Monitoring metrics

This document describes how to use Cloud Monitoring for Binary Authorization for GKE on-prem. Learn more about GKE on-prem logging and monitoring.

Before you begin

  1. You must run GKE on-prem 1.4 or later to view Binary Authorization for GKE on-prem metrics.

  2. To use Cloud Monitoring, make sure the stackdriver section of your user cluster configuration file is filled in.

Set up Cloud Monitoring queries for Binary Authorization

This section shows you how to access Cloud Monitoring and select the Cloud Logging project that stores your GKE on-prem logs.

  1. In the Workspace combo box, select the project ID from the stackdriver section of your user cluster configuration file.

  2. View Cloud Monitoring:

    In the Google Cloud Console, go to Monitoring > Metrics Explorer.

  3. Select the Google Cloud project that you use to store logs and metrics. You can find the Google Cloud project in the stackdriver.projectID field of your user cluster configuration file.

  4. Click Query editor.

  5. Enter a query into the query editor. You can find Binary Authorization for GKE on-prem queries in the following sections.

Example queries

This section provides example Monitoring Query Language (MQL) queries that you can use to monitor Binary Authorization for GKE on-prem metrics. To learn more about MQL, see Introduction to Monitoring Query Language.

Query for rejected deployments

To view deployment requests that were rejected by the Binary Authorization enforcer, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'no_error'
     && metric.name == 'binaryauthorization.googleapis.com')

Query for system failures

This section describes how to monitor for system failures that prevent normal operation of Binary Authorization for GKE on-prem.

To monitor for system failures, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'calling_webhook_error'
     && metric.name == 'binaryauthorization.googleapis.com')

To view the total number of webhook calls relating to Binary Authorization, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_admission_duration_seconds'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(1m)
| every 1m
| group_by []
| count
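
The following query is an added example, not part of the original documentation. It combines the two rejection-count queries above into one chart, with one line per error_type value, so deployments rejected by the enforcer (no_error) and system failures (calling_webhook_error) can be compared over the same window. The 5-minute alignment window is an assumption; the metric and label names are the ones used in the queries above.

```mql
# Added example: Binary Authorization webhook rejections, split by error_type.
# The 5m window is an assumed value; pick one that matches your deployment rate.
fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(5m)
| every 5m
| group_by [metric.error_type], sum(val())
```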
