Alert if an image used in Kubernetes cannot be pulled from container registry

Webfleet-Solutions/k8s-image-availability-exporter

k8s-image-availability-exporter

This is a fork aiming at fixing or at least circumventing the problems described in Issue #7 of the upstream repository.

As the upstream repo uses private build infrastructure, the CI process has been adapted and the master branch of this repo should not be merged into the upstream repo for this reason.

To add a feature in this repository: create a new branch from the upstream repo as described here. Then merge your feature branch into the master branches of both this repository and the upstream repository.


k8s-image-availability-exporter (or k8s-iae for short) is a Prometheus exporter that warns you proactively about images that are defined in Kubernetes objects (e.g., an image field in the Deployment) but are not available in the container registry (such as Docker Registry, etc.).

Receiving alerts when container images related to running Kubernetes controllers are missing helps you to solve the problem before it manifests itself. For more details on the reasons behind k8s-iae and how it works, please read this article.

Deploying

After cloning this repo:

kubectl apply -f deploy/

Prometheus integration

Here's how you can configure Prometheus or prometheus-operator to scrape metrics from k8s-image-availability-exporter.

Prometheus

- job_name: image-availability-exporter
  honor_labels: true
  metrics_path: '/metrics'
  scheme: http
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - kube-system
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_label_app]
    regex: image-availability-exporter
    action: keep

prometheus-operator

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: image-availability-exporter
  namespace: kube-system
spec:
  podMetricsEndpoints:
  - port: http-metrics
    scheme: http
    honorLabels: true
    scrapeTimeout: 10s
  selector:
    matchLabels:
      app: image-availability-exporter
  namespaceSelector:
    matchNames:
    - kube-system

Alerting

Here's how to alert based on these metrics:

Prometheus

groups:
- name: image-availability-exporter.rules
  rules:
  - alert: DeploymentImageUnavailable
    expr: |
      max by (namespace, deployment, container, image) (
        k8s_image_availability_exporter_deployment_available == 0
      )
    annotations:
      description: >
        Check image's `{{ $labels.image }}` availability in container registry
        in Namespace `{{ $labels.namespace }}`
        in Deployment `{{ $labels.deployment }}`
        in container `{{ $labels.container }}` in registry.
      summary: Image `{{ $labels.image }}` is unavailable in container registry.

  - alert: StatefulSetImageUnavailable
    expr: |
      max by (namespace, statefulset, container, image) (
        k8s_image_availability_exporter_statefulset_available == 0
      )
    annotations:
      description: >
        Check image's `{{ $labels.image }}` availability in container registry
        in Namespace `{{ $labels.namespace }}`
        in StatefulSet `{{ $labels.statefulset }}`
        in container `{{ $labels.container }}` in registry.
      summary: Image `{{ $labels.image }}` is unavailable in container registry.

  - alert: DaemonSetImageUnavailable
    expr: |
      max by (namespace, daemonset, container, image) (
        k8s_image_availability_exporter_daemonset_available == 0
      )
    annotations:
      description: >
        Check image's `{{ $labels.image }}` availability in container registry
        in Namespace `{{ $labels.namespace }}`
        in DaemonSet `{{ $labels.daemonset }}`
        in container `{{ $labels.container }}` in registry.
      summary: Image `{{ $labels.image }}` is unavailable in container registry.

  - alert: CronJobImageUnavailable
    expr: |
      max by (namespace, cronjob, container, image) (
        k8s_image_availability_exporter_cronjob_available == 0
      )
    annotations:
      description: >
        Check image's `{{ $labels.image }}` availability in container registry
        in Namespace `{{ $labels.namespace }}`
        in CronJob `{{ $labels.cronjob }}`
        in container `{{ $labels.container }}` in registry.
      summary: Image `{{ $labels.image }}` is unavailable in container registry.

prometheus-operator

apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: image-availability-exporter-alerts
  namespace: kube-system
spec:
  groups:
  - name: image-availability-exporter.rules
    rules:

    - alert: DeploymentImageUnavailable
      expr: |
        max by (namespace, deployment, container, image) (
          k8s_image_availability_exporter_deployment_available == 0
        )
      annotations:
        description: >
          Check image's `{{ $labels.image }}` availability in container registry
          in Namespace `{{ $labels.namespace }}`
          in Deployment `{{ $labels.deployment }}`
          in container `{{ $labels.container }}` in registry.
        summary: Image `{{ $labels.image }}` is unavailable.
    
    - alert: StatefulSetImageUnavailable
      expr: |
        max by (namespace, statefulset, container, image) (
          k8s_image_availability_exporter_statefulset_available == 0
        )
      annotations:
        description: >
          Check image's `{{ $labels.image }}` availability in container registry
          in Namespace `{{ $labels.namespace }}`
          in StatefulSet `{{ $labels.statefulset }}`
          in container `{{ $labels.container }}` in registry.
        summary: Image `{{ $labels.image }}` is unavailable in container registry.
    
    - alert: DaemonSetImageUnavailable
      expr: |
        max by (namespace, daemonset, container, image) (
          k8s_image_availability_exporter_daemonset_available == 0
        )
      annotations:
        description: >
          Check image's `{{ $labels.image }}` availability in container registry
          in Namespace `{{ $labels.namespace }}`
          in DaemonSet `{{ $labels.daemonset }}`
          in container `{{ $labels.container }}` in registry.
        summary: Image `{{ $labels.image }}` is unavailable in container registry.
    
    - alert: CronJobImageUnavailable
      expr: |
        max by (namespace, cronjob, container, image) (
          k8s_image_availability_exporter_cronjob_available == 0
        )
      annotations:
        description: >
          Check image's `{{ $labels.image }}` availability in container registry
          in Namespace `{{ $labels.namespace }}`
          in CronJob `{{ $labels.cronjob }}`
          in container `{{ $labels.container }}` in registry.
        summary: Image `{{ $labels.image }}` is unavailable in container registry.

Configuration

Command-line options

  • --bind-address — IP address and port to bind to.
    • Default: :8080
  • --check-interval — interval for checking absent images. In Go time format.
    • Default: 5m
  • --ignored-images — comma-separated list of images to ignore while checking absent images.
  • --skip-registry-cert-verification — whether to skip registries' certificate verification.
  • --namespace — inspect specific namespace instead of whole k8s cluster.

Metrics

The following metrics for Prometheus are provided:

  • k8s_image_availability_exporter_<TYPE>_available — non-zero indicates successful image check.
  • k8s_image_availability_exporter_<TYPE>_bad_image_format — non-zero indicates incorrect image field format.
  • k8s_image_availability_exporter_<TYPE>_absent — non-zero indicates an image's manifest absence from container registry.
  • k8s_image_availability_exporter_<TYPE>_registry_unavailable — non-zero indicates general registry unavailability, perhaps due to a network outage.
  • k8s_image_availability_exporter_deployment_registry_v1_api_not_supported — non-zero indicates that the registry only offers the v1 Docker Registry API; these images are best ignored with the --ignored-images command-line parameter.
  • k8s_image_availability_exporter_<TYPE>_authentication_failure — non-zero indicates authentication error to container registry, verify imagePullSecrets.
  • k8s_image_availability_exporter_<TYPE>_authorization_failure — non-zero indicates authorization error to container registry, verify imagePullSecrets.
  • k8s_image_availability_exporter_<TYPE>_unknown_error — non-zero indicates an error that failed to be classified, consult exporter's logs for additional information.

Each <TYPE> in the exporter's metrics name is replaced with the following values:

  • deployment
  • statefulset
  • daemonset
  • cronjob
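
Read together, the metric families above tell you why an image check failed, not only that it failed. The following Go program is an added example, not code from this repository: it parses constructed /metrics output and reports the failure reason per workload container. The label names (namespace, the per-kind owner label, container, image) are assumed from the `max by` clauses of the alert rules above; `Triage` and the sample values are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of exporter output; label names are assumed from the
// `max by (...)` clauses in the README's alert rules.
const sample = `# TYPE k8s_image_availability_exporter_deployment_available gauge
k8s_image_availability_exporter_deployment_available{namespace="shop",deployment="api",container="app",image="registry.example.com/shop/api:1.4"} 1
k8s_image_availability_exporter_deployment_available{namespace="shop",deployment="web",container="app",image="registry.example.com/shop/web:2.0"} 0
k8s_image_availability_exporter_deployment_absent{namespace="shop",deployment="web",container="app",image="registry.example.com/shop/web:2.0"} 1
k8s_image_availability_exporter_cronjob_available{namespace="ops",cronjob="backup",container="job",image="registry.example.com/ops/backup:7"} 0
k8s_image_availability_exporter_cronjob_authentication_failure{namespace="ops",cronjob="backup",container="job",image="registry.example.com/ops/backup:7"} 1
`

var lineRE = regexp.MustCompile(`^k8s_image_availability_exporter_(deployment|statefulset|daemonset|cronjob)_(\w+)\{(.*)\} (\d+(?:\.\d+)?)$`)
var labelRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// Triage maps "kind/namespace/name/container" to the failure reason metric that is set.
func Triage(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // comments, blank lines, unrelated metrics
		}
		value, _ := strconv.ParseFloat(m[4], 64) // regex guarantees a plain number
		l := map[string]string{}
		for _, kv := range labelRE.FindAllStringSubmatch(m[3], -1) {
			l[kv[1]] = kv[2]
		}
		key := m[1] + "/" + l["namespace"] + "/" + l[m[1]] + "/" + l["container"]
		switch reason := m[2]; {
		case reason == "available" && value == 0 && out[key] == "":
			out[key] = "unavailable" // placeholder until a reason metric is seen
		case reason != "available" && value != 0:
			out[key] = reason // e.g. absent, authentication_failure
		}
	}
	return out
}

func main() {
	fmt.Println(Triage(sample))
}
```

An authentication_failure or authorization_failure result points at imagePullSecrets, while absent points at a missing tag or manifest in the registry.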

Compatibility

k8s-image-availability-exporter is compatible with Kubernetes 1.15+ and Docker Registry V2 compliant container registries.

Since the exporter operates as a Deployment, it does not support container registries that should be accessed via authorization on a node.
