Scraping Istio metrics from Prometheus Operator (e.g. using ServiceMonitor)

Ghazgkull · June 8, 2021, 11:07pm

I am deploying Prometheus/Alertmanager/Grafana to my cluster using the latest kube-prometheus-stack helm chart (formerly known as the prometheus operator helm chart).

This chart provides the Helm Operator CRDs like ServiceMonitor and PodMonitor, which are really nice for exposing metrics to Prometheus. I’ve got a ServiceMonitor defined to pull in my custom workload metrics and the operator already includes monitors to pull in general Kubernetes cluster metrics, but I’m not sure how to proceed with Istio.

I’m curious about both the architecture of Istio metrics collection and the practical configuration side of things. With the current Istio architecture, am I right to guess that all metrics for the mesh will be exposed from Istiod? Or do I need to have Prometheus pull metrics directly from envoy containers in the mesh somehow?

Assuming all metrics are collected and exposed by Istiod, I would imagine that I can create a ServiceMonitor which targets the Istiod service in the istio-system namespace and scrape that? If I run kubectl get endpoints -n istio-system istiod-1-9-5 -o yaml, I see an endpoint named http-monitoring. Is that maybe a metrics endpoint?

I guess I’m wondering also if anyone out there has already tackled this problem. Is there any configuration available to pull Istio metrics into the Prometheus Operator, using a ServiceMonitor or PodMonitor? Thanks.

Ghazgkull · June 14, 2021, 9:47pm

I don’t know if this is optimal or not, but I’ve currently got some configuration which appears to be working. I’m defining a ServiceMonitor for Isiod and the ingress-gateway, since those both have services. And I’m defining a PodMonitor to scrape metrics from the injected sidecar containers in my other pods.

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: istio-sidecars
spec:
  selector:
    matchLabels:
      security.istio.io/tlsMode: 'istio'
  podMetricsEndpoints:
    - port: http-envoy-prom
      path: /stats/prometheus
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-ingressgateway
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  namespaceSelector:
    matchNames:
      - istio-system
  endpoints:
    - targetPort: http-envoy-prom
      path: /stats/prometheus
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istiod
spec:
  selector:
    matchLabels:
      istio: pilot
  namespaceSelector:
    matchNames:
      - istio-system
  endpoints:
    - port: http-monitoring
      interval: 15s

Hope this helps someone else. And very open to feedback if there’s a better way to pull these metrics.

breuerjo · July 5, 2021, 3:33pm

Thanks for sharing the useful configuration. Additionally, the ServiceMonitor resources have to be labelled to be automatically recognized by prometheus. In my case I had to add the following label:

labels:
    release: prometheus-stack

ViRus · August 20, 2021, 2:11pm

I was also wondering how to make Istio work with Prometheus Operator and found this:

github.com

istio/istio/blob/0c4570a10cb012a6f63796dcc6ec72d83599f1c7/samples/addons/extras/prometheus-operator.yaml

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: envoy-stats-monitor
  namespace: istio-system
  labels:
    monitoring: istio-proxies
    release: istio
spec:
  selector:
    matchExpressions:
    - {key: istio-prometheus-ignore, operator: DoesNotExist}
  namespaceSelector:
    any: true
  jobLabel: envoy-stats
  podMetricsEndpoints:
  - path: /stats/prometheus
    interval: 15s
    relabelings:
    - action: keep

This file has been truncated. show original

Ghazgkull · August 20, 2021, 5:39pm

I use the PodMonitor and ServiceMonitor CRDs I shared above exactly as-is with the PrometheusOperator, which I deploy via helm with the kube-prometheus-stack helm chart. helm-charts/charts/kube-prometheus-stack at main · prometheus-community/helm-charts · GitHub

Whether you need any other labels or selectors really depends on how you have the PrometheusOperator configured. I have it set up so that it finds all PodMonitors and ServiceMonitors in any namespace in my cluster.

Marcos_Muniz · December 12, 2022, 3:37pm

Hello Ghazgkull
I deployed it as mentioned, saved the file inside along with other "ServiceMonitor"s inside :
kube-prometheus-stack > templates > istio (mkdir) > servicemonitor.yaml (your file), but it didn’t work… in Service Discovery prometheus it’s possible to see some labels as mentioned, but it doesn’t work… Do you have any tips?

Checking the istio it has as mentioned the service and the http-monitoring endpoint, creating a PF for it it returns a 404 code, what could be wrong?

AurimasNav · January 19, 2023, 11:09am

just to clarify to others stumbling on this post, if you want your podMonitor to discover all sidecars across all namespaces, you should add:

spec:
  namespaceSelector:
    any: true

Topic		Replies	Views
ServiceMonitors needed for using Istio 1.7 with Prometheus Operator on Kubernetes 1.19	9	6460	June 8, 2021
Understanding the Istio Prometheus scraping configuration Policies and Telemetry	0	2583	July 13, 2022
Grafana Pilot Dashboard xDS metrics missing Kiali	2	871	August 14, 2019
Prometheus alerting on Istio Components	30	9834	October 8, 2021
Istio 1.5.1 Operator, Mixerless Metrics with Prometheus Operator	9	2513	May 15, 2020

Scraping Istio metrics from Prometheus Operator (e.g. using ServiceMonitor)

Related topics