Container Service for Kubernetes (ACK) provides the alert management feature to allow you to centrally configure alerting for containers. You can configure alert rules to get notified when a service exception occurs or one of the following metrics exceeds the threshold: key metrics of basic cluster resources, metrics of core cluster components, and application metrics. You can modify the default alert rules of a cluster by deploying CustomResourceDefinitions (CRDs) in the cluster. This allows you to detect abnormal changes in the cluster.
Feature introduction
Alerts that are triggered by events of cluster exceptions. The event data is synchronized from the event center of ACK. You must enable the Kubernetes event center feature of Simple Log Service and Managed Service for Prometheus. For more information, see Event monitoring and Managed Service for Prometheus.
Alerts that are triggered when the key metrics of basic cluster resources exceed thresholds. The metrics are synchronized from CloudMonitor. For more information, see Monitor basic resources.
Scenarios
Cluster O&M
You can configure alert rule sets to detect exceptions in cluster management, storage, networks, and elastic scaling at the earliest opportunity:
Alert rule set for resource exceptions: notifies you when the key metrics of basic cluster resources exceed thresholds. Alerts are triggered when key metrics, such as CPU usage, memory usage, and network latency, exceed the specified thresholds. If you receive alert notifications, you can take measures to ensure cluster stability.
Alert rule set for cluster exceptions: notifies you of node or container exceptions. Alerts are triggered upon events such as Docker process exceptions, node process exceptions, or pod startup failures.
Alert rule set for storage exceptions: notifies you of storage changes and exceptions.
Alert rule set for network exceptions: notifies you of network changes and exceptions.
Alert rule set for O&M exceptions: notifies you of changes and exceptions that are related to cluster control.
Application development
You can configure alert rules to get notified of exceptions and abnormal metrics of running applications in the cluster. For example, you can configure alert rules to receive notifications about exceptions of pod replicas and when the CPU and memory usage of a Deployment exceeds the thresholds. You can use the default alert rule template to quickly set up alerts to receive notifications about exceptions of pod replicas in the cluster. For example, you can configure and enable the alert rule set for pod exceptions to get notified of exceptions in the pods of your application.
Application management
To get notified of the issues that occur throughout the lifecycle of an application, we recommend that you take note of application health, capacity planning, cluster stability, exceptions, and errors. You can configure and enable the alert rule set for critical events to get notified of warnings and errors in the cluster. You can configure and enable the alert rule set for resource exceptions to get notified of abnormal resource usage in the cluster and optimize capacity planning.
Multi-cluster management
When you manage multiple clusters, you may find it a complex task to configure and synchronize alert rules across the clusters. ACK allows you to deploy CRDs in the cluster to manage alert rules. You can configure the same CRDs to synchronize alert rules across multiple clusters.
Step 1: Enable alert management
You can enable alert management only for ACK managed clusters and ACK dedicated clusters.
Enable Managed Service for Prometheus when you create a cluster
On the Component Configurations wizard page, select Use Default Alert Rule Template on the right of Alerts and select a contact group. For more information, see Create an ACK managed cluster.
After the cluster is created, the system automatically enables default alert rules for the cluster and sends notifications to the default contact group when the default alert rules are triggered. You can modify the information of an alert contact or alert contact group. For more information, see Modify an alert contact or alert contact group.
Enable Managed Service for Prometheus for an existing cluster
To enable Managed Service for Prometheus for an existing cluster, perform the following steps:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Alerts page, follow the on-screen instructions to install and update the required components.
The ACK console automatically checks whether the cluster meets the following conditions and provides instructions on how to activate, install, and update the required components.
If not all conditions are met, follow the on-screen instructions to install or update the required components.
Simple Log Service is activated. If Log Service is not activated, log on to the Log Service console and follow the on-screen instructions to activate the service.
For more information about the billing rules of Simple Log Service, see Billable items of pay-by-feature.
Event Center is installed. For more information, see Event monitoring.
The alicloud-monitor-controller component is updated to the latest version. For more information, see alicloud-monitor-controller.
After you install and update the required components, you can configure alert rules on the Alerts page.
On the Alert Rules tab, select an alert rule set and turn on Status to enable the alert rule set. You can click Modify Contacts to specify the contact groups to which the alerts are sent.
By default, ACK provides an alert rule template that you can use to generate alerts based on exceptions and metrics.
Alert rules are classified into several alert rule sets. You can enable an alert rule set, disable an alert rule set, and configure multiple alert contact groups for an alert rule set.
An alert rule set contains multiple alert rules. Each alert rule corresponds to an alert item. You can create a YAML file to configure multiple alert rule sets in a cluster. You can also modify the YAML file to update alert rules.
For more information about how to configure alert rules by using a YAML file, see Step 2: Configure alert rules by using CRDs. For more information about the default alert rule template, see Default alert rule template.
The following table describes the tabs on the Alerts page.
Tab | Description |
Alert History | You can view up to 100 historical alerts. You can select an alert and click the link in the Alert Rule column to view rule details in the monitoring system. You can click Details to go to the resource page on which the alert is triggered. The alert may be triggered by an exception or an abnormal metric. |
Alert Contacts | You can create, edit, or delete alert contacts. The alert rule set for resource exceptions includes alert rules for basic node resources. Before an alert contact can receive alerts on basic cluster resources, the mobile phone number and email address of the contact must be verified in the CloudMonitor console. You can view and update information about an alert contact in the CloudMonitor console. If the verification has expired, delete the contact in the CloudMonitor console, and then refresh the Alert Contacts page in the ACK console. |
Alert Contact Groups | You can create, edit, or delete alert contact groups. If no alert contact group exists, the ACK console automatically creates a default alert contact group based on the information that you provided during registration. |
Before you enable alert management and use the default alert rules in an ACK dedicated cluster, you must grant the required permissions to the worker Resource Access Management (RAM) role of the cluster.
The system automatically grants ACK managed clusters the permissions to access resources that are related to the alerting feature of Simple Log Service.
1. Grant permissions to the worker RAM role
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, copy the role name on the right of Worker RAM Role in the Cluster Resources section and click the name to go to the role details page in the RAM console. You can grant permissions to the role in the RAM console.
Create a custom RAM policy based on the following code block. The policy allows all log:*, arms:*, and cms:* actions and the cs:UpdateContactGroup action on all resources. For more information, see Create a custom policy on the JSON tab.
{
    "Action": [
        "log:*",
        "arms:*",
        "cms:*",
        "cs:UpdateContactGroup"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow"
}
On the Roles page, find the worker RAM role of the cluster and attach the preceding custom policy to the role. For more information, see Method 1: Grant permissions to a RAM role by clicking Grant Permission on the Roles page.
Check the component logs to verify that the permissions are granted.
In the left-side navigation pane of the details page, choose .
Set Namespace to kube-system, find alicloud-monitor-controller in the Deployments list, and then click the link in the Name column.
Click the Logs tab and check whether the logs include information that indicates successful authorization.
2. Enable alert management and configure the default alert rules.
In the left-side navigation pane, choose Operations > Alerts.
On the Alerts page, perform the following operations to configure the default alert rules:
On the Alert Rules tab, select an alert rule set and turn on Status to enable the alert rule set. You can click Modify Contacts to specify the contact groups to which the alerts are sent.
Step 2: Configure alert rules by using CRDs
When the alerting feature is enabled, the system automatically creates an AckAlertRule object in the kube-system namespace. The AckAlertRule object contains the default alert rule template. You can modify the AckAlertRule object to change the default alert rules based on your business requirements.
Default alert rule template
The following table describes the alert rules in the default alert rule template.
Configure alert rules
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
In the upper-right corner of the Alert Rules tab, click Configure Alert Rule. In the Alert Rules panel, click YAML in the Actions column to view the configuration of the AckAlertRule object.
You can modify the YAML file based on the preceding description of the default alert rule template.
Example:
apiVersion: alert.alibabacloud.com/v1beta1
kind: AckAlertRule
metadata:
  name: default
spec:
  groups:
    # The following code is a sample alert rule based on cluster events.
    - name: pod-exceptions # The name of the alert rule set. This parameter corresponds to the Group_Name field in the alert rule template.
      rules:
        - name: pod-oom # The name of the alert rule.
          type: event # The type of the alert rule, which corresponds to the Rule_Type parameter. Valid values: event and metric-cms.
          expression: sls.app.ack.pod.oom # The alert rule expression. If you set the rule type to event, the expression is set to the value of Rule_Expression_Id in the default alert rule template.
          enable: enable # The status of the alert rule. Valid values: enable and disable.
        - name: pod-failed
          type: event
          expression: sls.app.ack.pod.failed
          enable: enable
    # The following code is a sample alert rule for basic cluster resources.
    - name: res-exceptions # The name of the alert rule set. This parameter corresponds to the Group_Name field in the alert rule template.
      rules:
        - name: node_cpu_util_high # The name of the alert rule.
          type: metric-cms # The type of the alert rule, which corresponds to the Rule_Type parameter. Valid values: event and metric-cms.
          expression: cms.host.cpu.utilization # The alert rule expression. If you set the rule type to event, the expression is set to the value of Rule_Expression_Id in the default alert rule template.
          contactGroups: # The contact group that is associated with the alert rule. The contacts created by an Alibaba Cloud account are shared by all clusters within the account.
          enable: enable # The status of the alert rule. Valid values: enable and disable.
          thresholds: # The alert threshold. For more information, see the "Modify the alert threshold for basic cluster resources" section of this topic.
            - key: CMS_ESCALATIONS_CRITICAL_Threshold
              unit: percent
              value: '1'
Example - Modify the alert threshold for basic cluster resources by using a CRD
The rule type of the alert rule set for resource exceptions is metric-cms, which indicates that the rules are synchronized from CloudMonitor. The following example shows how to add the thresholds parameter to the CRD created for the alert rule set to which the Node - CPU usage rule belongs. You can use this parameter to configure the alert threshold, the number of times that the CPU usage exceeds the threshold before an alert is triggered, and the silence period after an alert is triggered.
apiVersion: alert.alibabacloud.com/v1beta1
kind: AckAlertRule
metadata:
  name: default
spec:
  groups:
    # The following code is a sample alert rule for basic cluster resources.
    - name: res-exceptions # The name of the alert rule set. This parameter corresponds to the Group_Name field in the alert rule template.
      rules:
        - name: node_cpu_util_high # The name of the alert rule.
          type: metric-cms # The type of the alert rule. Valid values: event and metric-cms.
          expression: cms.host.cpu.utilization # The alert rule expression. If you set the rule type to event, the expression is set to the value of Rule_Expression_Id in the default alert rule template.
          contactGroups: # The contact group associated with the alert rule. You can add contact groups in the ACK console. The contacts created by an Alibaba Cloud account are shared by all clusters within the account.
          enable: enable # The status of the alert rule. Valid values: enable and disable.
          thresholds: # The alert threshold. For more information, see Configure alert rules by using CRDs.
            - key: CMS_ESCALATIONS_CRITICAL_Threshold
              unit: percent
              value: '1'
            - key: CMS_ESCALATIONS_CRITICAL_Times
              value: '3'
            - key: CMS_RULE_SILENCE_SEC
              value: '900'
Parameter | Description | Default |
CMS_ESCALATIONS_CRITICAL_Threshold | The alert threshold. This parameter is required. If you leave this parameter empty, the modification does not take effect and the alert rule is disabled. | The default value is the same as the default value specified in the default alert rule template. |
CMS_ESCALATIONS_CRITICAL_Times | The number of times that the alert threshold is exceeded before an alert is triggered. This parameter is optional. If you leave this parameter empty, the default value is used. | 3 |
CMS_RULE_SILENCE_SEC | The silence period after an alert is triggered. This parameter is used to prevent frequent alerting. Unit: seconds. This parameter is optional. If you leave this parameter empty, the default value is used. | 900 |
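The rules in the parameter table above can be checked before an edited AckAlertRule object is saved, so that a rule is not disabled by an empty threshold without anyone noticing. The following is an added example, not ACK's own code: the function names, the sample object, the rule name sample_empty_threshold and the mistyped type events are constructed for illustration, and treating a rule without a thresholds key as unchanged is an assumption.

```python
VALID_TYPES = {"event", "metric-cms"}   # valid values listed on the page
VALID_STATES = {"enable", "disable"}    # valid values listed on the page
REQUIRED = "CMS_ESCALATIONS_CRITICAL_Threshold"
DEFAULTS = {"CMS_ESCALATIONS_CRITICAL_Times": "3", "CMS_RULE_SILENCE_SEC": "900"}

def lint_ack_alert_rule(obj):
    """Lint one AckAlertRule object (a dict parsed from its YAML or JSON form).
    Returns (findings, effective): findings is a list of (group/rule, message);
    effective maps group/rule to the threshold settings after defaults apply."""
    findings, effective = [], {}
    for group in (obj.get("spec") or {}).get("groups") or []:
        for rule in group.get("rules") or []:
            where = f"{group.get('name')}/{rule.get('name')}"
            if rule.get("type") not in VALID_TYPES:
                findings.append((where, f"unknown type {rule.get('type')!r}"))
            state = rule.get("enable")
            if state not in VALID_STATES:
                findings.append((where, f"unknown enable value {state!r}"))
            elif state == "disable":
                findings.append((where, "rule is disabled"))
            # Assumption: a rule without a thresholds key keeps the template defaults.
            if rule.get("type") != "metric-cms" or "thresholds" not in rule:
                continue
            given = {}
            for item in rule["thresholds"] or []:
                value = item.get("value")
                given[item.get("key")] = "" if value is None else str(value).strip()
            if not given.get(REQUIRED):
                # Per the parameter table: the change is ignored and the rule is disabled.
                findings.append((where, f"{REQUIRED} is empty"))
                continue
            effective[where] = {REQUIRED: given[REQUIRED],
                                **{k: given.get(k) or d for k, d in DEFAULTS.items()}}
    return findings, effective

def sample_rule(name, rtype, state, thresholds=None):
    """Build a constructed sample rule; thresholds is a {key: value} dict or None."""
    r = {"name": name, "type": rtype, "enable": state}
    if thresholds is not None:
        r["thresholds"] = [{"key": k, "value": v} for k, v in thresholds.items()]
    return r

# Constructed sample object, not taken from a real cluster.
SAMPLE = {"apiVersion": "alert.alibabacloud.com/v1beta1", "kind": "AckAlertRule",
          "metadata": {"name": "default"},
          "spec": {"groups": [
              {"name": "pod-exceptions", "rules": [
                  sample_rule("pod-oom", "event", "disable"),
                  sample_rule("pod-failed", "events", "enable")]},
              {"name": "res-exceptions", "rules": [
                  sample_rule("node_cpu_util_high", "metric-cms", "enable", {REQUIRED: "1"}),
                  sample_rule("sample_empty_threshold", "metric-cms", "enable", {REQUIRED: ""})]}]}}

if __name__ == "__main__":
    findings, effective = lint_ack_alert_rule(SAMPLE)
    for where, message in findings:
        print(f"{where}: {message}")
    print(effective)
```

Running the same function over the object exported from each cluster gives a quick way to compare rule sets when the same CRD is meant to be deployed to multiple clusters.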
FAQ
What do I do if I fail to update an alert rule and the following error message is returned: The Project does not exist : k8s-log-xxx?
Issue:
When the system updates an alert rule, the following error message is returned: The Project does not exist : k8s-log-xxx.
Cause:
You did not create an event center in Simple Log Service for your cluster.
Solution:
Go to the Simple Log Service console. Check whether the number of projects has reached the quota limit. If the quota limit is reached, delete excessive projects or submit a ticket to apply for a quota increase. For more information about how to delete a Simple Log Service project, see Manage a project.
Reinstall ack-node-problem-detector.
In the left-side navigation pane of the cluster details page in the ACK console, choose .
If you want to reinstall ack-node-problem-detector by using a YAML file, perform the following steps to obtain a copy of the YAML template of ack-node-problem-detector:
On the Helm page, find ack-node-problem-detector and click Update in the Actions column. After ack-node-problem-detector is updated, click View Details in the Actions column. On the details page of ack-node-problem-detector, select a resource and click View in YAML to copy the YAML content to your on-premises machine. Perform the same operation for each resource to obtain a copy of the YAML template.
On the Helm page, select ack-node-problem-detector and click Delete in the Actions column.
In the left-side navigation pane of the details page, choose .
Click the Log and Monitoring tab, find ack-node-problem-detector, and then click Install.
In the Note message, confirm the versions of the plug-ins and click OK. After ack-node-problem-detector is installed, the word "Installed" and the version information are displayed in the ack-node-problem-detector section.
What do I do if I fail to update an alert rule because no contact group subscribes to the alert rule?
Issue:
When the system updates an alert rule, the following error message is returned: this rule have no xxx contact groups reference.
Cause:
No contact group subscribes to the alert rule.
Solution:
Create a contact group and add contacts.
Find the alert rule and click Modify Contacts. In the Modify Contacts panel, add the contact group that you created as the subscriber.