In a previous article, I show you how you can deploy a OPA Gatekeeper solution in your AKS cluster. We saw together how we can monitor the number of OPA gatekeeper violation in a second article.
In this article I will show how you can deploy a dashboard to monitor your OPA Gatekeeper violations. I will recommend you to use the solution Gatekeeper Policy Manager (GPM) created by Sighupio.
It’s very easy to deploy this solution, please clone the following repository and run this command to deploy the solution:
kubectl apply -k .
Once you’ve deployed the application, if you haven’t set up an ingress, you can access the web-UI using port-forward:
In this article, I would to show you a new feature of AKS, the goal of this feature is to automate the upgrade of your AKS cluster.
4 channels are available:
Channel
Action
Example
none
disables auto-upgrades and keeps the cluster at its current version of Kubernetes
Default setting if left unchanged
patch
automatically upgrade the cluster to the latest supported patch version when it becomes available while keeping the minor version the same.
For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.17.9
stable
automatically upgrade the cluster to the latest supported patch release on minor version N-1, where N is the latest supported minor version.
For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.18.6.
rapid
automatically upgrade the cluster to the latest supported patch release on the latest supported minor version.
In cases where the cluster is at a version of Kubernetes that is at an N-2 minor version where N is the latest supported minor version, the cluster first upgrades to the latest supported patch version on N-1 minor version. For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster first is upgraded to 1.18.6, then is upgraded to 1.19.1.
# - Requirements
az feature register --namespace Microsoft.ContainerService -n AutoUpgradePreview
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AutoUpgradePreview')].{Name:name,State:properties.state}"
az provider register --namespace Microsoft.ContainerService
# - Create a new cluster with the auto-upgrade feature
az aks create --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable --generate-ssh-keys
# - Update an existing cluster with the auto-upgrade feature
az aks update --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable
In this article, I will show you how you can configure a Prometheus and Grafana solution to monitor your OPA Gatekeeper policies. The requirement is to have an existing Prometheus and Grafana stack deployed. If you don’t have an OPA Gatekeeper deployed in your AKS cluster, please follow the step of this article.
By default, when you deploy OPA Gatekeeper inside your kubernetes cluster, some OPA Gatekeeper metrics are already exposed for you! The idea is to consume these metrics via Prometheus and use Grafana to create a dashboard. In this example, we will create a new Grafana Dashboard to expose the number of violation of our dry-run OPA policies.
We will use the prometheus scrape feature to collect the OPA metrics. I will recommend you to edit the configuration of the OPA gatekeeper audit pod and add these following configuration lines:
In conclusion, we saw how you can configure Prometheus and Grafana to monitor the number of OPA gatekeeper violations. Do not hesitate to read the official documentation of OPA gatekeeper, other metrics are available to help you to monitor your OPA gatekeeper solution (Current number of known constraints, Number of observed constraint templates, …).