Release V2.19.3 #41

Merged
stefan merged 11 commits from master into stable 2021-04-16 20:32:55 +00:00
73 changed files with 430 additions and 138 deletions

.gitignore vendored

@ -8,3 +8,4 @@
# Breaks Helm V3 dependencies in Argo # Breaks Helm V3 dependencies in Argo
Chart.lock Chart.lock
kubezero-repo.???


@ -0,0 +1,2 @@
*.sh
*.md


@ -2,7 +2,7 @@ apiVersion: v2
name: kubeadm name: kubeadm
description: KubeZero Kubeadm golden config description: KubeZero Kubeadm golden config
type: application type: application
version: 1.19.9 version: 1.20.0
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:


@ -42,6 +42,7 @@ apiServer:
audit-log-maxage: "7" audit-log-maxage: "7"
audit-log-maxsize: "100" audit-log-maxsize: "100"
audit-log-maxbackup: "3" audit-log-maxbackup: "3"
audit-log-compress: "true"
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
{{- if eq .Values.platform "aws" }} {{- if eq .Values.platform "aws" }}
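Review bot: `audit-log-compress: "true"` only gzips the rotated files; with `audit-log-maxbackup: "3"`, `audit-log-maxsize: "100"` and `audit-log-maxage: "7"` left as they are, the on-node audit trail is still at most the active file plus three backups, and anyone with access to the control-plane node can age it out by generating noise. If the logs are forwarded off the node, record that next to these flags, e.g. `# rotated files are gzip'd; retention beyond 3x100MiB/7d relies on the node log shipper`; if they are not, that is the gap to close rather than the compression. Any collector that globs the rotated files instead of tailing the active one now has to read `.gz` — worth a check before this lands on the stable branch.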


@ -1,3 +1,4 @@
# https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
apiVersion: kubelet.config.k8s.io/v1beta1 apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration kind: KubeletConfiguration
metadata: metadata:
@ -22,14 +23,15 @@ featureGates: {{ include "kubeadm.featuregates" ( dict "return" "map" "platform"
podsPerCore: 20 podsPerCore: 20
# cpuCFSQuotaPeriod: 10ms # cpuCFSQuotaPeriod: 10ms
# Basic OS on Ubuntu 20.04 incl. crio # Basic OS on Ubuntu 20.04 incl. crio
#systemReserved: systemReserved:
# memory: 256Mi memory: 256Mi
# This should be dynamic based on number of maxpods and available cores ephemeral-storage: "2Gi"
# https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#memory_cpu # kubelet memory should be static as runc,conmon are added to each pod's cgroup
# Below are default minimal for 2 cores and minimum kubelet
kubeReserved: kubeReserved:
cpu: 70m cpu: 70m
# memory: 128Mi memory: 128Mi
# Lets use below to reserve memory for system processes as kubeReserved/sytemReserved doesnt go well with systemd it seems # Lets use below to reserve memory for system processes as kubeReserved/sytemReserved doesnt go well with systemd it seems
evictionHard: #evictionHard:
memory.available: "484Mi" # memory.available: "484Mi"
imageGCLowThresholdPercent: 70
kernelMemcgNotification: true
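Review bot: The comment kept above `#evictionHard:` — "Lets use below to reserve memory for system processes as kubeReserved/sytemReserved doesnt go well with systemd" — now says the opposite of what the config does: `systemReserved` and `kubeReserved` are active and the explicit `memory.available: "484Mi"` threshold is commented out, so memory-pressure eviction falls back to the kubelet's built-in defaults (`memory.available<100Mi` plus the nodefs/imagefs percentages). Replace it with a comment stating the current intent, e.g. `# systemReserved/kubeReserved shrink allocatable; hard eviction uses the kubelet defaults — an explicit evictionHard map replaces them rather than extending them`, which is presumably why the partial map was dropped. Minor: `ephemeral-storage: "2Gi"` is quoted while `memory: 256Mi` is not; both parse as strings, but pick one form.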


@ -0,0 +1,2 @@
# aws-iam-authenticator
- https://github.com/kubernetes-sigs/aws-iam-authenticator


@ -2,17 +2,14 @@
Feature gates for all control plane components Feature gates for all control plane components
*/ -}} */ -}}
{{- define "kubeadm.featuregates" -}} {{- define "kubeadm.featuregates" -}}
{{- $gates := dict "DefaultPodTopologySpread" "true" "CustomCPUCFSQuotaPeriod" "true" "GenericEphemeralVolume" "true" }} {{- $gates := list "CustomCPUCFSQuotaPeriod" "GenericEphemeralVolume" "CSIMigrationAWSComplete" "CSIMigrationAzureDiskComplete" "CSIMigrationAzureFileComplete" "CSIMigrationGCEComplete" "CSIMigrationOpenStackComplete" "CSIMigrationvSphereComplete" }}
{{- if eq .platform "aws" }}
{{- $gates = merge $gates ( dict "CSIMigrationAWS" "true" "CSIMigrationAWSComplete" "true") }}
{{- end }}
{{- if eq .return "csv" }} {{- if eq .return "csv" }}
{{- range $key, $val := $gates }} {{- range $key := $gates }}
{{- $key }}={{- $val }}, {{- $key }}=true,
{{- end }} {{- end }}
{{- else }} {{- else }}
{{- range $key, $val := $gates }} {{- range $key := $gates }}
{{ $key }}: {{ $val }} {{ $key }}: true
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
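Review bot: The new list keeps `CSIMigrationAWSComplete` but drops the `CSIMigrationAWS` gate the old dict set next to it, and for the 1.20 line the `*Complete` gates are documented as requiring the matching `CSIMigration<Cloud>` gate (and `CSIMigration`) to be enabled; on a kubelet where `CSIMigrationAWS` is not default-on this would stop registering the in-tree EBS plugin without routing to the CSI driver. Either add `"CSIMigrationAWS"` back to the list or record in the header comment which gate defaults of the target version are being relied on. The template also no longer reads `.platform` — the `eq .platform "aws"` branch is gone — while the kubelet config include still passes it; drop it from the call sites or mark it unused so the next reader does not expect per-platform gating. Turning on the Azure/GCE/OpenStack/vSphere `*Complete` gates unconditionally is presumably just meant to stop registering unused in-tree plugins; a one-line comment saying so would help.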


@ -0,0 +1,8 @@
# Create IAM role for ECR read-only access
- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
# Create secret for IAM user for ecr-renew
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>
# Resources
- https://github.com/nabsul/k8s-ecr-login-renew


@ -0,0 +1,40 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
namespace: kube-system
name: ecr-renew
labels:
app: ecr-renew
spec:
schedule: "0 */6 * * *"
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 5
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: ecr-renew
containers:
- name: ecr-renew
image: nabsul/k8s-ecr-login-renew:v1.4
env:
- name: DOCKER_SECRET_NAME
value: ecr-login
- name: TARGET_NAMESPACE
value: "*"
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: ecr-renew-cred
key: AWS_SECRET_ACCESS_KEY
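Review bot: The job authenticates with long-lived IAM user keys read from the `ecr-renew-cred` Secret, while the accompanying instructions talk about an IAM role with `AmazonEC2ContainerRegistryReadOnly`; static access keys in a Secret are the weaker option and need a rotation owner, so if the tool can use the node instance role or IRSA (not visible here) prefer that and drop the three env entries, otherwise document the rotation plan next to the Secret reference. `TARGET_NAMESPACE: "*"` fans the generated `ecr-login` pull secret out to every namespace, handing the registry token to any workload in the cluster including ones that have no business pulling from ECR; an explicit namespace list is safer if the tool supports it. The image `nabsul/k8s-ecr-login-renew:v1.4` comes from a personal Docker Hub namespace pinned only by a mutable tag; pin it by digest (`image: nabsul/k8s-ecr-login-renew:v1.4@sha256:<digest>`) and give the pod a `securityContext` (`runAsNonRoot: true`, drop all capabilities), since this container holds cluster-wide Secret write rights.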


@ -0,0 +1,31 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: ecr-renew
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ecr-renew
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "update", "get", "delete"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
namespace: kube-system
name: ecr-renew
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ecr-renew
subjects:
- kind: ServiceAccount
name: ecr-renew
namespace: kube-system
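Review bot: The ClusterRole grants `get`, `update` and `delete` on every Secret in every namespace, far beyond the single `ecr-login` Secret the job writes; if the CronJob pod is compromised, its token can read any named Secret cluster-wide. `create` cannot be narrowed by `resourceNames`, but the other three verbs can, so split the rule as below. `metadata.namespace` on the ClusterRoleBinding is meaningless for a cluster-scoped object and can be dropped.
```yaml
rules:
  # create cannot be limited by resourceNames; keep it broad
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # all other verbs only on the Secret this job manages (DOCKER_SECRET_NAME in the CronJob)
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ecr-login"]
    verbs: ["get", "update", "delete"]
  # … unchanged: namespaces get/list …
```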


@ -3,5 +3,5 @@ spec:
- name: etcd - name: etcd
resources: resources:
requests: requests:
cpu: 250m cpu: 200m
memory: 192Mi memory: 192Mi


@ -3,5 +3,5 @@ spec:
- name: kube-apiserver - name: kube-apiserver
resources: resources:
requests: requests:
cpu: 250m cpu: 200m
memory: 1Gi memory: 1Gi


@ -3,5 +3,5 @@ spec:
- name: kube-controller-manager - name: kube-controller-manager
resources: resources:
requests: requests:
cpu: 200m cpu: 100m
memory: 128Mi memory: 128Mi


@ -0,0 +1,8 @@
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: crio
handler: runc
overhead:
podFixed:
memory: 16Mi
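Review bot: The overhead declared here is only charged to pods that set `runtimeClassName: crio`; nothing in this PR makes it a default, so the kubelet-config comment about runc/conmon living in each pod's cgroup is not automatically covered for pods that omit it. A header comment would stop the next reader from assuming it applies cluster-wide, e.g. `# Only charged to pods with runtimeClassName: crio; 'runc' presumably has to match a runtime handler in the node's crio.conf`. Naming the class `crio` while the handler is `runc` is also a little misleading — consider naming it after the handler or saying why not.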


@ -13,5 +13,4 @@ systemd: true
protectKernelDefaults: true protectKernelDefaults: true
WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode" WorkerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
WorkerIamRole: "arn:aws:iam::000000000000:role/KubernetesNode"
KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode" KubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio-ingress name: kubezero-istio-ingress
description: KubeZero Umbrella Chart for Istio based Ingress description: KubeZero Umbrella Chart for Istio based Ingress
type: application type: application
version: 0.5.1 version: 0.5.2
appVersion: 1.9.2 appVersion: 1.9.3
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,9 +16,9 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: istio-ingress - name: istio-ingress
version: 1.9.2 version: 1.9.3
condition: istio-ingress.enabled condition: istio-ingress.enabled
- name: istio-private-ingress - name: istio-private-ingress
version: 1.9.2 version: 1.9.3
condition: istio-private-ingress.enabled condition: istio-private-ingress.enabled
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-ingress name: istio-ingress
version: 1.9.2 version: 1.9.3
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -174,7 +174,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.2 tag: 1.9.3
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-private-ingress name: istio-private-ingress
version: 1.9.2 version: 1.9.3
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio gateways description: Helm chart for deploying Istio gateways
keywords: keywords:


@ -174,7 +174,7 @@ global:
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.2 tag: 1.9.3
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -1,7 +1,7 @@
# Make sure these values match kuberzero-istio !!! # Make sure these values match kuberzero-istio !!!
global: global:
#hub: docker.io/istio #hub: docker.io/istio
#tag: 1.9.0 #tag: 1.9.3
logAsJson: true logAsJson: true
jwtPolicy: first-party-jwt jwtPolicy: first-party-jwt
@ -23,10 +23,11 @@ istio-ingress:
replicaCount: 1 replicaCount: 1
resources: resources:
requests: requests:
cpu: 50m
memory: 64Mi memory: 64Mi
limits: limits:
# cpu: 100m # cpu: 100m
memory: 256Mi memory: 512Mi
externalTrafficPolicy: Local externalTrafficPolicy: Local
podAntiAffinityLabelSelector: podAntiAffinityLabelSelector:
- key: app - key: app
@ -37,7 +38,6 @@ istio-ingress:
env: env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"' TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"' # ISTIO_META_HTTP10: '"1"'
# The node selector is normally the list of nodeports, see CloudBender # The node selector is normally the list of nodeports, see CloudBender
nodeSelector: nodeSelector:
node.kubernetes.io/ingress.public: "30080_30443" node.kubernetes.io/ingress.public: "30080_30443"
@ -87,11 +87,11 @@ istio-private-ingress:
replicaCount: 1 replicaCount: 1
resources: resources:
requests: requests:
cpu: 100m cpu: 50m
memory: 64Mi memory: 64Mi
limits: limits:
# cpu: 100m # cpu: 100m
memory: 256Mi memory: 512Mi
externalTrafficPolicy: Local externalTrafficPolicy: Local
podAntiAffinityLabelSelector: podAntiAffinityLabelSelector:
- key: app - key: app
@ -102,7 +102,6 @@ istio-private-ingress:
env: env:
TERMINATION_DRAIN_DURATION_SECONDS: '"60"' TERMINATION_DRAIN_DURATION_SECONDS: '"60"'
# ISTIO_META_HTTP10: '"1"' # ISTIO_META_HTTP10: '"1"'
nodeSelector: nodeSelector:
node.kubernetes.io/ingress.private: "31080_31443" node.kubernetes.io/ingress.private: "31080_31443"
#nodeSelector: "31080_31443_31671_31672_31224" #nodeSelector: "31080_31443_31671_31672_31224"


@ -2,8 +2,8 @@ apiVersion: v2
name: kubezero-istio name: kubezero-istio
description: KubeZero Umbrella Chart for Istio description: KubeZero Umbrella Chart for Istio
type: application type: application
version: 0.5.1 version: 0.5.3
appVersion: 1.9.2 appVersion: 1.9.3
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: base - name: base
version: 1.9.2 version: 1.9.3
- name: istio-discovery - name: istio-discovery
version: 1.9.2 version: 1.9.3
kubeVersion: ">= 1.18.0" kubeVersion: ">= 1.18.0"


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: base name: base
version: 1.9.2 version: 1.9.3
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for deploying Istio cluster resources and CRDs description: Helm chart for deploying Istio cluster resources and CRDs
keywords: keywords:


@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
name: istio-discovery name: istio-discovery
version: 1.9.2 version: 1.9.3
tillerVersion: ">=2.7.2" tillerVersion: ">=2.7.2"
description: Helm chart for istio control plane description: Helm chart for istio control plane
keywords: keywords:


@ -232,7 +232,7 @@ global:
# Dev builds from prow are on gcr.io # Dev builds from prow are on gcr.io
hub: docker.io/istio hub: docker.io/istio
# Default tag for Istio images. # Default tag for Istio images.
tag: 1.9.2 tag: 1.9.3
# Specify image pull policy if default behavior isn't desired. # Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent. # Default behavior: latest images will be Always else IfNotPresent.


@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
set -ex set -ex
export ISTIO_VERSION=1.9.2 export ISTIO_VERSION=1.9.3
if [ ! -d istio-$ISTIO_VERSION ]; then if [ ! -d istio-$ISTIO_VERSION ]; then
NAME="istio-$ISTIO_VERSION" NAME="istio-$ISTIO_VERSION"


@ -35,6 +35,10 @@ istio-discovery:
enabled: false enabled: false
meshConfig: meshConfig:
defaultConfig:
terminationDrainDuration: 60s
# proxyMetadata:
# ISTIO_META_HTTP10: '"1"'
accessLogFile: /dev/stdout accessLogFile: /dev/stdout
accessLogEncoding: 'JSON' accessLogEncoding: 'JSON'
h2UpgradePolicy: 'DO_NOT_UPGRADE' h2UpgradePolicy: 'DO_NOT_UPGRADE'
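Review bot: `terminationDrainDuration: 60s` only helps if the proxy pod's `terminationGracePeriodSeconds` exceeds it (the Kubernetes default is 30s); otherwise the sidecar is killed mid-drain and the setting is a no-op. Add a comment stating that the grace period is raised elsewhere, e.g. `# requires terminationGracePeriodSeconds > 60s on the workloads/gateways`, or set it alongside. The same value is also set per gateway through `TERMINATION_DRAIN_DURATION_SECONDS: '"60"'` in the ingress values of this release; keeping both lets them drift, so note which one wins (the per-proxy env presumably overrides meshConfig) or drop the env once this is in place.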


@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-metrics name: kubezero-metrics
description: KubeZero Umbrella Chart for prometheus-operator description: KubeZero Umbrella Chart for prometheus-operator
type: application type: application
version: 0.3.4 version: 0.3.5
home: https://kubezero.com home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords: keywords:
@ -16,7 +16,7 @@ dependencies:
version: ">= 0.1.3" version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/ repository: https://zero-down-time.github.io/kubezero/
- name: kube-prometheus-stack - name: kube-prometheus-stack
version: 14.3.0 version: 14.9.0
# Switch back to upstream once all alerts are fixed eg. etcd gpcr # Switch back to upstream once all alerts are fixed eg. etcd gpcr
# repository: https://prometheus-community.github.io/helm-charts # repository: https://prometheus-community.github.io/helm-charts
- name: prometheus-adapter - name: prometheus-adapter


@ -0,0 +1,66 @@
diff -turN charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml charts/kube-prometheus-stack.zdt/templates/prometheus/rules-1.14/etcd.yaml
--- charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml 2021-04-14 22:13:29.000000000 +0200
+++ charts/kube-prometheus-stack.zdt/templates/prometheus/rules-1.14/etcd.yaml 2021-04-15 14:43:03.074281889 +0200
@@ -54,34 +54,6 @@
{{- if .Values.defaultRules.additionalRuleLabels }}
{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
{{- end }}
- - alert: etcdHighNumberOfFailedGRPCRequests
- annotations:
- message: 'etcd cluster "{{`{{`}} $labels.job {{`}}`}}": {{`{{`}} $value {{`}}`}}% of requests for {{`{{`}} $labels.grpc_method {{`}}`}} failed on etcd instance {{`{{`}} $labels.instance {{`}}`}}.'
- expr: |-
- 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
- /
- sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
- > 1
- for: 10m
- labels:
- severity: warning
-{{- if .Values.defaultRules.additionalRuleLabels }}
-{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
-{{- end }}
- - alert: etcdHighNumberOfFailedGRPCRequests
- annotations:
- message: 'etcd cluster "{{`{{`}} $labels.job {{`}}`}}": {{`{{`}} $value {{`}}`}}% of requests for {{`{{`}} $labels.grpc_method {{`}}`}} failed on etcd instance {{`{{`}} $labels.instance {{`}}`}}.'
- expr: |-
- 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
- /
- sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
- > 5
- for: 5m
- labels:
- severity: critical
-{{- if .Values.defaultRules.additionalRuleLabels }}
-{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
-{{- end }}
- alert: etcdGRPCRequestsSlow
annotations:
message: 'etcd cluster "{{`{{`}} $labels.job {{`}}`}}": gRPC requests to {{`{{`}} $labels.grpc_method {{`}}`}} are taking {{`{{`}} $value {{`}}`}}s on etcd instance {{`{{`}} $labels.instance {{`}}`}}.'
diff -turN charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node-exporter.yaml charts/kube-prometheus-stack.zdt/templates/prometheus/rules-1.14/node-exporter.yaml
--- charts/kube-prometheus-stack/templates/prometheus/rules-1.14/node-exporter.yaml 2021-04-14 22:13:29.000000000 +0200
+++ charts/kube-prometheus-stack.zdt/templates/prometheus/rules-1.14/node-exporter.yaml 2021-04-15 14:49:41.614282790 +0200
@@ -30,7 +30,7 @@
summary: Filesystem is predicted to run out of space within the next 24 hours.
expr: |-
(
- node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 40
+ node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 25
and
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 24*60*60) < 0
and
@@ -48,7 +48,7 @@
summary: Filesystem is predicted to run out of space within the next 4 hours.
expr: |-
(
- node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 15
+ node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 10
and
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 4*60*60) < 0
and
@@ -259,4 +259,4 @@
{{- if .Values.defaultRules.additionalRuleLabels }}
{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
{{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
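Review bot: The patch deletes both `etcdHighNumberOfFailedGRPCRequests` rules (warning at >1% and critical at >5%) rather than narrowing them, so failed etcd gRPC calls now raise no alert at all, and the only trace of why is the umbrella Chart.yaml remark "Switch back to upstream once all alerts are fixed eg. etcd gpcr". If the noise comes from specific methods or codes (Watch streams reporting Canceled/Unavailable is the usual cause), keep the critical rule and tighten the numerator instead, for example `grpc_server_handled_total{job=~".*etcd.*", grpc_code=~"Unknown|FailedPrecondition|ResourceExhausted|Internal|Unavailable|DataLoss|DeadlineExceeded"}`; at minimum add a line above the first `diff` header naming the upstream issue so the removal can be reverted deliberately. The node-exporter threshold changes (40→25 and 15→10) are reasonable but deserve the same one-line rationale in the patch header.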


@ -15,11 +15,11 @@ dependencies:
- condition: nodeExporter.enabled - condition: nodeExporter.enabled
name: prometheus-node-exporter name: prometheus-node-exporter
repository: https://prometheus-community.github.io/helm-charts repository: https://prometheus-community.github.io/helm-charts
version: 1.16.* version: 1.17.*
- condition: grafana.enabled - condition: grafana.enabled
name: grafana name: grafana
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts
version: 6.6.* version: 6.7.*
description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
home: https://github.com/prometheus-operator/kube-prometheus home: https://github.com/prometheus-operator/kube-prometheus
icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
@ -44,4 +44,4 @@ sources:
- https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-community/helm-charts
- https://github.com/prometheus-operator/kube-prometheus - https://github.com/prometheus-operator/kube-prometheus
type: application type: application
version: 14.3.0 version: 14.9.0


@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: 7.4.3 appVersion: 7.5.3
description: The leading tool for querying and visualizing time series and metrics. description: The leading tool for querying and visualizing time series and metrics.
home: https://grafana.net home: https://grafana.net
icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png
@ -19,4 +19,4 @@ name: grafana
sources: sources:
- https://github.com/grafana/grafana - https://github.com/grafana/grafana
type: application type: application
version: 6.6.3 version: 6.7.4


@ -59,8 +59,8 @@ This version requires Helm >= 3.1.0.
| `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` | | `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` |
| `priorityClassName` | Name of Priority Class to assign pods | `nil` | | `priorityClassName` | Name of Priority Class to assign pods | `nil` |
| `image.repository` | Image repository | `grafana/grafana` | | `image.repository` | Image repository | `grafana/grafana` |
| `image.tag` | Image tag (`Must be >= 5.0.0`) | `7.4.3` | | `image.tag` | Image tag (`Must be >= 5.0.0`) | `7.4.5` |
| `image.sha` | Image sha (optional) | `16dc29783ec7d4a23fa19207507586344c6797023604347eb3e8ea5ae431e181` | | `image.sha` | Image sha (optional) | `2b56f6106ddc376bb46d974230d530754bf65a640dfbc5245191d72d3b49efc6` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Image pull secrets | `{}` | | `image.pullSecrets` | Image pull secrets | `{}` |
| `service.type` | Kubernetes service type | `ClusterIP` | | `service.type` | Kubernetes service type | `ClusterIP` |
@ -242,6 +242,9 @@ ingress:
### Example of extraVolumeMounts ### Example of extraVolumeMounts
Volume can be type persistentVolumeClaim or hostPath but not both at same time.
If none existingClaim or hostPath argument is givent then type is emptyDir.
```yaml ```yaml
- extraVolumeMounts: - extraVolumeMounts:
- name: plugins - name: plugins
@ -249,6 +252,10 @@ ingress:
subPath: configs/grafana/plugins subPath: configs/grafana/plugins
existingClaim: existing-grafana-claim existingClaim: existing-grafana-claim
readOnly: false readOnly: false
- name: dashboards
mountPath: /var/lib/grafana/dashboards
hostPath: /usr/shared/grafana/dashboards
readOnly: false
``` ```
## Import dashboards ## Import dashboards


@ -479,8 +479,15 @@ volumes:
{{- end }} {{- end }}
{{- range .Values.extraVolumeMounts }} {{- range .Values.extraVolumeMounts }}
- name: {{ .name }} - name: {{ .name }}
{{- if .existingClaim }}
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ .existingClaim }} claimName: {{ .existingClaim }}
{{- else if .hostPath }}
hostPath:
path: {{ .hostPath }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }} {{- end }}
{{- range .Values.extraEmptyDirMounts }} {{- range .Values.extraEmptyDirMounts }}
- name: {{ .name }} - name: {{ .name }}


@ -17,19 +17,8 @@ spec:
privileged: false privileged: false
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
requiredDropCapabilities: requiredDropCapabilities:
# Default set from Docker, without DAC_OVERRIDE or CHOWN # Default set from Docker, with DAC_OVERRIDE and CHOWN
- FOWNER - ALL
- FSETID
- KILL
- SETGID
- SETUID
- SETPCAP
- NET_BIND_SERVICE
- NET_RAW
- SYS_CHROOT
- MKNOD
- AUDIT_WRITE
- SETFCAP
volumes: volumes:
- 'configMap' - 'configMap'
- 'emptyDir' - 'emptyDir'
@ -42,12 +31,20 @@ spec:
hostIPC: false hostIPC: false
hostPID: false hostPID: false
runAsUser: runAsUser:
rule: 'RunAsAny' rule: 'MustRunAsNonRoot'
seLinux: seLinux:
rule: 'RunAsAny' rule: 'RunAsAny'
supplementalGroups: supplementalGroups:
rule: 'RunAsAny' rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup: fsGroup:
rule: 'RunAsAny' rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
{{- end }} {{- end }}


@ -53,7 +53,7 @@ livenessProbe:
image: image:
repository: grafana/grafana repository: grafana/grafana
tag: 7.4.3 tag: 7.5.3
sha: "" sha: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
@ -401,10 +401,14 @@ extraSecretMounts: []
## Additional grafana server volume mounts ## Additional grafana server volume mounts
# Defines additional volume mounts. # Defines additional volume mounts.
extraVolumeMounts: [] extraVolumeMounts: []
# - name: extra-volume # - name: extra-volume-0
# mountPath: /mnt/volume # mountPath: /mnt/volume0
# readOnly: true # readOnly: true
# existingClaim: volume-claim # existingClaim: volume-claim
# - name: extra-volume-1
# mountPath: /mnt/volume1
# readOnly: true
# hostPath: /usr/shared/
## Pass the plugins you want installed as a list. ## Pass the plugins you want installed as a list.
## ##


@ -15,4 +15,4 @@ maintainers:
name: kube-state-metrics name: kube-state-metrics
sources: sources:
- https://github.com/kubernetes/kube-state-metrics/ - https://github.com/kubernetes/kube-state-metrics/
version: 2.13.0 version: 2.13.2


@ -1,4 +1,4 @@
{{- if and (eq $.Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} {{- if and (eq $.Values.rbac.create true) (not .Values.rbac.useExistingRole) -}}
{{- if eq .Values.rbac.useClusterRole false }} {{- if eq .Values.rbac.useClusterRole false }}
{{- range (split "," $.Values.namespace) }} {{- range (split "," $.Values.namespace) }}
{{- end }} {{- end }}


@ -1,7 +1,7 @@
{{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} {{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}}
{{- range (split "," $.Values.namespace) }} {{- range (split "," $.Values.namespace) }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
labels: labels:


@ -14,4 +14,4 @@ maintainers:
name: prometheus-node-exporter name: prometheus-node-exporter
sources: sources:
- https://github.com/prometheus/node_exporter/ - https://github.com/prometheus/node_exporter/
version: 1.16.2 version: 1.17.0


@ -29,6 +29,10 @@ spec:
{{- if .Values.priorityClassName }} {{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }}
{{- end }} {{- end }}
{{- if .Values.extraInitContainers }}
initContainers:
{{ toYaml .Values.extraInitContainers | nindent 6 }}
{{- end }}
containers: containers:
- name: node-exporter - name: node-exporter
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"


@ -168,3 +168,7 @@ sidecarVolumeMount: []
## - name: collector-textfiles ## - name: collector-textfiles
## mountPath: /run/prometheus ## mountPath: /run/prometheus
## readOnly: false ## readOnly: false
## Additional InitContainers to initialize the pod
##
extraInitContainers: []


@ -7,6 +7,10 @@ metadata:
labels: labels:
app: {{ template "kube-prometheus-stack.name" . }}-alertmanager app: {{ template "kube-prometheus-stack.name" . }}-alertmanager
{{ include "kube-prometheus-stack.labels" . | indent 4 }} {{ include "kube-prometheus-stack.labels" . | indent 4 }}
{{- if .Values.alertmanager.annotations }}
annotations:
{{ toYaml .Values.alertmanager.annotations | indent 4 }}
{{- end }}
spec: spec:
{{- if .Values.alertmanager.alertmanagerSpec.image }} {{- if .Values.alertmanager.alertmanagerSpec.image }}
image: {{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }} image: {{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }}


@ -21,6 +21,9 @@ spec:
{{- if .Values.alertmanager.serviceMonitor.interval }} {{- if .Values.alertmanager.serviceMonitor.interval }}
interval: {{ .Values.alertmanager.serviceMonitor.interval }} interval: {{ .Values.alertmanager.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.alertmanager.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.alertmanager.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.alertmanager.serviceMonitor.scheme }} {{- if .Values.alertmanager.serviceMonitor.scheme }}
scheme: {{ .Values.alertmanager.serviceMonitor.scheme }} scheme: {{ .Values.alertmanager.serviceMonitor.scheme }}
{{- end }} {{- end }}


@ -21,6 +21,9 @@ spec:
{{- if .Values.coreDns.serviceMonitor.interval}} {{- if .Values.coreDns.serviceMonitor.interval}}
interval: {{ .Values.coreDns.serviceMonitor.interval }} interval: {{ .Values.coreDns.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.coreDns.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.coreDns.serviceMonitor.proxyUrl}}
{{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.coreDns.serviceMonitor.metricRelabelings }} {{- if .Values.coreDns.serviceMonitor.metricRelabelings }}
metricRelabelings: metricRelabelings:


@ -13,6 +13,9 @@ spec:
{{- if .Values.kubeApiServer.serviceMonitor.interval }} {{- if .Values.kubeApiServer.serviceMonitor.interval }}
interval: {{ .Values.kubeApiServer.serviceMonitor.interval }} interval: {{ .Values.kubeApiServer.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.kubeApiServer.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeApiServer.serviceMonitor.proxyUrl}}
{{- end }}
port: https port: https
scheme: https scheme: https
{{- if .Values.kubeApiServer.serviceMonitor.metricRelabelings }} {{- if .Values.kubeApiServer.serviceMonitor.metricRelabelings }}


@ -1,4 +1,4 @@
{{- if .Values.kubeControllerManager.enabled }} {{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.service.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeControllerManager.enabled }} {{- if and .Values.kubeControllerManager.enabled .Values.kubeControllerManager.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
@ -22,6 +22,9 @@ spec:
interval: {{ .Values.kubeControllerManager.serviceMonitor.interval }} interval: {{ .Values.kubeControllerManager.serviceMonitor.interval }}
{{- end }} {{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.kubeControllerManager.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeControllerManager.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.kubeControllerManager.serviceMonitor.https }} {{- if .Values.kubeControllerManager.serviceMonitor.https }}
scheme: https scheme: https
tlsConfig: tlsConfig:


@ -22,6 +22,9 @@ spec:
interval: {{ .Values.kubeDns.serviceMonitor.interval }} interval: {{ .Values.kubeDns.serviceMonitor.interval }}
{{- end }} {{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.kubeDns.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeDns.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.kubeDns.serviceMonitor.dnsmasqMetricRelabelings }} {{- if .Values.kubeDns.serviceMonitor.dnsmasqMetricRelabelings }}
metricRelabelings: metricRelabelings:
{{ tpl (toYaml .Values.kubeDns.serviceMonitor.dnsmasqMetricRelabelings | indent 4) . }} {{ tpl (toYaml .Values.kubeDns.serviceMonitor.dnsmasqMetricRelabelings | indent 4) . }}


@ -1,4 +1,4 @@
{{- if .Values.kubeEtcd.enabled }} {{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.service.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeEtcd.enabled }} {{- if and .Values.kubeEtcd.enabled .Values.kubeEtcd.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
@ -22,6 +22,9 @@ spec:
interval: {{ .Values.kubeEtcd.serviceMonitor.interval }} interval: {{ .Values.kubeEtcd.serviceMonitor.interval }}
{{- end }} {{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.kubeEtcd.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeEtcd.serviceMonitor.proxyUrl}}
{{- end }}
{{- if eq .Values.kubeEtcd.serviceMonitor.scheme "https" }} {{- if eq .Values.kubeEtcd.serviceMonitor.scheme "https" }}
scheme: https scheme: https
tlsConfig: tlsConfig:
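Review bot: `bearerTokenFile` directly above the new `proxyUrl` block is emitted unconditionally, while `scheme: https` is only switched on further down when `kubeEtcd.serviceMonitor.scheme` says so, and the values.yaml in this same release defaults that to `http`; with a proxyUrl set and the default scheme, the Prometheus serviceaccount token therefore crosses the proxy as a cleartext `Authorization` header. Either move `bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token` inside the `{{- if eq .Values.kubeEtcd.serviceMonitor.scheme "https" }}` branch, or state in the proxyUrl values comment that the proxy must be trusted with that token. The endpoint entry continues past the end of the hunk.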


@ -1,4 +1,4 @@
{{- if .Values.kubeProxy.enabled }} {{- if and .Values.kubeProxy.enabled .Values.kubeProxy.service.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeProxy.enabled }} {{- if and .Values.kubeProxy.enabled .Values.kubeProxy.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
@ -22,6 +22,9 @@ spec:
interval: {{ .Values.kubeProxy.serviceMonitor.interval }} interval: {{ .Values.kubeProxy.serviceMonitor.interval }}
{{- end }} {{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.kubeProxy.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeProxy.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.kubeProxy.serviceMonitor.https }} {{- if .Values.kubeProxy.serviceMonitor.https }}
scheme: https scheme: https
tlsConfig: tlsConfig:


@ -1,4 +1,4 @@
{{- if .Values.kubeScheduler.enabled }} {{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.service.enabled }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,4 +1,4 @@
{{- if .Values.kubeScheduler.enabled }} {{- if and .Values.kubeScheduler.enabled .Values.kubeScheduler.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
@ -22,6 +22,9 @@ spec:
interval: {{ .Values.kubeScheduler.serviceMonitor.interval }} interval: {{ .Values.kubeScheduler.serviceMonitor.interval }}
{{- end }} {{- end }}
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.kubeScheduler.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeScheduler.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.kubeScheduler.serviceMonitor.https }} {{- if .Values.kubeScheduler.serviceMonitor.https }}
scheme: https scheme: https
tlsConfig: tlsConfig:


@ -14,6 +14,9 @@ spec:
{{- if .Values.kubeStateMetrics.serviceMonitor.interval }} {{- if .Values.kubeStateMetrics.serviceMonitor.interval }}
interval: {{ .Values.kubeStateMetrics.serviceMonitor.interval }} interval: {{ .Values.kubeStateMetrics.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.kubeStateMetrics.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeStateMetrics.serviceMonitor.proxyUrl}}
{{- end }}
honorLabels: true honorLabels: true
{{- if .Values.kubeStateMetrics.serviceMonitor.metricRelabelings }} {{- if .Values.kubeStateMetrics.serviceMonitor.metricRelabelings }}
metricRelabelings: metricRelabelings:
@ -22,6 +25,11 @@ spec:
{{- if .Values.kubeStateMetrics.serviceMonitor.relabelings }} {{- if .Values.kubeStateMetrics.serviceMonitor.relabelings }}
relabelings: relabelings:
{{ toYaml .Values.kubeStateMetrics.serviceMonitor.relabelings | indent 4 }} {{ toYaml .Values.kubeStateMetrics.serviceMonitor.relabelings | indent 4 }}
{{- end }}
{{- if .Values.kubeStateMetrics.serviceMonitor.namespaceOverride }}
namespaceSelector:
matchNames:
- {{ .Values.kubeStateMetrics.serviceMonitor.namespaceOverride }}
{{- end }} {{- end }}
selector: selector:
matchLabels: matchLabels:


@ -15,6 +15,9 @@ spec:
{{- if .Values.kubelet.serviceMonitor.interval }} {{- if .Values.kubelet.serviceMonitor.interval }}
interval: {{ .Values.kubelet.serviceMonitor.interval }} interval: {{ .Values.kubelet.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.kubelet.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubelet.serviceMonitor.proxyUrl}}
{{- end }}
tlsConfig: tlsConfig:
caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecureSkipVerify: true insecureSkipVerify: true
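Review bot: the new proxyUrl sits directly above `insecureSkipVerify: true`, so once a proxy is configured it can terminate the kubelet TLS session without Prometheus noticing, and whoever controls that proxy sees every scrape including whatever bearer credential this endpoint attaches (that part of the endpoint is outside the hunk). Skipping verification is presumably there because kubelet serving certificates are often not signed by the cluster CA (the values.yaml comment points at issue 926), so flipping it blindly is not an option, but a proxy widens the exposure from the network path to a third component. At minimum the values.yaml entry should carry the caveat, `## NOTE: kubelet scrapes skip TLS verification, so this proxy must be fully trusted`, and deployments that can verify should set `insecureSkipVerify: false` and rely on the `caFile` already present. The endpoint definition continues outside the hunk.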


@ -18,6 +18,9 @@ spec:
{{- if .Values.nodeExporter.serviceMonitor.interval }} {{- if .Values.nodeExporter.serviceMonitor.interval }}
interval: {{ .Values.nodeExporter.serviceMonitor.interval }} interval: {{ .Values.nodeExporter.serviceMonitor.interval }}
{{- end }} {{- end }}
{{- if .Values.kubeApiServer.serviceMonitor.proxyUrl }}
proxyUrl: {{ .Values.kubeApiServer.serviceMonitor.proxyUrl}}
{{- end }}
{{- if .Values.nodeExporter.serviceMonitor.scrapeTimeout }} {{- if .Values.nodeExporter.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.nodeExporter.serviceMonitor.scrapeTimeout }} scrapeTimeout: {{ .Values.nodeExporter.serviceMonitor.scrapeTimeout }}
{{- end }} {{- end }}
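Review bot: the node-exporter monitor reads its proxy from `.Values.kubeApiServer.serviceMonitor.proxyUrl` in both the `{{- if ... }}` guard and the `proxyUrl:` line, so the `nodeExporter.serviceMonitor.proxyUrl` value that values.yaml now documents has no effect, while setting the apiserver proxy silently routes every node-exporter scrape through it too. Change both lines to `{{- if .Values.nodeExporter.serviceMonitor.proxyUrl }}` and `proxyUrl: {{ .Values.nodeExporter.serviceMonitor.proxyUrl | quote }}`. This looks like the vendored upstream chart that update.sh pulls, so it needs a local patch or an upstream fix rather than an edit in place. The endpoint entry continues outside the hunk.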


@ -18,7 +18,7 @@ metadata:
namespace: {{ template "kube-prometheus-stack.namespace" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec: spec:
secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
duration: 43800h # 5y duration: 43800h0m0s # 5y
issuerRef: issuerRef:
name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
commonName: "ca.webhook.kube-prometheus-stack" commonName: "ca.webhook.kube-prometheus-stack"
@ -43,7 +43,7 @@ metadata:
namespace: {{ template "kube-prometheus-stack.namespace" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec: spec:
secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
duration: 8760h # 1y duration: 8760h0m0s # 1y
issuerRef: issuerRef:
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }} {{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
{{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }} {{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}


@ -150,14 +150,24 @@ spec:
{{ else }} {{ else }}
probeNamespaceSelector: {} probeNamespaceSelector: {}
{{- end }} {{- end }}
{{- if .Values.prometheus.prometheusSpec.remoteRead }} {{- if (or .Values.prometheus.prometheusSpec.remoteRead .Values.prometheus.prometheusSpec.additionalRemoteRead) }}
remoteRead: remoteRead:
{{- if .Values.prometheus.prometheusSpec.remoteRead }}
{{ toYaml .Values.prometheus.prometheusSpec.remoteRead | indent 4 }} {{ toYaml .Values.prometheus.prometheusSpec.remoteRead | indent 4 }}
{{- end }} {{- end }}
{{- if .Values.prometheus.prometheusSpec.remoteWrite }} {{- if .Values.prometheus.prometheusSpec.additionalRemoteRead }}
{{ toYaml .Values.prometheus.prometheusSpec.additionalRemoteRead | indent 4 }}
{{- end }}
{{- end }}
{{- if (or .Values.prometheus.prometheusSpec.remoteWrite .Values.prometheus.prometheusSpec.additionalRemoteWrite) }}
remoteWrite: remoteWrite:
{{- if .Values.prometheus.prometheusSpec.remoteWrite }}
{{ toYaml .Values.prometheus.prometheusSpec.remoteWrite | indent 4 }} {{ toYaml .Values.prometheus.prometheusSpec.remoteWrite | indent 4 }}
{{- end }} {{- end }}
{{- if .Values.prometheus.prometheusSpec.additionalRemoteWrite }}
{{ toYaml .Values.prometheus.prometheusSpec.additionalRemoteWrite | indent 4 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusSpec.securityContext }} {{- if .Values.prometheus.prometheusSpec.securityContext }}
securityContext: securityContext:
{{ toYaml .Values.prometheus.prometheusSpec.securityContext | indent 4 }} {{ toYaml .Values.prometheus.prometheusSpec.securityContext | indent 4 }}


@ -30,7 +30,7 @@ spec:
summary: Filesystem is predicted to run out of space within the next 24 hours. summary: Filesystem is predicted to run out of space within the next 24 hours.
expr: |- expr: |-
( (
node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 40 node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 25
and and
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 24*60*60) < 0 predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 24*60*60) < 0
and and
@ -48,7 +48,7 @@ spec:
summary: Filesystem is predicted to run out of space within the next 4 hours. summary: Filesystem is predicted to run out of space within the next 4 hours.
expr: |- expr: |-
( (
node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 15 node_filesystem_avail_bytes{job="node-exporter",fstype!=""} / node_filesystem_size_bytes{job="node-exporter",fstype!=""} * 100 < 10
and and
predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 4*60*60) < 0 predict_linear(node_filesystem_avail_bytes{job="node-exporter",fstype!=""}[6h], 4*60*60) < 0
and and
@ -259,4 +259,4 @@ spec:
{{- if .Values.defaultRules.additionalRuleLabels }} {{- if .Values.defaultRules.additionalRuleLabels }}
{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }} {{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -16,7 +16,7 @@ metadata:
{{- end }} {{- end }}
spec: spec:
type: {{ .Values.prometheus.thanosService.type }} type: {{ .Values.prometheus.thanosService.type }}
clusterIP: None clusterIP: {{ .Values.prometheus.thanosService.clusterIP }}
ports: ports:
- name: {{ .Values.prometheus.thanosService.portName }} - name: {{ .Values.prometheus.thanosService.portName }}
port: {{ .Values.prometheus.thanosService.port }} port: {{ .Values.prometheus.thanosService.port }}


@ -117,6 +117,10 @@ alertmanager:
## ##
enabled: true enabled: true
## Annotations for Alertmanager
##
annotations: {}
## Api that prometheus will use to communicate with alertmanager. Possible values are v1, v2 ## Api that prometheus will use to communicate with alertmanager. Possible values are v1, v2
## ##
apiVersion: v2 apiVersion: v2
@ -194,7 +198,7 @@ alertmanager:
# *Graph:* <{{ .GeneratorURL }}|:chart_with_upwards_trend:> # *Graph:* <{{ .GeneratorURL }}|:chart_with_upwards_trend:>
# *Runbook:* <{{ .Annotations.runbook }}|:spiral_note_pad:> # *Runbook:* <{{ .Annotations.runbook }}|:spiral_note_pad:>
# *Details:* # *Details:*
# {{ range .Labels.SortedPairs }} *{{ .Name }}:* `{{ .Value }}` # {{ range .Labels.SortedPairs }} - *{{ .Name }}:* `{{ .Value }}`
# {{ end }} # {{ end }}
# {{ end }} # {{ end }}
# {{ end }} # {{ end }}
@ -345,6 +349,10 @@ alertmanager:
interval: "" interval: ""
selfMonitor: true selfMonitor: true
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
scheme: "" scheme: ""
@ -375,7 +383,7 @@ alertmanager:
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#alertmanagerspec ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#alertmanagerspec
## ##
alertmanagerSpec: alertmanagerSpec:
## Standard objects metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata ## Standard object's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
## Metadata Labels and Annotations gets propagated to the Alertmanager pods. ## Metadata Labels and Annotations gets propagated to the Alertmanager pods.
## ##
podMetadata: {} podMetadata: {}
@ -747,6 +755,10 @@ kubeApiServer:
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
jobLabel: component jobLabel: component
selector: selector:
matchLabels: matchLabels:
@ -771,6 +783,10 @@ kubelet:
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## Enable scraping the kubelet over https. For requirements to enable this see ## Enable scraping the kubelet over https. For requirements to enable this see
## https://github.com/prometheus-operator/prometheus-operator/issues/926 ## https://github.com/prometheus-operator/prometheus-operator/issues/926
## ##
@ -891,16 +907,22 @@ kubeControllerManager:
## If using kubeControllerManager.endpoints only the port and targetPort are used ## If using kubeControllerManager.endpoints only the port and targetPort are used
## ##
service: service:
enabled: true
port: 10252 port: 10252
targetPort: 10252 targetPort: 10252
# selector: # selector:
# component: kube-controller-manager # component: kube-controller-manager
serviceMonitor: serviceMonitor:
enabled: true
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## Enable scraping kube-controller-manager over https. ## Enable scraping kube-controller-manager over https.
## Requires proper certs (not self-signed) and delegated authentication/authorization checks ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
## ##
@ -943,6 +965,10 @@ coreDns:
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## metric relabel configs to apply to samples before ingestion. ## metric relabel configs to apply to samples before ingestion.
## ##
metricRelabelings: [] metricRelabelings: []
@ -978,6 +1004,10 @@ kubeDns:
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## metric relabel configs to apply to samples before ingestion. ## metric relabel configs to apply to samples before ingestion.
## ##
metricRelabelings: [] metricRelabelings: []
@ -1024,6 +1054,7 @@ kubeEtcd:
## Etcd service. If using kubeEtcd.endpoints only the port and targetPort are used ## Etcd service. If using kubeEtcd.endpoints only the port and targetPort are used
## ##
service: service:
enabled: true
port: 2379 port: 2379
targetPort: 2379 targetPort: 2379
# selector: # selector:
@ -1041,9 +1072,13 @@ kubeEtcd:
## keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-key ## keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-key
## ##
serviceMonitor: serviceMonitor:
enabled: true
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
scheme: http scheme: http
insecureSkipVerify: false insecureSkipVerify: false
serverName: "" serverName: ""
@ -1084,15 +1119,20 @@ kubeScheduler:
## If using kubeScheduler.endpoints only the port and targetPort are used ## If using kubeScheduler.endpoints only the port and targetPort are used
## ##
service: service:
enabled: true
port: 10251 port: 10251
targetPort: 10251 targetPort: 10251
# selector: # selector:
# component: kube-scheduler # component: kube-scheduler
serviceMonitor: serviceMonitor:
enabled: true
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## Enable scraping kube-scheduler over https. ## Enable scraping kube-scheduler over https.
## Requires proper certs (not self-signed) and delegated authentication/authorization checks ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
## ##
@ -1135,16 +1175,22 @@ kubeProxy:
# - 10.141.4.24 # - 10.141.4.24
service: service:
enabled: true
port: 10249 port: 10249
targetPort: 10249 targetPort: 10249
# selector: # selector:
# k8s-app: kube-proxy # k8s-app: kube-proxy
serviceMonitor: serviceMonitor:
enabled: true
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## Enable scraping kube-proxy over https. ## Enable scraping kube-proxy over https.
## Requires proper certs (not self-signed) and delegated authentication/authorization checks ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
## ##
@ -1173,9 +1219,15 @@ kubeStateMetrics:
## Scrape interval. If not set, the Prometheus default scrape interval is used. ## Scrape interval. If not set, the Prometheus default scrape interval is used.
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## Override serviceMonitor selector ## Override serviceMonitor selector
## ##
selectorOverride: {} selectorOverride: {}
## Override namespace selector
##
namespaceOverride: ""
## metric relabel configs to apply to samples before ingestion. ## metric relabel configs to apply to samples before ingestion.
## ##
@ -1217,6 +1269,10 @@ nodeExporter:
## ##
interval: "" interval: ""
## proxyUrl: URL of a proxy that should be used for scraping.
##
proxyUrl: ""
## How long until a scrape request times out. If not set, the Prometheus default scape timeout is used. ## How long until a scrape request times out. If not set, the Prometheus default scape timeout is used.
## ##
scrapeTimeout: "" scrapeTimeout: ""
@ -1527,6 +1583,7 @@ prometheus:
serviceAccount: serviceAccount:
create: true create: true
name: "" name: ""
annotations: {}
# Service for thanos service discovery on sidecar # Service for thanos service discovery on sidecar
# Enable this can make Thanos Query can use # Enable this can make Thanos Query can use
@ -1540,6 +1597,7 @@ prometheus:
portName: grpc portName: grpc
port: 10901 port: 10901
targetPort: "grpc" targetPort: "grpc"
clusterIP: "None"
## Service type ## Service type
## ##
@ -1814,7 +1872,7 @@ prometheus:
## ##
image: image:
repository: quay.io/prometheus/prometheus repository: quay.io/prometheus/prometheus
tag: v2.24.0 tag: v2.26.0
sha: "" sha: ""
## Tolerations for use with node taints ## Tolerations for use with node taints
@ -2035,7 +2093,7 @@ prometheus:
## ##
routePrefix: / routePrefix: /
## Standard objects metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata ## Standard object's metadata. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
## Metadata Labels and Annotations gets propagated to the prometheus pods. ## Metadata Labels and Annotations gets propagated to the prometheus pods.
## ##
podMetadata: {} podMetadata: {}
@ -2072,11 +2130,15 @@ prometheus:
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotereadspec ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotereadspec
remoteRead: [] remoteRead: []
# - url: http://remote1/read # - url: http://remote1/read
## additionalRemoteRead is appended to remoteRead
additionalRemoteRead: []
## The remote_write spec configuration for Prometheus. ## The remote_write spec configuration for Prometheus.
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotewritespec ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotewritespec
remoteWrite: [] remoteWrite: []
# - url: http://remote1/push # - url: http://remote1/push
## additionalRemoteWrite is appended to remoteWrite
additionalRemoteWrite: []
## Enable/Disable Grafana dashboards provisioning for prometheus remote write feature ## Enable/Disable Grafana dashboards provisioning for prometheus remote write feature
remoteWriteDashboards: false remoteWriteDashboards: false


@ -1,39 +0,0 @@
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml
index b430951..8358704 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/rules-1.14/etcd.yaml
@@ -71,34 +71,6 @@ spec:
severity: warning
{{- if .Values.defaultRules.additionalRuleLabels }}
{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
-{{- end }}
- - alert: etcdHighNumberOfFailedGRPCRequests
- annotations:
- message: 'etcd cluster "{{`{{`}} $labels.job {{`}}`}}": {{`{{`}} $value {{`}}`}}% of requests for {{`{{`}} $labels.grpc_method {{`}}`}} failed on etcd instance {{`{{`}} $labels.instance {{`}}`}}.'
- expr: |-
- 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
- /
- sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
- > 1
- for: 10m
- labels:
- severity: warning
-{{- if .Values.defaultRules.additionalRuleLabels }}
-{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
-{{- end }}
- - alert: etcdHighNumberOfFailedGRPCRequests
- annotations:
- message: 'etcd cluster "{{`{{`}} $labels.job {{`}}`}}": {{`{{`}} $value {{`}}`}}% of requests for {{`{{`}} $labels.grpc_method {{`}}`}} failed on etcd instance {{`{{`}} $labels.instance {{`}}`}}.'
- expr: |-
- 100 * sum(rate(grpc_server_handled_total{job=~".*etcd.*", grpc_code!="OK"}[5m])) BY (job, instance, grpc_service, grpc_method)
- /
- sum(rate(grpc_server_handled_total{job=~".*etcd.*"}[5m])) BY (job, instance, grpc_service, grpc_method)
- > 5
- for: 5m
- labels:
- severity: critical
-{{- if .Values.defaultRules.additionalRuleLabels }}
-{{ toYaml .Values.defaultRules.additionalRuleLabels | indent 8 }}
{{- end }}
- alert: etcdGRPCRequestsSlow
annotations:


@ -1,8 +1,10 @@
#!/bin/bash #!/bin/bash
VERSION=14.3.0 VERSION=14.9.0
rm -rf charts/kube-prometheus-stack rm -rf charts/kube-prometheus-stack
curl -L -s -o - https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-${VERSION}/kube-prometheus-stack-${VERSION}.tgz | tar xfz - -C charts curl -L -s -o - https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-${VERSION}/kube-prometheus-stack-${VERSION}.tgz | tar xfz - -C charts
patch -p3 -i remove_etcd_grpc_alerts.patch --no-backup-if-mismatch # The grpc alerts could be re-enabled with etcd 3.5
# https://github.com/etcd-io/etcd/pull/12196
patch -p0 -i adjust_alarms.patch --no-backup-if-mismatch
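Review bot: the chart tarball is still fetched with `curl -L -s` and piped straight into `tar xfz` with no checksum or signature check, and `rm -rf charts/kube-prometheus-stack` has already run by then, so a failed or tampered download (curl without `-f` happily streams an HTML error page) leaves the vendored chart missing or replaced with whatever the server returned, and the subsequent patch runs against that. Download to a temp file first, verify a sha256 pinned next to VERSION, and only then remove and re-extract; `set -euo pipefail` makes the script stop instead of patching a half-extracted tree. The patch invocation itself is unchanged.
```shell
#!/bin/bash
set -euo pipefail
VERSION=14.9.0
# sha256 of kube-prometheus-stack-${VERSION}.tgz from the upstream release; bump together with VERSION
SHA256="<pinned-sha256>"
TGZ=$(mktemp)
trap 'rm -f "$TGZ"' EXIT
curl -fsSL -o "$TGZ" "https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-${VERSION}/kube-prometheus-stack-${VERSION}.tgz"
echo "${SHA256}  ${TGZ}" | sha256sum -c -
rm -rf charts/kube-prometheus-stack
tar xfz "$TGZ" -C charts
# … unchanged: etcd comment and patch invocation …
```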


@ -126,6 +126,8 @@ kube-prometheus-stack:
enabled: true enabled: true
size: 4Gi size: 4Gi
storageClassName: ebs-sc-gp2-xfs storageClassName: ebs-sc-gp2-xfs
deploymentStrategy:
type: Recreate
plugins: plugins:
- grafana-piechart-panel - grafana-piechart-panel
service: service:


@ -1,4 +1,10 @@
{{- define "istio-ingress-values" }} {{- define "istio-ingress-values" }}
{{- with index .Values "istio-ingress" "global" }}
global:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if index .Values "istio-ingress" "public" }} {{- if index .Values "istio-ingress" "public" }}
istio-ingress: istio-ingress:
enabled: {{ index .Values "istio-ingress" "public" "enabled" }} enabled: {{ index .Values "istio-ingress" "public" "enabled" }}


@ -1,7 +1,15 @@
{{- define "istio-values" }} {{- define "istio-values" }}
{{- if .Values.HighAvailableControlplane }}
global:
defaultPodDisruptionBudget:
enabled: true
istio-discovery: istio-discovery:
pilot: pilot:
replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }} replicaCount: 2
{{- end }}
{{- end }} {{- end }}
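Review bot: the non-HA branch no longer renders anything, so when `HighAvailableControlplane` is false `istio-discovery.pilot.replicaCount` is left to the istio-discovery subchart default instead of the explicit `1` the old `ternary` produced; if that default is not 1 (it is not visible from here) this is a silent behaviour change. If relying on the default is the intent, make it deliberate with a one-line template comment, `{{- /* non-HA: pilot.replicaCount stays at the subchart default */ -}}`, in an `else` branch. The define is fully visible in the hunk.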

@ -1 +0,0 @@
Subproject commit 25b8ebe3cc2af88643a4674a63e651e9c31245cb

8
scripts/exec_each_node.sh Executable file

@ -0,0 +1,8 @@
#!/bin/bash
NODES=$(kubectl get nodes -o json | jq -rc .items[].status.addresses[0].address)
for n in $NODES; do
>&2 echo "Node: $n"
ssh -q $n "$@"
done
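Review bot: `.status.addresses[0].address` takes whichever address the API server lists first, which is not guaranteed to be the InternalIP (a Hostname or ExternalIP entry can come first), and `ssh -q` suppresses the host-key warnings that are the only signal that the host you reached is not the node you think it is. Select the address by type, drop `-q`, and report a non-zero exit instead of continuing silently; `set -u` also stops an unset variable from expanding to an empty node list. The command is still passed through as `"$@"`, which the remote shell re-evaluates, so only run this with trusted arguments.
```shell
#!/bin/bash
set -uo pipefail
NODES=$(kubectl get nodes -o json | jq -r '.items[].status.addresses[] | select(.type=="InternalIP") | .address')
for n in $NODES; do
  >&2 echo "Node: $n"
  ssh "$n" "$@" || >&2 echo "Node: $n failed (rc=$?)"
done
```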


@ -0,0 +1,9 @@
#!/bin/bash
NAME=$1
POD_ID="$(crictl pods --name $NAME -q)"
CGROUP_PATH=$(crictl inspectp -o=json $POD_ID | jq -rc .info.runtimeSpec.linux.cgroupsPath)
echo -n "cgroup memory limit in bytes for $NAME: "
cat /sys/fs/cgroup/memory/$(dirname $CGROUP_PATH)/memory.limit_in_bytes
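Review bot: `crictl pods --name` is a pattern filter, so `$POD_ID` can hold several IDs (or nothing when `$1` is missing), and a multi-line value then breaks both `crictl inspectp` and `$(dirname $CGROUP_PATH)` with a confusing `cat` error instead of a clear message. Require the argument, insist on exactly one match, and quote the expansions. The last two lines also assume a cgroup-v1 memory controller mounted at `/sys/fs/cgroup/memory` and a cgroupfs-style `cgroupsPath`; with the systemd cgroup driver that field is a `slice:prefix:name` triple whose `dirname` is not a directory, so a comment such as `# assumes cgroup v1 with the cgroupfs driver (cgroupsPath is a filesystem path)` would save the next person a puzzle.
```shell
#!/bin/bash
set -euo pipefail
NAME=${1:?usage: $0 <pod-name-pattern>}
POD_ID="$(crictl pods --name "$NAME" -q)"
[ -n "$POD_ID" ] || { >&2 echo "no pod matching '$NAME'"; exit 1; }
[ "$(wc -l <<<"$POD_ID")" -eq 1 ] || { >&2 echo "pattern '$NAME' matches several pods:"; >&2 echo "$POD_ID"; exit 1; }
CGROUP_PATH=$(crictl inspectp -o=json "$POD_ID" | jq -rc .info.runtimeSpec.linux.cgroupsPath)
# … unchanged: echo and cat of memory.limit_in_bytes …
```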