kubernetes, enter
kubectl
instead ofoc
.
You can specify the <value>
for the ROX_METRICS_PORT
environment variable as:
-
disabled
to disable monitoring. -
:<port_number>
to bind it to a wildcard address. -
<address>:<port_number>
to use specific address and port number. You can also specify an IPv6 address by using square brackets, for example,[2001:db8::1234]:9090
.