
Monitoring metrics

This document describes how to use Cloud Monitoring for Binary Authorization for Anthos clusters on VMware. Learn more about Anthos clusters on VMware logging and monitoring.

Before you begin

  1. To view Binary Authorization for Anthos clusters on VMware metrics, you must run Anthos clusters on VMware 1.4 or later.

  2. To use Cloud Monitoring, make sure the stackdriver section of your user cluster configuration file is filled in.

Set up Cloud Monitoring queries for Binary Authorization

This section shows you how to access Cloud Monitoring and select the Cloud Logging project that stores your Anthos clusters on VMware logs.

  1. In the Workspace combo box, select the project ID from the stackdriver section of your user cluster configuration file.

  2. View Cloud Monitoring:

    In the Google Cloud Console, go to Monitoring > Metrics Explorer.

  3. Select the Google Cloud project that you use to store logs and metrics. You can find the Google Cloud project in the stackdriver.projectID field of your user cluster configuration file.

  4. Click Query editor.

  5. Enter a query into the query editor. You can find Binary Authorization for Anthos clusters on VMware queries in the following sections.

Example queries

This section provides example Monitoring Query Language (MQL) queries that you can use to monitor Binary Authorization for Anthos clusters on VMware metrics. To learn more about MQL, see Introduction to Monitoring Query Language.

Query for rejected deployments

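To view deployment requests that were rejected by the Binary Authorization enforcer, use the following query. The error_type value 'no_error' selects rejections where the webhook call itself succeeded and the enforcer denied the request: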

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'no_error'
     && metric.name == 'binaryauthorization.googleapis.com')

Query for system failures

This section describes how to monitor for system failures that prevent normal operation of Binary Authorization for Anthos clusters on VMware.

To monitor for system failures, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'
| filter
    (metric.error_type == 'calling_webhook_error'
     && metric.name == 'binaryauthorization.googleapis.com')

To view the total number of webhook calls relating to Binary Authorization, use the following query:

fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_admission_duration_seconds'
| filter (metric.name == 'binaryauthorization.googleapis.com')
| align delta(1m)
| every 1m
| group_by []
| count
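
The following Python code is an added example, not part of the original documentation. It merges the rejected-deployment and system-failure queries above into one query and tallies a Monitoring API timeSeries.query response by error_type, so policy rejections and system failures are counted separately. The sample response is constructed, and the label key names in its descriptor are assumptions.

```python
import json
from collections import Counter

METRIC = "kubernetes.io/anthos/apiserver_admission_webhook_rejection_count"
WEBHOOK = "binaryauthorization.googleapis.com"
# How the two queries on this page use error_type; other values become "other:<value>".
MEANING = {"no_error": "policy_rejection", "calling_webhook_error": "system_failure"}

def build_query():
    """One query for both cases: filter on the webhook name only, then reuse
    the page's align/every stages so each point is a per-minute increase."""
    return (f"fetch k8s_container::'{METRIC}'\n"
            f"| filter (metric.name == '{WEBHOOK}')\n"
            "| align delta(1m)\n"
            "| every 1m")

def tally(response):
    """Count rejections per category in a timeSeries.query response."""
    # Label values are positional: find the column that holds error_type.
    keys = [d["key"] for d in response["timeSeriesDescriptor"]["labelDescriptors"]]
    col = keys.index("metric.error_type")  # assumed key name
    counts = Counter()
    for series in response.get("timeSeriesData", []):
        error_type = series["labelValues"][col]["stringValue"]
        category = MEANING.get(error_type, "other:" + error_type)
        for point in series.get("pointData", []):
            # int64 values arrive as JSON strings, so convert before adding.
            counts[category] += int(point["values"][0]["int64Value"])
    return counts

# Constructed sample response (not real cluster data; time intervals omitted).
SAMPLE = json.loads("""
{"timeSeriesDescriptor": {"labelDescriptors": [
   {"key": "resource.cluster_name"}, {"key": "metric.error_type"}]},
 "timeSeriesData": [
   {"labelValues": [{"stringValue": "user-cluster-1"}, {"stringValue": "no_error"}],
    "pointData": [{"values": [{"int64Value": "2"}]}, {"values": [{"int64Value": "1"}]}]},
   {"labelValues": [{"stringValue": "user-cluster-1"},
                    {"stringValue": "calling_webhook_error"}],
    "pointData": [{"values": [{"int64Value": "4"}]}]}]}
""")

if __name__ == "__main__":
    print(json.dumps({"query": build_query()}))  # request body for timeSeries.query
    print(dict(tally(SAMPLE)))
```

A sustained non-zero system_failure count means the enforcer is not being reached, which is worth alerting on separately from policy rejections.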
