k8s-image-availability-exporter
k8s-image-availability-exporter (or k8s-iae for short) is a Prometheus exporter that warns you proactively about images that are defined in Kubernetes objects (e.g., an image field in the Deployment) but are not available in the container registry (such as Docker Registry, etc.).
Receiving alerts when container images related to running Kubernetes controllers are missing helps you to solve the problem before it manifests itself. For more details on the reasons behind k8s-iae and how it works, please read this article.
- Deploying / Installing k8s-iae in your Kubernetes cluster
- Prometheus integration to scrape metrics
- Alerting based on k8s-iae metrics
- Configuration
- Metrics for Prometheus provided by k8s-iae
- Compatibility
Deploying
After cloning this repo:
kubectl apply -f deploy/
Prometheus integration
Here's how you can configure Prometheus or prometheus-operator to scrape metrics from k8s-image-availability-exporter.
Prometheus
- job_name: image-availability-exporter
honor_labels: true
metrics_path: '/metrics'
scheme: http
kubernetes_sd_configs:
- role: pod
namespaces:
names:
- kube-system
relabel_configs:
- source_labels: [__meta_kubernetes_pod_label_app]
regex: image-availability-exporter
action: keepprometheus-operator
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: image-availability-exporter
namespace: kube-system
spec:
podMetricsEndpoints:
- port: http-metrics
scheme: http
honorLabels: true
scrapeTimeout: 10s
selector:
matchLabels:
app: image-availability-exporter
namespaceSelector:
matchNames:
- kube-systemAlerting
Here's how to alert based on these metrics:
Prometheus
groups:
- name: image-availability-exporter.rules
rules:
- alert: DeploymentImageUnavailable
expr: |
max by (namespace, deployment, container, image) (
k8s_image_availability_exporter_deployment_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in Deployment `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.
- alert: StatefulSetImageUnavailable
expr: |
max by (namespace, statefulset, container, image) (
k8s_image_availability_exporter_statefulset_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in StatefulSet `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.
- alert: DaemonSetImageUnavailable
expr: |
max by (namespace, daemonset, container, image) (
k8s_image_availability_exporter_daemonset_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in DaemonSet `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.
- alert: CronJobImageUnavailable
expr: |
max by (namespace, cronjob, container, image) (
k8s_image_availability_exporter_cronjob_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in CronJob `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.prometheus-operator
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: image-availability-exporter-alerts
namespace: kube-system
spec:
groups:
- name: image-availability-exporter.rules
rules:
- alert: DeploymentImageUnavailable
expr: |
max by (namespace, deployment, container, image) (
k8s_image_availability_exporter_deployment_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in Deployment `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable.
- alert: StatefulSetImageUnavailable
expr: |
max by (namespace, statefulset, container, image) (
k8s_image_availability_exporter_statefulset_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in StatefulSet `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.
- alert: DaemonSetImageUnavailable
expr: |
max by (namespace, daemonset, container, image) (
k8s_image_availability_exporter_daemonset_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in DaemonSet `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.
- alert: CronJobImageUnavailable
expr: |
max by (namespace, cronjob, container, image) (
k8s_image_availability_exporter_cronjob_available == 0
)
annotations:
description: >
Check image's `{{ $labels.image }}` availability in container registry
in Namespace `{{ $labels.namespace }}`
in CronJob `{{ $labels.owner_name }}`
in container `{{ $labels.container }}` in registry.
summary: Image `{{ $labels.image }}` is unavailable in container registry.Configuration
Command-line options
--bind-address— IP address and port to bind to.- Default:
:8080
- Default:
--check-interval— interval for checking absent images. In Gotimeformat.- Default:
5m
- Default:
--ignored-images— comma-separated list of images to ignore while checking absent images.--skip-registry-cert-verification— whether to skip registries' certificate verification.--namespace— inspect specific namespace instead of whole k8s cluster.
Metrics
The following metrics for Prometheus are provided:
k8s_image_availability_exporter_<TYPE>_available— non-zero indicates successful image check.k8s_image_availability_exporter_<TYPE>_bad_image_format— non-zero indicates incorrectimagefield format.k8s_image_availability_exporter_<TYPE>_absent— non-zero indicates an image's manifest absence from container registry.k8s_image_availability_exporter_<TYPE>_registry_unavailable— non-zero indicates general registry unavailiability, perhaps, due to network outage.k8s_image_availability_exporter_deployment_registry_v1_api_not_supported— non-zero indicates v1 Docker Registry API, these images are best ignored with--ignored-imagescmdline parameter.k8s_image_availability_exporter_<TYPE>_authentication_failure— non-zero indicates authentication error to container registry, verify imagePullSecrets.k8s_image_availability_exporter_<TYPE>_authorization_failure— non-zero indicates authorization error to container registry, verify imagePullSecrets.k8s_image_availability_exporter_<TYPE>_unknown_error— non-zero indicates an error that failed to be classified, consult exporter's logs for additional information.
Each <TYPE> in the exporter's metrics name is replaced with the following values:
deploymentstatefulsetdaemonsetcronjob
Compatibility
k8s-image-availability-exporter is compatible with Kubernetes 1.15+ and Docker Registry V2 compliant container registries.
Since the exporter operates as a Deployment, it does not support container registries that should be accessed via authorization on a node.