kube-icinga will automatically deploy icinga objects to monitor your kubernetes services. It has built-in autodiscovery and will work out of the box. However you can change various default configurations and deploy custom icinga objects or disable/enable kubernetes objects to monitor.
Multiple watchers are bootstraped and listen for any kubernetes changes. Those changes will reflect immediately on icinga2.
- Kubernetes namespaces will result in icinga service groups and host groups
- Nodes will result in host objects
- Ingresses will result in dummy icinga host objects (hostname ist taken from metadata.name) whereas ingress paths will get deployed as icinga services related to the ingress host object
Note: You may change this behaviour by attaching the services (ingress paths) to all kubernetes worker nodes by setting
kubernetes.ingresses.attachToNodestotrue. (This will result in many more services and checks depending on the size of your cluster!)
- Services (ClusterIP, NodePort, LoadBalanacer) will also result in icinga host objects and service ports are icinga services.
Note: NodePort services will always be attached to each kubernetes worker node. See NodePort services for more information.
Since there is no such thing as hosts in the world of moving and containers. The host object (kubernetes metadata.name) on icinga may just be a dummy and will not get checked if the service can not be attached to kubernetes nodes.
You may wonder where your pods are in this setup. Well it does not make any sense to monitor single pods. Pods are mortal and (always) moving. The important thing is to monitor your services as an entity.
- Description
- How does it work?
- Requirements
- Setup icinga2 api user
- Deployment
- Configuration
- Advanced topics
- A running kubernetes cluster (or minikube)
- Icinga2 server with enabled API module
kube-icina requires an icinga api user which first must be created. You can either create it manually or using the icinga2 command utility.
icinga2 api user --user kube-icinga --password kube-icingaUse another password!
The recommended (and logical) way to deploy kube-icinga is deplyoing kube-icinga on kubernetes itself using the gyselroth/kube-icinga docker image.
The kubernetes deployment can simply be added like this:
kubectl -f https://raw.githubusercontent.com/gyselroth/kube-icinga/master/kube-icinga.yamlExample YAML for kubernetes: (Change the secret password and ICINGA_ADDRESS value accordingly):
apiVersion: v1
kind: Secret
metadata:
name: icinga-credentials
namespace: kube-system
type: Opaque
data:
username: a3ViZS1pY2luZ2E=
password: a3ViZS1pY2luZ2E=
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kube-icinga
subjects:
- kind: ServiceAccount
name: kube-icinga
namespace: kube-system
roleRef:
kind: ClusterRole
name: kube-icinga
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kube-icinga
labels:
k8s-app: kube-icinga
rules:
- apiGroups: [""] # "" indicates the core API group
resources:
- namespaces
- ingresses
- services
- nodes
verbs:
- get
- watch
- list
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-icinga
namespace: kube-system
labels:
k8s-app: kube-icinga
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
k8s-app: kube-icinga
name: kube-icinga
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: kube-icinga
template:
metadata:
labels:
k8s-app: kube-icinga
spec:
containers:
- image: gyselroth/kube-icinga:latest
imagePullPolicy: Always
name: kube-icinga
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
env:
- name: ICINGA_ADDRESS
value: icinga_address
- name: ICINGA_API_USER
valueFrom:
secretKeyRef:
name: icinga-credentials
key: username
- name: ICINGA_API_PASSWORD
valueFrom:
secretKeyRef:
name: icinga-credentials
key: password
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: kube-icinga
serviceAccountName: kube-icinga
terminationGracePeriodSeconds: 30kube-icinga itself can be configured via environment variables however you may also deploy and change the config.json file instead of environement variables.
List of configurable values:
| Setting | Description | Environment Variable | Default Value |
|---|---|---|---|
logger.level |
Loglevel for winston logger | LOG_LEVEL |
debug |
icinga.address |
Icinga2 address | ICINGA_ADDRESS |
127.0.01 |
icinga.port |
Icinga2 API port | ICINGA_PORT |
5665 |
icinga.apiUser |
Icinga2 API username | ICINGA_API_USERNAME |
admin |
icinga.apiPassword |
Icinga2 API password | ICINGA_API_PASSWORD |
admin |
cleanup |
If true all kubernetes objects get removed from icinga at startup |
CLEANUP |
true |
kubernetes.nodes.discover |
Deploy kubernetes ingress objects | KUBERNETES_NODES_DISCOVER |
true |
kubernetes.nodes.hostDefinition |
You may overwrite specific attributes of the icinga host definiton. | ICINGA_NODES_HOST_DEFINITION |
{} |
kubernetes.nodes.hostTemplates |
Specify a list of host templates | ICINGA_NODES_HOST_TEMPLATES |
['generic-host'] |
kubernetes.ingresses.discover |
Deploy kubernetes ingress objects | KUBERNETES_INGRESSES_DISCOVER |
true |
kubernetes.ingresses.serviceDefinition |
You may overwrite specific attributes of the icinga service definiton. | ICINGA_INGRESSES_SERVICE_DEFINITION |
'{}' |
kubernetes.ingresses.hostDefinition |
You may overwrite specific attributes of the icinga host definiton. | ICINGA_INGRESSES_SERVICE_DEFINITION |
{} |
kubernetes.ingresses.serviceTemplates |
Specify a list of icinga service templates | ICINGA_INGRESSES_SERVICE_TEMPLATES |
['generic-service'] |
kubernetes.ingresses.hostTemplates |
Specify a list of host templates | ICINGA_INGRESSES_HOST_TEMPLATES |
['generic-host'] |
kubernetes.ingresses.applyServices |
Apply ingress paths as icinga services attached to the icinga ingress host | KUBERNETES_INGRESSES_APPLYSERVICES |
true |
kubernetes.ingresses.attachToNodes |
If true instead attaching port services to a dummy host object metadata.name all services get attached to each kubernetes worker node! |
KUBERNETES_INGRESSES_ATTACHTONODES |
false |
kubernetes.services.ClusterIP.discover |
Deploy kubernetes service objects | KUBERNETES_SERVICES_TYPE_DISCOVER |
false |
kubernetes.services.ClusterIP.serviceDefinition |
You may overwrite specific attributes of the icinga service definiton. | ICINGA_SERVICES_SERVICE_DEFINITION |
{} |
kubernetes.services.ClusterIP.hostDefinition |
You may overwrite specific attributes of the icinga host definiton. | ICINGA_SERVICES_CLUSTERIP_HOST_DEFINITION |
{} |
kubernetes.services.ClusterIP.serviceTemplates |
Specify a list of icinga service templates | ICINGA_SERVICES_CLUSTERIP_SERVICE_TEMPLATES |
['generic-service'] |
kubernetes.services.ClusterIP.hostTemplates |
Specify a list of host templates | ICINGA_SERVICES_CLUSTERIP_HOST_TEMPLATES |
['generic-host'] |
kubernetes.services.ClusterIP.applyServices |
URI of LDAP server | KUBERNETES_SERVICES_CLUSTERIP_APPLYSERVICES |
true |
kubernetes.services.ClusterIP.portNameAsCommand |
Creates an icinga service with the port name as check_command. Example: If the port name is mongodb then the service gets checked via check_mongodb. If false the port protocl gets used which is usually TCP or UDP. >Note: It will fallback to the port protocol if the icinga plugin was not found as specified in the name. |
KUBERNETES_SERVICES_CLUSTERIP_PORTNAMEASCOMMAND |
true |
kubernetes.services.NodePort.discover |
Deploy kubernetes service objects | KUBERNETES_SERVICES_TYPE_DISCOVER |
true |
kubernetes.services.NodePort.serviceDefinition |
You may overwrite specific attributes of the icinga service definiton. | ICINGA_SERVICES_SERVICE_DEFINITION |
{} |
kubernetes.services.NodePort.hostDefinition |
You may overwrite specific attributes of the icinga host definiton. | ICINGA_SERVICES_NODEPORT_HOST_DEFINITION |
{} |
kubernetes.services.NodePort.serviceTemplates |
Specify a list of icinga service templates | ICINGA_SERVICES_NODEPORT_SERVICE_TEMPLATES |
['generic-service'] |
kubernetes.services.NodePort.hostTemplates |
Specify a list of host templates | ICINGA_SERVICES_NODEPORT_HOST_TEMPLATES |
['generic-host'] |
kubernetes.services.NodePort.applyServices |
URI of LDAP server | KUBERNETES_SERVICES_NODEPORT_APPLYSERVICES |
true |
kubernetes.services.NodePort.portNameAsCommand |
Creates an icinga service with the port name as check_command. Example: If the port name is mongodb then the service gets checked via check_mongodb. If false the port protocl gets used which is usually TCP or UDP. >Note: It will fallback to the port protocol if the icinga plugin was not found as specified in the name. |
KUBERNETES_SERVICES_NODEPORT_PORTNAMEASCOMMAND |
true |
kubernetes.services.LoadBalancer.discover |
Deploy kubernetes service objects | KUBERNETES_SERVICES_TYPE_DISCOVER |
true |
kubernetes.services.LoadBalancer.serviceDefinition |
You may overwrite specific attributes of the icinga service definiton. | ICINGA_SERVICES_SERVICE_DEFINITION |
{} |
kubernetes.services.LoadBalancer.hostDefinition |
You may overwrite specific attributes of the icinga host definiton. | ICINGA_SERVICES_LOADBALANCER_HOST_DEFINITION |
{} |
kubernetes.services.LoadBalancer.serviceTemplates |
Specify a list of icinga service templates | ICINGA_SERVICES_LOADBALANCER_SERVICE_TEMPLATES |
['generic-service'] |
kubernetes.services.LoadBalancer.hostTemplates |
Specify a list of host templates | ICINGA_SERVICES_LOADBALANCER_HOST_TEMPLATES |
['generic-host'] |
kubernetes.services.LoadBalancer.applyServices |
URI of LDAP server | KUBERNETES_SERVICES_LOADBALANCER_APPLYSERVICES |
true |
kubernetes.services.LoadBalancer.portNameAsCommand |
Creates an icinga service with the port name as check_command. Example: If the port name is mongodb then the service gets checked via check_mongodb. If false the port protocl gets used which is usually TCP or UDP. >Note: It will fallback to the port protocol if the icinga plugin was not found as specified in the name. |
KUBERNETES_SERVICES_LOADBALANCER_PORTNAMEASCOMMAND |
true |
Ingresses, NodePort and Load Balancer services will expose your kubernetes services to the public but not ClusterIP services. ClusterIP services (Which is the default) are only internal kubernetes services and not available from outside the cluster. If your icinga2 setup lives outside the cluster you only have to options, either disable deployment for those objects or setup an icinga satelite container which will live in kubernetes. Of course you may also deploy an entire icinga2 setup on kubernetes if you do not have an existing one.
You certainly can use icinga2 apply rules. You may disable auto service deployments via applyServices for ingresses and services and define your own services via apply rules.
Of course you can also setup a mixed deployment. Automatically let kube-icinga deploy services and apply additional services via apply rules.
Note: Since icinga apply rules are not triggered if an object gets updated kube-icinga will delete and recreate those objects.
All icinga host object are created with all kubernetes data available packed in the variable vars.kubernetes. Therefore you can apply rules with this data, for example this will create an icinga service for all objects with a kubernetes label foo=bar.
It is possible to set custom options for the icinga objects during creation. You might set custom values via kubernetes.ingresses.hostTemplates or kubernetes.ingresses.serviceTemplate`. The same can also be done for services. For example it might be crucial to set a custom zone for ClusterIP services since they are only reachable within the cluster and shall be monitored by an icinga satelite node. Any valid setting for a specific icinga object can be set.
{
"kubernetes": {
"services": {
"ClusterIP":
"discover": true,
"serviceDefiniton": {
"zone": "my_custom_icinga_zone"
"vars.a_custom_icinga_variable": ["foo", "bar"]
},
}
}
}
}