
Grafana/Prometheus multitenancy

Open staticvoid255 opened this issue 2 years ago • 9 comments

At GU we are running 8+ different instances of Grafana corresponding to each team's instance of Prometheus. With monitoring now becoming a priority we are looking to implement a SPOG.

Describe the solution you'd like

Use Grafana Orgs and/or Teams to separate users from different teams

staticvoid255 avatar Jun 29 '22 10:06 staticvoid255

I will implement this once Grafana 9 is added to kube-prometheus-stack

staticvoid255 avatar Jun 30 '22 13:06 staticvoid255

You are only referring to grafana having access to platform prom source. There is more to this.

We provide prom instances when isMultitenant, so teams can publish serviceMonitors which are then scraped by those instances.

RBAC is not problematic at the moment, and changing it does not functionally change anything or give us anything from an architecture/networking perspective.

Morriz avatar Jul 02 '22 10:07 Morriz

Implementing RBAC would prevent having to run a separate instance of Grafana for every team, which is a big resource hog. Overall manageability is also much better with RBAC, especially when it comes to dashboard and datasource management, as well as, critically, backups. I think that leveraging Grafana's in-built multi-tenant capabilities is much better than implementing our own multi-tenancy layer.

staticvoid255 avatar Jul 11 '22 08:07 staticvoid255

@staticvoid255 Could you clarify how to set up scope for a team in Grafana, so that a team cannot see metrics from the platform and other teams?

j-zimnowoda avatar Jul 11 '22 08:07 j-zimnowoda

Here you go. We'd manage access to datasources, dashboard folders etc. with those scopes, depending on whether dashboards are generic or team-specific: dashboards with filterable datasources are covered by datasource scope, and team metrics by folder scope.

staticvoid255 avatar Jul 11 '22 09:07 staticvoid255

> Note: Available in Grafana Enterprise and Grafana Cloud Advanced.

Did you read this?

Morriz avatar Aug 02 '22 08:08 Morriz

We can always revive this once we have in-app upgrades options, but that is a long way for now. Please stick with FOSS until then.

Morriz avatar Aug 02 '22 08:08 Morriz

> Did you read this?

That wasn't there when I was researching this or I obviously would have seen it. Grafana's release docs for 9.0 implied it would be available for OSS users, and there has been a lot of scrutiny in the community over this.

Regardless, I can still achieve the same result with Teams and Orgs in Grafana, which is how people usually do it in FOSS.

staticvoid255 avatar Aug 03 '22 07:08 staticvoid255

> Did you read this?

> That wasn't there when I was researching this or I obviously would have seen it.

> Grafana's release docs for 9.0 implied it would be available for OSS users, and there has been a lot of scrutiny in the community over this.

Let's be sure and maybe ask them if it is FOSS?

> Regardless, I can still achieve the same result with Teams and Orgs in Grafana, which is how people usually do it in FOSS.

I believe teams and orgs are also not FOSS. We already do use their authz scripting approach, but that does not yet govern access to datasources. If we could publish datasources so that they are only accessible by teams with that approach, we would have solved the initial problem (one Grafana instance vs. multiple).

Morriz avatar Aug 05 '22 19:08 Morriz
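The question raised above (how to scope a team so it cannot see platform or other teams' metrics) and the point about governing datasource access can be illustrated with the org-per-team model on a single Grafana instance: every datasource in Grafana belongs to exactly one organisation, and Grafana's datasource provisioning files accept an `orgId` field, so a user who is only a member of the team org has no datasource through which to query another tenant's Prometheus. The script below is an added example, not code from the otomi-core project or from any participant in this thread. It generates a provisioning file with one org per team and adds a defender-side check that no team org's datasource points at the platform or another team's Prometheus. The in-cluster service URL pattern (`prometheus-<namespace>.<namespace>.svc:9090`) and the `team-<name>` namespace convention are assumptions for the example; org ids are assigned in sorted team order and would have to match the orgs actually created in Grafana.

```python
"""Plan per-team Grafana organisations on one Grafana instance (example code).

Model: org 1 (Grafana's built-in main org) keeps the platform Prometheus;
each team gets its own org containing exactly one Prometheus datasource that
points at that team's own Prometheus. Datasources are org-scoped in Grafana,
so membership in a team org alone gives no path to other tenants' metrics.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

PLATFORM_ORG_ID = 1            # Grafana's built-in "Main Org."
PLATFORM_NAMESPACE = "monitoring"  # assumed namespace of the platform Prometheus


@dataclass(frozen=True)
class Datasource:
    org_id: int
    namespace: str  # the single tenant this org is allowed to read
    name: str
    url: str


def prometheus_url(namespace: str) -> str:
    # Assumed in-cluster Service naming; adjust to the real Prometheus Service.
    return f"http://prometheus-{namespace}.{namespace}.svc:9090"


def plan(teams) -> list:
    """One datasource per org: platform in org 1, teams in orgs 2, 3, ... (sorted)."""
    out = [Datasource(PLATFORM_ORG_ID, PLATFORM_NAMESPACE,
                      "Platform Prometheus", prometheus_url(PLATFORM_NAMESPACE))]
    for org_id, team in enumerate(sorted(set(teams)), start=PLATFORM_ORG_ID + 1):
        ns = f"team-{team}"  # assumed namespace convention
        out.append(Datasource(org_id, ns, f"Prometheus ({team})", prometheus_url(ns)))
    return out


def namespace_of(url: str):
    """Extract the Kubernetes namespace from a <svc>.<ns>.svc host, else None."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return parts[1] if len(parts) >= 3 and parts[2] == "svc" else None


def leaks(datasources) -> list:
    """Describe every datasource that would let a team org read another tenant's data.

    The platform org is allowed to read anything; a team org may only read
    the Prometheus living in its own namespace.
    """
    problems = []
    for ds in datasources:
        target = namespace_of(ds.url)
        if target is None:
            problems.append(f"org {ds.org_id}: {ds.name!r} targets non-cluster host {ds.url!r}")
        elif ds.org_id != PLATFORM_ORG_ID and target != ds.namespace:
            problems.append(f"org {ds.org_id} ({ds.namespace}): {ds.name!r} reads from {target!r}")
    return problems


def render_provisioning(datasources) -> str:
    """Emit a Grafana datasource provisioning file; orgId pins each datasource to its org."""
    lines = ["apiVersion: 1", "datasources:"]
    for ds in datasources:
        lines += [
            f"  - name: {ds.name}",
            "    type: prometheus",
            "    access: proxy",      # Grafana proxies queries; browsers never reach Prometheus
            f"    orgId: {ds.org_id}",
            f"    url: {ds.url}",
            "    isDefault: true",    # only datasource in the org, so default is safe
            "    editable: false",    # team editors cannot repoint it at another tenant
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    p = plan(["beta", "alpha"])  # constructed sample team list
    print(render_provisioning(p))
    for problem in leaks(p):
        print("LEAK:", problem)
```

Running the module prints the provisioning file for the two sample teams; `leaks()` is what you would run in CI against the generated file so that a hand-edited datasource pointing a team org at `monitoring` fails the build instead of silently exposing platform metrics. This covers datasource-level isolation only; dashboard folder permissions within an org are a separate setting.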

closing in favour of redkubes/unassigned-issues#504

staticvoid255 avatar Jan 12 '23 09:01 staticvoid255

@staticvoid255 can you edit that link? It is pointing to the wrong issue. (Wrong repo? You can target other org repos like this: redkubes/otomi-console#123)

Morriz avatar Jan 12 '23 16:01 Morriz

Whoops my bad, cheers

staticvoid255 avatar Jan 12 '23 16:01 staticvoid255