global: # zone: cluster.local (use only if your DNS server doesn't live in the same zone as kubecost) prometheus: enabled: true # If false, Prometheus will not be installed -- Warning: Before changing this setting, please read the following to understand this setting https://docs.kubecost.com/install-and-configure/install/custom-prom fqdn: http://cost-analyzer-prometheus-server.default.svc # example address of a prometheus to connect to. Include protocol (http:// or https://) Ignored if enabled: true # insecureSkipVerify: false # If true, kubecost will not check the TLS cert of prometheus # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD # queryServiceBearerTokenSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN grafana: enabled: true # If false, Grafana will not be installed domainName: cost-analyzer-grafana.default.svc # example grafana domain Ignored if enabled: true scheme: "http" # http or https, for the domain name above. proxy: true # If true, the kubecost frontend will route to your grafana through its service endpoint # fqdn: cost-analyzer-grafana.default.svc # Enable only when you are using GCP Marketplace ENT listing. Learn more at https://console.cloud.google.com/marketplace/product/kubecost-public/kubecost-ent gcpstore: enabled: false # Google Cloud Managed Service for Prometheus gmp: # Remember to set up these parameters when installing the Kubecost Helm chart with `global.gmp.enabled=true` if you want to use GMP self-deployed collection (Recommended) to utilize Kubecost scrape configs. # If enabling GMP, it is highly recommended to utilize Google's distribution of Prometheus. 
# Learn more at https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-unmanaged # --set prometheus.server.image.repository="gke.gcr.io/prometheus-engine/prometheus" \ # --set prometheus.server.image.tag="v2.35.0-gmp.2-gke.0" enabled: false # If true, kubecost will be configured to use GMP Prometheus image and query from Google Cloud Managed Service for Prometheus. prometheusServerEndpoint: http://localhost:8085/ # The prometheus service endpoint used by kubecost. The calls are forwarded through the GMP Prom proxy side car to the GMP database. gmpProxy: enabled: false image: gke.gcr.io/prometheus-engine/frontend:v0.4.1-gke.0 # GMP Prometheus proxy image that serves as an endpoint to query metrics from GMP imagePullPolicy: Always name: gmp-proxy port: 8085 projectId: YOUR_PROJECT_ID # example GCP project ID # Amazon Managed Service for Prometheus amp: enabled: false # If true, kubecost will be configured to remote_write and query from Amazon Managed Service for Prometheus. prometheusServerEndpoint: http://localhost:8005/workspaces// # The prometheus service endpoint used by kubecost. The calls are forwarded through the SigV4Proxy side car to the AMP workspace. remoteWriteService: https://aps-workspaces.us-west-2.amazonaws.com/workspaces//api/v1/remote_write # The remote_write endpoint for the AMP workspace. sigv4: region: us-west-2 # access_key: ACCESS_KEY # AWS Access key # secret_key: SECRET_KEY # AWS Secret key # role_arn: ROLE_ARN # AWS role arn # profile: PROFILE # AWS profile # Mimir Proxy to help Kubecost to query metrics from multi-tenant Grafana Mimir. # Set `global.mimirProxy.enabled=true` and `global.prometheus.enabled=false` to enable Mimir Proxy. # You also need to set `global.prometheus.fqdn=http://kubecost-cost-analyzer-mimir-proxy.kubecost.svc:8085/prometheus` # or `global.prometheus.fqdn=http://{{ template "cost-analyzer.fullname" . 
}}-mimir-proxy.{{ .Release.Namespace }}.svc:8085/prometheus' # Learn more at https://grafana.com/docs/mimir/latest/operators-guide/secure/authentication-and-authorization/#without-an-authenticating-reverse-proxy mimirProxy: enabled: false name: mimir-proxy image: nginxinc/nginx-unprivileged port: 8085 mimirEndpoint: $mimir_endpoint # Your Mimir query endpoint. If your Mimir query endpoint is http://example.com/prometheus, replace $mimir_endpoint with http://example.com/ orgIdentifier: $your_tenant_ID # Your Grafana Mimir tenant ID # basicAuth: # username: user # password: pwd notifications: # Kubecost alerting configuration # Ref: http://docs.kubecost.com/alerts # alertConfigs: # frontendUrl: http://localhost:9090 # optional, used for linkbacks # globalSlackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Slack alerts # globalMsTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Microsoft Teams alerts # globalAlertEmails: # - recipient@example.com # - additionalRecipient@example.com # globalEmailSubject: Custom Subject # Alerts generated by kubecost, about cluster data # alerts: # Daily namespace budget alert on namespace `kubecost` # - type: budget # supported: budget, recurringUpdate # threshold: 50 # optional, required for budget alerts # window: daily # or 1d # aggregation: namespace # filter: kubecost # ownerContact: # optional, overrides globalAlertEmails default # - owner@example.com # - owner2@example.com # # optional, used for alert-specific Slack and Microsoft Teams alerts # slackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX # msTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX # Daily cluster budget alert on cluster `cluster-one` # - type: budget # threshold: 200.8 # optional, 
required for budget alerts # window: daily # or 1d # aggregation: cluster # filter: cluster-one # does not accept csv # Recurring weekly update (weeklyUpdate alert) # - type: recurringUpdate # window: weekly # or 7d # aggregation: namespace # filter: '*' # Recurring weekly namespace update on kubecost namespace # - type: recurringUpdate # window: weekly # or 7d # aggregation: namespace # filter: kubecost # Spend Change Alert # - type: spendChange # change relative to moving avg # relativeThreshold: 0.20 # Proportional change relative to baseline. Must be greater than -1 (can be negative) # window: 1d # accepts ‘d’, ‘h’ # baselineWindow: 30d # previous window, offset by window # aggregation: namespace # filter: kubecost, default # accepts csv # Health Score Alert # - type: health # Alerts when health score changes by a threshold # window: 10m # threshold: 5 # Send Alert if health scores changes by 5 or more # Kubecost Health Diagnostic # - type: diagnostic # Alerts when kubecost is unable to compute costs - ie: Prometheus unreachable # window: 10m alertmanager: # Supply an alertmanager FQDN to receive notifications from the app. enabled: false # If true, allow kubecost to write to your alertmanager fqdn: http://cost-analyzer-prometheus-server.default.svc # example fqdn. 
Ignored if prometheus.enabled: true # Set saved Cost Allocation report(s) accessible from /reports # Ref: http://docs.kubecost.com/saved-reports savedReports: enabled: false # If true, overwrites report parameters set through UI reports: - title: "Example Saved Report 0" window: "today" aggregateBy: "namespace" chartDisplay: "category" idle: "separate" rate: "cumulative" accumulate: false # daily resolution filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators value: "dev" - title: "Example Saved Report 1" window: "month" aggregateBy: "controllerKind" chartDisplay: "category" idle: "share" rate: "monthly" accumulate: false filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - key: "namespace" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api operator: "!:" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators value: "kubecost" - title: "Example Saved Report 2" window: "2020-11-11T00:00:00Z,2020-12-09T23:59:59Z" aggregateBy: "service" chartDisplay: "category" idle: "hide" rate: "daily" accumulate: true # entire window resolution filters: [] # if no filters, specify empty array # Set saved Asset report(s) accessible from /reports # Ref: http://docs.kubecost.com/saved-reports assetReports: enabled: false # If true, overwrites report parameters set through UI reports: - title: "Example Asset Report 0" window: "today" aggregateBy: "type" accumulate: false # daily resolution filters: - property: "cluster" value: "cluster-one" # Set saved Advanced report(s) accessible from /reports # Ref: http://docs.kubecost.com/saved-reports advancedReports: enabled: false # If true, overwrites report parameters set through UI reports: - title: "Example 
Advanced Report 0" window: "7d" aggregateBy: "namespace" filters: # same as allocation api filters Ref: https://docs.kubecost.com/apis/apis-overview/filters-api - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators value: "dev" cloudBreakdown: "service" cloudJoin: "label:kubernetes_namespace" # Set saved Cloud Cost report(s) accessible from /reports # Ref: http://docs.kubecost.com/saved-reports cloudCostReports: enabled: false # If true, overwrites report parameters set through UI reports: - title: "Cloud Cost Report 0" window: "today" aggregateBy: "service" accumulate: false # daily resolution # filters: # - property: "service" # value: "service1" # corresponds to a value to filter cloud cost aggregate by service data on. podAnnotations: {} # iam.amazonaws.com/role: role-arn additionalLabels: {} securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault fsGroup: 1001 runAsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: OnRootMismatch containerSecurityContext: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true capabilities: drop: - ALL # Platforms is a higher-level abstraction for platform-specific values and settings. platforms: # Deploying to OpenShift (OCP) requires enabling this option. openshift: enabled: false # Deploy Kubecost to OpenShift. route: enabled: false # Create an OpenShift Route. annotations: {} # Add annotations to the Route. # host: kubecost.apps.okd4.example.com # Add a custom host for your Route. # Create Security Context Constraint resources for the DaemonSets requiring additional privileges. scc: nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. 
# When OpenShift is enabled, the following securityContext will be applied to all resources unless they define their own. securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault # Set options for deploying with CI/CD tools like Argo CD. cicd: enabled: false # Set to true when using affected CI/CD tools for access to the below configuration options. skipSanityChecks: false # If true, skip all sanity/existence checks for resources like Secrets. ## Provide a name override for the chart. # nameOverride: "" ## Provide a full name override option for the chart. # fullnameOverride: "" ## This flag is only required for users upgrading to a new version of Kubecost. ## The flag is used to ensure users are aware of important ## (potentially breaking) changes included in the new version. ## upgrade: toV2: false # generated at http://kubecost.com/install, used for alerts tracking and free trials kubecostToken: # "" # Advanced pipeline for custom prices, enterprise key required pricingCsv: enabled: false location: provider: "AWS" region: "us-east-1" URI: s3://kc-csv-test/pricing_schema.csv # a valid file URI csvAccessCredentials: pricing-schema-access-secret # SAML integration for user management and RBAC, enterprise key required # Ref: https://github.com/kubecost/docs/blob/main/user-management.md saml: enabled: false # secretName: "kubecost-authzero" # metadataSecretName: "kubecost-authzero-metadata" # One of metadataSecretName or idpMetadataURL must be set. defaults to metadataURL if set # idpMetadataURL: "https://dev-elu2z98r.auth0.com/samlp/metadata/c6nY4M37rBP0qSO1IYIqBPPyIPxLS8v2" # appRootURL: "http://localhost:9090" # sample URL # authTimeout: 1440 # number of minutes the JWT will be valid # redirectURL: "https://dev-elu2z98r.auth0.com/v2/logout" # callback URL redirected to after logout # audienceURI: "http://localhost:9090" # by convention, the same as the appRootURL, but any string uniquely identifying kubecost to your SAML IDP. 
Optional if you follow the convention # nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" # If your SAML provider requires a specific nameid format # isGLUUProvider: false # An additional URL parameter must be appended for GLUU providers # encryptionCertSecret: "kubecost-saml-cert" # k8s secret where the x509 certificate used to encrypt an Okta saml response is stored # decryptionKeySecret: "kubecost-sank-decryption-key" # k8s secret where the private key associated with the encryptionCertSecret is stored # authSecret: "random-string" # value of SAML secret used to issue tokens, will be autogenerated as random string if not provided # authSecretName: "kubecost-saml-secret" # name of k8s secret where the authSecret will be stored, defaults to "kubecost-saml-secret" if not provided rbac: enabled: false # groups: # - name: admin # enabled: false # if admin is disabled, all SAML users will be able to make configuration changes to the kubecost frontend # assertionName: "http://schemas.auth0.com/userType" # a SAML Assertion, one of whose elements has a value that matches one of the values in assertionValues # assertionValues: # - "admin" # - "superusers" # - name: readonly # enabled: false # if readonly is disabled, all users authorized on SAML will default to readonly # assertionName: "http://schemas.auth0.com/userType" # assertionValues: # - "readonly" # - name: editor # enabled: true # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor. 
# assertionName: "http://schemas.auth0.com/userType" # assertionValues: # - "editor" oidc: enabled: false clientID: "" # application/client client_id parameter obtained from provider, used to make requests to server clientSecret: "" # application/client client_secret parameter obtained from provider, used to make requests to server # secretName: "kubecost-oidc-secret" # k8s secret where clientsecret will be stored # For use to provide a custom OIDC Secret. Overrides the usage of oidc.clientSecret and oidc.secretName. # Should contain the field directly. # Can be created using raw k8s secrets, external secrets, sealed secrets, or any other method. existingCustomSecret: enabled: false name: "" # name of the secret containing the client secret # authURL: "https://my.auth.server/authorize" # endpoint for login to auth server # loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize" # Kubecost url configured in provider for redirect after authentication # discoveryURL: "https://my.auth.server/.well-known/openid-configuration" # url for OIDC endpoint discovery skipOnlineTokenValidation: false # if true, will skip accessing OIDC introspection endpoint for online token verification, and instead try to locally validate JWT claims # hostedDomain: "example.com" # optional, blocks access to the auth domain specified in the hd claim of the provider ID token rbac: enabled: false # groups: # - name: admin # enabled: false # if admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend # claimName: "roles" # Kubecost matches this string against the JWT's payload key containing RBAC info (this value is unique across identity providers) # claimValues: # Kubecost matches these strings with the roles created in your identity provider # - "admin" # - "superusers" # - name: readonly # enabled: false # if readonly is disabled, all authenticated users will default to readonly # claimName: "roles" # claimValues: # - "readonly" # - 
name: editor # enabled: false # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor. # claimName: "roles" # claimValues: # - "editor" ## Adds the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables to all ## containers. Typically used in environments that have firewall rules which ## prevent kubecost from accessing cloud provider resources. ## Ref: https://www.oreilly.com/library/view/security-with-go/9781788627917/5ea6a02b-3d96-44b1-ad3c-6ab60fcbbe4f.xhtml ## systemProxy: enabled: false httpProxyUrl: "" httpsProxyUrl: "" noProxy: "" # imagePullSecrets: # - name: "image-pull-secret" # imageVersion uses the base image name (image:) but overrides the version # pulled. It should be avoided. If non-default behavior is needed, use # fullImageName for the relevant component. # imageVersion: kubecostFrontend: enabled: true deployMethod: singlepod # haMode or singlepod - haMode is currently only supported with Enterprise tier haReplicas: 2 # only used with haMode image: "gcr.io/kubecost1/frontend" imagePullPolicy: Always # fullImageName overrides the default image construction logic. The exact # image provided (registry, image, tag) will be used for the frontend. # fullImageName: # extraEnv: # - name: NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE # value: "1" # securityContext: # readOnlyRootFilesystem: true resources: requests: cpu: "10m" memory: "55Mi" # limits: # cpu: "100m" # memory: "256Mi" deploymentStrategy: {} # rollingUpdate: # maxSurge: 1 # maxUnavailable: 1 # type: RollingUpdate # Define a readiness probe for the Kubecost frontend container. readinessProbe: enabled: true initialDelaySeconds: 1 periodSeconds: 5 failureThreshold: 6 # Define a liveness probe for the Kubecost frontend container. 
livenessProbe: enabled: true initialDelaySeconds: 1 periodSeconds: 5 failureThreshold: 6 ipv6: enabled: true # disable if the cluster does not support ipv6 # timeoutSeconds: 600 # should be rarely used, but can be increased if needed # allow customizing nginx-conf server block # extraServerConfig: |- # proxy_busy_buffers_size 512k; # proxy_buffers 4 512k; # proxy_buffer_size 256k; # large_client_header_buffers 4 64k; # hideDiagnostics: false # useful if the primary is not monitored. Supported in limited environments. # hideOrphanedResources: false # OrphanedResources works on the primary-cluster's cloud-provider only. # set to true to set all upstreams to use ..svc.cluster.local instead of just . useDefaultFqdn: false # api: # fqdn: kubecost-api.kubecost.svc.cluster.local:9001 # model: # fqdn: kubecost-model.kubecost.svc.cluster.local:9003 # forecasting: # fqdn: kubecost-forcasting.kubecost.svc.cluster.local:5000 # aggregator: # fqdn: kubecost-aggregator.kubecost.svc.cluster.local:9004 # cloudCost: # fqdn: kubecost-cloud-cost.kubecost.svc.cluster.local:9005 # multiClusterDiagnostics: # fqdn: kubecost-multi-diag.kubecost.svc.cluster.local:9007 # clusterController: # fqdn: cluster-controller.kubecost.svc.cluster.local:9731 # Kubecost Metrics deploys a separate pod which will emit kubernetes specific metrics required # by the cost-model. This pod is designed to remain active and decoupled from the cost-model itself. # However, disabling this service/pod deployment will flag the cost-model to emit the metrics instead. kubecostMetrics: # emitPodAnnotations: false # emitNamespaceAnnotations: false # emitKsmV1Metrics: true # emit all KSM metrics in KSM v1. # emitKsmV1MetricsOnly: false # emit only the KSM metrics missing from KSM v2. Advanced users only. # Optional # The metrics exporter is a separate deployment and service (for prometheus scrape auto-discovery) # which emits metrics cost-model relies on. 
Enabling this deployment also removes the KSM dependency # from the cost-model. If the deployment is not enabled, the metrics will continue to be emitted from # the cost-model. exporter: enabled: false port: 9005 # Adds the default Prometheus scrape annotations to the metrics exporter service. # Set to false and use service.annotations (below) to set custom scrape annotations. prometheusScrape: true resources: {} # requests: # cpu: "200m" # memory: "55Mi" ## Node tolerations for server scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" affinity: {} service: annotations: {} # Service Monitor for Kubecost Metrics serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors. enabled: false additionalLabels: {} metricRelabelings: [] relabelings: [] ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" additionalLabels: {} nodeSelector: {} extraArgs: [] sigV4Proxy: image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest imagePullPolicy: Always name: aps port: 8005 region: us-west-2 # The AWS region host: aps-workspaces.us-west-2.amazonaws.com # The hostname for AMP service. # role_arn: arn:aws:iam:::role/role-name # The AWS IAM role to assume. extraEnv: # Pass extra env variables to sigV4Proxy # - name: AWS_ACCESS_KEY_ID # value: # - name: AWS_SECRET_ACCESS_KEY # value: # Optional resource requests and limits for the sigV4proxy container. resources: {} kubecostModel: image: "gcr.io/kubecost1/cost-model" imagePullPolicy: Always # fullImageName overrides the default image construction logic. 
The exact # image provided (registry, image, tag) will be used for cost-model. # fullImageName: # extraEnv: # - name: SOME_VARIABLE # value: "some_value" # securityContext: # readOnlyRootFilesystem: true # Enables the emission of the kubecost_cloud_credit_total and # kubecost_cloud_expense_total metrics outOfClusterPromMetricsEnabled: false # Build local cost allocation cache warmCache: false # Run allocation ETL pipelines etl: true # Enable the ETL filestore backing storage etlFileStoreEnabled: true # The total number of days the ETL pipelines will build # Set to 0 to disable daily ETL (not recommended) etlDailyStoreDurationDays: 91 # The total number of hours the ETL pipelines will build # Set to 0 to disable hourly ETL (not recommended) # Must be < prometheus server retention, otherwise empty data may overwrite # known-good data etlHourlyStoreDurationHours: 49 # The total number of weeks the ETL pipelines will build # Set to 0 to disable weekly ETL (not recommended) # The default is 53 to ensure at least a year of coverage (371 days) etlWeeklyStoreDurationWeeks: 53 # For deploying kubecost in a cluster that does not self-monitor etlReadOnlyMode: false # The name of the Secret containing a bucket config for ETL backup. # etlBucketConfigSecret: # The name of the Secret containing a bucket config for Federated storage. The contents should be stored # under a key named federated-store.yaml. 
# federatedStorageConfigSecret: "" # Installs Kubecost/OpenCost plugins plugins: enabled: false install: enabled: false fullImageName: curlimages/curl:latest securityContext: allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 folder: /opt/opencost/plugin # leave this commented to always download most recent version of plugins # version: # the list of enabled plugins enabledPlugins: [] # - datadog # pre-existing secret for plugin configuration configSecret: kubecost-plugin-secret # uncomment this to define plugin configuration via the values file # configs: # datadog: | # { # "datadog_site": "", # "datadog_api_key": "", # "datadog_app_key": "" # } ## Feature to view your out-of-cluster costs and their k8s utilization ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer cloudCost: # enabled: true # this logic is always enabled if cloud billing integration is configured. This option is no longer configurable. labelList: IsIncludeList: false # format labels as comma separated string (ex. "label1,label2,label3") labels: "" topNItems: 1000 allocation: # Enables or disables adding node labels to allocation data (i.e. workloads). # Defaults to "true" and starts with a sensible includeList for basics like # topology (e.g. zone, region) and instance type labels. # nodeLabels: # enabled: true # includeList: "node.kubernetes.io/instance-type,topology.kubernetes.io/region,topology.kubernetes.io/zone" # Enables or disables the ContainerStats pipeline, used for quantile-based # queries like for request sizing recommendations. # ContainerStats provides support for quantile-based request right-sizing # recommendations. # # It is disabled by default to avoid problems in extremely high-scale Thanos # environments. If you would like to try quantile-based request-sizing # recommendations, enable this! 
If you are in a high-scale environment, # please monitor Kubecost logs, Thanos query logs, and Thanos load closely. # We hope to make major improvements at scale here soon! # containerStatsEnabled: true # enabled by default as of v2.2.0 # max number of concurrent Prometheus queries maxQueryConcurrency: 5 resources: requests: cpu: "200m" memory: "55Mi" # limits: # cpu: "800m" # memory: "256Mi" # Define a readiness probe for the Kubecost cost-model container. readinessProbe: enabled: true initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 # Define a liveness probe for the Kubecost cost-model container. livenessProbe: enabled: true initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 extraArgs: [] # Optional. A list of extra environment variables to be added to the cost-model container. # extraEnv: [] # - name: LOG_LEVEL # value: trace # - name: LOG_FORMAT # value: json # creates an ingress directly to the model container, for API access ingress: enabled: false # className: nginx labels: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" paths: ["/"] pathType: ImplementationSpecific hosts: - cost-analyzer-model.local tls: [] # - secretName: cost-analyzer-model-tls # hosts: # - cost-analyzer-model.local utcOffset: "+00:00" # Optional - add extra ports to the cost-model container. For kubecost development purposes only - not recommended for users. extraPorts: [] # - name: debug # port: 40000 # targetPort: 40000 # containerPort: 40000 # etlUtils is a utility currently used by Kubecost internal support to implement specific functionality related to Thanos conversion. 
etlUtils: enabled: false fullImageName: null resources: {} env: {} nodeSelector: {} tolerations: {} affinity: {} # Basic Kubecost ingress, more examples available at https://github.com/kubecost/docs/blob/main/ingress-examples.md ingress: enabled: false # className: nginx labels: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" paths: ["/"] # There's no need to route specifically to the pods-- we have an nginx deployed that handles routing pathType: ImplementationSpecific hosts: - cost-analyzer.local tls: [] # - secretName: cost-analyzer-tls # hosts: # - cost-analyzer.local nodeSelector: {} tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" affinity: {} topologySpreadConstraints: [] # If true, creates a PriorityClass to be used by the cost-analyzer pod priority: enabled: false name: "" # Provide name of existing priority class only. If left blank, upstream chart will create one from default template. # If true, enable creation of NetworkPolicy resources. 
networkPolicy: enabled: false denyEgress: true # create a network policy that denies egress from kubecost sameNamespace: true # Set to true if cost analyzer and prometheus are in the same namespace # namespace: kubecost # Namespace where prometheus is installed # Cost-analyzer specific vars using the new template costAnalyzer: enabled: false # If true, create a network policy for cost-analyzer annotations: {} # annotations to be added to the network policy additionalLabels: {} # additional labels to be added to the network policy # Example rules: # ingressRules: # - selectors: # allow ingress from self on all ports # - podSelector: # matchLabels: # app.kubernetes.io/name: cost-analyzer # - selectors: # allow egress access to prometheus # - namespaceSelector: # matchLabels: # name: prometheus # podSelector: # matchLabels: # app: prometheus # ports: # - protocol: TCP # port: 9090 # egressRules: # - selectors: # restrict egress to inside cluster # - namespaceSelector: {} ## @param extraVolumes A list of volumes to be added to the pod ## extraVolumes: [] ## @param extraVolumeMounts A list of volume mounts to be added to the pod ## extraVolumeMounts: [] # Define persistence volume for cost-analyzer, more information at https://docs.kubecost.com/install-and-configure/install/storage persistentVolume: size: 32Gi dbSize: 32.0Gi enabled: true # Note that setting this to false means configurations will be wiped out on pod restart. # storageClass: "-" # # existingClaim: kubecost-cost-analyzer # a claim in the same namespace as kubecost labels: {} annotations: {} # helm.sh/resource-policy: keep # https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource # Enables a separate PV specifically for ETL data. This should be avoided, but # is kept for legacy compatibility. 
dbPVEnabled: false service: type: ClusterIP port: 9090 targetPort: 9090 nodePort: {} labels: {} annotations: {} # loadBalancerSourceRanges: [] sessionAffinity: enabled: false # Makes sure that connections from a client are passed to the same Pod each time, when set to `true`. You should set it when you enabled authentication through OIDC or SAML integration. timeoutSeconds: 10800 prometheus: ## Provide a full name override for Prometheus. # fullnameOverride: "" ## Provide a name override for Prometheus. # nameOverride: "" rbac: create: true # Create the RBAC resources for Prometheus. ## Define serviceAccount names for components. Defaults to component's fully qualified name. ## serviceAccounts: alertmanager: create: true name: nodeExporter: create: true name: pushgateway: create: true name: server: create: true name: ## Prometheus server ServiceAccount annotations. ## Can be used for AWS IRSA annotations when using Remote Write mode with Amazon Managed Prometheus. annotations: {} ## Specify an existing ConfigMap to be used by Prometheus when using self-signed certificates. ## # selfsignedCertConfigMapName: "" imagePullSecrets: # - name: "image-pull-secret" extraScrapeConfigs: | - job_name: kubecost honor_labels: true scrape_interval: 1m scrape_timeout: 60s metrics_path: /metrics scheme: http dns_sd_configs: - names: - {{ template "cost-analyzer.serviceName" . }} type: 'A' port: 9003 - job_name: kubecost-networking kubernetes_sd_configs: - role: pod relabel_configs: # Scrape only the the targets matching the following metadata - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance] action: keep regex: kubecost - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name] action: keep regex: network-costs server: # If clusterIDConfigmap is defined, instead use user-generated configmap with key CLUSTER_ID # to use as unique cluster ID in kubecost cost-analyzer deployment. 
# This overrides the cluster_id set in prometheus.server.global.external_labels. # NOTE: This does not affect the external_labels set in prometheus config. # clusterIDConfigmap: cluster-id-configmap ## Provide a full name override for the Prometheus server. # fullnameOverride: "" ## Prometheus server container name ## enabled: true name: server sidecarContainers: strategy: type: Recreate rollingUpdate: null ## Prometheus server container image ## image: repository: quay.io/prometheus/prometheus tag: v2.50.1 pullPolicy: IfNotPresent ## prometheus server priorityClassName ## priorityClassName: "" ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug ## so that the various internal URLs are still able to access as they are in the default case. ## (Optional) prefixURL: "" ## External URL which can access alertmanager ## Maybe same with Ingress host name baseURL: "" ## Additional server container environment variables ## ## You specify this manually like you would a raw deployment manifest. ## This means you can bind in environment variables from secrets. ## ## e.g. static environment variable: ## - name: DEMO_GREETING ## value: "Hello from the environment" ## ## e.g. secret environment variable: ## - name: USERNAME ## valueFrom: ## secretKeyRef: ## name: mysecret ## key: username env: [] extraFlags: - web.enable-lifecycle ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as ## deleting time series. This is disabled by default. 
# - web.enable-admin-api ## ## storage.tsdb.no-lockfile flag controls BD locking # - storage.tsdb.no-lockfile ## ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) # - storage.tsdb.wal-compression ## Path to a configuration file on prometheus server container FS configPath: /etc/config/prometheus.yml global: ## How frequently to scrape targets by default ## scrape_interval: 1m ## How long until a scrape request times out ## scrape_timeout: 60s ## How frequently to evaluate rules ## evaluation_interval: 1m external_labels: cluster_id: cluster-one # Each cluster should have a unique ID ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write ## remoteWrite: {} ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read ## remoteRead: {} ## Additional Prometheus server container arguments ## extraArgs: query.max-concurrency: 1 query.max-samples: 100000000 ## Additional InitContainers to initialize the pod ## extraInitContainers: [] ## Additional Prometheus server Volume mounts ## extraVolumeMounts: [] ## Additional Prometheus server Volumes ## extraVolumes: [] ## Additional Prometheus server hostPath mounts ## extraHostPathMounts: [] # - name: certs-dir # mountPath: /etc/kubernetes/certs # subPath: "" # hostPath: /etc/kubernetes/certs # readOnly: true extraConfigmapMounts: [] # - name: certs-configmap # mountPath: /prometheus # subPath: "" # configMap: certs-configmap # readOnly: true ## Additional Prometheus server Secret mounts # Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
extraSecretMounts: [] # - name: secret-files # mountPath: /etc/secrets # subPath: "" # secretName: prom-secret-files # readOnly: true ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} ## Defining configMapOverrideName will cause templates/server-configmap.yaml ## to NOT generate a ConfigMap resource ## configMapOverrideName: "" ingress: ## If true, Prometheus server Ingress will be created ## enabled: false # className: nginx ## Prometheus server Ingress annotations ## annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: 'true' ## Prometheus server Ingress additional labels ## extraLabels: {} ## Prometheus server Ingress hostnames with optional path ## Must be provided if Ingress is enabled ## hosts: [] # - prometheus.domain.com # - domain.com/prometheus ## PathType determines the interpretation of the Path matching pathType: "Prefix" ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
extraPaths: [] # - path: /* # backend: # serviceName: ssl-redirect # servicePort: use-annotation ## Prometheus server Ingress TLS configuration ## Secrets must be manually created in the namespace ## tls: [] # - secretName: prometheus-server-tls # hosts: # - prometheus.domain.com ## Server Deployment Strategy type # strategy: # type: Recreate ## Node tolerations for server scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for Prometheus server pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## Pod affinity ## affinity: {} ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## podDisruptionBudget: enabled: false maxUnavailable: 1 ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## # schedulerName: persistentVolume: ## If true, Prometheus server will create/use a Persistent Volume Claim ## If false, use emptyDir ## enabled: true ## Prometheus server data Persistent Volume access modes ## Must match those of existing PV or dynamic provisioner ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## accessModes: - ReadWriteOnce ## Prometheus server data Persistent Volume annotations ## annotations: {} # helm.sh/resource-policy: keep # https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource ## Prometheus server data Persistent Volume existing claim name ## Requires server.persistentVolume.enabled: true ## If defined, PVC must be created manually before volume will be bound existingClaim: "" ## Prometheus server data Persistent Volume mount root path ## mountPath: /data ## Prometheus server data Persistent Volume size ## size: 32Gi ## 
Prometheus server data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" ## Prometheus server data Persistent Volume Binding Mode ## If defined, volumeBindingMode: ## If undefined (the default) or set to null, no volumeBindingMode spec is ## set, choosing the default mode. ## # volumeBindingMode: "" ## Subdirectory of Prometheus server data Persistent Volume to mount ## Useful if the volume's root directory is not empty ## subPath: "" emptyDir: sizeLimit: "" ## Annotations to be added to Prometheus server pods ## podAnnotations: {} # iam.amazonaws.com/role: prometheus ## Annotations to be added to the Prometheus Server deployment ## deploymentAnnotations: {} ## Labels to be added to Prometheus server pods ## podLabels: {} ## Prometheus AlertManager configuration ## alertmanagers: [] ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) ## replicaCount: 1 statefulSet: ## If true, use a statefulset instead of a deployment for pod management. 
## This allows to scale replicas to more than 1 pod ## enabled: false annotations: {} labels: {} podManagementPolicy: OrderedReady ## Alertmanager headless service to use for the statefulset ## headless: annotations: {} labels: {} servicePort: 80 ## Prometheus server readiness and liveness probe initial delay and timeout ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ ## readinessProbeInitialDelay: 5 readinessProbeTimeout: 3 readinessProbeFailureThreshold: 3 readinessProbeSuccessThreshold: 1 livenessProbeInitialDelay: 5 livenessProbeTimeout: 3 livenessProbeFailureThreshold: 3 livenessProbeSuccessThreshold: 1 ## Prometheus server resource requests and limits ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} # limits: # cpu: 500m # memory: 512Mi # requests: # cpu: 500m # memory: 512Mi ## Vertical Pod Autoscaler config ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler verticalAutoscaler: ## If true a VPA object will be created for the controller (either StatefulSet or Deployment, based on above configs) enabled: false ## Optional. Defaults to "Auto" if not specified. # updateMode: "Auto" ## Mandatory. Without, VPA will not be created. 
# containerPolicies: # - containerName: 'prometheus-server' ## Security context to be added to server pods ## securityContext: {} # runAsUser: 1001 # runAsNonRoot: true # runAsGroup: 1001 # fsGroup: 1001 containerSecurityContext: {} service: annotations: {} labels: {} clusterIP: "" # nodePort: "" ## List of IP addresses at which the Prometheus server service is available ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## externalIPs: [] loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 80 sessionAffinity: None type: ClusterIP ## Enable gRPC port on service to allow auto discovery with thanos-querier gRPC: enabled: false servicePort: 10901 # nodePort: 10901 ## If using a statefulSet (statefulSet.enabled=true), configure the ## service to connect to a specific replica to have a consistent view ## of the data. statefulsetReplica: enabled: false replica: 0 ## Prometheus server pod termination grace period ## terminationGracePeriodSeconds: 300 ## Prometheus data retention period (default if not specified is 97 hours) ## ## Kubecost builds up its own persistent store of metric data on the ## filesystem (usually a PV) and, when using ETL Backup and/or Federated ## ETL, in more durable object storage like S3 or GCS. Kubecost's data ## retention is _not_ tied to the configured Prometheus retention. ## ## For data durability, we recommend using ETL Backup instead of relying on ## Prometheus retention. ## ## Lower retention values will affect Prometheus by reducing resource ## consumption and increasing stability. It _must not_ be set below or equal ## to kubecostModel.etlHourlyStoreDurationHours, otherwise empty data sets ## may overwrite good data sets. For now, it must also be >= 49h for Daily ## ETL stability. ## ## "ETL Rebuild" and "ETL Repair" is only possible on data available within ## this retention window. This is an extremely rare operation. 
## ## If you want maximum security in the event of a Kubecost agent ## (cost-model) outage, increase this value. The current default of 97h is ## intended to balance Prometheus stability and resource consumption ## against the event of an outage in Kubecost which would necessitate a ## version change. 4 days should provide enough time for most users to ## notice a problem and initiate corrective action. retention: 97h # retentionSize: should be significantly greater than the storage used in the number of hours set in etlHourlyStoreDurationHours # Install Prometheus Alert Manager alertmanager: ## If false, alertmanager will not be installed ## enabled: false ## Provide a full name override for Prometheus alertmanager. # fullnameOverride: "" strategy: type: Recreate rollingUpdate: null ## alertmanager container name ## name: alertmanager ## alertmanager container image ## image: repository: quay.io/prometheus/alertmanager tag: v0.27.0 pullPolicy: IfNotPresent ## alertmanager priorityClassName ## priorityClassName: "" ## Additional alertmanager container arguments ## extraArgs: {} ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug ## so that the various internal URLs are still able to access as they are in the default case. ## (Optional) prefixURL: "" ## External URL which can access alertmanager baseURL: "http://localhost:9093" ## Additional alertmanager container environment variable ## For instance to add a http_proxy ## extraEnv: {} ## Additional alertmanager Secret mounts # Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
extraSecretMounts: [] # - name: secret-files # mountPath: /etc/secrets # subPath: "" # secretName: alertmanager-secret-files # readOnly: true ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml ## to NOT generate a ConfigMap resource ## configMapOverrideName: "" ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml ## to NOT generate a ConfigMap resource ## configFromSecret: "" ## The configuration file name to be loaded to alertmanager ## Must match the key within configuration loaded from ConfigMap/Secret ## configFileName: alertmanager.yml ingress: ## If true, alertmanager Ingress will be created ## enabled: false ## alertmanager Ingress annotations ## annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: 'true' ## alertmanager Ingress additional labels ## extraLabels: {} ## alertmanager Ingress hostnames with optional path ## Must be provided if Ingress is enabled ## hosts: [] # - alertmanager.domain.com # - domain.com/alertmanager ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
extraPaths: [] # - path: /* # backend: # serviceName: ssl-redirect # servicePort: use-annotation ## alertmanager Ingress TLS configuration ## Secrets must be manually created in the namespace ## tls: [] # - secretName: prometheus-alerts-tls # hosts: # - alertmanager.domain.com ## Alertmanager Deployment Strategy type # strategy: # type: Recreate ## Node tolerations for alertmanager scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for alertmanager pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## Pod affinity ## affinity: {} ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## podDisruptionBudget: enabled: false maxUnavailable: 1 ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## # schedulerName: persistentVolume: ## If true, alertmanager will create/use a Persistent Volume Claim ## If false, use emptyDir ## enabled: true ## alertmanager data Persistent Volume access modes ## Must match those of existing PV or dynamic provisioner ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## accessModes: - ReadWriteOnce ## alertmanager data Persistent Volume Claim annotations ## annotations: {} ## alertmanager data Persistent Volume existing claim name ## Requires alertmanager.persistentVolume.enabled: true ## If defined, PVC must be created manually before volume will be bound existingClaim: "" ## alertmanager data Persistent Volume mount root path ## mountPath: /data ## alertmanager data Persistent Volume size ## size: 2Gi ## alertmanager data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables 
dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" ## alertmanager data Persistent Volume Binding Mode ## If defined, volumeBindingMode: ## If undefined (the default) or set to null, no volumeBindingMode spec is ## set, choosing the default mode. ## # volumeBindingMode: "" ## Subdirectory of alertmanager data Persistent Volume to mount ## Useful if the volume's root directory is not empty ## subPath: "" ## Annotations to be added to alertmanager pods ## podAnnotations: {} ## Tell prometheus to use a specific set of alertmanager pods ## instead of all alertmanager pods found in the same namespace ## Useful if you deploy multiple releases within the same namespace ## ## prometheus.io/probe: alertmanager-teamA ## Labels to be added to Prometheus AlertManager pods ## podLabels: {} ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) ## replicaCount: 1 statefulSet: ## If true, use a statefulset instead of a deployment for pod management. 
## This allows to scale replicas to more than 1 pod ## enabled: false podManagementPolicy: OrderedReady ## Alertmanager headless service to use for the statefulset ## headless: annotations: {} labels: {} ## Enabling peer mesh service end points for enabling the HA alert manager ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md # enableMeshPeer : true servicePort: 80 ## alertmanager resource requests and limits ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} # limits: # cpu: 10m # memory: 32Mi # requests: # cpu: 10m # memory: 32Mi ## Security context to be added to alertmanager pods ## securityContext: runAsUser: 1001 runAsNonRoot: true runAsGroup: 1001 fsGroup: 1001 service: annotations: {} labels: {} clusterIP: "" ## Enabling peer mesh service end points for enabling the HA alert manager ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md # enableMeshPeer : true ## List of IP addresses at which the alertmanager service is available ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## externalIPs: [] loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 80 # nodePort: 30000 sessionAffinity: None type: ClusterIP # Define a custom scheduler for Alertmanager pods # schedulerName: default-scheduler ## alertmanager ConfigMap entries ## alertmanagerFiles: alertmanager.yml: global: {} # slack_api_url: '' receivers: - name: default-receiver # slack_configs: # - channel: '@you' # send_resolved: true route: group_wait: 10s group_interval: 5m receiver: default-receiver repeat_interval: 3h ## Monitors ConfigMap changes and POSTs to a URL configmapReload: prometheus: ## If false, the configmap-reload container will not be deployed ## enabled: false ## configmap-reload container name ## name: configmap-reload ## configmap-reload container image ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader tag: v0.72.0 pullPolicy: IfNotPresent ## Additional 
configmap-reload container arguments ## extraArgs: {} ## Additional configmap-reload volume directories ## extraVolumeDirs: [] ## Additional configmap-reload mounts ## extraConfigmapMounts: [] # - name: prometheus-alerts # mountPath: /etc/alerts.d # subPath: "" # configMap: prometheus-alerts # readOnly: true ## configmap-reload resource requests and limits ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} ## configmap-reload container securityContext containerSecurityContext: {} alertmanager: ## If false, the configmap-reload container will not be deployed ## enabled: false ## configmap-reload container name ## name: configmap-reload ## configmap-reload container image ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader tag: v0.72.0 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments ## extraArgs: {} ## Additional configmap-reload volume directories ## extraVolumeDirs: [] ## Additional configmap-reload mounts ## extraConfigmapMounts: [] # - name: prometheus-alerts # mountPath: /etc/alerts.d # subPath: "" # configMap: prometheus-alerts # readOnly: true ## configmap-reload resource requests and limits ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} # node-export must be disabled if there is an existing daemonset: https://guide.kubecost.com/hc/en-us/articles/4407601830679-Troubleshoot-Install#a-name-node-exporter-a-issue-failedscheduling-kubecost-prometheus-node-exporter nodeExporter: ## If false, node-exporter will not be installed. ## This is disabled by default in Kubecost 2.0, though it can be enabled as needed. ## enabled: false ## Provide a full name override for node exporter. 
# fullnameOverride: "" ## If true, node-exporter pods share the host network namespace ## hostNetwork: true ## If true, node-exporter pods share the host PID namespace ## hostPID: true ## node-exporter dns policy ## dnsPolicy: ClusterFirstWithHostNet ## node-exporter container name ## name: node-exporter ## node-exporter container image ## image: repository: prom/node-exporter tag: v1.7.0 pullPolicy: IfNotPresent ## node-exporter priorityClassName ## priorityClassName: "" ## Custom Update Strategy ## updateStrategy: type: RollingUpdate ## Additional node-exporter container arguments ## extraArgs: {} ## Additional node-exporter hostPath mounts ## extraHostPathMounts: [] # - name: textfile-dir # mountPath: /srv/txt_collector # hostPath: /var/lib/node-exporter # readOnly: true # mountPropagation: HostToContainer extraConfigmapMounts: [] # - name: certs-configmap # mountPath: /prometheus # configMap: certs-configmap # readOnly: true ## Set a custom affinity for node-exporter ## # affinity: ## Node tolerations for node-exporter scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for node-exporter pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## Annotations to be added to node-exporter pods ## podAnnotations: {} ## Annotations to be added to the node-exporter DaemonSet ## deploymentAnnotations: {} ## Labels to be added to node-exporter pods ## pod: labels: {} ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## podDisruptionBudget: enabled: false maxUnavailable: 1 ## node-exporter resource limits & requests ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} # limits: # cpu: 200m # memory: 50Mi # requests: # cpu: 100m # memory: 30Mi 
## Security context to be added to node-exporter pods ## securityContext: {} # runAsUser: 0 service: annotations: prometheus.io/scrape: "true" labels: {} # Exposed as a headless service: # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services clusterIP: None ## List of IP addresses at which the node-exporter service is available ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## externalIPs: [] hostPort: 9100 loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 9100 type: ClusterIP # Install Prometheus Push Gateway. pushgateway: ## If false, pushgateway will not be installed ## enabled: false ## Provide a full name override for Prometheus push gateway. # fullnameOverride: "" ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## # schedulerName: ## pushgateway container name ## name: pushgateway ## pushgateway container image ## image: repository: prom/pushgateway tag: v1.6.2 pullPolicy: IfNotPresent ## pushgateway priorityClassName ## priorityClassName: "" ## Additional pushgateway container arguments ## ## for example: persistence.file: /data/pushgateway.data extraArgs: {} ingress: ## If true, pushgateway Ingress will be created ## enabled: false ## pushgateway Ingress annotations ## annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: 'true' ## pushgateway Ingress hostnames with optional path ## Must be provided if Ingress is enabled ## hosts: [] # - pushgateway.domain.com # - domain.com/pushgateway ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
extraPaths: [] # - path: /* # backend: # serviceName: ssl-redirect # servicePort: use-annotation ## pushgateway Ingress TLS configuration ## Secrets must be manually created in the namespace ## tls: [] # - secretName: prometheus-alerts-tls # hosts: # - pushgateway.domain.com ## Node tolerations for pushgateway scheduling to nodes with taints ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ ## tolerations: [] # - key: "key" # operator: "Equal|Exists" # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for pushgateway pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## Annotations to be added to pushgateway pods ## podAnnotations: {} replicaCount: 1 ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## podDisruptionBudget: enabled: false maxUnavailable: 1 ## pushgateway resource requests and limits ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} # limits: # cpu: 10m # memory: 32Mi # requests: # cpu: 10m # memory: 32Mi ## Security context to be added to push-gateway pods ## securityContext: runAsUser: 1001 runAsNonRoot: true service: annotations: prometheus.io/probe: pushgateway labels: {} clusterIP: "" ## List of IP addresses at which the pushgateway service is available ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## externalIPs: [] loadBalancerIP: "" loadBalancerSourceRanges: [] servicePort: 9091 type: ClusterIP strategy: type: Recreate rollingUpdate: null persistentVolume: ## If true, pushgateway will create/use a Persistent Volume Claim ## If false, use emptyDir ## enabled: true ## pushgateway data Persistent Volume access modes ## Must match those of existing PV or dynamic provisioner ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## accessModes: - ReadWriteOnce ## pushgateway data Persistent Volume Claim annotations ## 
annotations: {} ## pushgateway data Persistent Volume existing claim name ## Requires pushgateway.persistentVolume.enabled: true ## If defined, PVC must be created manually before volume will be bound existingClaim: "" ## pushgateway data Persistent Volume mount root path ## mountPath: /data ## pushgateway data Persistent Volume size ## size: 2Gi ## pushgateway data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" ## pushgateway data Persistent Volume Binding Mode ## If defined, volumeBindingMode: ## If undefined (the default) or set to null, no volumeBindingMode spec is ## set, choosing the default mode. ## # volumeBindingMode: "" ## Subdirectory of pushgateway data Persistent Volume to mount ## Useful if the volume's root directory is not empty ## subPath: "" serverFiles: ## Alerts configuration ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ alerting_rules.yml: {} # groups: # - name: Instances # rules: # - alert: InstanceDown # expr: up == 0 # for: 5m # labels: # severity: page # annotations: # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' 
# summary: 'Instance {{ $labels.instance }} down' ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml alerts: {} ## Records configuration ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ recording_rules.yml: {} ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml prometheus.yml: rule_files: - /etc/config/recording_rules.yml - /etc/config/alerting_rules.yml ## Below two files are DEPRECATED will be removed from this default values file - /etc/config/rules - /etc/config/alerts scrape_configs: - job_name: prometheus static_configs: - targets: - localhost:9090 # A scrape configuration for running Prometheus on a Kubernetes cluster. # This uses separate scrape configs for cluster components (i.e. API server, node) # and services to allow each to use different authentication configs. # # Kubernetes labels will be added as Prometheus labels on metrics via the # `labelmap` relabeling action. - job_name: 'kubernetes-nodes-cadvisor' # Default to scraping over https. If required, just disable this or change to # `http`. scheme: https # This TLS & bearer token file config is used to connect to the actual scrape # endpoints for cluster components. This is separate to discovery auth # configuration because discovery & scraping are two separate concerns in # Prometheus. The discovery auth config is automatic if Prometheus runs inside # the cluster. Otherwise, more config options have to be provided within the # . tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt # If your node certificates are self-signed or use a different CA to the # master CA, then disable certificate verification below. Note that # certificate verification is an integral part of a secure infrastructure # so this should only be disabled in a controlled environment. You can # disable certificate verification by uncommenting the line below. 
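# insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
        - role: node
      # This configuration will work only on kubelet 1.7.3+
      # As the scrape endpoints for cAdvisor have changed
      # if you are using older version you need to change the replacement to
      # replacement: /api/v1/nodes/$1:4194/proxy/metrics
      # more info here https://github.com/coreos/prometheus-operator/issues/633
      relabel_configs:
        - action: labelmap
          regex: __meta_kubernetes_node_label_(.+)
        - target_label: __address__
          replacement: kubernetes.default.svc:443
        - source_labels: [__meta_kubernetes_node_name]
          regex: (.+)
          target_label: __metrics_path__
          replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
      metric_relabel_configs:
        # Metrics kept from cAdvisor. Duplicate alternatives were removed from the
        # original list; the set of matched metric names is unchanged.
        - source_labels: [__name__]
          regex: (container_cpu_usage_seconds_total|container_memory_working_set_bytes|container_network_receive_errors_total|container_network_transmit_errors_total|container_network_receive_packets_dropped_total|container_network_transmit_packets_dropped_total|container_memory_usage_bytes|container_cpu_cfs_throttled_periods_total|container_cpu_cfs_periods_total|container_fs_usage_bytes|container_fs_limit_bytes|container_fs_inodes_free|container_fs_inodes_total|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_spec_cpu_shares|container_spec_memory_limit_bytes|container_fs_reads_bytes_total|container_fs_writes_bytes_total|cadvisor_version_info|kubecost_pv_info)
          action: keep
        - source_labels: [container]
          target_label: container_name
          regex: (.+)
          action: replace
        - source_labels: [pod]
          target_label: pod_name
          regex: (.+)
          action: replace
    # A scrape configuration for running Prometheus on a Kubernetes cluster.
    # This uses separate scrape configs for cluster components (i.e. API server, node)
    # and services to allow each to use different authentication configs.
    #
    # Kubernetes labels will be added as Prometheus labels on metrics via the
    # `labelmap` relabeling action.
    - job_name: 'kubernetes-nodes'
      # Default to scraping over https. If required, just disable this or change to
      # `http`.
      scheme: https
      # This TLS & bearer token file config is used to connect to the actual scrape
      # endpoints for cluster components. This is separate to discovery auth
      # configuration because discovery & scraping are two separate concerns in
      # Prometheus. The discovery auth config is automatic if Prometheus runs inside
      # the cluster. Otherwise, more config options have to be provided within the
      # <kubernetes_sd_config>.
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        # If your node certificates are self-signed or use a different CA to the
        # master CA, then disable certificate verification below. Note that
        # certificate verification is an integral part of a secure infrastructure
        # so this should only be disabled in a controlled environment. You can
        # disable certificate verification by uncommenting the line below.
        # insecure_skip_verify: true
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
        - role: node
      relabel_configs:
        - action: labelmap
          regex: __meta_kubernetes_node_label_(.+)
        - target_label: __address__
          replacement: kubernetes.default.svc:443
        - source_labels: [__meta_kubernetes_node_name]
          regex: (.+)
          target_label: __metrics_path__
          replacement: /api/v1/nodes/$1/proxy/metrics
      metric_relabel_configs:
        - source_labels: [__name__]
          regex: (kubelet_volume_stats_used_bytes) # this metric is in alpha
          action: keep
    # Scrape config for service endpoints.
    #
    # The relabeling allows the actual service scrape endpoint to be configured
    # via the following annotations:
    #
    # * `prometheus.io/scrape`: Only scrape services that have a value of `true`
    # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
    #   to set this to `https` & most likely set the `tls_config` of the scrape config.
    # * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
    # * `prometheus.io/port`: If the metrics are exposed on a different port to the
    #   service then set this appropriately.
    - job_name: 'kubernetes-service-endpoints'
      kubernetes_sd_configs:
        - role: endpoints
      relabel_configs:
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
          action: keep
          regex: true
        # Only node-exporter and network-costs endpoints are scraped by this job.
        - source_labels: [__meta_kubernetes_endpoints_name]
          action: keep
          regex: (.*node-exporter|kubecost-network-costs)
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
          action: replace
          target_label: __scheme__
          regex: (https?)
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
          action: replace
          target_label: __metrics_path__
          regex: (.+)
        - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
          action: replace
          target_label: __address__
          regex: ([^:]+)(?::\d+)?;(\d+)
          replacement: $1:$2
        - action: labelmap
          regex: __meta_kubernetes_service_label_(.+)
        - source_labels: [__meta_kubernetes_namespace]
          action: replace
          target_label: kubernetes_namespace
        - source_labels: [__meta_kubernetes_service_name]
          action: replace
          target_label: kubernetes_name
        - source_labels: [__meta_kubernetes_pod_node_name]
          action: replace
          target_label: kubernetes_node
      metric_relabel_configs:
        - source_labels: [__name__]
          regex: (container_cpu_allocation|container_cpu_usage_seconds_total|container_fs_limit_bytes|container_fs_writes_bytes_total|container_gpu_allocation|container_memory_allocation_bytes|container_memory_usage_bytes|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_transmit_bytes_total|DCGM_FI_DEV_GPU_UTIL|deployment_match_labels|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_number_ready|kube_deployment_spec_replicas|kube_deployment_status_replicas|kube_deployment_status_replicas_available|kube_job_status_failed|kube_namespace_annotations|kube_namespace_labels|kube_node_info|kube_node_labels|kube_node_status_allocatable|kube_node_status_allocatable_cpu_cores|kube_node_status_allocatable_memory_bytes|kube_node_status_capacity|kube_node_status_capacity_cpu_cores|kube_node_status_capacity_memory_bytes|kube_node_status_condition|kube_persistentvolume_capacity_bytes|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_info|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_limits_cpu_cores|kube_pod_container_resource_limits_memory_bytes|kube_pod_container_resource_requests|kube_pod_container_resource_requests_cpu_cores|kube_pod_container_resource_requests_memory_bytes|kube_pod_container_status_restarts_total|kube_pod_container_status_running|kube_pod_container_status_terminated_reason|kube_pod_labels|kube_pod_owner|kube_pod_status_phase|kube_replicaset_owner|kube_statefulset_replicas|kube_statefulset_status_replicas|kubecost_cluster_info|kubecost_cluster_management_cost|kubecost_cluster_memory_working_set_bytes|kubecost_load_balancer_cost|kubecost_network_internet_egress_cost|kubecost_network_region_egress_cost|kubecost_network_zone_egress_cost|kubecost_node_is_spot|kubecost_pod_network_egress_bytes_total|node_cpu_hourly_cost|node_cpu_seconds_total|node_disk_reads_completed|node_disk_reads_completed_total|node_disk_writes_completed|node_disk_writes_completed_total|node_filesystem_device_error|node_gpu_count|node_gpu_hourly_cost|node_memory_Buffers_bytes|node_memory_Cached_bytes|node_memory_MemAvailable_bytes|node_memory_MemFree_bytes|node_memory_MemTotal_bytes|node_network_transmit_bytes_total|node_ram_hourly_cost|node_total_hourly_cost|pod_pvc_allocation|pv_hourly_cost|service_selector_labels|statefulSet_match_labels|kubecost_pv_info|up)
          action: keep
  # prometheus.yml:
  #   # Sample block -- enable if using an in cluster durable store.
  #   remote_write:
  #     - url: "http://pgprometheus-adapter:9201/write"
  #       write_relabel_configs:
  #         - source_labels: [__name__]
  #           regex: 'container_.*_allocation|container_.*_allocation_bytes|.*_hourly_cost|kube_pod_container_resource_requests{resource="memory", unit="byte"}|container_memory_working_set_bytes|kube_pod_container_resource_requests{resource="cpu", unit="core"}|kube_pod_container_resource_requests|pod_pvc_allocation|kube_namespace_labels|kube_pod_labels'
  #           action: keep
  #       queue_config:
  #         max_samples_per_send: 1000
  #   remote_read:
  #     - url: "http://pgprometheus-adapter:9201/read"
  # Recording rules evaluated by the bundled Prometheus.
  rules:
    groups:
      - name: CPU
        rules:
          - expr: sum(rate(container_cpu_usage_seconds_total{container!=""}[5m]))
            record: cluster:cpu_usage:rate5m
          - expr: rate(container_cpu_usage_seconds_total{container!=""}[5m])
            record: cluster:cpu_usage_nosum:rate5m
          - expr: avg(irate(container_cpu_usage_seconds_total{container!="POD", container!=""}[5m])) by (container,pod,namespace)
            record: kubecost_container_cpu_usage_irate
          - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""}) by (container,pod,namespace)
            record: kubecost_container_memory_working_set_bytes
          - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""})
            record: kubecost_cluster_memory_working_set_bytes
      - name: Savings
        rules:
          # Non-DaemonSet and DaemonSet allocations are recorded under the same
          # metric name and distinguished by the `daemonset` label.
          - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod))
            record: kubecost_savings_cpu_allocation
            labels:
              daemonset: "false"
          - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod)) / sum(kube_node_info)
            record: kubecost_savings_cpu_allocation
            labels:
              daemonset: "true"
          - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod))
            record: kubecost_savings_memory_allocation_bytes
            labels:
              daemonset: "false"
          - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod)) / sum(kube_node_info)
            record: kubecost_savings_memory_allocation_bytes
            labels:
              daemonset: "true"
  # Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager
  # useful in H/A prometheus with different external labels but the same alerts
  alertRelabelConfigs:
  # alert_relabel_configs:
  #   - source_labels: [dc]
  #     regex: (.+)\d+
  #     target_label: dc

networkPolicy:
  ## Enable creation of NetworkPolicy resources.
  ##
  enabled: false

## Module for measuring network costs
## Ref: https://github.com/kubecost/docs/blob/main/network-allocation.md
networkCosts:
  enabled: false
  image:
    repository: gcr.io/kubecost1/kubecost-network-costs
    tag: v0.17.3
  imagePullPolicy: Always
  updateStrategy:
    type: RollingUpdate
  # For existing Prometheus Installs, annotates the Service which generates Endpoints for each of the network-costs pods.
  # The Service is annotated with prometheus.io/scrape: "true" to automatically get picked up by the prometheus config.
  # NOTE: Setting this option to true and leaving the above extraScrapeConfig "job_name: kubecost-networking" configured will cause the
  # NOTE: pods to be scraped twice.
  prometheusScrape: false
  # Traffic Logging will enable logging the top 5 destinations for each source
  # every 30 minutes.
  trafficLogging: true
  logLevel: info
  # Port will set both the containerPort and hostPort to this value.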
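# These must be identical due to network-costs being run on hostNetwork
  port: 3001
  # this daemonset can use significant resources on large clusters: https://guide.kubecost.com/hc/en-us/articles/4407595973527-Network-Traffic-Cost-Allocation
  resources:
    limits: # remove the limits by setting cpu: null
      cpu: 500m # can be less, will depend on cluster size
      # memory: it is not recommended to set a memory limit
    requests:
      cpu: 50m
      memory: 20Mi
  extraArgs: []
  config:
    # Configuration for traffic destinations, including specific classification
    # for IPs and CIDR blocks. This configuration will act as an override to the
    # automatic classification provided by network-costs.
    destinations:
      # In Zone contains a list of address/range that will be
      # classified as in zone.
      in-zone:
        # Loopback Addresses in "IANA IPv4 Special-Purpose Address Registry"
        - "127.0.0.0/8"
        # IPv4 Link Local Address Space
        - "169.254.0.0/16"
        # Private Address Ranges in RFC-1918
        - "10.0.0.0/8" # Remove this entry if using Multi-AZ Kubernetes
        - "172.16.0.0/12"
        - "192.168.0.0/16"
      # In Region contains a list of address/range that will be
      # classified as in region. This is synonymous with cross
      # zone traffic, where the regions between source and destinations
      # are the same, but the zone is different.
      in-region: []
      # Cross Region contains a list of address/range that will be
      # classified as non-internet egress from one region to another.
      cross-region: []
      # Internet contains a list of address/range that will be
      # classified as internet traffic. This is synonymous with traffic
      # that cannot be classified within the cluster.
      # NOTE: Internet classification filters are executed _after_
      # NOTE: direct-classification, but before in-zone, in-region,
      # NOTE: and cross-region.
      internet: []
      # Direct Classification specifically maps an ip address or range
      # to a region (required) and/or zone (optional). This classification
      # takes priority over in-zone, in-region, and cross-region configurations.
      direct-classification: []
      # - region: "us-east1"
      #   zone: "us-east1-c"
      #   ips:
      #     - "10.0.0.0/24"
    services:
      # google-cloud-services: when set to true, enables labeling traffic metrics with google cloud
      # service endpoints
      google-cloud-services: false
      # amazon-web-services: when set to true, enables labeling traffic metrics with amazon web service
      # endpoints.
      amazon-web-services: false
      # azure-cloud-services: when set to true, enables labeling traffic metrics with azure cloud service
      # endpoints
      azure-cloud-services: false
      # user defined services provide a way to define custom service endpoints which will label traffic metrics
      # falling within the defined address range.
      # services:
      #   - service: "test-service-1"
      #     ips:
      #       - "19.1.1.2"
      #   - service: "test-service-2"
      #     ips:
      #       - "15.128.15.2"
      #       - "20.0.0.0/8"
  ## Node tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  tolerations: []
  # - key: "key"
  #   operator: "Equal|Exists"
  #   value: "value"
  #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  affinity: {}
  service:
    annotations: {}
    labels: {}
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  ## PodMonitor
  ## Allows scraping of network metrics from a dedicated prometheus operator setup
  podMonitor:
    enabled: false
    additionalLabels: {}
  # match the default extraScrapeConfig
  additionalLabels: {}
  nodeSelector: {}
  annotations: {}
  healthCheckProbes: {}
  # readinessProbe:
  #   tcpSocket:
  #     port: 3001
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   failureThreshold: 5
  # livenessProbe:
  #   tcpSocket:
  #     port: 3001
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   failureThreshold: 5
  # Merged into the network-costs container securityContext. Because the
  # DaemonSet runs on hostNetwork, hardening here (e.g. a read-only root
  # filesystem) is worth considering.
  additionalSecurityContext: {}
  # readOnlyRootFilesystem: true

## Kubecost Deployment Configuration
## Used for HA mode in Business & Enterprise tier
##
kubecostDeployment:
  replicas: 1
  # deploymentStrategy:
  #   rollingUpdate:
  #     maxSurge: 1
  #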
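# maxUnavailable: 1
  #   type: RollingUpdate
  labels: {}
  annotations: {}

## Kubecost Forecasting forecasts future cost patterns based on historical
## patterns observed by Kubecost.
forecasting:
  enabled: true
  # fullImageName overrides the default image construction logic. The exact
  # image provided (registry, image, tag) will be used for the forecasting
  # container.
  # Example: fullImageName: gcr.io/kubecost1/forecasting:v0.0.1
  fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.6
  # Resource specification block for the forecasting container.
  resources:
    requests:
      cpu: 200m
      memory: 300Mi
    limits:
      cpu: 1500m
      memory: 1Gi
  # Set environment variables for the forecasting container as key/value pairs.
  env:
    # -t is the worker timeout which primarily affects model training time;
    # if it is not high enough, training workers may die mid training
    "GUNICORN_CMD_ARGS": "--log-level info -t 1200"
  # Define a priority class for the forecasting Deployment.
  priority:
    enabled: false
    name: ""
  # Define a nodeSelector for the forecasting Deployment.
  nodeSelector: {}
  # Define tolerations for the forecasting Deployment.
  # NOTE(review): tolerations is a list in the Pod spec; `{}` presumably relies
  # on the template treating an empty map as "unset" — confirm against the
  # forecasting Deployment template.
  tolerations: {}
  # Define Pod affinity for the forecasting Deployment.
  affinity: {}
  # Define a readiness probe for the forecasting container
  readinessProbe:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 10
    failureThreshold: 200
  # Define a liveness probe for the forecasting container.
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 10
    failureThreshold: 200

## The Kubecost Aggregator is a high scale implementation of Kubecost intended
## for large datasets and/or high query load. At present, this should only be
## enabled when recommended by Kubecost staff.
##
kubecostAggregator:
  # deployMethod determines how Aggregator is deployed. Current options are
  # "singlepod" (within cost-analyzer Pod), "statefulset" (separate
  # StatefulSet), and "disabled". Only use "disabled" if this is a secondary
  # Federated ETL cluster which does not need to answer queries.
  deployMethod: singlepod
  # fullImageName overrides the default image construction logic. The exact
  # image provided (registry, image, tag) will be used for aggregator.
  # fullImageName:
  # For legacy configuration support, `enabled: true` overrides deployMethod
  # and causes `deployMethod: "statefulset"`
  enabled: false
  # Replicas sets the number of Aggregator replicas. It only has an effect if
  # `deployMethod: "statefulset"`
  replicas: 1
  # stagingEmptyDirSizeLimit changes how large the "staging"
  # /var/configs/waterfowl emptyDir is. It only takes effect in StatefulSet
  # configurations of Aggregator, other configurations are unaffected.
  #
  # It should be set to approximately 8x the size of the largest bingen file in
  # object storage. For example, if your largest bingen file is a daily
  # Allocation file with size 300MiB, this value should be set to approximately
  # 2400Mi. In most environments, the default should suffice.
  stagingEmptyDirSizeLimit: 2Gi
  # this is the number of partitions the datastore is split into for copying
  # the higher this number, the lower the ram usage but the longer it takes for
  # new data to show in the kubecost UI
  # set to 0 for max partitioning (minimum possible ram usage, but the slowest)
  # the default of 25 is sufficient for 95%+ of users.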
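# This should only be modified
  # after consulting with Kubecost's support team
  numDBCopyPartitions: 25
  env:
    "LOG_LEVEL": "info"
    "DB_READ_THREADS": "1"
    "DB_WRITE_THREADS": "1"
    "DB_CONCURRENT_INGESTION_COUNT": "3"
  persistentConfigsStorage:
    storageClass: "" # default storage class
    storageRequest: 1Gi
  aggregatorDbStorage:
    storageClass: "" # default storage class
    storageRequest: 128Gi
  resources: {}
  # requests:
  #   cpu: 1000m
  #   memory: 1Gi
  readinessProbe:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 10
    failureThreshold: 200
  ## Set additional environment variables for the aggregator pod
  # extraEnv:
  #   - name: SOME_VARIABLE
  #     value: "some_value"
  ## Add a priority class to the aggregator pod
  # priority:
  #   enabled: false
  #   name: ""
  ## Optional - add extra ports to the aggregator container. For kubecost development purposes only - not recommended for users.
  # extraPorts: []
  #   - name: debug
  #     port: 40000
  #     targetPort: 40000
  #     containerPort: 40000
  ## Define a securityContext for the aggregator pod. This will take highest precedence.
  # securityContext: {}
  ## Define the container-level security context for the aggregator pod. This will take highest precedence.
  # containerSecurityContext: {}
  ## Provide a Service Account name for aggregator.
  # serviceAccountName: ""
  ## Define a nodeSelector for the aggregator pod
  # nodeSelector: {}
  ## Define tolerations for the aggregator pod
  # tolerations: []
  ## Define Pod affinity for the aggregator pod
  # affinity: {}
  ## Define extra volumes for the aggregator pod
  # extraVolumes: []
  ## Define extra volumemounts for the aggregator pod
  # extraVolumeMounts: []
  ## Creates a new container/pod to retrieve CloudCost data. By default it uses
  ## the same serviceaccount as the cost-analyzer pod. A custom serviceaccount
  ## can be specified.
  cloudCost:
    # The cloudCost component of Aggregator depends on
    # kubecostAggregator.deployMethod:
    # kA.dM = "singlepod" -> cloudCost is run as container inside cost-analyzer
    # kA.dM = "statefulset" -> cloudCost is run as single-replica Deployment
    enabled: false
    resources: {}
    # requests:
    #   cpu: 1000m
    #   memory: 1Gi
    # refreshRateHours:
    # queryWindowDays:
    # runWindowDays:
    # serviceAccountName:
    readinessProbe:
      enabled: true
      initialDelaySeconds: 10
      periodSeconds: 10
      failureThreshold: 200
    ## Add a nodeSelector for aggregator cloud costs
    # nodeSelector: {}
    ## Tolerations for the aggregator cloud costs
    # tolerations: {}
    ## Affinity for the aggregator cloud costs
    # affinity: {}
    ## ServiceAccount for the aggregator cloud costs
    # serviceAccountName: ""
    ## Define environment variables for cloud cost
    # env: {}
    ## Define extra volumes for the cloud cost pod
    # extraVolumes: []
    ## Define extra volumemounts for the cloud cost pod
    # extraVolumeMounts: []
  ## Configure the Collections service for aggregator.
  # collections:
  #   cache:
  #     enabled: false
  # Jaeger is an optional container attached to wherever the Aggregator
  # container is running. It is used for performance investigation. Enable if
  # Kubecost Support asks.
  jaeger:
    enabled: false
    image: jaegertracing/all-in-one
    # NOTE(review): `latest` is an unpinned, mutable tag; pin a version (or
    # digest) before enabling so the pulled image is reproducible and reviewable.
    imageVersion: latest
    # containerSecurityContext:

## Kubecost Multi-cluster Diagnostics (beta)
## A single view into the health of all agent clusters. Each agent cluster sends
## its diagnostic data to a storage bucket. Future versions may include
## repairing & alerting from the primary.
## Ref: https://docs.kubecost.com/install-and-configure/install/multi-cluster-diagnostics
##
diagnostics:
  enabled: true
  ## The primary aggregates all diagnostic data and handles API requests. It's
  ## also responsible for deleting diagnostic data (on disk & bucket) beyond
  ## retention. When in readonly mode it does not push its own diagnostic data
  ## to the bucket.
  primary:
    enabled: false
    retention: "7d"
    readonly: false
  ## How frequently to run & push diagnostics. Defaults to 5 minutes.
  pollingInterval: "300s"
  ## Creates a new Diagnostic file in the bucket for every run.
  keepDiagnosticHistory: false
  ## Pushes the cluster's Kubecost Helm Values to the bucket once upon startup.
  ## This may contain sensitive information and is roughly 30kb per cluster.
  collectHelmValues: false
  ## By default, the Multi-cluster Diagnostics service runs within the
  ## cost-model container in the cost-analyzer pod. For higher availability, it
  ## can be run as a separate deployment.
  deployment:
    enabled: false
    resources:
      requests:
        cpu: "10m"
        memory: "20Mi"
    env: {}
    labels: {}
    securityContext: {}
    containerSecurityContext: {}
    nodeSelector: {}
    tolerations: {}
    affinity: {}
  ## Provide a full name override for the diagnostics Deployment.
  # diagnosticsFullnameOverride: ""

# Kubecost Cluster Controller for Right Sizing and Cluster Turndown
clusterController:
  enabled: false
  image:
    repository: gcr.io/kubecost1/cluster-controller
    tag: v0.16.0
  imagePullPolicy: Always
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  # Set custom tolerations for the cluster controller.
  tolerations: []
  actionConfigs:
    # this configures the Kubecost Cluster Turndown action
    # for more details, see documentation at https://github.com/kubecost/cluster-turndown/tree/develop?tab=readme-ov-file#setting-a-turndown-schedule
    clusterTurndown: []
    # - name: my-schedule
    #   start: "2024-02-09T00:00:00Z"
    #   end: "2024-02-09T12:00:00Z"
    #   repeat: daily
    # - name: my-schedule2
    #   start: "2024-02-09T00:00:00Z"
    #   end: "2024-02-09T01:00:00Z"
    #   repeat: weekly
    # this configures the Kubecost Namespace Turndown action
    # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#namespace-turndown
    namespaceTurndown:
    # - name: my-ns-turndown-action
    #   dryRun: false
    #   schedule: "0 0 * * *"
    #   type: Scheduled
    #   targetObjs:
    #     - namespace
    #   keepPatterns:
    #     - ignorednamespace
    #   keepLabels:
    #     turndown: ignore
    #   params:
    #     minNamespaceAge: 4h
    # this configures the Kubecost Cluster Sizing action
    # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#cluster-sizing
    clusterRightsize:
    # startTime: '2024-01-02T15:04:05Z'
    # frequencyMinutes: 1440
    # lastCompleted: ''
    # recommendationParams:
    #   window: 48h
    #   architecture: ''
    #   targetUtilization: 0.8
    #   minNodeCount: 1
    #   allowSharedCore: false
    #   allowCostIncrease: false
    #   recommendationType: ''
    # This configures the Kubecost Continuous Request Sizing Action
    #
    # Using this configuration overrides annotation-based configuration of
    # Continuous Request Sizing. Annotation configuration will be ignored while
    # this configuration method is present in the cluster.
    #
    # For more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#automated-request-sizing
    containerRightsize:
    # Workloads can be selected by an _exact_ key (namespace, controllerKind,
    # controllerName). This will only match a single controller.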
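# The cluster
    # ID is currently irrelevant because Cluster Controller can only modify
    # workloads within the cluster it is running in.
    # workloads:
    #   - clusterID: cluster-one
    #     namespace: my-namespace
    #     controllerKind: deployment
    #     controllerName: my-controller
    # An alternative to exact key selection is filter selection. The filters
    # are syntactically identical to Kubecost's "v2" filters [1] but only
    # support a small set of filter fields, those being:
    # - namespace
    # - controllerKind
    # - controllerName
    # - label
    # - annotation
    #
    # If multiple filters are listed, they will be ORed together at the top
    # level.
    #
    # See the examples below.
    #
    # [1] https://docs.kubecost.com/apis/apis-overview/filters-api
    # filterConfig:
    #   - filter: |
    #       namespace:"abc"+controllerKind:"deployment"
    #   - filter: |
    #       controllerName:"abc123"+controllerKind:"daemonset"
    #   - filter: |
    #       namespace:"foo"+controllerKind!:"statefulset"
    #   - filter: |
    #       namespace:"bar","baz"
    # schedule:
    #   start: "2024-01-30T15:04:05Z"
    #   frequencyMinutes: 5
    #   recommendationQueryWindow: "48h"
    #   lastModified: ''
    #   targetUtilizationCPU: 0.8 # results in a cpu request setting that is 20% higher than the max seen over last 48h
    #   targetUtilizationMemory: 0.8 # results in a RAM request setting that is 20% higher than the max seen over last 48h
  kubescaler:
    # If true, will cause all (supported) workloads to have their requests
    # automatically right-sized on a regular basis.
    defaultResizeAll: false
  # fqdn: kubecost-cluster-controller.kubecost.svc.cluster.local:9731
  namespaceTurndown:
    rbac:
      enabled: true

# Outbound reporting/telemetry toggles. Review these for environments with
# data-egress restrictions.
reporting:
  # Kubecost bug report feature: Logs access/collection limited to .Release.Namespace
  # Ref: http://docs.kubecost.com/bug-report
  logCollection: true
  # Basic frontend analytics
  productAnalytics: true
  # Report Javascript errors
  errorReporting: true
  # NOTE(review): no description of what valuesReporting transmits is given here.
  # Helm values may contain sensitive information (see diagnostics.collectHelmValues);
  # confirm the scope of this report before leaving it enabled.
  valuesReporting: true
  # googleAnalyticsTag allows you to embed your Google Global Site Tag to track usage of Kubecost.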
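# googleAnalyticsTag is only included in our Enterprise offering.
  # googleAnalyticsTag: G-XXXXXXXXX

serviceMonitor:
  # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors.
  enabled: false
  additionalLabels: {}
  metricRelabelings: []
  relabelings: []
  networkCosts:
    enabled: false
    scrapeTimeout: 10s
    additionalLabels: {}
    metricRelabelings: []
    relabelings: []

prometheusRule:
  enabled: false
  additionalLabels: {}

supportNFS: false
# initChownDataImage ensures all Kubecost filepath permissions on PV or local storage are set up correctly.
# NOTE(review): the bare "busybox" reference is unpinned (implicit `latest`) and runs
# as an init container with permission to chown the data path; prefer a fully
# qualified image with a fixed tag or digest.
initChownDataImage: "busybox" # Supports a fully qualified Docker image, e.g. registry.hub.docker.com/library/busybox:latest
initChownData:
  resources: {}
  # requests:
  #   cpu: "50m"
  #   memory: "20Mi"

grafana:
  # namespace_datasources: kubecost # override the default namespace here
  # namespace_dashboards: kubecost # override the default namespace here
  rbac:
    create: true
  serviceAccount:
    create: true
    name: ""
  ## Provide a full name override for the Grafana Deployment.
  # fullnameOverride: ""
  ## Provide a name override for the Grafana Deployment.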
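# nameOverride: ""
  ## Configure grafana datasources
  ## ref: http://docs.grafana.org/administration/provisioning/#datasources
  ##
  # datasources:
  #   datasources.yaml:
  #     apiVersion: 1
  #     datasources:
  #       - name: prometheus-kubecost
  #         type: prometheus
  #         url: http://kubecost-prometheus-server.kubecost.svc.cluster.local
  #         access: proxy
  #         isDefault: false
  #         jsonData:
  #           httpMethod: POST
  #           prometheusType: Prometheus
  #           prometheusVersion: 2.35.0
  #           timeInterval: 1m
  ## Number of replicas for the Grafana deployment
  replicas: 1
  ## Deployment strategy for the Grafana deployment
  deploymentStrategy: RollingUpdate
  ## Readiness probe for the Grafana deployment
  readinessProbe:
    httpGet:
      path: /api/health
      port: 3000
  ## Liveness probe for the Grafana deployment
  livenessProbe:
    httpGet:
      path: /api/health
      port: 3000
    initialDelaySeconds: 60
    timeoutSeconds: 30
    failureThreshold: 10
  ## Container image settings for the Grafana deployment
  image:
    repository: grafana/grafana
    tag: 10.3.4
    pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  # pullSecrets:
  #   - myRegistrKeySecretName
  ## Pod-level security context for the Grafana deployment. Recommended let global defaults take effect.
  securityContext: {}
  # runAsUser: 472
  # fsGroup: 472
  ## PriorityClassName for the Grafana deployment
  priorityClassName: ""
  ## Container image settings for Grafana initContainer used to download dashboards. Will only be used when dashboards are present.
  downloadDashboardsImage:
    repository: curlimages/curl
    # NOTE(review): `latest` is a mutable tag; pin a version (or digest) so the
    # init container that fetches dashboards is reproducible.
    tag: latest
    pullPolicy: IfNotPresent
  ## Pod Annotations for the Grafana deployment
  podAnnotations: {}
  ## Deployment annotations for the Grafana deployment
  annotations: {}
  ## Expose the Grafana service to be accessed from outside the cluster (LoadBalancer service).
  ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
  service:
    type: ClusterIP
    port: 80
    annotations: {}
    labels: {}
  ## Ingress service for the Grafana deployment
  ingress:
    enabled: false
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    path: /
    pathType: Prefix
    hosts:
      - chart-example.local
    tls: []
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.local
  ## Resource requests and limits for the Grafana deployment
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  ## Node labels for pod assignment of the Grafana deployment
  nodeSelector: {}
  ## Tolerations for pod assignment of the Grafana deployment
  tolerations: []
  ## Affinity for pod assignment of the Grafana deployment
  affinity: {}
  ## Enable persistence using Persistent Volume Claims of the Grafana deployment
  persistence:
    enabled: false
    # storageClassName: default
    # accessModes:
    #   - ReadWriteOnce
    # size: 10Gi
    # annotations: {}
    # subPath: ""
    # existingClaim:
  ## Admin user for Grafana
  adminUser: admin
  ## Admin password for Grafana
  ## NOTE(review): this is a well-known chart default committed to version control.
  ## Override it on install (or supply credentials through `envFromSecret` below)
  ## before the Grafana service is reachable by anyone outside the cluster.
  adminPassword: strongpassword
  ## Use an alternate scheduler for the Grafana deployment
  # schedulerName:
  ## Extra environment variables that will be passed onto Grafana deployment pods
  env: {}
  ## The name of a secret for Grafana in the same Kubernetes namespace which contain values to be added to the environment
  ## This can be useful for auth tokens, etc
  envFromSecret: ""
  ## Additional Grafana server secret mounts
  ## Defines additional mounts with secrets. Secrets must be manually created in the namespace.
  extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
  #   secretName: grafana-secret-files
  #   readOnly: true
  ## List of Grafana plugins
  plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
  ## Grafana dashboard providers
  ## ref: http://docs.grafana.org/administration/provisioning/#dashboards
  ##
  ## `path` must be /var/lib/grafana/dashboards/<provider_name>
  ##
  dashboardProviders: {}
  # dashboardproviders.yaml:
  #   apiVersion: 1
  #   providers:
  #     - name: 'default'
  #       orgId: 1
  #       folder: ''
  #       type: file
  #       disableDeletion: false
  #       editable: true
  #       options:
  #         path: /var/lib/grafana/dashboards/default
  ## Configure Grafana dashboard to import
  ## NOTE: To use dashboards you must also enable/configure dashboardProviders
  ## ref: https://grafana.com/dashboards
  ##
  ## dashboards per provider, use provider name as key.
  ##
  dashboards: {}
  # default:
  #   prometheus-stats:
  #     gnetId: 3662
  #     revision: 2
  #     datasource: Prometheus
  ## Reference to external Grafana ConfigMap per provider. Use provider name as key and ConfigMap name as value.
  ## A provider's dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
  ## ConfigMap data example:
  ##
  ## data:
  ##   example-dashboard.json: |
  ##     RAW_JSON
  ##
  dashboardsConfigMaps: {}
  # default: ""
  ## LDAP Authentication for Grafana can be enabled with the following values on grafana.ini
  ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
  # auth.ldap:
  #   enabled: true
  #   allow_sign_up: true
  #   config_file: /etc/grafana/ldap.toml
  ## Grafana's LDAP configuration
  ## Templated by the template in _helpers.tpl
  ## NOTE: To enable, grafana.ini must be configured with auth.ldap.enabled
  ## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
  ## ref: http://docs.grafana.org/installation/ldap/#configuration
  ldap:
    # `existingSecret` is a reference to an existing secret containing the ldap configuration
    # for Grafana in a key `ldap-toml`.
    existingSecret: ""
    # `config` is the content of `ldap.toml` that will be stored in the created secret
    config: ""
    # config: |-
    #   verbose_logging = true
    #   [[servers]]
    #   host = "my-ldap-server"
    #   port = 636
    #   use_ssl = true
    #   start_tls = false
    #   ssl_skip_verify = false
    #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
  ## Grafana's SMTP configuration
  ## NOTE: To enable, grafana.ini must be configured with smtp.enabled
  ## ref: http://docs.grafana.org/installation/configuration/#smtp
  smtp:
    # `existingSecret` is a reference to an existing secret containing the smtp configuration
    # for Grafana in keys `user` and `password`.
    existingSecret: ""
  ## Grafana sidecars that collect the configmaps with the specified label and store the included files into the respective folders
  ## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
  sidecar:
    image:
      repository: kiwigrid/k8s-sidecar
      tag: 1.26.0
      pullPolicy: IfNotPresent
    resources: {}
    dashboards:
      enabled: true
      # label that the configmaps with dashboards are marked with
      label: grafana_dashboard
      labelValue: "1"
      # set sidecar ERROR_THROTTLE_SLEEP env var from default 5s to 0s -> fixes https://github.com/kubecost/cost-analyzer-helm-chart/issues/877
      annotations: {}
      error_throttle_sleep: 0
      folder: /tmp/dashboards
    datasources:
      # dataSourceFilename: foo.yml # If you need to change the name of the datasource file
      enabled: false
      error_throttle_sleep: 0
      # label that the configmaps with datasources are marked with
      label: grafana_datasource
  ## Grafana's primary configuration
  ## NOTE: values in map will be converted to ini format
  ## ref: http://docs.grafana.org/installation/configuration/
  ##
  ## For grafana to be accessible, add the path to root_url. For example, if you run kubecost at www.foo.com:9090/kubecost
  ## set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana".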
No change is necessary here if kubecost runs at a root URL grafana.ini: server: serve_from_sub_path: false # Set to false on Grafana v10+ root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana" paths: data: /var/lib/grafana/data logs: /var/log/grafana plugins: /var/lib/grafana/plugins provisioning: /etc/grafana/provisioning analytics: check_for_updates: true log: mode: console grafana_net: url: https://grafana.net auth.anonymous: enabled: true org_role: Editor org_name: Main Org. serviceAccount: create: true # Set this to false if you're bringing your own service account. annotations: {} # name: kc-test awsstore: useAwsStore: false imageNameAndVersion: gcr.io/kubecost1/awsstore:latest # Name and version of the container image for AWSStore. createServiceAccount: false ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" # Use a custom nodeSelector for AWSStore. nodeSelector: {} # kubernetes.io/arch: amd64 ## Annotations for the AWSStore ServiceAccount. annotations: {} ## Federated ETL Architecture ## Ref: https://docs.kubecost.com/install-and-configure/install/multi-cluster/federated-etl ## federatedETL: ## If true, installs the minimal set of components required for a Federated ETL cluster. agentOnly: false ## If true, push ETL data to the federated storage bucket federatedCluster: false ## If true, changes the dir of S3 backup to the Federated combined store. ## Commonly used when transitioning from Thanos to Federated ETL architecture. redirectS3Backup: false ## If true, will query metrics from a central PromQL DB (e.g. Amazon Managed ## Prometheus) useMultiClusterDB: false ## Kubecost Admission Controller (beta feature) ## To use this feature, ensure you have run the `create-admission-controller.sh` ## script. This generates a k8s secret with TLS keys/certificats and a ## corresponding CA bundle. 
## kubecostAdmissionController: enabled: false secretName: webhook-server-tls caBundle: ${CA_BUNDLE} # Enables or disables the Cost Event Audit pipeline, which tracks recent changes at cluster level # and provides an estimated cost impact via the Kubecost Predict API. # # It is disabled by default to avoid problems in high-scale environments. costEventsAudit: enabled: false ## Disable updates to kubecost from the frontend UI and via POST request ## This feature is considered beta, entrprise users should use teams: ## https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/teams # readonly: false # # These configs can also be set from the Settings page in the Kubecost product # # UI. Values in this block override config changes in the Settings UI on pod # # restart # kubecostProductConfigs: # # An optional list of cluster definitions that can be added for frontend # # access. The local cluster is *always* included by default, so this list is # # for non-local clusters. # clusters: # - name: "Cluster A" # address: http://cluster-a.kubecost.com:9090 # # Optional authentication credentials - only basic auth is currently supported. # auth: # type: basic # # Secret name should be a secret formatted based on: https://github.com/kubecost/docs/blob/main/ingress-examples.md # secretName: cluster-a-auth # # Or pass auth directly as base64 encoded user:pass # data: YWRtaW46YWRtaW4= # # Or user and pass directly # user: admin # pass: admin # - name: "Cluster B" # address: http://cluster-b.kubecost.com:9090 # # Enabling customPricesEnabled and defaultModelPricing instructs Kubecost to # # use these custom monthly resource prices when reporting node costs. Note, # # that the below configuration is for the monthly cost of the resource. # # Kubecost considers there to be 730 hours in a month. Also note, that these # # configurations will have no effect on metrics emitted such as # # `node_ram_hourly_cost` or `node_cpu_hourly_cost`. 
# # Ref: https://docs.kubecost.com/install-and-configure/install/provider-installations/air-gapped # customPricesEnabled: false # defaultModelPricing: # enabled: true # CPU: "28.0" # spotCPU: "4.86" # RAM: "3.09" # spotRAM: "0.65" # GPU: "693.50" # spotGPU: "225.0" # storage: "0.04" # zoneNetworkEgress: "0.01" # regionNetworkEgress: "0.01" # internetNetworkEgress: "0.12" # # The cluster profile represents a predefined set of parameters to use when calculating savings. # # Possible values are: [ development, production, high-availability ] # clusterProfile: production # spotLabel: lifecycle # spotLabelValue: Ec2Spot # gpuLabel: gpu # gpuLabelValue: true # alibabaServiceKeyName: "" # alibabaServiceKeyPassword: "" # awsServiceKeyName: ACCESSKEYID # awsServiceKeyPassword: fakepassword # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName # awsSpotDataRegion: us-east-1 # awsSpotDataBucket: spot-data-feed-s3-bucket # awsSpotDataPrefix: dev # athenaProjectID: "530337586277" # The AWS AccountID where the Athena CUR is. Generally your masterpayer account # athenaBucketName: "s3://aws-athena-query-results-530337586277-us-east-1" # athenaRegion: us-east-1 # athenaDatabase: athenacurcfn_athena_test1 # athenaTable: "athena_test1" # athenaWorkgroup: "primary" # The default workgroup in AWS is 'primary' # masterPayerARN: "" # projectID: "123456789" # Also known as AccountID on AWS -- the current account/project that this instance of Kubecost is deployed on. 
# gcpSecretName: gcp-secret # Name of a secret representing the gcp service key # gcpSecretKeyName: compute-viewer-kubecost-key.json # Name of the secret's key containing the gcp service key # bigQueryBillingDataDataset: billing_data.gcp_billing_export_v1_01AC9F_74CF1D_5565A2 # labelMappingConfigs: # names of k8s labels or annotations used to designate different allocation concepts # enabled: true # owner_label: "owner" # team_label: "team" # department_label: "dept" # product_label: "product" # environment_label: "env" # namespace_external_label: "kubernetes_namespace" # external labels/tags are used to map external cloud costs to kubernetes concepts # cluster_external_label: "kubernetes_cluster" # controller_external_label: "kubernetes_controller" # product_external_label: "kubernetes_label_app" # service_external_label: "kubernetes_service" # deployment_external_label: "kubernetes_deployment" # owner_external_label: "kubernetes_label_owner" # team_external_label: "kubernetes_label_team" # environment_external_label: "kubernetes_label_env" # department_external_label: "kubernetes_label_department" # statefulset_external_label: "kubernetes_statefulset" # daemonset_external_label: "kubernetes_daemonset" # pod_external_label: "kubernetes_pod" # grafanaURL: "" # # Provide a mapping from Account ID to a readable Account Name in a key/value object. Provide Account IDs as they are displayed in CloudCost # # as the 'key' and the Account Name associated with it as the 'value' # cloudAccountMapping: # EXAMPLE_ACCOUNT_ID: EXAMPLE_ACCOUNT_NAME # clusterName: "" # clusterName is the default context name in settings. # clusterAccountID: "" # Manually set Account property for assets # currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, IDR, INR, JPY, NOK, PLN, SEK # azureBillingRegion: US # Represents 2-letter region code, e.g. West Europe = NL, Canada = CA. 
ref: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes # azureSubscriptionID: 0bd50fdf-c923-4e1e-850c-196dd3dcc5d3 # azureClientID: f2ef6f7d-71fb-47c8-b766-8d63a19db017 # azureTenantID: 72faf3ff-7a3f-4597-b0d9-7b0b201bb23a # azureClientPassword: fake key # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName # azureOfferDurableID: "MS-AZR-0003p" # discount: "" # percentage discount applied to compute # negotiatedDiscount: "" # custom negotiated cloud provider discount # defaultIdle: false # serviceKeySecretName: "" # Use an existing AWS or Azure secret with format as in aws-service-key-secret.yaml or azure-service-key-secret.yaml. Leave blank if using createServiceKeySecret # createServiceKeySecret: true # Creates a secret representing your cloud service key based on data in values.yaml. If you are storing unencrypted values, add a secret manually # sharedNamespaces: "" # namespaces with shared workloads, example value: "kube-system\,ingress-nginx\,kubecost\,monitoring" # sharedOverhead: "" # value representing a fixed external cost per month to be distributed among aggregations. # shareTenancyCosts: true # enable or disable sharing costs such as cluster management fees (defaults to "true" on Settings page) # metricsConfigs: # configuration for metrics emitted by Kubecost # disabledMetrics: [] # list of metrics that Kubecost will not emit. Note that disabling metrics can lead to unexpected behavior in the cost-model. # productKey: # Apply enterprise product license # enabled: false # key: "" # secretname: productkeysecret # Reference an existing k8s secret created from a file named productkey.json of format { "key": "enterprise-key-here" }. If the secretname is specified, a configmap with the key will not be created. # mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) Declare the path at which the product key file is mounted (eg. by a secrets provisioner). 
The file must be of format { "key": "enterprise-key-here" }. # carbonEstimates: false # Enables Kubecost beta carbon estimation endpoints /assets/carbon and /allocations/carbon ## Specify an existing Kubernetes Secret holding the cloud integration information. This Secret must contain ## a key with name `cloud-integration.json` and the contents must be in a specific format. It is expected ## to exist in the release Namespace. This is mutually exclusive with cloudIntegrationJSON where only one must be defined. # cloudIntegrationSecret: "cloud-integration" ## Specify the cloud integration information in JSON form if pointing to an existing Secret is not desired or you'd rather ## define the cloud integration information directly in the values file. This will result in a new Secret being created ## named `cloud-integration` in the release Namespace. It is mutually exclusive with the cloudIntegrationSecret where only one must be defined. # cloudIntegrationJSON: |- # { # "aws": [ # { # "athenaBucketName": "s3://AWS_cloud_integration_athenaBucketName", # "athenaRegion": "AWS_cloud_integration_athenaRegion", # "athenaDatabase": "AWS_cloud_integration_athenaDatabase", # "athenaTable": "AWS_cloud_integration_athenaBucketName", # "projectID": "AWS_cloud_integration_athena_projectID", # "serviceKeyName": "AWS_cloud_integration_athena_serviceKeyName", # "serviceKeySecret": "AWS_cloud_integration_athena_serviceKeySecret" # } # ], # "azure": [ # { # "azureSubscriptionID": "my-subscription-id", # "azureStorageAccount": "my-storage-account", # "azureStorageAccessKey": "my-storage-access-key", # "azureStorageContainer": "my-storage-container" # } # ], # "gcp": [ # { # "projectID": "my-project-id", # "billingDataDataset": "detailedbilling.my-billing-dataset", # "key": { # "type": "service_account", # "project_id": "my-project-id", # "private_key_id": "my-private-key-id", # "private_key": "my-pem-encoded-private-key", # "client_email": 
"my-service-account-name@my-project-id.iam.gserviceaccount.com", # "client_id": "my-client-id", # "auth_uri": "auth-uri", # "token_uri": "token-uri", # "auth_provider_x509_cert_url": "my-x509-provider-cert", # "client_x509_cert_url": "my-x509-cert-url" # } # } # ] # } # ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior. # regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions # Explicit name of the ConfigMap to use for pricing overrides. If not set, a default will apply. # pricingConfigmapName: "" # -- Array of extra K8s manifests to deploy ## Note: Supports use of custom Helm templates extraObjects: [] # Cloud Billing Integration: # - apiVersion: v1 # kind: Secret # metadata: # name: cloud-integration # namespace: kubecost # type: Opaque # data: # cloud-integration.json: BASE64_SECRET # Istio: # - apiVersion: networking.istio.io/v1alpha3 # kind: VirtualService # metadata: # name: my-virtualservice # spec: # hosts: # - kubecost.myorg.com # gateways: # - my-gateway # http: # - route: # - destination: # host: kubecost.kubecost.svc.cluster.local # port: # number: 80