Hi All,

I have a question about isolation of tenancies.

I am trying to achieve an isolation based on namespaces. So the `X-Scope-OrgID` header will be set to the name of the namespace. Then Prometheus is sending this header with the scraped data to Cortex.

A small overview of our current infrastructure:

We have multiple K8s clusters:

- management
- test
- dev
- prod

On the management cluster, on which Cortex will land, we deployed all the apps which are supporting and managing the other clusters. On management we also get all the metrics data from the various exporters running on the other clusters. In addition, we have a Grafana pod running on our management cluster on which our customers can log in and see metric data.

And there is our problem: customers can also see metrics from all the namespaces, not only their own namespace. We deploy customers in their own namespace.

I have read that the `X-Scope-OrgID` header can be used to achieve multi-tenancy isolation. So, I want to implement a solution so that customers can only see data for their own namespace.

I have already tested it and got it working with multiple Prometheus servers (to simulate multiple tenants), but I still see all the metrics from all namespaces, which is not our intention. We want to be able to use a single Prometheus in our management cluster.

So our main goal is to achieve isolation based on namespaces and not on cluster level. So, in Grafana you set the `X-Scope-OrgID` to the name of the namespace and then you'll see only the metric data for apps running in that namespace.

Is this possible with Cortex?
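The setup described in the post, sketched as configuration: an added example, not part of the original post and not taken from the Cortex project. It shows one way a single Prometheus can send each namespace's series under its own `X-Scope-OrgID`, and a matching read-only Grafana datasource. Assumptions: the namespace names `team-a` and `team-b`, the host `cortex.example.internal`, the Grafana `orgId`, that scraped series carry a `namespace` label, and the default Cortex path prefixes.

```yaml
# prometheus.yml (fragment). Constructed example; names and hosts are placeholders.
# One remote_write entry per tenant: each entry keeps only the series of one
# namespace and sends them with that namespace as the tenant ID.
remote_write:
  - name: tenant-team-a
    url: http://cortex.example.internal/api/v1/push   # placeholder host
    headers:
      X-Scope-OrgID: team-a
    write_relabel_configs:
      - source_labels: [namespace]   # assumes series carry a `namespace` label
        regex: team-a                # relabel regexes are fully anchored
        action: keep                 # everything else is dropped from this queue
  - name: tenant-team-b
    url: http://cortex.example.internal/api/v1/push
    headers:
      X-Scope-OrgID: team-b
    write_relabel_configs:
      - source_labels: [namespace]
        regex: team-b
        action: keep
# Series without a `namespace` label match no entry and are not forwarded.
---
# Grafana datasource provisioning file. Constructed example.
apiVersion: 1
datasources:
  - name: Cortex (team-a)
    type: prometheus
    access: proxy                    # Grafana's backend adds the header, not the browser
    orgId: 2                         # assumed: one Grafana organization per customer
    url: http://cortex.example.internal/prometheus   # assumed default query prefix
    editable: false                  # customers must not be able to change the header
    jsonData:
      httpHeaderName1: X-Scope-OrgID
    secureJsonData:
      httpHeaderValue1: team-a       # tenant ID this datasource is pinned to
```

Cortex does not authenticate the header itself and trusts whatever `X-Scope-OrgID` a request carries. The isolation therefore holds only if customers cannot edit the datasource or reach the Cortex endpoints directly.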