Kube-State-Metrics | Manuel RĂ¼gerhttps://manuelrueger.de/tags/kube-state-metrics/Kube-State-MetricsHugo Blox Builder (https://hugoblox.com)en-usMon, 19 Jun 2023 00:00:00 +0000https://manuelrueger.de/media/icon_hu_d95d4b5e989aed06.pngKube-State-Metricshttps://manuelrueger.de/tags/kube-state-metrics/Monitoring Open Policy Agent/Gatekeeper violations with kube-state-metricshttps://manuelrueger.de/blog/post/monitoring-open-policy-agent/gatekeeper-violations-with-kube-state-metrics/Mon, 19 Jun 2023 00:00:00 +0000https://manuelrueger.de/blog/post/monitoring-open-policy-agent/gatekeeper-violations-with-kube-state-metrics/<p>This article explains how kube-state-metrics can be used to monitor Open Policy Agent&rsquo;s Gatekeeper policy audit violations, what to take care about and where kube-state-metrics&rsquo; Custom Resource state might evolve to.</p> <details class="print:hidden xl:hidden" > <summary>Table of Contents</summary> <div class="text-sm"> <nav id="TableOfContents"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#exposing-violations-as-prometheus-metrics">Exposing Violations as Prometheus Metrics</a> <ul> <li><a href="#custom-resource-definitions-in-gatekeeper">Custom Resource Definitions in Gatekeeper</a></li> <li><a href="#custom-resource-state-in-kube-state-metrics">Custom Resource State in kube-state-metrics</a></li> <li><a href="#collecting-metrics-from-all-constraints-via-wildcard-matching">Collecting metrics from all constraints via wildcard matching</a></li> </ul> </li> <li><a href="#caveats-with-this-approach">Caveats with this approach</a> <ul> <li><a href="#unexposed-violations">Unexposed Violations</a></li> <li><a href="#high-cardinality-data">High Cardinality Data</a></li> <li><a href="#kubernetes-resource-version-upgrades">Kubernetes Resource Version Upgrades</a></li> </ul> </li> <li><a href="#summary">Summary</a></li> </ul> </nav> </div> </details> <h2 id="introduction">Introduction</h2> <p> is a policy engine that allows you to enforce policies on various systems. With , it provides a service, that utilizes an admission controller webhook to enforce policies on Kubernetes resources. This means, whenever a Kubernetes resource changes through a request to the Kubernetes API, a rule-based decision to allow or deny this action is made. To organize and manage these rules, Gatekeeper makes use of Kubernetes&rsquo; Custom Resource Definitions (CRDs). Gatekeeper does not only allow checking against its policies at admission. It also provides an audit service, that can regularly check resources in the Kubernetes cluster.</p> <p> is a microservice that makes the state of the Kubernetes&rsquo; REST API available as metrics. It queries the API and exposes the gathered information on a metrics HTTP endpoint. Recently, it gained support for . This is a flexible way to query and extract user-defined information from the Kubernetes API.</p> <h2 id="exposing-violations-as-prometheus-metrics">Exposing Violations as Prometheus Metrics</h2> <h3 id="custom-resource-definitions-in-gatekeeper">Custom Resource Definitions in Gatekeeper</h3> <p>Gatekeeper uses two custom resource definitions to manage policies. A ConstraintTemplate (group: templates.gatekeeper.sh), that contains the rule definition. A corresponding constraint (group: constraints.gatekeeper.sh) allows setting enforcement actions and stores information from the audit.</p> <p>Here is an of how this looks like according to the docs from Open Policy Agent:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">templates.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConstraintTemplate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">k8srequiredlabels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">crd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredLabels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">admission.k8s.gatekeeper.sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rego</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> package k8srequiredlabels </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> violation[{&#34;msg&#34;: msg, &#34;details&#34;: {&#34;missing_labels&#34;: missing}}] { </span></span></span><span class="line"><span class="cl"><span class="sd"> provided := {label | input.review.object.metadata.labels[label]} </span></span></span><span class="line"><span class="cl"><span class="sd"> required := {label | label := input.parameters.labels[_]} </span></span></span><span class="line"><span class="cl"><span class="sd"> missing := required - provided </span></span></span><span class="line"><span class="cl"><span class="sd"> count(missing) &gt; 0 </span></span></span><span class="line"><span class="cl"><span class="sd"> msg := sprintf(&#34;you must provide labels: %v&#34;, [missing]) </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span></code></pre></div><p>This policy checks for specific metadata labels in the object. If the labels are not included in the object, it will return a violation.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredLabels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespaces-must-have-gatekeeper-label</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enforcementAction</span><span class="p">:</span><span class="w"> </span><span class="l">warn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Namespace&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note that &#34;labels&#34; is now contained in an array item, rather than an object key under &#34;parameters&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">labels</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;gatekeeper&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div><p>This constraint will limit the policy enforcement to Kubernetes namespace objects and require a label with the key gatekeeper to be set. Its enforcement action is set to warn. This means it will omit a warning when applying a resource that violates the policy.</p> <p>If we run</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get k8srequiredlabels.constraints.gatekeeper.sh/v1 namespaces-must-have-gatekeeper-label -o yaml </span></span></code></pre></div><p>we receive this output:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredLabels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">namespaces-must-have-gatekeeper-label</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">totalViolations</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">enforcementAction</span><span class="p">:</span><span class="w"> </span><span class="l">warn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message: &#39;you must provide labels</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;gatekeeper&#34;</span><span class="p">]</span><span class="l">&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">...</span><span class="w"> </span></span></span></code></pre></div><p>If you enable Gatekeeper to audit your objects regularly, this object will include besides the total number of violations, also a report from the latest audit run in the status key. Unfortunately, Gatekeeper does not expose this level of detail via a Prometheus exporter itself. There have been separate specialized exporters like built in the past. In the next paragraph, we will see how kube-state-metrics, as a generic exporter, can provide the same level of information.</p> <h3 id="custom-resource-state-in-kube-state-metrics">Custom Resource State in kube-state-metrics</h3> <p>If you run kube-state-metrics already in your cluster, you can now generate metrics on policy violations with the Custom Resource State. And if you don&rsquo;t run kube-state-metrics, this might be a good opportunity to it on your cluster to get better insights.</p> <p>Before we can expose Custom Resource State metrics, we need to define them via a configuration. kube-state-metrics supports the configuration of Custom Resource State via command line arguments or a config file. In this example, we assume you have a config file, so you can include the following snippets in it.</p> <p>Add the following paragraph to your kube-state-metrics&rsquo; Custom Resource State configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CustomResourceStateMetrics</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">groupVersionKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;K8sRequiredLabels&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;v1beta1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metrics</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;gatekeeper_violations_total&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">help</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Number of violations&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">each</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Gauge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gauge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">status, totalViolations]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;gatekeeper_violation_info&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">help</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Information about the detected violation&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">each</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Info</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">info</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">status, violations]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labelsFromPath</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enforcement_action</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">enforcementAction]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_kind</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">kind]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_message</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">message]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_name</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">name]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_namespace</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">namespace]</span><span class="w"> </span></span></span></code></pre></div><p>and the following metric series will be exported:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="c1"># HELP kube_customresource_gatekeeper_violations_total Number of violations</span> </span></span><span class="line"><span class="cl"><span class="c1"># TYPE kube_customresource_gatekeeper_violations_total gauge</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violations_total</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;k8srequiredlabels&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1beta1&#34;</span><span class="p">}</span> <span class="mi">35</span> </span></span><span class="line"><span class="cl"><span class="c1"># HELP kube_customresource_gatekeeper_violation Violations detected</span> </span></span><span class="line"><span class="cl"><span class="c1"># TYPE kube_customresource_gatekeeper_violation gauge</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violation</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;Namespace&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1&#34;</span><span class="p">,</span><span class="n">enforcementAction</span><span class="o">=</span><span class="s2">&#34;warn&#34;</span><span class="p">,</span><span class="n">violating_message</span><span class="o">=</span><span class="s2">&#34;you must provide labels: [</span><span class="se">\&#34;</span><span class="s2">gatekeeper</span><span class="se">\&#34;</span><span class="s2">]&#34;</span><span class="p">,</span><span class="n">violating_kind</span><span class="o">=</span><span class="s2">&#34;Namespace&#34;</span><span class="p">,</span> <span class="n">violating_name</span><span class="o">=</span><span class="s2">&#34;kube-system&#34;</span><span class="p">}</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="o">...</span> </span></span></code></pre></div><p>These metric series can now be ingested into Prometheus or a similar TSDB and be used for alerting or visualizing violations on a dashboard.</p> <h3 id="collecting-metrics-from-all-constraints-via-wildcard-matching">Collecting metrics from all constraints via wildcard matching</h3> <p>With kube-state-metrics v2.9.2 and later, another helpful feature around Custom Resource State got included: kube-state-metrics supports wildcards for the kind as well as version keys now. This allows to collect every violation from every constraint CRD created by gatekeeper with the following configuration:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CustomResourceStateMetrics</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">groupVersionKind</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;v1beta1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metrics</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;gatekeeper_violations_total&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">help</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Number of violations&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">each</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Gauge</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gauge</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">status, totalViolations]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;gatekeeper_violation_info&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">help</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Information about the detected violation&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">each</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">Info</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">info</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">status, violations]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labelsFromPath</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enforcement_action</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">enforcementAction]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_kind</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">kind]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_message</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">message]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_name</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">name]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">violating_namespace</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">namespace]</span><span class="w"> </span></span></span></code></pre></div><p>As you might have already spotted, this time the namespace is included in the labelsFromPath map. Objects violating policy can be namespaced or non-namespaced. If the specified path - in this case, the namespace key - does not exist, no label will be added to the metric series. If the path exists, you will see the label appear in the metric series.</p> <p>Add a new Constraint to your cluster. This time a &ldquo;team&rdquo; label on Deployments is desired:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">constraints.gatekeeper.sh/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">K8sRequiredLabels</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployments-must-have-team-label</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enforcementAction</span><span class="p">:</span><span class="w"> </span><span class="l">warn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Deployment&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note that &#34;labels&#34; is now contained in an array item, rather than an object key under &#34;parameters&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">labels</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;team&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div><p>This will generate the following metrics:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="c1"># HELP kube_customresource_gatekeeper_violations_total Number of violations</span> </span></span><span class="line"><span class="cl"><span class="c1"># TYPE kube_customresource_gatekeeper_violations_total gauge</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violations_total</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;k8srequiredlabels&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1&#34;</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s2">&#34;namespaces-must-have-gatekeeper-label&#34;</span><span class="p">}</span> <span class="mi">35</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violations_total</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;k8srequiredlabels&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1&#34;</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s2">&#34;deployments-must-have-team-label&#34;</span><span class="p">}</span> <span class="mi">39</span> </span></span><span class="line"><span class="cl"><span class="c1"># HELP kube_customresource_gatekeeper_violation Violations detected</span> </span></span><span class="line"><span class="cl"><span class="c1"># TYPE kube_customresource_gatekeeper_violation info</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violation</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;k8srequiredlabels&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1&#34;</span><span class="p">,</span><span class="n">enforcementAction</span><span class="o">=</span><span class="s2">&#34;warn&#34;</span><span class="p">,</span><span class="n">violating_message</span><span class="o">=</span><span class="s2">&#34;you must provide labels: [</span><span class="se">\&#34;</span><span class="s2">gatekeeper</span><span class="se">\&#34;</span><span class="s2">]&#34;</span><span class="p">,</span><span class="n">violating_kind</span><span class="o">=</span><span class="s2">&#34;Namespace&#34;</span><span class="p">,</span><span class="n">violating_name</span><span class="o">=</span><span class="s2">&#34;kube-system&#34;</span><span class="p">}</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="n">kube_customresource_gatekeeper_violation</span><span class="p">{</span><span class="n">customresource_group</span><span class="o">=</span><span class="s2">&#34;constraints.gatekeeper.sh&#34;</span><span class="p">,</span><span class="n">customresource_kind</span><span class="o">=</span><span class="s2">&#34;k8srequiredlabels&#34;</span><span class="p">,</span><span class="n">customresource_version</span><span class="o">=</span><span class="s2">&#34;v1&#34;</span><span class="p">,</span><span class="n">enforcementAction</span><span class="o">=</span><span class="s2">&#34;warn&#34;</span><span class="p">,</span><span class="n">violating_message</span><span class="o">=</span><span class="s2">&#34;you must provide labels: [</span><span class="se">\&#34;</span><span class="s2">team</span><span class="se">\&#34;</span><span class="s2">]&#34;</span><span class="p">,</span><span class="n">violating_kind</span><span class="o">=</span><span class="s2">&#34;Deployment&#34;</span><span class="p">,</span><span class="n">violating_name</span><span class="o">=</span><span class="s2">&#34;coredns&#34;</span><span class="p">,</span><span class="n">violating_namespace</span><span class="o">=</span><span class="s2">&#34;kube-system} 1</span> </span></span><span class="line"><span class="cl"><span class="o">...</span> </span></span></code></pre></div><h2 id="caveats-with-this-approach">Caveats with this approach</h2> <p>When using custom resource state metrics, there are a couple of things to keep in mind, as they might cause issues on your cluster or confusion for consumers.</p> <h3 id="unexposed-violations">Unexposed Violations</h3> <p>Gatekeeper has a flag called <code>--constraint-violations-limit</code> which limits the number of violations added to the Constraint custom resource. You might need to increase it to get more data on violations. Be aware that Kubernetes limits how big a custom resource object can grow. This does not affect the total count of violations, which is always showing the correct count.</p> <h3 id="high-cardinality-data">High Cardinality Data</h3> <p>With this approach, there is a chance to feed data with high cardinality into Prometheus. This means, if you decide to expose values like Pod IDs or other values that change a lot, Prometheus&rsquo; database will grow in space and queries might take longer.</p> <h3 id="kubernetes-resource-version-upgrades">Kubernetes Resource Version Upgrades</h3> <p>Using a wildcard for the version of the resource you want to monitor does not provide a useful benefit as Kubernetes automatically upgrades the version before exposing it on its API.</p> <h2 id="summary">Summary</h2> <p>To sum it all up, in this example we have seen that Custom Resource State is a powerful tool to collect metrics from Custom Resources and its configuration offers a great flexibility to the user. We can define individual metric series to be extracted from the Kubernetes API and customize metric series labels to meet specific needs as well as apply it over multiple kinds and different versions of the same CRD group.</p> <p>If you are interested in more Custom Resource State configurations, I have started a repository to collect more .</p> <p>Finally, I want to thank , , , and for their work on the implementation in kube-state-metrics.</p>