This document describes how to use Cloud Monitoring for Binary Authorization for Google Distributed Cloud software. Learn more about Distributed Cloud logging and monitoring.
Before you begin
To view Binary Authorization for Distributed Cloud metrics, you must use one of the following supported environments:
- Distributed Cloud for bare metal 1.14 or later
- Distributed Cloud for VMware 1.4 or later
To use Cloud Monitoring, make sure the stackdriver section of your user cluster configuration file is filled in.
Set up Cloud Monitoring queries for Binary Authorization
This section shows you how to access Cloud Monitoring and select the Cloud Logging project that stores your GKE cluster logs.
In the Workspace combo box, select the project ID from the stackdriver section of your user cluster configuration.
View Cloud Monitoring:
- In the Google Cloud console, go to Monitoring > Metrics Explorer.
- Select the Google Cloud project that you use to store logs and metrics. You can find the Google Cloud project in the stackdriver.projectID field of your user cluster configuration file.
- Click Query editor.
- Enter a query into the query editor. You can find Binary Authorization for Distributed Cloud queries in the following sections.
Example queries
This section provides example Monitoring Query Language (MQL) queries that you can use to monitor Binary Authorization for Distributed Cloud metrics. To learn more about MQL, see Introduction to Monitoring Query Language.
Query for rejected deployments
To view deployment requests that were rejected by the Binary Authorization enforcer, use the following query:
fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
(metric.error_type == 'no_error'
&& metric.name == 'binaryauthorization.googleapis.com')
Query for system failures
This section describes how to monitor for system failures that prevent normal operation of Binary Authorization for Distributed Cloud.
To monitor for system failures, use the following query:
fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
(metric.error_type == 'calling_webhook_error'
&& metric.name == 'binaryauthorization.googleapis.com')
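To chart rejected deployments and system failures side by side, the two queries above can be combined into one that breaks the rejection count down by error type. This query is an added example, not part of the original documentation; it assumes the rejection count metric accepts the same delta(1m) alignment that this page uses for the duration metric, and the rejections column name is chosen here for illustration.

```mql
# Added example: per-minute Binary Authorization webhook rejections,
# one time series per error_type value. On this page, 'no_error' marks
# deployments rejected by the enforcer and 'calling_webhook_error'
# marks system failures.
# Assumption: delta(1m) alignment is valid for this metric.
fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(1m)
| every 1m
# 'rejections' is a column name chosen for this example.
| group_by [metric.error_type], [rejections: sum(val())]
```

A sustained rise in the calling_webhook_error series while the no_error series stays flat points to a webhook availability problem rather than a change in policy decisions.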
Sum the number of webhook calls related to Binary Authorization
To view the total number of webhook calls relating to Binary Authorization, use the following query:
fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_admission_duration_seconds'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(1m)
| every 1m
| group_by []
| count
What's next
- Introduction to Cloud Monitoring
- Introduction to Monitoring Query Language
- View Binary Authorization for Distributed Cloud audit log entries