Alert if an image used in Kubernetes cannot be pulled from container registry


deckhouse/k8s-image-availability-exporter


k8s-image-availability-exporter (or k8s-iae for short) is a Prometheus exporter that warns you proactively about images that are defined in Kubernetes objects (e.g., an image field in the Deployment) but are not available in the container registry (such as Docker Registry, etc.).

Receiving alerts when container images related to running Kubernetes controllers are missing helps you to solve the problem before it manifests itself. For more details on the reasons behind k8s-iae and how it works, please read this article.

Deploying

Container image

Ready-to-use container images are available in the Deckhouse registry:

docker pull registry.deckhouse.io/k8s-image-availability-exporter/k8s-image-availability-exporter:latest

Helm Chart

The Helm chart is available on artifacthub. Follow the instructions on the page to install it.

Prometheus integration

Here's how you can configure Prometheus or prometheus-operator to scrape metrics from k8s-image-availability-exporter.

Prometheus

- job_name: image-availability-exporter
  honor_labels: true
  metrics_path: '/metrics'
  scheme: http
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - kube-system
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_label_app]
    regex: image-availability-exporter
    action: keep

prometheus-operator

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: image-availability-exporter
  namespace: kube-system
spec:
  podMetricsEndpoints:
  - port: http-metrics
    scheme: http
    honorLabels: true
    scrapeTimeout: 10s
  selector:
    matchLabels:
      app: image-availability-exporter
  namespaceSelector:
    matchNames:
    - kube-system

Alerting

Here's how to alert based on these metrics:

Prometheus

groups:
# "name" and "rules" are required by the Prometheus rule-file format; the group name is arbitrary.
# Label templates below are written for a plain Prometheus rule file; inside a Helm
# template, escape them as {{`{{ $labels.image }}`}}.
- name: image-availability-exporter
  rules:
  - alert: DeploymentImageUnavailable
    expr: |
      max by (namespace, name, container, image) (
        k8s_image_availability_exporter_available{kind="deployment"} == 0
      )
    annotations:
      message: >
        Image {{ $labels.image }} from container {{ $labels.container }}
        in deployment {{ $labels.name }}
        from namespace {{ $labels.namespace }}
        is not available in docker registry.
    labels:
      severity: critical
  - alert: StatefulSetImageUnavailable
    expr: |
      max by (namespace, name, container, image) (
        k8s_image_availability_exporter_available{kind="statefulset"} == 0
      )
    annotations:
      message: >
        Image {{ $labels.image }} from container {{ $labels.container }}
        in statefulSet {{ $labels.name }}
        from namespace {{ $labels.namespace }}
        is not available in docker registry.
    labels:
      severity: critical
  - alert: DaemonSetImageUnavailable
    expr: |
      max by (namespace, name, container, image) (
        k8s_image_availability_exporter_available{kind="daemonset"} == 0
      )
    annotations:
      message: >
        Image {{ $labels.image }} from container {{ $labels.container }}
        in daemonSet {{ $labels.name }}
        from namespace {{ $labels.namespace }}
        is not available in docker registry.
    labels:
      severity: critical
  - alert: CronJobImageUnavailable
    expr: |
      max by (namespace, name, container, image) (
        k8s_image_availability_exporter_available{kind="cronjob"} == 0
      )
    annotations:
      message: >
        Image {{ $labels.image }} from container {{ $labels.container }}
        in cronJob {{ $labels.name }}
        from namespace {{ $labels.namespace }}
        is not available in docker registry.
    labels:
      severity: critical

Configuration

Command-line options

Usage of k8s-image-availability-exporter:
  -allow-plain-http
        whether to fallback to HTTP scheme for registries that don't support HTTPS
  -bind-address string
        address:port to bind /metrics endpoint to (default ":8080")
  -capath value
        path to a file that contains CA certificates in the PEM format
  -check-interval duration
        image re-check interval (default 1m0s)
  -default-registry string
        default registry to use in absence of a fully qualified image name, defaults to "index.docker.io"
  -force-check-disabled-controllers value
        comma-separated list of controller kinds for which image is forcibly checked, even when workloads are disabled or suspended. Acceptable values include "Deployment", "StatefulSet", "DaemonSet", "Cronjob" or "*" for all kinds (this option is case-insensitive)
  -ignored-images string
        tilde-separated image regexes to ignore, each image will be checked against this list of regexes
  -image-mirror value
        Add a mirror repository (format: original=mirror)
  -namespace-label string
        namespace label for checks
  -skip-registry-cert-verification
        whether to skip registries' certificate verification

Metrics

The following metrics for Prometheus are provided:

  • k8s_image_availability_exporter_available — non-zero indicates a successful image check.
  • k8s_image_availability_exporter_absent — non-zero indicates that the image's manifest is absent from the container registry.
  • k8s_image_availability_exporter_bad_image_format — non-zero indicates an incorrect image field format.
  • k8s_image_availability_exporter_registry_unavailable — non-zero indicates general registry unavailability, perhaps due to a network outage.
  • k8s_image_availability_exporter_authentication_failure — non-zero indicates authentication error to container registry, verify imagePullSecrets.
  • k8s_image_availability_exporter_authorization_failure — non-zero indicates authorization error to container registry, verify imagePullSecrets.
  • k8s_image_availability_exporter_unknown_error — non-zero indicates an error that failed to be classified, consult exporter's logs for additional information.

Each metric has the following labels:

  • namespace - namespace name
  • container - container name
  • image - image URL in the registry
  • kind - Kubernetes controller kind, namely deployment, statefulset, daemonset or cronjob
  • name - controller name
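
As an added example (not part of the project's code), the following Python sketch parses a scrape of the exporter's /metrics endpoint and reports, for every container whose available metric is 0, which of the failure metrics listed above is non-zero. The metric and label names come from this README; the sample scrape, the registry host registry.example.com and the function name triage are constructed for illustration.

```python
import re
from collections import defaultdict

PREFIX = "k8s_image_availability_exporter_"
# Failure metrics listed in this README; "available" is handled separately.
FAILURES = ("absent", "bad_image_format", "registry_unavailable",
            "authentication_failure", "authorization_failure", "unknown_error")

SAMPLE_LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)(?:\s+\d+)?$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample of a /metrics scrape (values are illustrative).
SAMPLE = '''\
# TYPE k8s_image_availability_exporter_available gauge
k8s_image_availability_exporter_available{container="app",image="registry.example.com/shop/api:1.4",kind="deployment",name="api",namespace="shop"} 1
k8s_image_availability_exporter_available{container="db",image="registry.example.com/shop/db:9",kind="statefulset",name="db",namespace="shop"} 0
k8s_image_availability_exporter_authentication_failure{container="db",image="registry.example.com/shop/db:9",kind="statefulset",name="db",namespace="shop"} 1
k8s_image_availability_exporter_available{container="job",image="registry.example.com/ops/report:old",kind="cronjob",name="report",namespace="ops"} 0
k8s_image_availability_exporter_absent{container="job",image="registry.example.com/ops/report:old",kind="cronjob",name="report",namespace="ops"} 1
'''

def triage(text):
    """Map (namespace, kind, name, container, image) -> sorted failure reasons
    for every series whose 'available' value is 0."""
    available, reasons = {}, defaultdict(set)
    for line in text.splitlines():
        m = SAMPLE_LINE.match(line.strip())
        if not m or not m.group(1).startswith(PREFIX):
            continue  # comments, blank lines, unrelated metrics
        metric = m.group(1)[len(PREFIX):]
        labels = dict(LABEL.findall(m.group(2)))
        key = tuple(labels.get(k, "") for k in
                    ("namespace", "kind", "name", "container", "image"))
        value = float(m.group(3))
        if metric == "available":
            available[key] = value
        elif metric in FAILURES and value != 0:
            reasons[key].add(metric)
    # Unavailable images with no non-zero failure metric are "unclassified".
    return {k: sorted(reasons[k]) or ["unclassified"]
            for k, v in available.items() if v == 0}

if __name__ == "__main__":
    for key, why in triage(SAMPLE).items():
        print("/".join(key[:4]), key[4], "->", ", ".join(why))
```

Separating authentication_failure and authorization_failure from absent in this way tells you whether to look at imagePullSecrets or at the image reference itself.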

Compatibility

k8s-image-availability-exporter is compatible with Kubernetes 1.15+ and Docker Registry V2 compliant container registries.

Since the exporter operates as a Deployment, it does not support container registries that should be accessed via authorization on a node.
