This is unreleased documentation for Admission Controller 1.30-next.

Monitoring

Rancher has a Cluster Tool for monitoring that leverages Grafana and Prometheus. You can use this tool, integrating it with SUSE Security Admission Controller, to view overall metrics for a Policy Server or metrics for a given policy.

You need a cluster with at least 4 cores to install the Monitoring tool.

Prerequisites

You need the Prometheus Operator. Follow these instructions to install it.

Install

Create the ServiceMonitors

  • Import the manifest to create the ServiceMonitors.

  • You need to specify the Admission Controller installation namespace.

These steps are adapted from the telemetry metrics instructions.

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubewarden-controller
  namespace: cattle-kubewarden-system
spec:
  endpoints:
    - interval: 10s
      port: metrics
  namespaceSelector:
    matchNames:
      - cattle-kubewarden-system
  selector:
    matchLabels:
      app.kubernetes.io/name: kubewarden-controller
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kubewarden-policy-server
  namespace: cattle-kubewarden-system
spec:
  endpoints:
    - interval: 10s
      port: metrics
  namespaceSelector:
    matchNames:
      - cattle-kubewarden-system
  selector:
    matchLabels:
      app: kubewarden-policy-server-default

Enable telemetry for your rancher-kubewarden-controller resource

  • Navigate to Apps & Marketplace → Installed Apps.

  • Select the Edit/Upgrade action for your rancher-kubewarden-controller resource.

  • Edit the YAML to enable telemetry, as in the snippet that follows, and verify that the metrics port is correct.

telemetry:
  metrics: true
  mode: sidecar
  sidecar:
    metrics:
      port: 8080

You may need to redeploy your Monitoring resources for the new ConfigMap to load. You can do this from Workloads → Deployments. Select all the resources in the cattle-monitoring-system namespace and select the Redeploy action.
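A ServiceMonitor yields scrape targets only when its selector labels, its namespaceSelector and its endpoint port name all match a real Service; a mismatch silently leaves the dashboards empty. The following is an added example, not part of the Admission Controller documentation or code: a Python check over the `items` list of `kubectl get servicemonitor,service -n <namespace> -o json`. The Service names and ports in the sample are constructed assumptions, and only matchLabels selectors are handled.

```python
# Added example: which ServiceMonitors can actually select a Service endpoint?
# Input: the "items" list from `kubectl get servicemonitor,service -n <namespace> -o json`.
# Only matchLabels selectors are handled (no matchExpressions).
def check_service_monitors(items):
    """Return {ServiceMonitor name: [problems]}; an empty list means it can scrape."""
    services = [o for o in items if o["kind"] == "Service"]
    report = {}
    for sm in (o for o in items if o["kind"] == "ServiceMonitor"):
        spec, problems = sm["spec"], []
        ns_sel = spec.get("namespaceSelector", {})
        # Without matchNames, only the monitor's own namespace is searched.
        namespaces = ns_sel.get("matchNames") or [sm["metadata"]["namespace"]]
        wanted = spec.get("selector", {}).get("matchLabels", {})
        matched = [
            s for s in services
            if (ns_sel.get("any") or s["metadata"]["namespace"] in namespaces)
            and wanted.items() <= s["metadata"].get("labels", {}).items()
        ]
        if not matched:
            problems.append(f"no Service in {namespaces} has labels {wanted}")
        for ep in spec.get("endpoints", []):
            for s in matched:
                names = [p.get("name") for p in s["spec"].get("ports", [])]
                if ep.get("port") not in names:
                    problems.append(
                        f"Service {s['metadata']['name']} has no port named {ep.get('port')!r}")
        report[sm["metadata"]["name"]] = problems
    return report

NS = "cattle-kubewarden-system"
def _svc(name, ns, labels, ports):  # constructed Service object
    return {"kind": "Service", "metadata": {"name": name, "namespace": ns, "labels": labels},
            "spec": {"ports": [{"name": p} for p in ports]}}
def _sm(name, ns, labels):  # ServiceMonitor shaped like the manifest on this page
    return {"kind": "ServiceMonitor", "metadata": {"name": name, "namespace": ns},
            "spec": {"endpoints": [{"interval": "10s", "port": "metrics"}],
                     "namespaceSelector": {"matchNames": [ns]},
                     "selector": {"matchLabels": labels}}}

# Constructed sample: Service names and port lists are assumptions. The policy-server
# Service deliberately lacks a port named "metrics" to show the failure case.
SAMPLE_ITEMS = [
    _sm("kubewarden-controller", NS, {"app.kubernetes.io/name": "kubewarden-controller"}),
    _sm("kubewarden-policy-server", NS, {"app": "kubewarden-policy-server-default"}),
    _svc("controller-metrics", NS, {"app.kubernetes.io/name": "kubewarden-controller"}, ["metrics"]),
    _svc("policy-server-default", NS, {"app": "kubewarden-policy-server-default"}, ["policy"]),
]
if __name__ == "__main__":
    print(check_service_monitors(SAMPLE_ITEMS))
```

An empty problem list for every ServiceMonitor means Prometheus has something to scrape; a non-empty one names the label, namespace or port mismatch to fix in the manifest.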

Create the Grafana dashboard ConfigMap for Policies and Policy Server

This method is suitable for air-gapped installations.

The Policy Server and Policies use different dashboards, so you need to create each one separately.

Within the detail view for a Policy Server or a specific Policy:

  • Navigate to the "Metrics" tab.

  • Follow the prompt to create the ConfigMap.

  • Reload the page to update the Grafana view (Grafana may be slow to acknowledge the new dashboard).

You should now be able to view the metrics for a Policy Server, or for any given Policy, on the detail page for each respective resource. You can also view the Admission Controller dashboards within the Grafana UI, or the events from the Prometheus UI.