OpenShift

Security Monitoring is now available

Agent Check

Supported OS: Linux

Overview

Red Hat OpenShift is an open source container application platform based on the Kubernetes container orchestrator for enterprise application development and deployment.

There is currently no separate openshift check. This README describes the configuration needed to enable collection of OpenShift-specific metrics in the Agent. The data described here are collected by the kubernetes_apiserver check; setting up that check is required to collect the openshift.* metrics.
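For reference, the kubernetes_apiserver check runs with a single empty instance; a minimal sketch of its configuration file is shown below (the check is enabled by default in containerized Agents, and the file path follows the standard conf.d layout):

```yaml
# conf.d/kubernetes_apiserver.d/conf.yaml
# One empty instance is enough; the openshift.* cluster quota metrics
# are collected through this check by the leader Agent.
init_config:

instances:
  - {}
```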

Setup

Installation

To install the Agent, refer to the Agent installation instructions for Kubernetes. The default configuration targets OpenShift 3.7.0+ and OpenShift 4.0+, as it relies on features and endpoints introduced in these versions.

Configuration

Starting with version 6.1, the Datadog Agent supports monitoring OpenShift Origin and Enterprise clusters. Depending on your needs and the security constraints of your cluster, three deployment scenarios are supported:

Security Context Constraints   | Restricted | Host network | Custom
Kubernetes layer monitoring    | ✅         | ✅           | ✅
Kubernetes-based Autodiscovery | ✅         | ✅           | ✅
Dogstatsd intake               | 🔶         | ✅           | ✅
APM trace intake               | 🔶         | ✅           | ✅
Logs network intake            | 🔶         | ✅           | ✅
Host network metrics           | ❌         | ❌           | ✅
Docker layer monitoring        | ❌         | ❌           | ✅
Container logs collection      | ❌         | ❌           | ✅
Live Container monitoring      | ❌         | ❌           | ✅
Live Process monitoring        | ❌         | ❌           | ✅

🔶: supported, but requires extra configuration (see the Restricted SCC operations section below).
OpenShift 4.0+: If you used the OpenShift installer on a supported cloud provider, you must deploy the Agent with hostNetwork: true in its pod specification to get host tags and aliases. Access to the metadata servers from the pod network is otherwise restricted.
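As a sketch, the Agent daemonset pod template would include the standard Kubernetes pod spec fields below (dnsPolicy is an assumption here, but it is the usual companion setting when enabling host networking):

```yaml
# Excerpt of the Agent daemonset pod template
spec:
  template:
    spec:
      hostNetwork: true                   # lets the Agent reach the cloud provider metadata server
      dnsPolicy: ClusterFirstWithHostNet  # keep in-cluster DNS resolution while on the host network
```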

Log collection

Refer to the Kubernetes Log Collection documentation for further information.

Restricted SCC operations

This mode does not require granting special permissions to the datadog-agent daemonset, other than the RBAC permissions needed to access the kubelet and the API server. You can get started with this kubelet-only template.
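As an illustration, the kubelet-facing portion of those RBAC permissions is typically along these lines (a sketch, not the full template referenced above; resource names follow the standard Kubernetes node sub-resources):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: datadog-agent
rules:
  # Read-only access to kubelet endpoints for node and pod metrics
  - apiGroups: [""]
    resources:
      - nodes/metrics
      - nodes/spec
      - nodes/proxy
      - nodes/stats
    verbs: ["get"]
```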

The recommended ingestion method for Dogstatsd, APM, and logs is to bind the Datadog Agent to a host port. This way, the target IP is constant and easily discoverable by your applications. Because the default restricted OpenShift SCC does not allow binding to host ports, you can set the Agent to listen on its own IP instead, but you will need to handle the discovery of that IP from your applications.
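With a host port binding, applications can discover the Agent through the Kubernetes downward API; for example, pointing the standard DD_AGENT_HOST environment variable at the node's IP:

```yaml
# Application container: address Dogstatsd / APM traffic to the node's IP
env:
  - name: DD_AGENT_HOST
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
```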

The Agent also supports running in a sidecar mode, in which it runs inside your application's pod for easier discoverability.

Host network SCC operations

Add the allowHostPorts permission to the pod (either via the standard hostnetwork or hostaccess SCC, or by creating your own). In this case, you can add the relevant port bindings in your pod specs:

ports:
  - containerPort: 8125
    name: dogstatsdport
    protocol: UDP
  - containerPort: 8126
    name: traceport
    protocol: TCP

Custom Datadog SCC for all features

If SELinux is in permissive mode or disabled, enable the hostaccess SCC to benefit from all features. If SELinux is in enforcing mode, granting the spc_t type to the datadog-agent pod is recommended. To deploy the Agent, you can use the following datadog-agent SCC, which can be applied after creating the datadog-agent service account. It grants the following permissions:

  • allowHostPorts: true: Binds Dogstatsd / APM / Logs intakes to the node’s IP.
  • allowHostPID: true: Enables Origin Detection for Dogstatsd metrics submitted by Unix Socket.
  • volumes: hostPath: Accesses the Docker socket and the host’s proc and cgroup folders, for metric collection.
  • SELinux type: spc_t: Accesses the Docker socket and all processes’ proc and cgroup folders, for metric collection. You can read more about this type in this Red Hat article.
Do not forget to add the datadog-agent service account to the newly created datadog-agent SCC by adding system:serviceaccount:<namespace>:<service_account_name> to the users section.
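Put together, such an SCC might look like the following sketch (the object name, namespace, and volume list are placeholders; field names follow the OpenShift SecurityContextConstraints API):

```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: datadog-agent
users:
  - system:serviceaccount:<namespace>:datadog-agent  # placeholder namespace
allowHostPorts: true   # bind Dogstatsd / APM / log intakes to the node's IP
allowHostPID: true     # Origin Detection for Dogstatsd over Unix socket
volumes:
  - configMap
  - hostPath           # Docker socket, host proc and cgroup folders
  - secret
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: spc_t        # access the Docker socket and all processes' proc/cgroup
```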
OpenShift 4.0+: If you used the OpenShift installer on a supported cloud provider, the Agent must run with host networking to get host tags and aliases: set allowHostNetwork: true in the SCC and hostNetwork: true in the Agent's pod specification. Access to the metadata servers from the pod network is otherwise restricted.

Note: The Docker socket is owned by the root group, so you may need to elevate the Agent’s privileges to pull in Docker metrics. To run the Agent process as a root user, you can configure your SCC with the following:

runAsUser:
  type: RunAsAny

Validation

See the kubernetes_apiserver check.

Data Collected

Metrics

openshift.clusterquota.cpu.used
(gauge)
Observed cpu usage by cluster resource quota for all namespaces
Shown as cpu
openshift.clusterquota.cpu.limit
(gauge)
Hard limit for cpu by cluster resource quota for all namespaces
Shown as cpu
openshift.clusterquota.cpu.remaining
(gauge)
Remaining available cpu by cluster resource quota for all namespaces
Shown as cpu
openshift.clusterquota.memory.used
(gauge)
Observed memory usage by cluster resource quota for all namespaces
Shown as byte
openshift.clusterquota.memory.limit
(gauge)
Hard limit for memory by cluster resource quota for all namespaces
Shown as byte
openshift.clusterquota.memory.remaining
(gauge)
Remaining available memory by cluster resource quota for all namespaces
Shown as byte
openshift.clusterquota.pods.used
(gauge)
Observed pods usage by cluster resource quota for all namespaces
openshift.clusterquota.pods.limit
(gauge)
Hard limit for pods by cluster resource quota for all namespaces
openshift.clusterquota.pods.remaining
(gauge)
Remaining available pods by cluster resource quota for all namespaces
openshift.clusterquota.services.used
(gauge)
Observed services usage by cluster resource quota for all namespaces
openshift.clusterquota.services.limit
(gauge)
Hard limit for services by cluster resource quota for all namespaces
openshift.clusterquota.services.remaining
(gauge)
Remaining available services by cluster resource quota for all namespaces
openshift.clusterquota.persistentvolumeclaims.used
(gauge)
Observed persistent volume claims usage by cluster resource quota for all namespaces
openshift.clusterquota.persistentvolumeclaims.limit
(gauge)
Hard limit for persistent volume claims by cluster resource quota for all namespaces
openshift.clusterquota.persistentvolumeclaims.remaining
(gauge)
Remaining available persistent volume claims by cluster resource quota for all namespaces
openshift.clusterquota.services.nodeports.used
(gauge)
Observed service node ports usage by cluster resource quota for all namespaces
openshift.clusterquota.services.nodeports.limit
(gauge)
Hard limit for service node ports by cluster resource quota for all namespaces
openshift.clusterquota.services.nodeports.remaining
(gauge)
Remaining available service node ports by cluster resource quota for all namespaces
openshift.clusterquota.services.loadbalancers.used
(gauge)
Observed service load balancers usage by cluster resource quota for all namespaces
openshift.clusterquota.services.loadbalancers.limit
(gauge)
Hard limit for service load balancers by cluster resource quota for all namespaces
openshift.clusterquota.services.loadbalancers.remaining
(gauge)
Remaining available service load balancers by cluster resource quota for all namespaces
openshift.appliedclusterquota.cpu.used
(gauge)
Observed cpu usage by cluster resource quota and namespace
Shown as cpu
openshift.appliedclusterquota.cpu.limit
(gauge)
Hard limit for cpu by cluster resource quota and namespace
Shown as cpu
openshift.appliedclusterquota.cpu.remaining
(gauge)
Remaining available cpu by cluster resource quota and namespace
Shown as cpu
openshift.appliedclusterquota.memory.used
(gauge)
Observed memory usage by cluster resource quota and namespace
Shown as byte
openshift.appliedclusterquota.memory.limit
(gauge)
Hard limit for memory by cluster resource quota and namespace
Shown as byte
openshift.appliedclusterquota.memory.remaining
(gauge)
Remaining available memory by cluster resource quota and namespace
Shown as byte
openshift.appliedclusterquota.pods.used
(gauge)
Observed pods usage by cluster resource quota and namespace
openshift.appliedclusterquota.pods.limit
(gauge)
Hard limit for pods by cluster resource quota and namespace
openshift.appliedclusterquota.pods.remaining
(gauge)
Remaining available pods by cluster resource quota and namespace
openshift.appliedclusterquota.services.used
(gauge)
Observed services usage by cluster resource quota and namespace
openshift.appliedclusterquota.services.limit
(gauge)
Hard limit for services by cluster resource quota and namespace
openshift.appliedclusterquota.services.remaining
(gauge)
Remaining available services by cluster resource quota and namespace
openshift.appliedclusterquota.persistentvolumeclaims.used
(gauge)
Observed persistent volume claims usage by cluster resource quota and namespace
openshift.appliedclusterquota.persistentvolumeclaims.limit
(gauge)
Hard limit for persistent volume claims by cluster resource quota and namespace
openshift.appliedclusterquota.persistentvolumeclaims.remaining
(gauge)
Remaining available persistent volume claims by cluster resource quota and namespace
openshift.appliedclusterquota.services.nodeports.used
(gauge)
Observed service node ports usage by cluster resource quota and namespace
openshift.appliedclusterquota.services.nodeports.limit
(gauge)
Hard limit for service node ports by cluster resource quota and namespace
openshift.appliedclusterquota.services.nodeports.remaining
(gauge)
Remaining available service node ports by cluster resource quota and namespace
openshift.appliedclusterquota.services.loadbalancers.used
(gauge)
Observed service load balancers usage by cluster resource quota and namespace
openshift.appliedclusterquota.services.loadbalancers.limit
(gauge)
Hard limit for service load balancers by cluster resource quota and namespace
openshift.appliedclusterquota.services.loadbalancers.remaining
(gauge)
Remaining available service load balancers by cluster resource quota and namespace

Events

The OpenShift check does not include any events.

Service Checks

The OpenShift check does not include any Service Checks.

Troubleshooting

Need help? Contact Datadog support.