
Use Policy Controller metrics

This page explains how to use OpenCensus metrics to monitor Policy Controller.

Policy Controller uses OpenCensus to create and record metrics related to its processes. Policy Controller can be configured to export these metrics to Prometheus and Cloud Monitoring.

Configure metrics export

In Anthos Config Management versions 1.12.0 and later, you can configure how Policy Controller exports its metrics. You can choose Prometheus, Cloud Monitoring, both, or neither when installing Policy Controller. By default, Policy Controller attempts to export metrics to both Prometheus and Cloud Monitoring.

In Anthos Config Management versions earlier than 1.12.0, Policy Controller exports metrics to Prometheus only.

Export metrics to Cloud Monitoring

If Policy Controller is running inside a Google Cloud environment that has a default service account, Policy Controller automatically exports metrics to Cloud Monitoring in Anthos Config Management versions 1.12.0 and later.

If Workload Identity is enabled, complete the following steps:

  1. Bind the Kubernetes service account gatekeeper-admin in the namespace gatekeeper-system to a Google service account with the metric writer role:

    gcloud iam service-accounts add-iam-policy-binding \
        --role roles/iam.workloadIdentityUser \
        --member "serviceAccount:PROJECT_ID.svc.id.goog[gatekeeper-system/gatekeeper-admin]" \
        GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

    Replace the following:

    • PROJECT_ID: your project ID.
    • GSA_NAME: the Google service account with the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role.

    This action requires the iam.serviceAccounts.setIamPolicy permission on the project.

  2. Annotate the Kubernetes service account using the email address of the Google service account:

    kubectl annotate serviceaccount \
        --namespace gatekeeper-system \
        gatekeeper-admin \
        iam.gke.io/gcp-service-account=GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
    
  3. Restart the gatekeeper-controller-manager Pod:

    kubectl rollout restart deployment gatekeeper-controller-manager -n gatekeeper-system

For examples on how to view these metrics, see Read OpenCensus metrics in Cloud Monitoring.

Export metrics to Prometheus

Policy Controller exports metrics for Prometheus on port 8675 by default. You can also configure Cloud Monitoring to pull custom metrics from Prometheus. For more information, see Managed Prometheus.

Available metrics

If Policy Controller is enabled on your cluster, you can query the following metrics (all prefixed with OpenCensus/):

OpenCensus/audit_duration_seconds
    Type: Cumulative
    Labels: none
    Description: Audit cycle duration distribution

OpenCensus/audit_last_run_time
    Type: Gauge
    Labels: none
    Description: Epoch timestamp of the last audit run, given as seconds in floating point

OpenCensus/constraint_template_ingestion_count
    Type: Cumulative
    Labels: status
    Description: Total number of constraint template ingestion actions

OpenCensus/constraint_template_ingestion_duration_seconds
    Type: Cumulative
    Labels: status
    Description: Constraint template ingestion duration distribution

OpenCensus/constraint_templates
    Type: Gauge
    Labels: status
    Description: Current number of constraint templates

OpenCensus/validation_request_count
    Type: Counter
    Labels: admission_status
    Description: Count of admission requests from the API server

OpenCensus/validation_request_duration_seconds
    Type: Cumulative
    Labels: admission_status
    Description: Admission request duration distribution

OpenCensus/violations
    Type: Gauge
    Labels: enforcement_action
    Description: Number of audit violations detected in the last audit cycle

OpenCensus/watch_manager_intended_watch_gvk
    Type: Gauge
    Labels: none
    Description: How many unique GroupVersionKinds Policy Controller is meant to be watching. This metric combines synced resources and constraints. Not currently implemented.

OpenCensus/watch_manager_watched_gvk
    Type: Gauge
    Labels: none
    Description: How many unique GroupVersionKinds Policy Controller is actually watching. This metric is meant to converge on being equal to OpenCensus/watch_manager_intended_watch_gvk. Not currently implemented.
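As an added example that is not part of this page or of Policy Controller itself, the following Python parses a constructed sample of the Prometheus text exposition that Policy Controller serves on port 8675 and turns three of the metrics above into findings a defender would alert on: an audit loop that has not run recently, enforced (deny) violations, and constraint templates in an error state. The sample uses this page's metric names without the OpenCensus/ prefix; any prefix the real exposition adds, and the label values used in the sample, are assumptions to verify against a live scrape.

```python
import re

# Constructed sample of a Prometheus text-format scrape. Metric names follow this page
# with the "OpenCensus/" prefix dropped; any prefix the real exposition on port 8675 adds,
# and the label values used here, are assumptions to check against a live scrape.
SAMPLE_SCRAPE = """\
# TYPE violations gauge
violations{enforcement_action="deny"} 3
violations{enforcement_action="dryrun"} 12
violations{enforcement_action="warn"} 0
audit_last_run_time 1.7e9
constraint_templates{status="active"} 8
constraint_templates{status="error"} 1
"""

# One sample line: name, optional {label="value",...}, then the value.
_LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return {(name, frozenset(label pairs)): float value}; comments are skipped."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # tolerate lines this minimal parser does not understand
        name, raw_labels, value = m.groups()
        samples[(name, frozenset(_LABEL.findall(raw_labels or "")))] = float(value)
    return samples


def check_policy_controller(samples, now, max_audit_age=900):
    """Findings worth alerting on: stale audit, deny violations, templates in error."""
    findings = []
    last_run = samples.get(("audit_last_run_time", frozenset()))
    if last_run is None or now - last_run > max_audit_age:
        findings.append("audit stale or missing")  # audit loop not running: coverage gap
    deny = samples.get(("violations", frozenset({("enforcement_action", "deny")})), 0.0)
    if deny > 0:
        findings.append(f"{int(deny)} deny violations present")
    errored = samples.get(("constraint_templates", frozenset({("status", "error")})), 0.0)
    if errored > 0:
        findings.append(f"{int(errored)} constraint templates in error")  # policy not applied
    return findings


if __name__ == "__main__":
    print(check_policy_controller(parse_exposition(SAMPLE_SCRAPE), now=1.7e9 + 60))
```

Pointing the parser at a real scrape of port 8675 and comparing the resulting names against the list above is the quickest way to confirm the prefix assumption before wiring this into an alert.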