Enable Enrichment of AWS Metrics
In the account where you installed Kloudfuse to capture the metrics, perform these steps.
The metrics that AWS CloudWatch sends to the Kinesis Firehose carry only minimal labels. Kloudfuse can attach additional labels (including user-defined custom tags from the AWS console) to the ingested metrics. It does this by scraping the AWS APIs for the resources behind the metrics.
To enable enrichment of AWS metrics, follow these steps:
Step 1: Modify yaml
Add the following configuration in the global section of the custom values.yaml:
```yaml
global:
  enrichmentEnabled:
    - aws
```
Because Kfuse scrapes the additional labels from AWS before attaching them to the metrics, it needs an IAM policy with the permissions listed in the next step.
Step 2: Create an IAM scraper role in the AWS account where the services are running
In the account that runs the services whose metrics you want to capture, create an IAM scraper role and attach the following policy to it so that Kloudfuse can scrape the additional labels from AWS. Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html for assistance. The permissions are shown here as a complete policy document; Resource is "*" because the scraper has to enumerate resources across the account, and every action is a read-only list, describe or get call.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:ListTagsForCertificate",
        "apigateway:GET",
        "athena:ListWorkGroups",
        "athena:ListTagsForResource",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNatGateways",
        "ec2:DescribeVolumes",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListServices",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeServices",
        "ecs:ListTagsForResource",
        "elasticache:DescribeCacheClusters",
        "elasticache:ListTagsForResource",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeBackupPolicy",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeLoadBalancers",
        "es:ListDomainNames",
        "es:DescribeDomains",
        "es:ListTags",
        "events:ListRules",
        "events:ListTagsForResource",
        "events:ListEventBuses",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:ListTagsForDeliveryStream",
        "glue:ListJobs",
        "glue:GetTags",
        "kafka:ListTagsForResource",
        "kafka:ListClustersV2",
        "kinesis:ListStreams",
        "kinesis:ListTagsForStream",
        "kinesis:DescribeStream",
        "lambda:GetPolicy",
        "lambda:List*",
        "lambda:ListTags",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "mq:ListBrokers",
        "mq:DescribeBroker",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "rds:DescribeEvents",
        "redshift:DescribeClusters",
        "redshift:DescribeTags",
        "route53:ListHealthChecks",
        "route53:ListTagsForResource",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "wafv2:ListWebACLs",
        "wafv2:ListRuleGroups",
        "wafv2:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```
Make sure the permissions are mapped to the node pool that is actually used by the EKS cluster where Kloudfuse is hosted.
Step 3.1: Create an IAM scraper role and attach the policy that allows scraping AWS labels
Follow the instructions on the AWS page to create the IAM policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html
Step 3.2: Use one of the following options for Kfuse to consume the policy created above
Option 1: Add your AWS credentials as a secret and use the secret in the ingester config.
For the next step you need the AWS access key ID and secret access key of an identity that has the scraper policy attached.
Create a Kubernetes secret named "aws-access-key" with the keys "accessKey" and "secretKey" in the kfuse namespace:
```shell
kubectl create secret generic aws-access-key -n kfuse \
  --from-literal=accessKey=<AWS_ACCESS_KEY_ID> \
  --from-literal=secretKey=<AWS_SECRET_ACCESS_KEY>
```
Specify the secretName in the custom values.yaml:
```yaml
ingester:
  config:
    awsScraper:
      secretName: aws-access-key
```
Kfuse by default attempts to scrape all regions and all AWS namespaces. This can be customized by adding the following configuration to the custom values.yaml:
```yaml
ingester:
  config:
    awsScraper:
      secretName: aws-access-key
      namespaces:
        - <add namespace>
      regions:
        - <add region>
```
Do a helm upgrade for the changes to take effect:
```shell
helm upgrade --create-namespace --install kfuse . -f <custom_values.yaml>
```
Option 2: Add Role ARNs in the ingester config.
With this option, Kfuse can be configured to scrape multiple AWS accounts.
Add the scraper Role ARNs (created with the permissions above) to the awsRoleArns list in your custom values.yaml:
```yaml
ingester:
  config:
    awsRoleArns:
      - role: <ADD ROLE ARN HERE>
```
Kfuse by default attempts to scrape all regions and all AWS namespaces. This can be customized by adding the following configuration to the custom values.yaml:
```yaml
ingester:
  config:
    awsRoleArns:
      - role: <ADD ROLE ARN HERE>
        namespaces:
          - <add namespace>
        regions:
          - <add region>
```
Modify the Trust Relationship of the scraper role so that the node-group role (the Node IAM Role ARN) on which Kloudfuse is running is the Principal allowed to assume it:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-NUMBER:role/eksctl-XXXXX-nodegroup-ng-XXXXXX-NodeInstanceRole-XXXXXXXXXX"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Make sure the node role named in the trust policy belongs to the node pool that is actually used by the EKS cluster where Kloudfuse is hosted.
Step 4: Modify the node-group IAM role on which Kloudfuse is running
The node-group role (the Node IAM Role ARN) on which Kloudfuse is running also needs the following permissions policy so that it can assume the scraper role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<REPLACE SCRAPER ROLE ARN HERE>"
    }
  ]
}
```
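The three IAM documents on this page (the scraper permissions policy from Step 2, the scraper role's trust policy from Option 2, and the node-group AssumeRole policy from Step 4) are easy to get subtly wrong: a write action slipped into the scraper policy, a "*" principal in the trust policy, or a "*" Resource on the node role would each hand out far more than the scraper needs. The following script is an added example, not Kloudfuse code, that checks those least-privilege properties offline before the documents are attached in AWS. The account numbers, role names and the policy snippets it checks are constructed placeholders; substitute your real ARNs and paste in your real policy JSON.

```python
"""Offline least-privilege checks for the IAM documents this page asks for.

Added example, not Kloudfuse code. Flags write actions or wildcards in the
scraper policy, a wildcard or foreign principal in the trust policy, and a
"*" Resource on the node-group role. All ARNs are constructed placeholders.
"""
import json

# Constructed placeholders: replace with the real node-group and scraper role ARNs.
NODE_ROLE_ARN = "arn:aws:iam::111111111111:role/eksctl-demo-nodegroup-ng-1-NodeInstanceRole-EXAMPLE"
SCRAPER_ROLE_ARN = "arn:aws:iam::222222222222:role/kfuse-aws-scraper"

# Verbs the scraper legitimately needs; apigateway:GET is the REST-style equivalent.
READ_ONLY_PREFIXES = ("List", "Describe", "Get", "GET")

# A constructed subset of the scraper permissions policy from Step 2.
SCRAPER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["apigateway:GET", "cloudwatch:ListMetrics", "ec2:DescribeInstances",
               "lambda:List*", "s3:GetBucketTagging"],
    "Resource": "*"
  }]
}"""

# A constructed policy containing two actions a metrics scraper must never have.
OVERBROAD_SCRAPER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "s3:PutObject", "iam:*"],
                "Resource": "*"}
}"""

# The trust policy from Option 2 with the node-group role as the only principal.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": NODE_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
})

# The node-group policy from Step 4, scoped to the single scraper role.
NODE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "sts:AssumeRole",
                   "Resource": SCRAPER_ROLE_ARN}],
})


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_json):
    statements = _as_list(json.loads(policy_json)["Statement"])
    return [s for s in statements if s.get("Effect") == "Allow"]


def check_scraper_policy(policy_json):
    """Return the allowed actions that are not read-only (empty list means OK)."""
    bad = []
    for stmt in _allow_statements(policy_json):
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or not service:
                bad.append(action)  # global or service-wide wildcard
            elif not verb.startswith(READ_ONLY_PREFIXES):
                bad.append(action)  # mutating verb such as Put/Create/Delete
    return bad


def check_trust_policy(trust_json, expected_principal_arn):
    """Return problems with who may assume the scraper role (empty list means OK)."""
    problems = []
    for stmt in _allow_statements(trust_json):
        if _as_list(stmt["Action"]) != ["sts:AssumeRole"]:
            problems.append(f"unexpected action(s) {stmt['Action']}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*" or not str(p).startswith("arn:aws:iam::"):
                problems.append(f"overly broad principal {p!r}")  # any account could assume it
            elif p != expected_principal_arn:
                problems.append(f"unexpected principal {p}")
    return problems


def check_node_role_policy(policy_json, scraper_role_arn):
    """Return problems with the node role's AssumeRole grant (empty list means OK)."""
    problems = []
    for stmt in _allow_statements(policy_json):
        if _as_list(stmt["Action"]) != ["sts:AssumeRole"]:
            problems.append(f"unexpected action(s) {stmt['Action']}")
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                problems.append("Resource '*' lets the node role assume any role that trusts it")
            elif resource != scraper_role_arn:
                problems.append(f"unexpected resource {resource}")
    return problems


if __name__ == "__main__":
    print("scraper policy:", check_scraper_policy(SCRAPER_POLICY) or "OK")
    print("overbroad policy:", check_scraper_policy(OVERBROAD_SCRAPER_POLICY))
    print("trust policy:", check_trust_policy(TRUST_POLICY, NODE_ROLE_ARN) or "OK")
    print("node role policy:", check_node_role_policy(NODE_ROLE_POLICY, SCRAPER_ROLE_ARN) or "OK")
```

Run it before creating the role and again after any later edit to the policies. The read-only check is deliberately a prefix match on the API verb, which matches every action on this page (including lambda:List*) while rejecting anything that mutates state; the trust and node-role checks insist on one specific ARN on each side of the AssumeRole relationship, which is what keeps a role in another account, or any other role in the cluster, from using the scraper's permissions.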
Step 5: Helm upgrade
Do a helm upgrade for the changes to take effect:
```shell
helm upgrade --create-namespace --install kfuse . -f <custom_values.yaml>
```