From f90bbc3d6bfba992831eb216161990eae1098ae5 Mon Sep 17 00:00:00 2001 From: Max Leonard Inden Date: Fri, 1 Mar 2019 11:34:38 +0100 Subject: [PATCH] src/k8s.io/apiserver: Increase cert expiration histogram resolution The `certificate_expiration_seconds` histogram measures the remaining time of client certificates used to authenticate to the API server. It records the lifetime of received client request certificates in buckets of 6h, 12h, ..., 1y. In environments with automated certificate rotation it is not uncommen to have issued certificates expire in less than the above mentioned minimum bucket of 6h. In such environments the above histogram is useless given that every request will be recorded in the first bucket. This patch increases the histogram resolution by adding a 30m, 1h and 2h bucket. Prometheus histogram buckets are cummulative, e.g. the 12h bucket is counting _all_ records with an expiration date lower or equal to 12h including _all_ requests of the 6h bucket. Thereby this patch does not break existing monitoring setups. This histogram is exposed once per API server, thereby the 3 additional time series do not cause a cardinality issue. --- .../k8s.io/apiserver/pkg/authentication/request/x509/x509.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go index bc875adacf1..5e91034aa24 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/x509/x509.go @@ -39,6 +39,9 @@ var clientCertificateExpirationHistogram = prometheus.NewHistogram( Help: "Distribution of the remaining lifetime on the certificate used to authenticate a request.", Buckets: []float64{ 0, + (30 * time.Minute).Seconds(), + (1 * time.Hour).Seconds(), + (2 * time.Hour).Seconds(), (6 * time.Hour).Seconds(), (12 * time.Hour).Seconds(), (24 * time.Hour).Seconds(),