Configuring the monitoring stack

Prerequisites
Maintenance and support for monitoring
- Support considerations for monitoring
- Support policy for monitoring Operators
Preparing to configure the monitoring stack
- Creating a cluster monitoring config map
- Creating a user-defined workload monitoring config map
Configuring the monitoring stack
Configurable monitoring components
Moving monitoring components to different nodes
Assigning tolerations to monitoring components
Setting the body size limit for metrics scraping
Configuring persistent storage
- Persistent storage prerequisites
- Configuring a local persistent volume claim
- Resizing a persistent storage volume
- Modifying the retention time and size for Prometheus metrics data
- Modifying the retention time for Thanos Ruler metrics data
Configuring remote write storage
- Supported remote write authentication settings
Adding cluster ID labels to metrics
- Creating cluster ID labels for metrics
Controlling the impact of unbound metrics attributes in user-defined projects
- Setting scrape sample and label limits for user-defined projects
- Creating scrape sample alerts
Configuring external alertmanager instances
Attaching additional labels to your time series and alerts
Configuring pod topology spread constraints for monitoring
- Setting up pod topology spread constraints for Prometheus
- Setting up pod topology spread constraints for Alertmanager
- Setting up pod topology spread constraints for Thanos Ruler
Setting log levels for monitoring components
Enabling the query log file for Prometheus
Enabling query logging for Thanos Querier
Setting audit log levels for the Prometheus Adapter
Disabling the local Alertmanager
Next steps

The OKD 4 installation program provides only a low number of configuration options before installation. Configuring most OKD framework components, including the cluster monitoring stack, happens post-installation.

This section explains what configuration is supported, shows how to configure the monitoring stack, and demonstrates several common configuration scenarios.

Prerequisites

The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.

Maintenance and support for monitoring

The supported way of configuring OKD Monitoring is by configuring it using the options described in this document. Do not use other configurations, as they are unsupported. Configuration paradigms might change across Prometheus releases, and such cases can only be handled gracefully if all configuration possibilities are controlled. If you use configurations other than those described in this section, your changes will disappear because the cluster-monitoring-operator reconciles any differences. The Operator resets everything to the defined state by default and by design.

Support considerations for monitoring

The following modifications are explicitly not supported:

Creating additional ServiceMonitor, PodMonitor, and PrometheusRule objects in the openshift-* and kube-* projects.

Modifying any resources or objects deployed in the openshift-monitoring or openshift-user-workload-monitoring projects. The resources created by the OKD monitoring stack are not meant to be used by any other resources, as there are no guarantees about their backward compatibility.

The Alertmanager configuration is deployed as a secret resource in the openshift-monitoring namespace. If you have enabled a separate Alertmanager instance for user-defined alert routing, an Alertmanager configuration is also deployed as a secret resource in the openshift-user-workload-monitoring namespace. To configure additional routes for any instance of Alertmanager, you need to decode, modify, and then encode that secret. This procedure is a supported exception to the preceding statement.

Modifying resources of the stack. The OKD monitoring stack ensures its resources are always in the state it expects them to be. If they are modified, the stack will reset them.
Deploying user-defined workloads to openshift-*, and kube-* projects. These projects are reserved for Red Hat provided components and they should not be used for user-defined workloads.
Installing custom Prometheus instances on OKD. A custom instance is a Prometheus custom resource (CR) managed by the Prometheus Operator.
Enabling symptom based monitoring by using the Probe custom resource definition (CRD) in Prometheus Operator.

Backward compatibility for metrics, recording rules, or alerting rules is not guaranteed.

Support policy for monitoring Operators

Monitoring Operators ensure that OKD monitoring resources function as designed and tested. If Cluster Version Operator (CVO) control of an Operator is overridden, the Operator does not respond to configuration changes, reconcile the intended state of cluster objects, or receive updates.

While overriding CVO control for an Operator can be helpful during debugging, this is unsupported and the cluster administrator assumes full control of the individual component configurations and upgrades.

Overriding the Cluster Version Operator

The spec.overrides parameter can be added to the configuration for the CVO to allow administrators to provide a list of overrides to the behavior of the CVO for a component. Setting the spec.overrides[].unmanaged parameter to true for a component blocks cluster upgrades and alerts the administrator after a CVO override has been set:

Disabling ownership via cluster version overrides prevents upgrades. Please remove overrides before continuing.

Setting a CVO override puts the entire cluster in an unsupported state and prevents the monitoring stack from being reconciled to its intended state. This impacts the reliability features built into Operators and prevents updates from being received. Reported issues must be reproduced after removing any overrides for support to proceed.

Preparing to configure the monitoring stack

You can configure the monitoring stack by creating and updating monitoring config maps.

Creating a cluster monitoring config map

To configure core OKD monitoring components, you must create the cluster-monitoring-config ConfigMap object in the openshift-monitoring project.

When you save your changes to the cluster-monitoring-config ConfigMap object, some or all of the pods in the openshift-monitoring project might be redeployed. It can sometimes take a while for these components to redeploy.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).

Procedure

Check whether the cluster-monitoring-config ConfigMap object exists:

$ oc -n openshift-monitoring get configmap cluster-monitoring-config

If the ConfigMap object does not exist:

Create the following YAML manifest. In this example the file is called cluster-monitoring-config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |

Apply the configuration to create the ConfigMap object:
```
$ oc apply -f cluster-monitoring-config.yaml
```

Creating a user-defined workload monitoring config map

To configure the components that monitor user-defined projects, you must create the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project.

When you save your changes to the user-workload-monitoring-config ConfigMap object, some or all of the pods in the openshift-user-workload-monitoring project might be redeployed. It can sometimes take a while for these components to redeploy. You can create and configure the config map before you first enable monitoring for user-defined projects, to prevent having to redeploy the pods often.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).

Procedure

Check whether the user-workload-monitoring-config ConfigMap object exists:

$ oc -n openshift-user-workload-monitoring get configmap user-workload-monitoring-config

If the user-workload-monitoring-config ConfigMap object does not exist:
1. Create the following YAML manifest. In this example the file is called user-workload-monitoring-config.yaml:
  apiVersion: v1 kind: ConfigMap metadata: name: user-workload-monitoring-config namespace: openshift-user-workload-monitoring data: config.yaml: |
2. Apply the configuration to create the ConfigMap object:
  $ oc apply -f user-workload-monitoring-config.yaml
  Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

Additional resources

Enabling monitoring for user-defined projects

In OKD 4.12, you can configure the monitoring stack using the cluster-monitoring-config or user-workload-monitoring-config ConfigMap objects. Config maps configure the Cluster Monitoring Operator (CMO), which in turn configures the components of the stack.

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).

Procedure

Edit the ConfigMap object.

To configure core OKD monitoring components:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Add your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    <component>:
      <configuration_for_the_component>

Substitute <component> and <configuration_for_the_component> accordingly.

The following example ConfigMap object configures a persistent volume claim (PVC) for Prometheus. This relates to the Prometheus instance that monitors core OKD components only:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s: (1)
      volumeClaimTemplate:
        spec:
          storageClassName: fast
          volumeMode: Filesystem
          resources:
            requests:
              storage: 40Gi

1	Defines the Prometheus component and the subsequent lines define its configuration.

To configure components that monitor user-defined projects:

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Add your configuration under data/config.yaml as a key-value pair <component_name>: <component_configuration>:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    <component>:
      <configuration_for_the_component>

Substitute <component> and <configuration_for_the_component> accordingly.

The following example ConfigMap object configures a data retention period and minimum container resource requests for Prometheus. This relates to the Prometheus instance that monitors user-defined projects only:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus: (1)
      retention: 24h (2)
      resources:
        requests:
          cpu: 200m (3)
          memory: 2Gi (4)

1	Defines the Prometheus component and the subsequent lines define its configuration.
2	Configures a twenty-four hour data retention period for the Prometheus instance that monitors user-defined projects.
3	Defines a minimum resource request of 200 millicores for the Prometheus container.
4	Defines a minimum pod resource request of 2 GiB of memory for the Prometheus container.

The Prometheus config map component is called prometheusK8s in the cluster-monitoring-config ConfigMap object and prometheus in the user-workload-monitoring-config ConfigMap object.

Save the file to apply the changes to the ConfigMap object. The pods affected by the new configuration are restarted automatically.

Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.

Additional resources

See Preparing to configure the monitoring stack for steps to create monitoring config maps
Enabling monitoring for user-defined projects

Configurable monitoring components

This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config and user-workload-monitoring-config ConfigMap objects:

Table 1. Configurable monitoring components
Component	cluster-monitoring-config config map key	user-workload-monitoring-config config map key
Prometheus Operator	`prometheusOperator`	`prometheusOperator`
Prometheus	`prometheusK8s`	`prometheus`
Alertmanager	`alertmanagerMain`	`alertmanager`
kube-state-metrics	`kubeStateMetrics`
openshift-state-metrics	`openshiftStateMetrics`
Telemeter Client	`telemeterClient`
Prometheus Adapter	`k8sPrometheusAdapter`
Thanos Querier	`thanosQuerier`
Thanos Ruler		`thanosRuler`

The Prometheus key is called prometheusK8s in the cluster-monitoring-config ConfigMap object and prometheus in the user-workload-monitoring-config ConfigMap object.

Moving monitoring components to different nodes

You can move any of the monitoring stack components to specific nodes.

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).

Procedure

Edit the ConfigMap object:

To move a component that monitors core OKD projects:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Specify the nodeSelector constraint for the component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    <component>:
      nodeSelector:
        <node_key>: <node_value>
        <node_key>: <node_value>
        <...>

Substitute <component> accordingly and substitute <node_key>: <node_value> with the map of key-value pairs that specifies a group of destination nodes. Often, only a single key-value pair is used.

The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.

Many of the monitoring components are deployed by using multiple pods across different nodes in the cluster to maintain high availability. When moving monitoring components to labeled nodes, ensure that enough matching nodes are available to maintain resilience for the component. If only one label is specified, ensure that enough nodes contain that label to distribute all of the pods for the component across separate nodes. Alternatively, you can specify multiple labels each relating to individual nodes.

If monitoring components remain in a Pending state after configuring the nodeSelector constraint, check the pod logs for errors relating to taints and tolerations.

For example, to move monitoring components for core OKD projects to specific nodes that are labeled nodename: controlplane1, nodename: worker1, nodename: worker2, and nodename: worker2, use:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusOperator:
      nodeSelector:
        nodename: controlplane1
    prometheusK8s:
      nodeSelector:
        nodename: worker1
        nodename: worker2
    alertmanagerMain:
      nodeSelector:
        nodename: worker1
        nodename: worker2
    kubeStateMetrics:
      nodeSelector:
        nodename: worker1
    telemeterClient:
      nodeSelector:
        nodename: worker1
    k8sPrometheusAdapter:
      nodeSelector:
        nodename: worker1
        nodename: worker2
    openshiftStateMetrics:
      nodeSelector:
        nodename: worker1
    thanosQuerier:
      nodeSelector:
        nodename: worker1
        nodename: worker2

To move a component that monitors user-defined projects:

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Specify the nodeSelector constraint for the component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    <component>:
      nodeSelector:
        <node_key>: <node_value>
        <node_key>: <node_value>
        <...>

Substitute <component> accordingly and substitute <node_key>: <node_value> with the map of key-value pairs that specifies the destination nodes. Often, only a single key-value pair is used.

The component can only run on nodes that have each of the specified key-value pairs as labels. The nodes can have additional labels as well.

If monitoring components remain in a Pending state after configuring the nodeSelector constraint, check the pod logs for errors relating to taints and tolerations.

For example, to move monitoring components for user-defined projects to specific worker nodes labeled nodename: worker1, nodename: worker2, and nodename: worker2, use:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheusOperator:
      nodeSelector:
        nodename: worker1
    prometheus:
      nodeSelector:
        nodename: worker1
        nodename: worker2
    thanosRuler:
      nodeSelector:
        nodename: worker1
        nodename: worker2

Save the file to apply the changes. The components affected by the new configuration are moved to the new nodes automatically.

Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.

Additional resources

See Preparing to configure the monitoring stack for steps to create monitoring config maps
Enabling monitoring for user-defined projects
Understanding how to update labels on nodes
Placing pods on specific nodes using node selectors
See the Kubernetes documentation for details on the nodeSelector constraint

Assigning tolerations to monitoring components

You can assign tolerations to any of the monitoring stack components to enable moving them to tainted nodes.

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).

Procedure

Edit the ConfigMap object:

To assign tolerations to a component that monitors core OKD projects:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Specify tolerations for the component:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    <component>:
      tolerations:
        <toleration_specification>

Substitute <component> and <toleration_specification> accordingly.

For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the alertmanagerMain component to tolerate the example taint:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    alertmanagerMain:
      tolerations:
      - key: "key1"
        operator: "Equal"
        value: "value1"
        effect: "NoSchedule"

To assign tolerations to a component that monitors user-defined projects:

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Specify tolerations for the component:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    <component>:
      tolerations:
        <toleration_specification>

Substitute <component> and <toleration_specification> accordingly.

For example, oc adm taint nodes node1 key1=value1:NoSchedule adds a taint to node1 with the key key1 and the value value1. This prevents monitoring components from deploying pods on node1 unless a toleration is configured for that taint. The following example configures the thanosRuler component to tolerate the example taint:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    thanosRuler:
      tolerations:
      - key: "key1"
        operator: "Equal"
        value: "value1"
        effect: "NoSchedule"

Save the file to apply the changes. The new component placement configuration is applied automatically.

Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.

Additional resources

See Preparing to configure the monitoring stack for steps to create monitoring config maps
Enabling monitoring for user-defined projects
See the OKD documentation on taints and tolerations
See the Kubernetes documentation on taints and tolerations

Setting the body size limit for metrics scraping

By default, no limit exists for the uncompressed body size for data returned from scraped metrics targets. You can set a body size limit to help avoid situations in which Prometheus consumes excessive amounts of memory when scraped targets return a response that contains a large amount of data. In addition, by setting a body size limit, you can reduce the impact that a malicious target might have on Prometheus and on the cluster as a whole.

After you set a value for enforcedBodySizeLimit, the alert PrometheusScrapeBodySizeLimitHit fires when at least one Prometheus scrape target replies with a response body larger than the configured value.

If metrics data scraped from a target has an uncompressed body size exceeding the configured size limit, the scrape fails. Prometheus then considers this target to be down and sets its up metric value to 0, which can trigger the TargetDown alert.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.
You have installed the OpenShift CLI (oc).

Procedure

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring namespace:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Add a value for enforcedBodySizeLimit to data/config.yaml/prometheusK8s to limit the body size that can be accepted per target scrape:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |-
    prometheusK8s:
      enforcedBodySizeLimit: 40MB (1)

1 Specify the maximum body size for scraped metrics targets. This enforcedBodySizeLimit example limits the uncompressed size per target scrape to 40 megabytes. Valid numeric values use the Prometheus data size format: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes), PB (petabytes), and EB (exabytes). The default value is 0, which specifies no limit. You can also set the value to automatic to calculate the limit automatically based on cluster capacity.

Save the file to apply the changes automatically.

When you save changes to a cluster-monitoring-config config map, the pods and other resources in the openshift-monitoring project might be redeployed. The running monitoring processes in that project might also restart.

Additional resources

Prometheus scrape configuration documentation

Configuring persistent storage

Running cluster monitoring with persistent storage means that your metrics are stored to a persistent volume (PV) and can survive a pod being restarted or recreated. This is ideal if you require your metrics or alerting data to be guarded from data loss. For production environments, it is highly recommended to configure persistent storage. Because of the high IO demands, it is advantageous to use local storage.

Persistent storage prerequisites

Dedicate sufficient local persistent storage to ensure that the disk does not become full. How much storage you need depends on the number of pods.
Verify that you have a persistent volume (PV) ready to be claimed by the persistent volume claim (PVC), one PV for each replica. Because Prometheus and Alertmanager both have two replicas, you need four PVs to support the entire monitoring stack. The PVs are available from the Local Storage Operator, but not if you have enabled dynamically provisioned storage.

Use Filesystem as the storage type value for the volumeMode parameter when you configure the persistent volume.

If you use a local volume for persistent storage, do not use a raw block volume, which is described with volumeMode: Block in the LocalVolume object. Prometheus cannot use raw block volumes.

Configuring a local persistent volume claim

For monitoring components to use a persistent volume (PV), you must configure a persistent volume claim (PVC).

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).

Procedure

Edit the ConfigMap object:

To configure a PVC for a component that monitors core OKD projects:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Add your PVC configuration for the component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    <component>:
      volumeClaimTemplate:
        spec:
          storageClassName: <storage_class>
          resources:
            requests:
              storage: <amount_of_storage>

See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.

The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors core OKD components:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 40Gi

In the above example, the storage class created by the Local Storage Operator is called local-storage.

The following example configures a PVC that claims local persistent storage for Alertmanager:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    alertmanagerMain:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 10Gi

To configure a PVC for a component that monitors user-defined projects:

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Add your PVC configuration for the component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    <component>:
      volumeClaimTemplate:
        spec:
          storageClassName: <storage_class>
          resources:
            requests:
              storage: <amount_of_storage>

See the Kubernetes documentation on PersistentVolumeClaims for information on how to specify volumeClaimTemplate.

The following example configures a PVC that claims local persistent storage for the Prometheus instance that monitors user-defined projects:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 40Gi

In the above example, the storage class created by the Local Storage Operator is called local-storage.

The following example configures a PVC that claims local persistent storage for Thanos Ruler:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    thanosRuler:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 10Gi

Storage requirements for the thanosRuler component depend on the number of rules that are evaluated and how many samples each rule generates.

Save the file to apply the changes. The pods affected by the new configuration are restarted automatically and the new storage configuration is applied.

Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

When changes are saved to a monitoring config map, the pods and other resources in the related project might be redeployed. The running monitoring processes in that project might also be restarted.

Resizing a persistent storage volume

OKD does not support resizing an existing persistent storage volume used by StatefulSet resources, even if the underlying StorageClass resource used supports persistent volume sizing. Therefore, even if you update the storage field for an existing persistent volume claim (PVC) with a larger size, this setting will not be propagated to the associated persistent volume (PV).

However, resizing a PV is still possible by using a manual process. If you want to resize a PV for a monitoring component such as Prometheus, Thanos Ruler, or Alertmanager, you can update the appropriate config map in which the component is configured. Then, patch the PVC, and delete and orphan the pods. Orphaning the pods recreates the StatefulSet resource immediately and automatically updates the size of the volumes mounted in the pods with the new PVC settings. No service disruption occurs during this process.

Prerequisites

You have installed the OpenShift CLI (oc).
If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
- You have configured at least one PVC for core OKD monitoring components.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
- You have configured at least one PVC for components that monitor user-defined projects.

Procedure

Edit the ConfigMap object:

To resize a PVC for a component that monitors core OKD projects:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Add a new storage size for the PVC configuration for the component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    <component>: (1)
      volumeClaimTemplate:
        spec:
          storageClassName: <storage_class> (2)
          resources:
            requests:
              storage: <amount_of_storage> (3)

1	Specify the core monitoring component.
2	Specify the storage class.
3	Specify the new size for the storage volume.

The following example configures a PVC that sets the local persistent storage to 100 gigabytes for the Prometheus instance that monitors core OKD components:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 100Gi

The following example configures a PVC that sets the local persistent storage for Alertmanager to 40 gigabytes:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    alertmanagerMain:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 40Gi

To resize a PVC for a component that monitors user-defined projects:

You can resize the volumes for the Thanos Ruler and Prometheus instances that monitor user-defined projects.

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Update the PVC configuration for the monitoring component under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    <component>: (1)
      volumeClaimTemplate:
        spec:
          storageClassName: <storage_class> (2)
          resources:
            requests:
              storage: <amount_of_storage> (3)

1	Specify the core monitoring component.
2	Specify the storage class.
3	Specify the new size for the storage volume.

The following example configures the PVC size to 100 gigabytes for the Prometheus instance that monitors user-defined projects:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 100Gi

The following example sets the PVC size to 20 gigabytes for Thanos Ruler:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    thanosRuler:
      volumeClaimTemplate:
        spec:
          storageClassName: local-storage
          resources:
            requests:
              storage: 20Gi

Storage requirements for the thanosRuler component depend on the number of rules that are evaluated and how many samples each rule generates.

Save the file to apply the changes. The pods affected by the new configuration restart automatically.

When you save changes to a monitoring config map, the pods and other resources in the related project might be redeployed. The monitoring processes running in that project might also be restarted.

Manually patch every PVC with the updated storage request. The following example resizes the storage size for the Prometheus component in the openshift-monitoring namespace to 100Gi:

$ for p in $(oc -n openshift-monitoring get pvc -l app.kubernetes.io/name=prometheus -o jsonpath='{range .items[*]}{.metadata.name} {end}'); do \
  oc -n openshift-monitoring patch pvc/${p} --patch '{"spec": {"resources": {"requests": {"storage":"100Gi"}}}}'; \
  done

Delete the underlying StatefulSet with the --cascade=orphan parameter:

$ oc delete statefulset -l app.kubernetes.io/name=prometheus --cascade=orphan

Modifying the retention time and size for Prometheus metrics data

By default, Prometheus automatically retains metrics data for 15 days. You can modify the retention time to change how soon data is deleted by specifying a time value in the retention field. You can also configure the maximum amount of disk space the retained metrics data uses by specifying a size value in the retentionSize field. If the data reaches this size limit, Prometheus deletes the oldest data first until the disk space used is again below the limit.

Note the following behaviors of these data retention settings:

The size-based retention policy applies to all data block directories in the /prometheus directory, including persistent blocks, write-ahead log (WAL) data, and m-mapped chunks.
Data in the /wal and /head_chunks directories counts toward the retention size limit, but Prometheus never purges data from these directories based on size- or time-based retention policies. Thus, if you set a retention size limit lower than the maximum size set for the /wal and /head_chunks directories, you have configured the system not to retain any data blocks in the /prometheus data directories.
The size-based retention policy is applied only when Prometheus cuts a new data block, which occurs every two hours after the WAL contains at least three hours of data.
If you do not explicitly define values for either retention or retentionSize, retention time defaults to 15 days, and retention size is not set.
If you define values for both retention and retentionSize, both values apply. If any data blocks exceed the defined retention time or the defined size limit, Prometheus purges these data blocks.
If you define a value for retentionSize and do not define retention, only the retentionSize value applies.
If you do not define a value for retentionSize and only define a value for retention, only the retention value applies.

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- A cluster administrator has enabled monitoring for user-defined projects.
- You have access to the cluster as a user with the cluster-admin role, or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).

Saving changes to a monitoring config map might restart monitoring processes and redeploy the pods and other resources in the related project. The running monitoring processes in that project might also restart.

Procedure

Edit the ConfigMap object:

To modify the retention time and size for the Prometheus instance that monitors core OKD projects:

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```

Add the retention time and size configuration under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      retention: <time_specification> (1)
      retentionSize: <size_specification> (2)

1	The retention time: a number directly followed by `ms` (milliseconds), `s` (seconds), `m` (minutes), `h` (hours), `d` (days), `w` (weeks), or `y` (years). You can also combine time values for specific times, such as `1h30m15s`.
2	The retention size: a number directly followed by `B` (bytes), `KB` (kilobytes), `MB` (megabytes), `GB` (gigabytes), `TB` (terabytes), `PB` (petabytes), and `EB` (exabytes).

The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors core OKD components:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      retention: 24h
      retentionSize: 10GB

To modify the retention time and size for the Prometheus instance that monitors user-defined projects:

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Add the retention time and size configuration under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus:
      retention: <time_specification> (1)
      retentionSize: <size_specification> (2)

1	The retention time: a number directly followed by `ms` (milliseconds), `s` (seconds), `m` (minutes), `h` (hours), `d` (days), `w` (weeks), or `y` (years). You can also combine time values for specific times, such as `1h30m15s`.
2	The retention size: a number directly followed by `B` (bytes), `KB` (kilobytes), `MB` (megabytes), `GB` (gigabytes), `TB` (terabytes), `PB` (petabytes), or `EB` (exabytes).

The following example sets the retention time to 24 hours and the retention size to 10 gigabytes for the Prometheus instance that monitors user-defined projects:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus:
      retention: 24h
      retentionSize: 10GB

Save the file to apply the changes. The pods affected by the new configuration restart automatically.

Modifying the retention time for Thanos Ruler metrics data

By default, for user-defined projects, Thanos Ruler automatically retains metrics data for 24 hours. You can modify the retention time to change how long this data is retained by specifying a time value in the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace.

Prerequisites

You have installed the OpenShift CLI (oc).
A cluster administrator has enabled monitoring for user-defined projects.
You have access to the cluster as a user with the cluster-admin role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
You have created the user-workload-monitoring-config ConfigMap object.

Procedure

Edit the user-workload-monitoring-config ConfigMap object in the openshift-user-workload-monitoring project:
```
$ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config
```

Add the retention time configuration under data/config.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    thanosRuler:
      retention: <time_specification> (1)

1	Specify the retention time in the following format: a number directly followed by `ms` (milliseconds), `s` (seconds), `m` (minutes), `h` (hours), `d` (days), `w` (weeks), or `y` (years). You can also combine time values for specific times, such as `1h30m15s`. The default is `24h`.

The following example sets the retention time to 10 days for Thanos Ruler data:

apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    thanosRuler:
      retention: 10d

Save the file to apply the changes. The pods affected by the new configuration automatically restart.

Additional resources

Configuring remote write storage

You can configure remote write storage to enable Prometheus to send ingested metrics to remote systems for long-term storage. Doing so has no impact on how or for how long Prometheus stores metrics.

Prerequisites

If you are configuring core OKD monitoring components:
- You have access to the cluster as a user with the cluster-admin role.
- You have created the cluster-monitoring-config ConfigMap object.
If you are configuring components that monitor user-defined projects:
- You have access to the cluster as a user with the cluster-admin role or as a user with the user-workload-monitoring-config-edit role in the openshift-user-workload-monitoring project.
- You have created the user-workload-monitoring-config ConfigMap object.
You have installed the OpenShift CLI (oc).
You have set up a remote write compatible endpoint (such as Thanos) and know the endpoint URL. See the Prometheus remote endpoints and storage documentation for information about endpoints that are compatible with the remote write feature.
You have set up authentication credentials in a Secret object for the remote write endpoint. You must create the secret in the same namespace as the Prometheus object for which you configure remote write: the openshift-monitoring namespace for default platform monitoring or the openshift-user-workload-monitoring namespace for user workload monitoring.

To reduce security risks, use HTTPS and authentication to send metrics to an endpoint.

Procedure

Follow these steps to configure remote write for default platform monitoring in the cluster-monitoring-config config map in the openshift-monitoring namespace.

If you configure remote write for the Prometheus instance that monitors user-defined projects, make similar edits to the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace. Note that the Prometheus config map component is called prometheus in the user-workload-monitoring-config ConfigMap object and not prometheusK8s, as it is in the cluster-monitoring-config ConfigMap object.

Edit the cluster-monitoring-config ConfigMap object in the openshift-monitoring project:
```
$ oc -n openshift-monitoring edit configmap cluster-monitoring-config
```
Add a remoteWrite: section under data/config.yaml/prometheusK8s.

Add an endpoint URL and authentication credentials in this section:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com" (1)
        <endpoint_authentication_credentials> (2)

1	The URL of the remote write endpoint.
2	The authentication method and credentials for the endpoint. Currently supported authentication methods are AWS Signature Version 4, authentication using HTTP an `Authorization` request header, basic authentication, OAuth 2.0, and TLS client. See Supported remote write authentication settings below for sample configurations of supported authentication methods.

Add write relabel configuration values after the authentication credentials:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        <endpoint_authentication_credentials>
        <write_relabel_configs> (1)

1	The write relabel configuration settings.

For <write_relabel_configs> substitute a list of write relabel configurations for metrics that you want to send to the remote endpoint.

The following sample shows how to forward a single metric called my_metric:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com"
        writeRelabelConfigs:
        - sourceLabels: [__name__]
          regex: 'my_metric'
          action: keep

See the Prometheus relabel_config documentation for information about write relabel configuration options.

Save the file to apply the changes to the ConfigMap object. The pods affected by the new configuration restart automatically.

Configurations applied to the user-workload-monitoring-config ConfigMap object are not activated unless a cluster administrator has enabled monitoring for user-defined projects.

Saving changes to a monitoring ConfigMap object might redeploy the pods and other resources in the related project. Saving changes might also restart the running monitoring processes in that project.

Supported remote write authentication settings

You can use different methods to authenticate with a remote write endpoint. Currently supported authentication methods are AWS Signature Version 4, basic authentication, authorization, OAuth 2.0, and TLS client. The following table provides details about supported authentication methods for use with remote write.

Authentication method Config map field Description

Authentication method	Config map field	Description
AWS Signature Version 4	`sigv4`	This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or basic authentication.
basic authentication	`basicAuth`	Basic authentication sets the authorization header on every remote write request with the configured username and password.
authorization	`authorization`	Authorization sets the `Authorization` header on every remote write request using the configured token.
OAuth 2.0	`oauth2`	An OAuth 2.0 configuration uses the client credentials grant type. Prometheus fetches an access token from `tokenUrl` with the specified client ID and client secret to access the remote write endpoint. You cannot use this method simultaneously with authorization, AWS Signature Version 4, or basic authentication.
TLS client	`tlsConfig`	A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file.

AWS Signature Version 4

sigv4

This method uses AWS Signature Version 4 authentication to sign requests. You cannot use this method simultaneously with authorization, OAuth 2.0, or basic authentication.

basic authentication

basicAuth

Basic authentication sets the authorization header on every remote write request with the configured username and password.

authorization

authorization

Authorization sets the Authorization header on every remote write request using the configured token.

OAuth 2.0

oauth2

An OAuth 2.0 configuration uses the client credentials grant type. Prometheus fetches an access token from tokenUrl with the specified client ID and client secret to access the remote write endpoint. You cannot use this method simultaneously with authorization, AWS Signature Version 4, or basic authentication.

TLS client

tlsConfig

A TLS client configuration specifies the CA certificate, the client certificate, and the client key file information used to authenticate with the remote write endpoint server using TLS. The sample configuration assumes that you have already created a CA certificate file, a client certificate file, and a client key file.

Config map location for authentication settings

The following shows the location of the authentication configuration in the ConfigMap object for default platform monitoring.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://remote-write-endpoint.example.com" (1)
        <endpoint_authentication_details> (2)

1	The URL of the remote write endpoint.
2	The required configuration details for the authentication method for the endpoint. Currently supported authentication methods are Amazon Web Services (AWS) Signature Version 4, authorization, basic authentication, OAuth 2.0, and TLS client.

If you configure remote write for the Prometheus instance that monitors user-defined projects, edit the user-workload-monitoring-config config map in the openshift-user-workload-monitoring namespace. Note that the Prometheus config map component is called prometheus in the user-workload-monitoring-config ConfigMap object and not prometheusK8s, as it is in the cluster-monitoring-config ConfigMap object.

Example remote write authentication settings

The following samples show different authentication settings you can use to connect to a remote write endpoint. Each sample also shows how to configure a corresponding Secret object that contains authentication credentials and other relevant settings. Each sample configures authentication for use with default platform monitoring in the openshift-monitoring namespace.

Sample YAML for AWS Signature Version 4 authentication

The following shows the settings for a sigv4 secret named sigv4-credentials in the openshift-monitoring namespace.

apiVersion: v1
kind: Secret
metadata:
  name: sigv4-credentials
  namespace: openshift-monitoring
stringData:
  accessKey: <AWS_access_key> (1)
  secretKey: <AWS_secret_key> (2)
type: Opaque

1	The AWS API access key.
2	The AWS API secret key.

The following shows sample AWS Signature Version 4 remote write authentication settings that use a Secret object named sigv4-credentials in the openshift-monitoring namespace:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://authorization.example.com/api/write"
        sigv4:
          region: <AWS_region> (1)
          accessKey:
            name: sigv4-credentials (2)
            key: accessKey (3)
          secretKey:
            name: sigv4-credentials (2)
            key: secretKey (4)
          profile: <AWS_profile_name> (5)
          roleArn: <AWS_role_arn> (6)

1	The AWS region.
2	The name of the `Secret` object containing the AWS API access credentials.
3	The key that contains the AWS API access key in the specified `Secret` object.
4	The key that contains the AWS API secret key in the specified `Secret` object.
5	The name of the AWS profile that is being used to authenticate.
6	The unique identifier for the Amazon Resource Name (ARN) assigned to your role.

Sample YAML for basic authentication

The following shows sample basic authentication settings for a Secret object named rw-basic-auth in the openshift-monitoring namespace:

apiVersion: v1
kind: Secret
metadata:
  name: rw-basic-auth
  namespace: openshift-monitoring
stringData:
  user: <basic_username> (1)
  password: <basic_password> (2)
type: Opaque

1	The username.
2	The password.

The following sample shows a basicAuth remote write configuration that uses a Secret object named rw-basic-auth in the openshift-monitoring namespace. It assumes that you have already set up authentication credentials for the endpoint.

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      remoteWrite:
      - url: "https://basicauth.example.com/api/write"
        basicAuth:
          username:
            name: rw-basic-auth (1)
            key: user (2)
          password:
            name: rw-basic-auth (1)
            key: password (3)

1	The name of the `Secret` object that contains the authentication credentials.
2	The key that contains the username in the specified `Secret` object.
3	The key that contains the password in the specified `Secret` object.

Sample YAML for authentication with a bearer token using a Secret Object

The following shows bearer token settings for a Secret object named rw-bearer-auth in the openshift-monitoring namespace:

apiVersion: v1
kind: Secret
metadata:
  name: rw-bearer-auth
  namespace: openshift-monitoring
stringData:
  token: <authentication_token> (1)
type: Opaque

1	The authentication token.

The following shows sample bearer token config map settings that use a Secret object named