
Support for metrics on a private (GKE) cluster

Open Nadavpe opened this issue 3 years ago • 9 comments

What would you like to be added: Support for metrics on a private (GKE) cluster

Why is this needed: On a private cluster, services of type "Cluster-IP" are not visible outside of the cluster even if you have VPN or other network connectivity in place. The metric services deployed by lens are of type "Cluster-IP" and thus not visible to lens.

A possible implementation would be to deploy the metric services as node-port services. Then whenever lens loses connectivity, it would need to re-query for the current port and the current active nodes, and connect to the node-port on any available node (or even better, connect to a node that's running the relevant metric service, that would save a hop ...)

Environment you are running the Lens application on: Not sure what this means.

  • Kubernetes distribution: We use GKE, but this is probably applicable to other providers...
  • Desktop OS: Windows 10

Nadavpe avatar Oct 25 '21 13:10 Nadavpe

While the described method should work for any K8s cluster (not just private ones), it may be better to add this as a user-selectable option, thus leaving the current default implementation unchanged.

Nadavpe avatar Oct 27 '21 06:10 Nadavpe

Another option: Add support for an http/s query format.

Have the operator provide an http/s address to Prometheus which is accessible to Lens by whatever means. This will allow administrators to provide a route to the metrics provided by whatever is available. An additional headers field would be beneficial to allow passing authentication tokens or whatever is needed to secure the metrics.

Is there a chance that any of these features will be implemented in the near future?

Nadavpe avatar Nov 11 '21 21:11 Nadavpe

This! It would solve quite a lot of issues in my eyes; at least all of the following are related to that:

#561 #2441 #4264 #4128 #3509

Either proxy directly to the Prometheus service (like clicking on the 9090 link) or directly by providing an http/https URL (which would allow "outside of cluster" Prometheus instances as well) ...

MaxWagener avatar Nov 17 '21 14:11 MaxWagener

Upvoting the issue

Gaen avatar Feb 02 '22 11:02 Gaen

Upvoting the issue +1

balakumarpg avatar Feb 17 '22 20:02 balakumarpg

Upvoting this too +1

yonatan-ess avatar Feb 18 '22 11:02 yonatan-ess

Upvoting the issue +1

OmriKeret avatar Feb 18 '22 20:02 OmriKeret

Upvoting the issue +1

sapirost avatar Feb 21 '22 09:02 sapirost

For anyone else finding this in the future, you can just add a google firewall rule for TCP port 9090 to allow lens to read the metrics.

The source IPv4 range is the CIDR block you defined for the private config; target-wise, you can just add a new tag to your node pool so it applies to all the nodes, and that can be the target tag for the firewall rule.

Example gcloud command: gcloud compute firewall-rules create private-cluster-prometheus --project=my-google-project --direction=INGRESS --priority=1000 --network=private-gke-network --action=ALLOW --rules=tcp:9090 --source-ranges=10.100.0.0/28 --target-tags=prometheus

laurencee avatar Dec 17 '22 19:12 laurencee
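The firewall rule in the comment above only needs to admit the control plane's private range on TCP 9090, to the tagged nodes. The following is an added example, not code from Lens or from the commenter, that checks a rule description for exactly that narrow shape; the JSON is a constructed sample whose field names are assumed to follow `gcloud compute firewall-rules describe --format=json`.

```python
import ipaddress
import json

# Constructed sample; field names assumed to match gcloud's JSON output.
SAMPLE_RULE_JSON = """
{
  "name": "private-cluster-prometheus",
  "direction": "INGRESS",
  "disabled": false,
  "allowed": [{"IPProtocol": "tcp", "ports": ["9090"]}],
  "sourceRanges": ["10.100.0.0/28"],
  "targetTags": ["prometheus"]
}
"""

# Constructed variant that is too wide: open to the world and to every node.
WIDE_RULE_JSON = SAMPLE_RULE_JSON.replace('"10.100.0.0/28"', '"0.0.0.0/0"') \
                                 .replace('["prometheus"]', '[]')


def load_rule(text: str) -> dict:
    """Parse one firewall rule description from its JSON text."""
    return json.loads(text)


def check_prometheus_rule(rule: dict, master_cidr: str, port: str = "9090") -> list:
    """Return findings; an empty list means the rule is as narrow as intended."""
    findings = []
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    if rule.get("disabled"):
        findings.append("rule is disabled, so it cannot be what admits traffic")
    allowed = rule.get("allowed") or []
    if not allowed:
        findings.append("no allowed entries")
    for entry in allowed:
        # Anything beyond tcp:<port> widens exposure of the metrics endpoint.
        if entry.get("IPProtocol") != "tcp" or entry.get("ports") != [port]:
            findings.append(f"allows {entry}, expected tcp:{port} only")
    master = ipaddress.ip_network(master_cidr)
    sources = rule.get("sourceRanges") or []
    if not sources:
        findings.append("no source ranges set (GCP treats this as 0.0.0.0/0)")
    for src in sources:
        net = ipaddress.ip_network(src)
        if net.version != master.version or not net.subnet_of(master):
            findings.append(f"source {src} is wider than control-plane range {master_cidr}")
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        findings.append("no target tags: rule applies to every instance on the network")
    return findings
```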