Preparing to configure core platform monitoring stack

The OpenShift Container Platform installation program provides only a low number of configuration options before installation. Configuring most OpenShift Container Platform framework components, including the cluster monitoring stack, happens after the installation.

This section explains which monitoring components can be configured and how to prepare for configuring the monitoring stack.

Important

• Not all configuration parameters for the monitoring stack are exposed. Only the parameters and fields listed in the Config map reference for the Cluster Monitoring Operator are supported for configuration.

• The monitoring stack imposes additional resource requirements. Consult the computing resources recommendations in Scaling the Cluster Monitoring Operator and verify that you have sufficient resources.

Configurable monitoring components

This table shows the monitoring components you can configure and the keys used to specify the components in the cluster-monitoring-config config map.

Table 1. Configurable core platform monitoring components

Component	cluster-monitoring-config config map key
Prometheus Operator	prometheusOperator
Prometheus	prometheusK8s
Alertmanager	alertmanagerMain
Thanos Querier	thanosQuerier
kube-state-metrics	kubeStateMetrics
monitoring-plugin	monitoringPlugin
openshift-state-metrics	openshiftStateMetrics
Telemeter Client	telemeterClient
Metrics Server	metricsServer

Warning

Different configuration changes to the ConfigMap object result in different outcomes:

• The pods are not redeployed. Therefore, there is no service outage.

• The affected pods are redeployed:

  • For single-node clusters, this results in temporary service outage.

  • For multi-node clusters, because of high-availability, the affected pods are gradually rolled out and the monitoring stack remains available.

  • Configuring and resizing a persistent volume always results in a service outage, regardless of high availability.

Each procedure that requires a change in the config map includes its expected outcome.

Creating a cluster monitoring config map

You can configure the core OpenShift Container Platform monitoring components by creating and updating the cluster-monitoring-config config map in the openshift-monitoring project. The Cluster Monitoring Operator (CMO) then configures the core components of the monitoring stack.

Prerequisites

• You have access to the cluster as a user with the cluster-admin cluster role.

• You have installed the OpenShift CLI (oc).

Procedure

1. Check whether the cluster-monitoring-config ConfigMap object exists:

   $ oc -n openshift-monitoring get configmap cluster-monitoring-config

2. If the ConfigMap object does not exist:

   1. Create the following YAML manifest. In this example the file is called cluster-monitoring-config.yaml:

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: cluster-monitoring-config
        namespace: openshift-monitoring
      data:
        config.yaml: |

   2. Apply the configuration to create the ConfigMap object:

      $ oc apply -f cluster-monitoring-config.yaml

Granting users permissions for core platform monitoring

As a cluster administrator, you can monitor all core OpenShift Container Platform and user-defined projects.

You can also grant developers and other users different permissions for core platform monitoring. You can grant the permissions by assigning one of the following monitoring roles or cluster roles:

Name	Description	Project
cluster-monitoring-metrics-api	Users with this role have the ability to access Thanos Querier API endpoints. Additionally, it grants access to the core platform Prometheus API and user-defined Thanos Ruler API endpoints.	openshift-monitoring
cluster-monitoring-operator-alert-customization	Users with this role can manage AlertingRule and AlertRelabelConfig resources for core platform monitoring. These permissions are required for the alert customization feature.	openshift-monitoring
monitoring-alertmanager-edit	Users with this role can manage the Alertmanager API for core platform monitoring. They can also manage alert silences in the OpenShift Container Platform web console.	openshift-monitoring
monitoring-alertmanager-view	Users with this role can monitor the Alertmanager API for core platform monitoring. They can also view alert silences in the OpenShift Container Platform web console.	openshift-monitoring
cluster-monitoring-view	Users with this cluster role have the same access rights as cluster-monitoring-metrics-api role, with additional permissions, providing access to the /federate endpoint for the user-defined Prometheus.	Must be bound with ClusterRoleBinding to gain access to the /federate endpoint for the user-defined Prometheus.

Additional resources

• Resources reference for the Cluster Monitoring Operator

• CMO services resources

Granting user permissions by using the web console

You can grant users permissions for the openshift-monitoring project or their own projects, by using the OpenShift Container Platform web console.

Prerequisites

• You have access to the cluster as a user with the cluster-admin cluster role.

• The user account that you are assigning the role to already exists.

Procedure

1. In the OpenShift Container Platform web console, go to User Management → RoleBindings → Create binding.

2. In the Binding Type section, select the Namespace Role Binding type.

3. In the Name field, enter a name for the role binding.

4. In the Namespace field, select the project where you want to grant the access.

   Important

   The monitoring role or cluster role permissions that you grant to a user by using this procedure apply only to the project that you select in the Namespace field.

5. Select a monitoring role or cluster role from the Role Name list.

6. In the Subject section, select User.

7. In the Subject Name field, enter the name of the user.

8. Select Create to apply the role binding.

Granting user permissions by using the CLI

You can grant users permissions for the openshift-monitoring project or their own projects, by using the OpenShift CLI (oc).

Important

Whichever role or cluster role you choose, you must bind it against a specific project as a cluster administrator.

Prerequisites

• You have access to the cluster as a user with the cluster-admin cluster role.

• The user account that you are assigning the role to already exists.

• You have installed the OpenShift CLI (oc).

Procedure

• To assign a monitoring role to a user for a project, enter the following command:

  $ oc adm policy add-role-to-user <role> <user> -n <namespace> --role-namespace <namespace> 

  1. Substitute <role> with the wanted monitoring role, <user> with the user to whom you want to assign the role, and <namespace> with the project where you want to grant the access.

• To assign a monitoring cluster role to a user for a project, enter the following command:

  $ oc adm policy add-cluster-role-to-user <cluster-role> <user> -n <namespace> 

  1. Substitute <cluster-role> with the wanted monitoring cluster role, <user> with the user to whom you want to assign the cluster role, and <namespace> with the project where you want to grant the access.