openshift
diff --git a/‎modules/nodes-pods-autoscaling-custom-about.adoc
Lines changed: 10 additions & 4 deletions b/‎modules/nodes-pods-autoscaling-custom-about.adoc
Lines changed: 10 additions & 4 deletions
diff --git a/‎modules/nodes-pods-autoscaling-custom-audit.adoc
Lines changed: 177 additions & 0 deletions b/‎modules/nodes-pods-autoscaling-custom-audit.adoc
Lines changed: 177 additions & 0 deletions
@@ -6,17 +6,21 @@
 [id="nodes-pods-autoscaling-custom-about_{context}"]
 = Understanding the custom metrics autoscaler
 
-The custom metrics autoscaler uses the Kubernetes-based Event Driven Autoscaler (KEDA) and is built on top of the {product-title} horizontal pod autoscaler (HPA).
+The Custom Metrics Autoscaler Operator scales your pods up and down based on custom, external metrics from specific applications. Your other applications continue to use other scaling methods. You configure _triggers_, also known as scalers, which are the source of events and metrics that the custom metrics autoscaler uses to determine how to scale. The custom metrics autoscaler uses a metrics API to convert the external metrics to a form that {product-title} can use. The custom metrics autoscaler creates a horizontal pod autoscaler (HPA) that performs the actual scaling. 
 
-The Custom Metrics Autoscaler Operator scales your pods up and down based on custom, external metrics from specific applications. Your other applications continue to use other scaling methods. You configure _triggers_, also known as scalers, which are the source of events and metrics that the custom metrics autoscaler uses to determine how to scale. The custom metrics autoscaler uses a metrics API to convert the external metrics to a form that {product-title} can use. The custom metrics autoscaler creates a horizontal pod autoscaler (HPA) that performs the actual scaling. The custom metrics autoscaler currently supports only the Prometheus trigger, which can use the installed {product-title} monitoring or an external Prometheus server as the metrics source.  
-
-To use the custom metrics autoscaler, you create a `ScaledObject` or `ScaledJob` object, which defines the scaling metadata. You specify the deployment or job to scale, the source of the metrics to scale on (trigger), and other parameters such as the minimum and maximum replica counts allowed. 
+To use the custom metrics autoscaler, you create a `ScaledObject` or `ScaledJob` object, which is a custom resource (CR) that defines the scaling metadata. You specify the deployment or job to scale, the source of the metrics to scale on (trigger), and other parameters such as the minimum and maximum replica counts allowed. 
 
 [NOTE]
 ====
 You can create only one scaled object or scaled job for each workload that you want to scale. Also, you cannot use a scaled object or scaled job and the horizontal pod autoscaler (HPA) on the same workload.
 ==== 
 
+The custom metrics autoscaler, unlike the HPA, can scale to zero. If you set the `minReplicaCount` value in the custom metrics autoscaler CR to `0`, the custom metrics autoscaler scales the workload down from 1 to 0 replicas to or up from 0 replicas to 1. This is known as the _activation phase_. After scaling up to 1 replica, the HPA takes control of the scaling. This is known as the _scaling phase_. 
+
+Some triggers allow you to change the number of replicas that are scaled by the cluster metrics autoscaler.  In all cases, the parameter to configure the activation phase always uses the same phrase, prefixed with _activation_. For example, if the `threshold` parameter configures scaling, `activationThreshold` would configure activation. Configuring the activation and scaling phases allows you more flexibility with your scaling policies. For example, you could configure a higher activation phase to prevent scaling up or down if the metric is particularly low.  
+
+The activation value has more priority than the scaling value in case of different decisions for each. For example, if the `threshold` is set to `10`, and the `activationThreshold` is `50`, if the metric reports `40`, the scaler is not active and the pods are scaled to zero even if the HPA requires 4 instances.
+
 ////
 [NOTE]
 ====
@@ -35,3 +39,5 @@ Successfully set ScaleTarget replica count
 ----
 Successfully updated ScaleTarget
 ---- 
+
+You can temporarily pause the autoscaling of a workload object, if needed. For example, you could pause autoscaling before performing cluster maintenance.
@@ -0,0 +1,177 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-pods-autoscaling-custom.adoc
+
+:_content-type: PROCEDURE
+[id="nodes-pods-autoscaling-custom-audit_{context}"]
+= Configuring audit logging
+
+// Text borrowed from gathering-cluster-data.adoc. Make into snippet?
+
+You can gather audit logs, which are a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.
+
+For example, audit logs can help you understand where an autoscaling request is coming from. This is key information when backends are getting overloaded by autoscaling requests made by user applications and you need to determine which is the troublesome application. You can configure auditing for the Custom Metrics Autoscaler Operator by editing the `KedaController` custom resource. The logs are sent to an audit log file on a volume that is secured by using a persistent volume claim in the `KedaController` CR. 
+
+// You can view the audit log file directly or use the `oc adm must-gather` CLI. The `oc adm must-gather` CLI collects the log along with other information from your cluster that is most likely needed for debugging issues, such as resource definitions and service logs.
+
+.Prerequisites
+
+* The Custom Metrics Autoscaler Operator must be installed.
+
+.Procedure
+
+. Edit the `KedaController` custom resource to add the `auditConfig` stanza:
++
+[source,yaml]
+----
+kind: KedaController
+apiVersion: keda.sh/v1alpha1
+metadata:
+  name: keda
+  namespace: openshift-keda
+spec:
+ ...
+  metricsServer:
+ ...
+    auditConfig:
+      logFormat: "json" <1>
+      logOutputVolumeClaim: "pvc-audit-log" <2>
+      policy:
+        rules: <3>
+        - level: Metadata
+        omitStages: "RequestReceived" <4>
+        omitManagedFields: false <5>
+      lifetime: <6>
+        maxAge: "2"
+        maxBackup: "1"
+        maxSize: "50"
+----
+<1> Specifies the output format of the audit log, either `legacy` or `json`.
+<2> Specifies an existing persistent volume claim for storing the log data. All requests coming to the API server are logged to this persistent volume claim. If you leave this field empty, the log data is sent to stdout.
+<3> Specifies which events should be recorded and what data they should include:
++
+* `None`: Do not log events.
+* `Metadata`: Log only the metadata for the request, such as user, timestamp, and so forth. Do not log the request text and the response text. This is the default.
+* `Request`: Log only the metadata and the request text but not the response text. This option does not apply for non-resource requests.
+* `RequestResponse`: Log event metadata, request text, and response text. This option does not apply for non-resource requests.
++
+<4> Specifies stages for which no event is created.
+<5> Specifies whether to omit the managed fields of the request and response bodies from being written to the API audit log, either `true` to omit the fields or `false` to include the fields.
+<6> Specifies the size and lifespan of the audit logs.
++
+* `maxAge`: The maximum number of days to retain audit log files, based on the timestamp encoded in their filename.
+* `maxBackup`: The maximum number of audit log files to retain. Set to `0` to retain all audit log files.
+* `maxSize`: The maximum size in megabytes of an audit log file before it gets rotated.
+
+.Verification
+
+////
+. Use the `oc adm must-gather` CLI to collect the audit log file:
++
+[source,terminal]
+----
+oc adm must-gather -- /usr/bin/gather_audit_logs
+---- 
+////
+
+. View the audit log file directly:
+
+.. Obtain the name of the `keda-metrics-apiserver-*` pod:
++
+[source,terminal]
+----
+oc get pod -n openshift-keda
+----
++
+.Example output
++
+[source,terminal]
+----
+NAME                                                  READY   STATUS    RESTARTS   AGE
+custom-metrics-autoscaler-operator-5cb44cd75d-9v4lv   1/1     Running   0          8m20s
+keda-metrics-apiserver-65c7cc44fd-rrl4r               1/1     Running   0          2m55s
+keda-operator-776cbb6768-zpj5b                        1/1     Running   0          2m55s
+----
+
+.. View the log data by using a command similar to the following:
++
+[source,terminal]
+----
+$ oc logs keda-metrics-apiserver-<hash>|grep -i metadata <1>
+----
+<1> Optional: You can use the `grep` command to specify the log level to display: `Metadata`, `Request`, `RequestResponse`.
++
+For example:
++
+[source,terminal]
+----
+$ oc logs keda-metrics-apiserver-65c7cc44fd-rrl4r|grep -i metadata
+----
++
+.Example output
++
+[source,terminal]
+----
+ ...
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"4c81d41b-3dab-4675-90ce-20b87ce24013","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["10.131.0.1"],"userAgent":"kube-probe/1.26","responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-02-16T13:00:03.554567Z","stageTimestamp":"2023-02-16T13:00:03.555032Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
+ ...
+----
+
+. Alternatively, you can view a specific log:
++
+.. Use a command similar to the following to log into the `keda-metrics-apiserver-*` pod:
++
+[source,terminal]
+----
+$ oc rsh pod/keda-metrics-apiserver-<hash> -n openshift-keda
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc rsh pod/keda-metrics-apiserver-65c7cc44fd-rrl4r -n openshift-keda
+----
+
+.. Change to the `/var/audit-policy/` directory: 
++
+[source,terminal]
+----
+sh-4.4$ cd /var/audit-policy/
+----
+
+.. List the available logs:
++
+[source,terminal]
+----
+sh-4.4$ ls
+----
++
+.Example output
++
+[source,terminal]
+----
+log-2023.02.17-14:50  policy.yaml
+----
+
+.. View the log, as needed:
++
+[source,terminal]
+----
+sh-4.4$ cat <log_name>/<pvc_name>|grep -i <log_level> <1>
+----
+<1> Optional: You can use the `grep` command to specify the log level to display: `Metadata`, `Request`, `RequestResponse`.
++
+For example:
++
+[source,terminal]
+----
+sh-4.4$ cat log-2023.02.17-14:50/pvc-audit-log|grep -i Request
+----
++
+.Example output
+----
+ ...
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"63e7f68c-04ec-4f4d-8749-bf1656572a41","stage":"ResponseComplete","requestURI":"/openapi/v2","verb":"get","user":{"username":"system:aggregator","groups":["system:authenticated"]},"sourceIPs":["10.128.0.1"],"responseStatus":{"metadata":{},"code":304},"requestReceivedTimestamp":"2023-02-17T13:12:55.035478Z","stageTimestamp":"2023-02-17T13:12:55.038346Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}}
+ ...
+----