Knative Serving / SRVKS-767

[DOC] ServiceMonitor/metrics broken by mTLS strict (document workaround)


      Users should know that for 1.16.0:

      a) If Istio is enabled with mTLS, metrics for Serving are disabled by default because Service Mesh blocks Prometheus from scraping them.

      b) To enable them, they have to do the following:

      • Specify `prometheus` explicitly as the metrics backend in the KnativeServing instance by adding the following (this avoids metrics being disabled by default):
        apiVersion: operator.knative.dev/v1alpha1
        kind: KnativeServing
        metadata:
          name: knative-serving
        spec:
          config:
            observability:
              metrics.backend-destination: "prometheus"
        .....
        
      • Apply the following network policy to allow traffic from the Prometheus namespace:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        metadata:
          name: allow-from-openshift-monitoring-ns
          namespace: knative-serving
        spec:
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  name: "openshift-monitoring"
          podSelector: {}
          policyTypes:
          - Ingress
        
      • Finally, modify the default ServiceMeshControlPlane (SMCP) in the istio-system namespace and add:
        spec:
          proxy:
            networking:
              trafficControl:
                inbound:
                  excludedPorts:
                  - 8444
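
One way to audit that the three changes above are applied and no wider than documented, as an added example that is not part of the original issue or of the Knative or OpenShift code. It takes the three objects as dicts (for instance parsed from `oc get <kind> <name> -o json`); the function names and sample objects are constructed for illustration. Ports in excludedPorts bypass the sidecar, so the check also flags any excluded port other than 8444.

```python
METRICS_PORT = 8444                   # port excluded in the SMCP step
MONITORING_NS = "openshift-monitoring"

def check_knative_serving(ks):
    obs = ks.get("spec", {}).get("config", {}).get("observability", {})
    if obs.get("metrics.backend-destination") != "prometheus":
        return ["KnativeServing: metrics.backend-destination is not 'prometheus'"]
    return []

def check_network_policy(np):
    findings, spec = [], np.get("spec", {})
    if np.get("metadata", {}).get("namespace") != "knative-serving":
        findings.append("NetworkPolicy: not in namespace knative-serving")
    rules = spec.get("ingress") or []
    if not rules:
        findings.append("NetworkPolicy: no ingress rule for the monitoring namespace")
    for rule in rules:
        peers = rule.get("from") or []
        if not peers:  # a rule without 'from' admits every source
            findings.append("NetworkPolicy: ingress rule admits every source")
        for peer in peers:
            labels = (peer.get("namespaceSelector") or {}).get("matchLabels", {})
            if labels != {"name": MONITORING_NS}:
                findings.append(f"NetworkPolicy: unexpected peer {peer}")
    return findings

def check_smcp(smcp):
    inbound = (smcp.get("spec", {}).get("proxy", {}).get("networking", {})
               .get("trafficControl", {}).get("inbound", {}))
    ports = {int(p) for p in inbound.get("excludedPorts", [])}
    findings = []
    if METRICS_PORT not in ports:
        findings.append(f"SMCP: port {METRICS_PORT} is not excluded")
    extra = sorted(ports - {METRICS_PORT})  # every extra port also skips the sidecar
    if extra:
        findings.append(f"SMCP: extra excluded ports {extra}")
    return findings

def audit(ks, np, smcp):
    return check_knative_serving(ks) + check_network_policy(np) + check_smcp(smcp)

# Constructed sample objects mirroring the three manifests above.
KS = {"spec": {"config": {"observability": {"metrics.backend-destination": "prometheus"}}}}
NP = {"metadata": {"name": "allow-from-openshift-monitoring-ns", "namespace": "knative-serving"},
      "spec": {"ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": MONITORING_NS}}}]}],
               "podSelector": {}, "policyTypes": ["Ingress"]}}
SMCP = {"spec": {"proxy": {"networking": {"trafficControl": {"inbound": {"excludedPorts": [8444]}}}}}}

if __name__ == "__main__":
    for finding in audit(KS, NP, SMCP) or ["workaround applied as documented"]:
        print(finding)
```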
        

              abrennan@redhat.com Ashleigh Brennan (Inactive)
              skontopo@redhat.com Stavros Kontopoulos