Update Container Insights EKS Prometheus documentation #554

Open: wants to merge 1 commit into base: main
39 changes: 26 additions & 13 deletions src/docs/getting-started/container-insights/eks-prometheus.mdx
Expand Up @@ -17,19 +17,32 @@ This section explains how to set up Prometheus monitoring with the ADOT Collecto

To deploy these sample workloads, please follow the above links for guidance.

## Set Up IAM Policy
To use the ADOT Collector to collect Prometheus metrics, make sure the following policies are attached to your node instance role.

```bash
AmazonEKSWorkerNodePolicy
AmazonEKS_CNI_Policy
AmazonEC2ContainerRegistryReadOnly
CloudWatchAgentServerPolicy
AmazonSSMManagedInstanceCore
AWSXrayWriteOnlyAccess
AWSXRayDaemonWriteAccess
AmazonS3ReadOnlyAccess
AmazonPrometheusFullAccess
### Use your IAM role to launch the ADOT Collector
You can associate your IAM role to your EKS service account using [IRSA](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html). Your service account can then provide AWS permissions to the containers you run in any pod that use that service account. You must use this command for each cluster where you're installing ADOT to grant your AWS service account permissions.
Follow these steps to associate your IAM role to your EKS service account using IRSA:

1. Create an IAM OIDC provider for your cluster by following the steps in the link below:
* [Create an IAM OIDC provider for your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
2. Create your service account and IAM role. In this command, you must have values for the following flags:
* For the `--name` flag, add the name of the service account you want to create; for this example we will name it `adot-collector`.
* For the `--namespace` flag, use the namespace your service account will reside in; for our example we will use the default namespace.
* For the `--cluster` flag, use the name of your cluster.
* The three `--attach-policy-arn` values are the policies to be attached. These three policies are the policies needed for each service we want to export to. If you only plan on using 1 or 2 of the services, you only need to attach the policies for that service:
* `arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess` grants write access to the Prometheus service.
* `arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess` grants write access to the AWS X-Ray service.
* `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` grants access to write the CloudWatch service.
* The `--override-existing-serviceaccounts` flag is for if you have a service account already created in the cluster without an IAM Role. You can exclude this if that is not the case.

```console
eksctl create iamserviceaccount \
--name adot-collector \
--namespace default \
--cluster <your_cluster_name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess \
--attach-policy-arn arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess \
--attach-policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy \
--approve \
--override-existing-serviceaccounts
```

## Deploy the ADOT Collector with default configuration
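Review bot: the ```bash fence opened above the node-role policy list (the line before `AmazonEKSWorkerNodePolicy`) has no closing fence anywhere in this hunk; the next line after `AmazonPrometheusFullAccess` is the heading `### Use your IAM role to launch the ADOT Collector`, so in MDX the whole IRSA subsection will render inside a code block. Either add the closing ``` after `AmazonPrometheusFullAccess` or drop the fence and make the list a plain bullet list. Two smaller points in the same region: the paragraph under that heading links "IRSA" to the EMR-on-EKS development guide rather than the EKS user guide page that step 1 already links, so the two references should agree; and the page now tells the reader both to attach `AmazonPrometheusFullAccess` (and `AmazonS3ReadOnlyAccess`) to the node instance role and to grant the narrower `AmazonPrometheusRemoteWriteAccess` to the service account via IRSA, without saying whether the node-role policies are still required once IRSA is in place. Since the point of IRSA is to scope permissions to the pod, a sentence stating which set is needed in which setup would stop readers from granting both. Nit: "grants access to write the CloudWatch service" reads awkwardly; "grants write access to CloudWatch" matches the two bullets above it.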