bugfix: refactor alerts to accomodate for non-HA clusters #1010
+214
−16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
from
5b96fb5 to
5cd53d6
Compare
rexagod
commented
Jan 6, 2025
alerts/resource_alerts.libsonnet
Outdated
| and | ||
| (sum(kube_node_status_allocatable{%(kubeStateMetricsSelector)s,resource="cpu"}) by (%(clusterLabel)s) - max(kube_node_status_allocatable{%(kubeStateMetricsSelector)s,resource="cpu"}) by (%(clusterLabel)s)) > 0 | ||
| sum(namespace_cpu:kube_pod_container_resource_requests:sum{%(ignoringOverprovisionedWorkloadSelector)s}) by (%(clusterLabel)s) - | ||
| sum(kube_node_status_allocatable{%(kubeStateMetricsSelector)s,resource="cpu"}) by (%(clusterLabel)s) > 0) |
Collaborator
Author
There was a problem hiding this comment.
Suggested change
| sum(kube_node_status_allocatable{%(kubeStateMetricsSelector)s,resource="cpu"}) by (%(clusterLabel)s) > 0) | |
| 0.95 * sum(kube_node_status_allocatable{%(kubeStateMetricsSelector)s,resource="cpu"}) by (%(clusterLabel)s) > 0) |
Since a max(Q) buffer is not applicable in SNO, how about a numeric buffer of 5% (or more?)? That should help alert before things go out of budget.
skl
reviewed
Jan 7, 2025
rexagod
commented
Jan 21, 2025
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
from
984a0a3 to
3cd8f3c
Compare
skl
approved these changes
Jan 23, 2025
Collaborator
skl
left a comment
skl
left a comment
There was a problem hiding this comment.
@rexagod I added tests to your PR in eca85fe, hope you don't mind.
Also tested in a dev environment and compared the old rules with the new, I observed effectively the same behaviour - with the addition of support for single-node clusters.
I think the existing alert descriptions are self-explanatory, and imply action is required (reduce requests or increase capacity) regardless of number of nodes.
lgtm!
Collaborator
Author
|
Ah, sorry I completely missed adding the tests in my last commit. Thanks a bunch for the contribution! ❤️ I'll ask Simon to take a look here since with this patch we are essentially setting the trend for adapting such alerts for SNO, instead of dropping them as we have done internally (till now). |
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
from
77dc076 to
fc9fe6a
Compare
Collaborator
Author
|
@simonpasquier I've updated the PR to reflect only what upstream is concerned with, i.e., HA and non-HA, leaving logic for any OpenShift-specific variants outside of this patch. I believe following this trend upstream will be vendor-neutral and future-safe. |
Collaborator
Author
|
I noticed the tests are failing, will fix. |
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
3 times, most recently
from
899e369 to
725fe6b
Compare
Collaborator
Author
|
Hello again, @skl! 👋🏼 Apologies for the delay here, it seems this went under the radar after the discussions internally. In the latest revision for this patch, I've addressed the failing tests. PTAL, thank you! |
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
2 times, most recently
from
f899f9b to
e892fd2
Compare
skl
reviewed
Jul 22, 2025
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
2 times, most recently
from
75fcc1f to
4aea62b
Compare
skl
approved these changes
Jul 23, 2025
Collaborator
skl
left a comment
skl
left a comment
There was a problem hiding this comment.
lgtm, thanks for all the work here!
For the sake of brevity, let:
Q: kube_node_status_allocatable{job="kube-state-metrics",resource="cpu"} (allocable), and,
QQ: namespace_cpu:kube_pod_container_resource_requests:sum{} (requested), thus,
both quota alerts relevant here exist in the form: sum(QQ) by (cluster) - (sum(Q) by (cluster) - max(Q) by (cluster)) > 0 and (sum(Q) by (cluster) - max(Q) by (cluster)) > 0,
which, in case of a single-node cluster (sum(Q) by (cluster) = max(Q) by (cluster)), is reduced to,
sum(QQ) by (cluster) > 0, i.e., the alert will fire if *any* request limits exist.
To address this, drop the "max(Q) by (cluster)" buffer assumed in
non-SNO clusters from SNO, reducing the expression to: sum(QQ) by (cluster) - sum(Q) by (cluster) > 0 (total requeted - total allocable > 0 to trigger alert),
since there is only a single node, so a buffer of the same sort does not
make sense.
Signed-off-by: Pranshu Srivastava <[email protected]>
Use kube_node_role{role="control-plane"} (see [1] and [2]) to estimate if the cluster is HA or not.
* [1]: https://github.com/search?q=repo%3Akubernetes%2Fkube-state-metrics%20kube_node_role&type=code
* [2]: https://kubernetes.io/docs/reference/labels-annotations-taints/#node-role-kubernetes-io-control-plane
Also drop any thresholds as they would lead to false positives.
rexagod
changed the title
Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
force-pushed
the
KubeCPUOvercommit-SNO
branch
from
4aea62b to
4ae726c
Compare
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Jul 29, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
2 tasks
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Jul 29, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Jul 29, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Aug 5, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Aug 12, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
juzhao
pushed a commit
to juzhao/cluster-monitoring-operator
that referenced
this pull request
Sep 11, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Oct 11, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
rexagod
added a commit
to rexagod/cluster-monitoring-operator
that referenced
this pull request
Oct 11, 2025
Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]>
openshift-merge-bot bot
pushed a commit
to openshift/cluster-monitoring-operator
that referenced
this pull request
Nov 6, 2025
#2656) * add networkpolicy settings for in-cluster monitoring * update thanos-querier.libsonnet for networkpolicy * update admission-webhook.libsonnet * fix typo in admission-webhook.libsonnet prometheus-operator.libsonnet * update monitoring-plugin.libsonnet and gofmt manifests.go * update format * update alertmanager.libsonnet * update manifests.go to add ThanosQuerierNetworkPolicy func * remove networkpolicy.yaml file under each component * add networkpolicy files back * update main.jsonnet to remove removeNetworkPolicy * fix error * fix errors * remove resources.adoc resources.md * add back resources.adoc resources.md main.jsonnet * revert change in resources.adoc resources.md * update networkpolicy files * add renameNetworkPolicy to rename networkPolicy to networkPolicyDownstream * update libsonnet * OCPBUGS-58475: Enforce secure TLS settings in CMO server Signed-off-by: Daniel Mellado <[email protected]> * OCPBUGS-34568,OCPBUGS-35095: non-HA alert cases Pulls in changes from [1], which refactors alerts to accomodate for non-HA cases. [1]: kubernetes-monitoring/kubernetes-mixin#1010 Signed-off-by: Pranshu Srivastava <[email protected]> * bugfix: opt-out of multi-cluster control plane rules * chore: `make generate` * chore: `make jsonnet-fmt` * chore: Indicate added alerts in CHANGELOG Post kubernetes-mixin's ab4cb2b bump. Signed-off-by: Pranshu Srivastava <[email protected]> * OCPBUGS-56158: Bump prometheus-operator to v0.85.0 Signed-off-by: Jayapriya Pai <[email protected]> * add networkpolicy settings for in-cluster monitoring * update thanos-querier.libsonnet for networkpolicy * update admission-webhook.libsonnet * fix typo in admission-webhook.libsonnet prometheus-operator.libsonnet * update monitoring-plugin.libsonnet and gofmt manifests.go * update format * update alertmanager.libsonnet * update manifests.go to add ThanosQuerierNetworkPolicy func * remove networkpolicy.yaml file under each component * add networkpolicy files back * update main.jsonnet to remove removeNetworkPolicy * fix error * fix errors * remove resources.adoc resources.md * add back resources.adoc resources.md main.jsonnet * revert change in resources.adoc resources.md * update networkpolicy files * add renameNetworkPolicy to rename networkPolicy to networkPolicyDownstream * Revert "add renameNetworkPolicy to rename networkPolicy to networkPolicyDownstream" This reverts commit 57c710c. * revert change * fix typo * remove remame-network-policy.libsonnet, file name is wrong * fix code error * rename networkpolicy file name * add labels for networkpolicy files to let generate job pass * add default deny networkpolicy to cluster-monitoring-operator.libsonnet * change libsonnet format * split networkpolicy * rename default deny networkpolicy file name * update networkpolicy yaml file format * rename networkpolicy file name to component name * add code to deploy networkpolicy files for in-cluster monitoring * fix type check error to use NetworkingV1 func * fix error * fix error * fix error * grant sa cluster-monitoring-operator get networkpolicies permission * update 0000_50_cluster-monitoring-operator_02-role.yaml * update 0000_50_cluster-monitoring-operator_02-role.yaml * update component clsuter-role yaml to grant access to networkpolicy * update component libsonnet to add networkpolicy permission * update CMO 02-namespaced-cluster-role.yaml and 02-role.yaml * update permission * remove unnecessary component networkpolicy permission * change deploy networkpolicy task to beginning of each task * update prometheus 10901 port from UDP to TCP * update code and add e2e tests for alertmanager * fix error * add e2e cases and update libsonnet and yaml files to reference port number * remove annotations from libsonnet and yaml files * remove comments * fix error * remvove egress for admission-webhook * update PR based on comments * remove no needed NetworkPolicy check for node-exporter * add networkpolicy for admission-webhook and update port for alertmanager --------- Signed-off-by: Daniel Mellado <[email protected]> Signed-off-by: Pranshu Srivastava <[email protected]> Signed-off-by: Jayapriya Pai <[email protected]> Co-authored-by: Daniel Mellado <[email protected]> Co-authored-by: Pranshu Srivastava <[email protected]> Co-authored-by: Jayapriya Pai <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For the sake of brevity, let:
thus, both quota alert expressions relevant here (
KubeCPUOvercommitandKubeMemoryOvercommit) exist in the form:sum(QQ) by (cluster) - (sum(Q) by (cluster) - max(Q) by (cluster)) > 0 and (sum(Q) by (cluster) - max(Q) by (cluster)) > 0, which, in case of a single-node cluster (sum(Q) by (cluster)=max(Q) by (cluster)), is reduced to,sum(QQ) by (cluster) > 0, i.e., the alert will fire if any request limits exist.To address this, drop the
max(Q) by (cluster)buffer assumed in non-SNO clusters from SNO, reducing the expression to:sum(QQ) by (cluster) - sum(Q) by (cluster) > 0(total requeted - total allocable > 0 to trigger alert), since there is only a single node, so a buffer of the same sort does not make sense.