Monitor metrics for GKE clusters

This document describes how to use Cloud Monitoring for Binary Authorization for GKE clusters. Learn more about GKE clusters logging and monitoring.

Before you begin

  1. To view Binary Authorization for GKE clusters metrics, you must use supported environments:

  2. To use Cloud Monitoring, make sure the stackdriver section of your User cluster configuration file is filled in.

Set up Cloud Monitoring queries for Binary Authorization

This section shows you how to access Cloud Monitoring and select the Cloud Logging project that stores your GKE cluster logs.

  1. In the Workspace combo box, select the project ID from the stackdriver section of your User cluster cluster configuration.

  2. View Cloud Monitoring:

    In the Google Cloud console, go to Monitoring > Metrics Explorer or use the following button:

    Go to Monitoring

  3. Select the Google Cloud project that you use to store logs and metrics. You can find the Google Cloud project in the stackdriver.projectID field of your user cluster configuration file.

  4. Click Query editor.

  5. Enter a query into the query editor. You can find Binary Authorization for GKE clusters queries in the following sections.

Example queries

This section provides example monitoring query language (MQL) queries you can use to monitor Binary Authorization for GKE clusters metrics. To learn more about MQL, see Introduction to Monitoring Query Language.

Query for rejected deployments

To view deployment requests that were rejected by the Binary Authorization enforcer, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'no_error'
     && metric.name == 'binaryauthorization.googleapis.com')

Query for system failures

This section describes how to monitor for system failures that prevent normal operation of Binary Authorization for GKE clusters.

To monitor for system failures, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'calling_webhook_error'
     && metric.name == 'binaryauthorization.googleapis.com')

To view the total number of webhook calls relating to Binary Authorization, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_admission_duration_seconds'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(1m)
| every 1m
| group_by []
| count

What's next