global:
  # zone: cluster.local (use only if your DNS server doesn't live in the same zone as kubecost)

  prometheus:
    enabled: true # If false, Prometheus will not be installed -- Warning: Before changing this setting, please read the following to understand it: https://docs.kubecost.com/install-and-configure/install/custom-prom
    fqdn: http://cost-analyzer-prometheus-server.default.svc # example address of a prometheus to connect to. Include protocol (http:// or https://). Ignored if enabled: true
    # insecureSkipVerify: false # If true, kubecost will not check the TLS cert of prometheus
    # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD
    # queryServiceBearerTokenSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN

  # Durable storage option, product key required
  thanos:
    enabled: false
    # queryService: http://kubecost-thanos-query-frontend-http.kubecost:{{ .Values.thanos.queryFrontend.http.port }} # an address of the thanos query-frontend endpoint, if different from installed thanos
    # queryServiceBasicAuthSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD <--- enter basic auth credentials like that
    # queryServiceBearerTokenSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN
    # queryOffset: 3h # The offset to apply to all thanos queries in order to achieve synchronization on all cluster block stores

  grafana:
    enabled: true # If false, Grafana will not be installed
    domainName: cost-analyzer-grafana.default.svc # example grafana domain. Ignored if enabled: true
    scheme: "http" # http or https, for the domain name above.
    proxy: true # If true, the kubecost frontend will route to your grafana through its service endpoint
    # fqdn: cost-analyzer-grafana.default.svc

  # Enable only when you are using GCP Marketplace ENT listing. Learn more at https://console.cloud.google.com/marketplace/product/kubecost-public/kubecost-ent
  gcpstore:
    enabled: false

  # Google Cloud Managed Service for Prometheus
  gmp:
    # Remember to set up these parameters when installing the Kubecost Helm chart with `global.gmp.enabled=true` if you want to use GMP self-deployed collection (Recommended) to utilize Kubecost scrape configs.
    # If enabling GMP, it is highly recommended to utilize Google's distribution of Prometheus.
    # Learn more at https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-unmanaged
    # --set prometheus.server.image.repository="gke.gcr.io/prometheus-engine/prometheus" \
    # --set prometheus.server.image.tag="v2.35.0-gmp.2-gke.0"
    enabled: false # If true, kubecost will be configured to use the GMP Prometheus image and query from Google Cloud Managed Service for Prometheus.
    prometheusServerEndpoint: http://localhost:8085/ # The prometheus service endpoint used by kubecost. The calls are forwarded through the GMP Prom proxy side car to the GMP database.
    gmpProxy:
      enabled: false
      image: gke.gcr.io/prometheus-engine/frontend:v0.4.1-gke.0 # GMP Prometheus proxy image that serves as an endpoint to query metrics from GMP
      imagePullPolicy: Always
      name: gmp-proxy
      port: 8085
      projectId: YOUR_PROJECT_ID # example GCP project ID
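  # Example (a minimal sketch, not a complete install command): to point Kubecost at an existing
  # Prometheus instead of the bundled one, the two global.prometheus values above are typically
  # set together. The release name, chart alias, and Prometheus address below are placeholders;
  # substitute your own.
  #
  #   helm upgrade --install kubecost kubecost/cost-analyzer -n kubecost \
  #     --set global.prometheus.enabled=false \
  #     --set global.prometheus.fqdn=http://my-prometheus-server.monitoring.svc:80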
  # Amazon Managed Service for Prometheus
  amp:
    enabled: false # If true, kubecost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
    prometheusServerEndpoint: https://localhost:8085/workspaces// # The prometheus service endpoint used by kubecost. The calls are forwarded through the SigV4Proxy side car to the AMP workspace.
    remoteWriteService: https://aps-workspaces.us-west-2.amazonaws.com/workspaces//api/v1/remote_write # The remote_write endpoint for the AMP workspace.
    sigv4:
      region: us-west-2
      # access_key: ACCESS_KEY # AWS Access key
      # secret_key: SECRET_KEY # AWS Secret key
      # role_arn: ROLE_ARN # AWS role arn
      # profile: PROFILE # AWS profile

  # Mimir Proxy to help Kubecost query metrics from multi-tenant Grafana Mimir.
  # Set `global.mimirProxy.enabled=true` and `global.prometheus.enabled=false` to enable Mimir Proxy.
  # You also need to set `global.prometheus.fqdn=http://kubecost-cost-analyzer-mimir-proxy.kubecost.svc:8085/prometheus`
  # or `global.prometheus.fqdn=http://{{ template "cost-analyzer.fullname" . }}-mimir-proxy.{{ .Release.Namespace }}.svc:8085/prometheus`
  # Learn more at https://grafana.com/docs/mimir/latest/operators-guide/secure/authentication-and-authorization/#without-an-authenticating-reverse-proxy
  mimirProxy:
    enabled: false
    name: mimir-proxy
    image: nginxinc/nginx-unprivileged
    port: 8085
    mimirEndpoint: $mimir_endpoint # Your Mimir query endpoint. If your Mimir query endpoint is http://example.com/prometheus, replace $mimir_endpoint with http://example.com/
    orgIdentifier: $your_tenant_ID # Your Grafana Mimir tenant ID
    # basicAuth:
    #   username: user
    #   password: pwd
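  # Example (a minimal sketch): the values that are typically set together to route Kubecost
  # queries through the Mimir proxy, per the comments above. The endpoint and tenant ID are
  # placeholders.
  #
  #   global:
  #     prometheus:
  #       enabled: false
  #       fqdn: http://kubecost-cost-analyzer-mimir-proxy.kubecost.svc:8085/prometheus
  #     mimirProxy:
  #       enabled: true
  #       mimirEndpoint: http://example.com/
  #       orgIdentifier: my-tenant-id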
  notifications:
    # Kubecost alerting configuration
    # Ref: http://docs.kubecost.com/alerts
    # alertConfigs:
    #   frontendUrl: http://localhost:9090 # optional, used for linkbacks
    #   globalSlackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Slack alerts
    #   globalMsTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Microsoft Teams alerts
    #   globalAlertEmails:
    #     - recipient@example.com
    #     - additionalRecipient@example.com
    #   globalEmailSubject: Custom Subject
    #   # Alerts generated by kubecost, about cluster data
    #   alerts:
    #     # Daily namespace budget alert on namespace `kubecost`
    #     - type: budget # supported: budget, recurringUpdate
    #       threshold: 50 # optional, required for budget alerts
    #       window: daily # or 1d
    #       aggregation: namespace
    #       filter: kubecost
    #       ownerContact: # optional, overrides globalAlertEmails default
    #         - owner@example.com
    #         - owner2@example.com
    #       # optional, used for alert-specific Slack and Microsoft Teams alerts
    #       slackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
    #       msTeamsWebhookUrl: https://xxxxx.webhook.office.com/webhookb2/XXXXXXXXXXXXXXXXXXXXXXXX/IncomingWebhook/XXXXXXXXXXXXXXXXXXXXXXXX
    #     # Daily cluster budget alert on cluster `cluster-one`
    #     - type: budget
    #       threshold: 200.8 # optional, required for budget alerts
    #       window: daily # or 1d
    #       aggregation: cluster
    #       filter: cluster-one # does not accept csv
    #     # Recurring weekly update (weeklyUpdate alert)
    #     - type: recurringUpdate
    #       window: weekly # or 7d
    #       aggregation: namespace
    #       filter: '*'
    #     # Recurring weekly namespace update on kubecost namespace
    #     - type: recurringUpdate
    #       window: weekly # or 7d
    #       aggregation: namespace
    #       filter: kubecost
    #     # Spend Change Alert
    #     - type: spendChange # change relative to moving avg
    #       relativeThreshold: 0.20 # Proportional change relative to baseline. Must be greater than -1 (can be negative)
    #       window: 1d # accepts 'd', 'h'
    #       baselineWindow: 30d # previous window, offset by window
    #       aggregation: namespace
    #       filter: kubecost, default # accepts csv
    #     # Health Score Alert
    #     - type: health # Alerts when the health score changes by a threshold
    #       window: 10m
    #       threshold: 5 # Send an alert if the health score changes by 5 or more
    #     # Kubecost Health Diagnostic
    #     - type: diagnostic # Alerts when kubecost is unable to compute costs, e.g. Prometheus unreachable
    #       window: 10m
    alertmanager: # Supply an alertmanager FQDN to receive notifications from the app.
      enabled: false # If true, allow kubecost to write to your alertmanager
      fqdn: http://cost-analyzer-prometheus-server.default.svc # example fqdn. Ignored if prometheus.enabled: true

  # Set saved Cost Allocation report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  savedReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Example Saved Report 0"
        window: "today"
        aggregateBy: "namespace"
        chartDisplay: "category"
        idle: "separate"
        rate: "cumulative"
        accumulate: false # daily resolution
        filters:
          - property: "cluster"
            value: "cluster-one,cluster*" # supports wildcard filtering and multiple comma separated values
          - property: "namespace"
            value: "kubecost"
      - title: "Example Saved Report 1"
        window: "month"
        aggregateBy: "controllerKind"
        chartDisplay: "category"
        idle: "share"
        rate: "monthly"
        accumulate: false
        filters:
          - property: "label"
            value: "app:cost*,environment:kube*"
          - property: "namespace"
            value: "kubecost"
      - title: "Example Saved Report 2"
        window: "2020-11-11T00:00:00Z,2020-12-09T23:59:59Z"
        aggregateBy: "service"
        chartDisplay: "category"
        idle: "hide"
        rate: "daily"
        accumulate: true # entire window resolution
        filters: [] # if no filters, specify empty array

  # Set saved Asset report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  assetReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Example Asset Report 0"
        window: "today"
        aggregateBy: "type"
        accumulate: false # daily resolution
        filters:
          - property: "cluster"
            value: "cluster-one"

  # Set saved Advanced report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  advancedReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Example Advanced Report 0"
        window: "7d"
        aggregateBy: "namespace"
        filters:
          - property: "cluster"
            value: "cluster-one"
        cloudBreakdown: "service"
        cloudJoin: "label:kubernetes_namespace"

  # Set saved Cloud Cost report(s) accessible from /reports
  # Ref: http://docs.kubecost.com/saved-reports
  cloudCostReports:
    enabled: false # If true, overwrites report parameters set through UI
    reports:
      - title: "Cloud Cost Report 0"
        window: "today"
        aggregateBy: "service"
        accumulate: false # daily resolution
        # filters:
        #   - property: "service"
        #     value: "service1" # corresponds to a value to filter cloud cost aggregate by service data on.
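  # Example (illustrative only; release name, repo alias, and file name are placeholders): saved
  # reports like the ones above are usually kept in a separate values file and applied with:
  #
  #   helm upgrade kubecost kubecost/cost-analyzer -n kubecost --reuse-values -f saved-reports-values.yaml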
  podAnnotations: {}
  # iam.amazonaws.com/role: role-arn
  additionalLabels: {}
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
    fsGroup: 1001
    runAsGroup: 1001
    runAsUser: 1001
    fsGroupChangePolicy: OnRootMismatch
  containerSecurityContext:
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

# generated at http://kubecost.com/install, used for alerts tracking and free trials
kubecostToken: # ""

# Advanced pipeline for custom prices, enterprise key required
pricingCsv:
  enabled: false
  location:
    provider: "AWS"
    region: "us-east-1"
    URI: s3://kc-csv-test/pricing_schema.csv # a valid file URI
    csvAccessCredentials: pricing-schema-access-secret

# SAML integration for user management and RBAC, enterprise key required
# Ref: https://github.com/kubecost/docs/blob/main/user-management.md
saml:
  enabled: false
  # secretName: "kubecost-authzero"
  # metadataSecretName: "kubecost-authzero-metadata" # One of metadataSecretName or idpMetadataURL must be set. Defaults to metadataURL if set
  # idpMetadataURL: "https://dev-elu2z98r.auth0.com/samlp/metadata/c6nY4M37rBP0qSO1IYIqBPPyIPxLS8v2"
  # appRootURL: "http://localhost:9090" # sample URL
  # authTimeout: 1440 # number of minutes the JWT will be valid
  # redirectURL: "https://dev-elu2z98r.auth0.com/v2/logout" # callback URL redirected to after logout
  # audienceURI: "http://localhost:9090" # by convention, the same as the appRootURL, but any string uniquely identifying kubecost to your SAML IdP. Optional if you follow the convention
  # nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" # if your SAML provider requires a specific nameid format
  # isGLUUProvider: false # An additional URL parameter must be appended for GLUU providers
  # encryptionCertSecret: "kubecost-saml-cert" # k8s secret where the x509 certificate used to encrypt an Okta saml response is stored
  # decryptionKeySecret: "kubecost-saml-decryption-key" # k8s secret where the private key associated with the encryptionCertSecret is stored
  rbac:
    enabled: false
    # groups:
    #   - name: admin
    #     enabled: false # if admin is disabled, all SAML users will be able to make configuration changes to the kubecost frontend
    #     assertionName: "http://schemas.auth0.com/userType" # a SAML Assertion, one of whose elements has a value that matches one of the values in assertionValues
    #     assertionValues:
    #       - "admin"
    #       - "superusers"
    #   - name: readonly
    #     enabled: false # if readonly is disabled, all users authorized on SAML will default to readonly
    #     assertionName: "http://schemas.auth0.com/userType"
    #     assertionValues:
    #       - "readonly"
    #   - name: editor
    #     enabled: true # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
    #     assertionName: "http://schemas.auth0.com/userType"
    #     assertionValues:
    #       - "editor"
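# Example (illustrative only): the secret name matches the commented metadataSecretName above,
# but the file name inside the secret is an assumption; follow the user-management doc linked
# above for the exact format your IdP requires.
#
#   kubectl create secret generic kubecost-authzero-metadata -n kubecost --from-file=metadata.xml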
oidc:
  enabled: false
  clientID: "" # application/client client_id parameter obtained from provider, used to make requests to server
  clientSecret: "" # application/client client_secret parameter obtained from provider, used to make requests to server
  # secretName: "kubecost-oidc-secret" # k8s secret where the client secret will be stored
  # For use to provide a custom OIDC Secret. Overrides the usage of oidc.clientSecret and oidc.secretName.
  # Should contain the field directly.
  # Can be created using raw k8s secrets, external secrets, sealed secrets, or any other method.
  existingCustomSecret:
    enabled: false
    name: "" # name of the secret containing the client secret
  # authURL: "https://my.auth.server/authorize" # endpoint for login to auth server
  # loginRedirectURL: "http://my.kubecost.url/model/oidc/authorize" # Kubecost url configured in provider for redirect after authentication
  # discoveryURL: "https://my.auth.server/.well-known/openid-configuration" # url for OIDC endpoint discovery
  skipOnlineTokenValidation: false # if true, will skip accessing the OIDC introspection endpoint for online token verification, and instead try to locally validate JWT claims
  # hostedDomain: "example.com" # optional, blocks access to the auth domain specified in the hd claim of the provider ID token
  rbac:
    enabled: false
    # groups:
    #   - name: admin
    #     enabled: false # if admin is disabled, all authenticated users will be able to make configuration changes to the kubecost frontend
    #     claimName: "roles" # Kubecost matches this string against the JWT's payload key containing RBAC info (this value is unique across identity providers)
    #     claimValues: # Kubecost matches these strings with the roles created in your identity provider
    #       - "admin"
    #       - "superusers"
    #   - name: readonly
    #     enabled: false # if readonly is disabled, all authenticated users will default to readonly
    #     claimName: "roles"
    #     claimValues:
    #       - "readonly"
    #   - name: editor
    #     enabled: false # if editor is enabled, editors will be allowed to edit reports/alerts scoped to them, and act as readers otherwise. Users will never default to editor.
    #     claimName: "roles"
    #     claimValues:
    #       - "editor"

## Adds the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables to all
## containers. Typically used in environments that have firewall rules which
## prevent kubecost from accessing cloud provider resources.
## Ref: https://www.oreilly.com/library/view/security-with-go/9781788627917/5ea6a02b-3d96-44b1-ad3c-6ab60fcbbe4f.xhtml
##
systemProxy:
  enabled: false
  httpProxyUrl: ""
  httpsProxyUrl: ""
  noProxy: ""

# imagePullSecrets:
#   - name: "image-pull-secret"

kubecostFrontend:
  enabled: true
  image: "gcr.io/kubecost1/frontend"
  imagePullPolicy: Always
  # extraEnv:
  #   - name: NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE
  #     value: "1"
  # securityContext:
  #   readOnlyRootFilesystem: true
  resources:
    requests:
      cpu: "10m"
      memory: "55Mi"
    # limits:
    #   cpu: "100m"
    #   memory: "256Mi"
  livenessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    failureThreshold: 200
  ipv6:
    enabled: true # disable if the cluster does not support ipv6
  # allow customizing nginx-conf server block
  # extraServerConfig: |-
  #   proxy_busy_buffers_size 512k;
  #   proxy_buffers 4 512k;
  #   proxy_buffer_size 256k;
  #   large_client_header_buffers 4 64k;
  # hideDiagnostics: false # used if the primary is not monitored. Supported in limited environments.
  # api:
  #   fqdn: kubecost-api.kubecost.svc.cluster.local:9001
  # model:
  #   fqdn: kubecost-model.kubecost.svc.cluster.local:9003
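# Example (illustrative only; the namespace and deployment name are the chart defaults and may
# differ in your install): the frontend above is most easily reached with a port-forward:
#
#   kubectl port-forward -n kubecost deployment/kubecost-cost-analyzer 9090
#   # then open http://localhost:9090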
# Kubecost Metrics deploys a separate pod which will emit kubernetes specific metrics required
# by the cost-model. This pod is designed to remain active and decoupled from the cost-model itself.
# However, disabling this service/pod deployment will flag the cost-model to emit the metrics instead.
kubecostMetrics:
  # emitPodAnnotations: false
  # emitNamespaceAnnotations: false
  # emitKsmV1Metrics: true # emit all KSM metrics in KSM v1.
  # emitKsmV1MetricsOnly: false # emit only the KSM metrics missing from KSM v2. Advanced users only.

  # Optional
  # The metrics exporter is a separate deployment and service (for prometheus scrape auto-discovery)
  # which emits metrics the cost-model relies on. Enabling this deployment also removes the KSM dependency
  # from the cost-model. If the deployment is not enabled, the metrics will continue to be emitted from
  # the cost-model.
  exporter:
    enabled: false
    port: 9005
    # Adds the default Prometheus scrape annotations to the metrics exporter service.
    # Set to false and use service.annotations (below) to set custom scrape annotations.
    prometheusScrape: true
    resources: {}
    # requests:
    #   cpu: "200m"
    #   memory: "55Mi"
    ## Node tolerations for server scheduling to nodes with taints
    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    tolerations: []
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
    affinity: {}
    service:
      annotations: {}
    # Service Monitor for Kubecost Metrics
    serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors.
      enabled: false
      additionalLabels: {}
      metricRelabelings: []
      relabelings: []
    ## PriorityClassName
    ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    priorityClassName: ""
    additionalLabels: {}
    nodeSelector: {}
    extraArgs: []

sigV4Proxy:
  image: public.ecr.aws/aws-observability/aws-sigv4-proxy:latest
  imagePullPolicy: Always
  name: aps
  port: 8005
  region: us-west-2 # The AWS region
  host: aps-workspaces.us-west-2.amazonaws.com # The hostname for AMP service.
  # role_arn: arn:aws:iam:::role/role-name # The AWS IAM role to assume.
  extraEnv: # Pass extra env variables to sigV4Proxy
  # - name: AWS_ACCESS_KEY_ID
  #   value:
  # - name: AWS_SECRET_ACCESS_KEY
  #   value:

kubecostModel:
  image: "gcr.io/kubecost1/cost-model"
  imagePullPolicy: Always
  # set to 'true' to utilize images on the public Quay repository
  # openSourceOnly: false
  # extraEnv:
  #   - name: SOME_VARIABLE
  #     value: "some_value"
  # securityContext:
  #   readOnlyRootFilesystem: true
  # Enables the emission of the kubecost_cloud_credit_total and
  # kubecost_cloud_expense_total metrics
  outOfClusterPromMetricsEnabled: false
  # Build local cost allocation cache
  warmCache: false
  # Build local savings cache
  warmSavingsCache: true
  # Run allocation ETL pipelines
  etl: true
  # Enable the ETL filestore backing storage
  etlFileStoreEnabled: true
  # The total number of days the ETL pipelines will build
  # Set to 0 to disable daily ETL (not recommended)
  etlDailyStoreDurationDays: 91
  # The total number of hours the ETL pipelines will build
  # Set to 0 to disable hourly ETL (not recommended)
  etlHourlyStoreDurationHours: 49
  # The total number of weeks the ETL pipelines will build
  # Set to 0 to disable weekly ETL (not recommended)
  # The default is 53 to ensure at least a year of coverage (371 days)
  etlWeeklyStoreDurationWeeks: 53
  # For deploying kubecost in a cluster that does not self-monitor
  etlReadOnlyMode: false
  ## Feature to view your out-of-cluster costs and their k8s utilization
  ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer
  cloudCost:
    enabled: true
    labelList:
      IsIncludeList: false
      # format labels as comma separated string (ex. "label1,label2,label3")
      labels: ""
    topNItems: 1000
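  # Example (illustrative only): once the allocation ETL above has built, allocation data can be
  # queried through the model API, e.g. with a port-forward to the service on 9090:
  #
  #   curl -G http://localhost:9090/model/allocation \
  #     --data-urlencode 'window=7d' --data-urlencode 'aggregate=namespace'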
  allocation:
    # Enables or disables adding node labels to allocation data (i.e. workloads).
    # Defaults to "true" and starts with a sensible includeList for basics like
    # topology (e.g. zone, region) and instance type labels.
    # nodeLabels:
    #   enabled: true
    #   includeList: "node.kubernetes.io/instance-type,topology.kubernetes.io/region,topology.kubernetes.io/zone"

    # Enables or disables the ContainerStats pipeline, used for quantile-based
    # queries like for request sizing recommendations.
    # ContainerStats provides support for quantile-based request right-sizing
    # recommendations.
    #
    # It is disabled by default to avoid problems in extremely high-scale Thanos
    # environments. If you would like to try quantile-based request-sizing
    # recommendations, enable this! If you are in a high-scale environment,
    # please monitor Kubecost logs, Thanos query logs, and Thanos load closely.
    # We hope to make major improvements at scale here soon!
    #
    # containerStatsEnabled: false

  # max number of concurrent Prometheus queries
  maxQueryConcurrency: 5
  resources:
    requests:
      cpu: "200m"
      memory: "55Mi"
    # limits:
    #   cpu: "800m"
    #   memory: "256Mi"
  livenessProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    failureThreshold: 200
  extraArgs: []
  # creates an ingress directly to the model container, for API access
  ingress:
    enabled: false
    # className: nginx
    labels:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    paths: ["/"]
    pathType: ImplementationSpecific
    hosts:
      - cost-analyzer-model.local
    tls: []
    # - secretName: cost-analyzer-model-tls
    #   hosts:
    #     - cost-analyzer-model.local

# etlUtils is a utility currently used by Kubecost internal support to implement specific functionality related to Thanos conversion.
etlUtils:
  enabled: false
  fullImageName: null
  resources: {}
  env: {}
  nodeSelector: {}
  tolerations: {}
  affinity: {}

# Basic Kubecost ingress, more examples available at https://github.com/kubecost/docs/blob/main/ingress-examples.md
ingress:
  enabled: false
  # className: nginx
  labels:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  annotations:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  paths: ["/"] # There's no need to route specifically to the pods -- we have an nginx deployed that handles routing
  pathType: ImplementationSpecific
  hosts:
    - cost-analyzer.local
  tls: []
  # - secretName: cost-analyzer-tls
  #   hosts:
  #     - cost-analyzer.local

nodeSelector: {}

tolerations: []
# - key: "key"
#   operator: "Equal|Exists"
#   value: "value"
#   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

affinity: {}

# If true, creates a PriorityClass to be used by the cost-analyzer pod
priority:
  enabled: false
  name: "" # Provide name of existing priority class only. If left blank, upstream chart will create one from default template.
  # value: 1000000
# If true, enable creation of NetworkPolicy resources.
networkPolicy:
  enabled: false
  denyEgress: true # create a network policy that denies egress from kubecost
  sameNamespace: true # Set to true if cost analyzer and prometheus are on the same namespace
  # namespace: kubecost # Namespace where prometheus is installed

  # Cost-analyzer specific vars using the new template
  costAnalyzer:
    enabled: false # If true, create a network policy for cost-analyzer
    annotations: {} # annotations to be added to the network policy
    additionalLabels: {} # additional labels to be added to the network policy
    # Examples rules:
    # ingressRules:
    #   - selectors: # allow ingress from self on all ports
    #       - podSelector:
    #           matchLabels:
    #             app.kubernetes.io/name: cost-analyzer
    #   - selectors: # allow egress access to prometheus
    #       - namespaceSelector:
    #           matchLabels:
    #             name: prometheus
    #         podSelector:
    #           matchLabels:
    #             app: prometheus
    #     ports:
    #       - protocol: TCP
    #         port: 9090
    # egressRules:
    #   - selectors: # restrict egress to inside cluster
    #       - namespaceSelector: {}

podSecurityPolicy:
  enabled: false

## @param extraVolumes A list of volumes to be added to the pod
##
extraVolumes: []
## @param extraVolumeMounts A list of volume mounts to be added to the pod
##
extraVolumeMounts: []

# Define persistence volume for cost-analyzer, more information at https://github.com/kubecost/docs/blob/main/storage.md
persistentVolume:
  size: 32Gi
  dbSize: 32.0Gi
  enabled: true # Note that setting this to false means configurations will be wiped out on pod restart.
  # storageClass: "-" #
  # existingClaim: kubecost-cost-analyzer # a claim in the same namespace as kubecost
  labels: {}
  annotations: {}

service:
  type: ClusterIP
  port: 9090
  targetPort: 9090
  # nodePort:
  labels: {}
  annotations: {}

# Enabling long-term durable storage with Postgres requires an enterprise license
remoteWrite:
  postgres:
    enabled: false
    initImage: "gcr.io/kubecost1/sql-init"
    initImagePullPolicy: Always
    installLocal: true
    remotePostgresAddress: "" # ignored if installing locally
    ## PriorityClassName
    ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    priorityClassName: ""
    persistentVolume:
      size: 200Gi
    auth:
      password: admin # change me

prometheus:
  podSecurityPolicy:
    enabled: false
  extraScrapeConfigs: |
    - job_name: kubecost
      honor_labels: true
      scrape_interval: 1m
      scrape_timeout: 60s
      metrics_path: /metrics
      scheme: http
      dns_sd_configs:
        - names:
            - {{ template "cost-analyzer.serviceName" . }}
          type: 'A'
          port: 9003
    - job_name: kubecost-networking
      kubernetes_sd_configs:
        - role: pod
      relabel_configs:
        # Scrape only the targets matching the following metadata
        - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance]
          action: keep
          regex: kubecost
        - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
          action: keep
          regex: network-costs
  server:
    # If clusterIDConfigmap is defined, instead use a user-generated configmap with key CLUSTER_ID
    # to use as the unique cluster ID in the kubecost cost-analyzer deployment.
    # This overrides the cluster_id set in prometheus.server.global.external_labels.
    # NOTE: This does not affect the external_labels set in prometheus config.
    # clusterIDConfigmap: cluster-id-configmap
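    # Example (illustrative only; the configmap name matches the commented value above, the
    # namespace and cluster ID are placeholders):
    #
    #   kubectl create configmap cluster-id-configmap -n kubecost --from-literal=CLUSTER_ID=my-cluster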
    resources: {}
    # limits:
    #   cpu: 500m
    #   memory: 512Mi
    # requests:
    #   cpu: 500m
    #   memory: 512Mi
    global:
      scrape_interval: 1m
      scrape_timeout: 60s
      evaluation_interval: 1m
      external_labels:
        cluster_id: cluster-one # Each cluster should have a unique ID
    persistentVolume:
      size: 32Gi
      enabled: true
    extraArgs:
      query.max-concurrency: 1
      query.max-samples: 100000000
    tolerations: []
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
    # retention: 50h # This must be greater than or equal to etlHourlyStoreDurationHours
    # retentionSize: should be significantly greater than the storage used in the number of hours set in etlHourlyStoreDurationHours

  alertmanager:
    enabled: false
    persistentVolume:
      enabled: true

  # node-exporter must be disabled if there is an existing daemonset: https://guide.kubecost.com/hc/en-us/articles/4407601830679-Troubleshoot-Install#a-name-node-exporter-a-issue-failedscheduling-kubecost-prometheus-node-exporter
  nodeExporter:
    enabled: true

  ## Default disabled since Kubecost already emits KSMv1 metrics.
  ## Ref: https://docs.kubecost.com/architecture/ksm-metrics
  kubeStateMetrics:
    enabled: false
  kube-state-metrics:
    disabled: true

  pushgateway:
    enabled: false
    persistentVolume:
      enabled: true

  serverFiles:
    # prometheus.yml: # Sample block -- enable if using an in cluster durable store.
    #   remote_write:
    #     - url: "http://pgprometheus-adapter:9201/write"
    #       write_relabel_configs:
    #         - source_labels: [__name__]
    #           regex: 'container_.*_allocation|container_.*_allocation_bytes|.*_hourly_cost|kube_pod_container_resource_requests{resource="memory", unit="byte"}|container_memory_working_set_bytes|kube_pod_container_resource_requests{resource="cpu", unit="core"}|kube_pod_container_resource_requests|pod_pvc_allocation|kube_namespace_labels|kube_pod_labels'
    #           action: keep
    #       queue_config:
    #         max_samples_per_send: 1000
    #   remote_read:
    #     - url: "http://pgprometheus-adapter:9201/read"
    rules:
      groups:
        - name: CPU
          rules:
            - expr: sum(rate(container_cpu_usage_seconds_total{container!=""}[5m]))
              record: cluster:cpu_usage:rate5m
            - expr: rate(container_cpu_usage_seconds_total{container!=""}[5m])
              record: cluster:cpu_usage_nosum:rate5m
            - expr: avg(irate(container_cpu_usage_seconds_total{container!="POD", container!=""}[5m])) by (container,pod,namespace)
              record: kubecost_container_cpu_usage_irate
            - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""}) by (container,pod,namespace)
              record: kubecost_container_memory_working_set_bytes
            - expr: sum(container_memory_working_set_bytes{container!="POD",container!=""})
              record: kubecost_cluster_memory_working_set_bytes
        - name: Savings
          rules:
            - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod))
              record: kubecost_savings_cpu_allocation
              labels:
                daemonset: "false"
            - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_cpu_allocation) by (pod)) / sum(kube_node_info)
              record: kubecost_savings_cpu_allocation
              labels:
                daemonset: "true"
            - expr: sum(avg(kube_pod_owner{owner_kind!="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod))
              record: kubecost_savings_memory_allocation_bytes
              labels:
                daemonset: "false"
            - expr: sum(avg(kube_pod_owner{owner_kind="DaemonSet"}) by (pod) * sum(container_memory_allocation_bytes) by (pod)) / sum(kube_node_info)
              record: kubecost_savings_memory_allocation_bytes
              labels:
                daemonset: "true"
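  # Example (a minimal sketch; release and repo names are placeholders): if
  # kubecostModel.etlHourlyStoreDurationHours above is raised, the bundled Prometheus retention
  # should be raised with it, per the retention comment under prometheus.server, e.g.:
  #
  #   helm upgrade kubecost kubecost/cost-analyzer -n kubecost --reuse-values \
  #     --set prometheus.server.retention=50h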
## Module for measuring network costs
## Ref: https://github.com/kubecost/docs/blob/main/network-allocation.md
networkCosts:
  enabled: false
  podSecurityPolicy:
    enabled: false
  image: gcr.io/kubecost1/kubecost-network-costs:v0.17.1
  imagePullPolicy: Always
  updateStrategy:
    type: RollingUpdate
  # For existing Prometheus installs, annotates the Service which generates Endpoints for each of the network-costs pods.
  # The Service is annotated with prometheus.io/scrape: "true" to automatically get picked up by the prometheus config.
  # NOTE: Setting this option to true and leaving the above extraScrapeConfig "job_name: kubecost-networking" configured will cause the
  # NOTE: pods to be scraped twice.
  prometheusScrape: false
  # Traffic Logging will enable logging the top 5 destinations for each source
  # every 30 minutes.
  trafficLogging: true
  # Port will set both the containerPort and hostPort to this value.
  # These must be identical due to network-costs being run on hostNetwork
  port: 3001
  # this daemonset can use significant resources on large clusters: https://guide.kubecost.com/hc/en-us/articles/4407595973527-Network-Traffic-Cost-Allocation
  resources:
    limits: # remove the limits by setting cpu: null
      cpu: 500m # can be less, will depend on cluster size
      # memory: it is not recommended to set a memory limit
    requests:
      cpu: 50m
      memory: 20Mi
  extraArgs: []
  config:
    # Configuration for traffic destinations, including specific classification
    # for IPs and CIDR blocks. This configuration will act as an override to the
    # automatic classification provided by network-costs.
    destinations:
      # In Zone contains a list of address/range that will be
      # classified as in zone.
      in-zone:
        # Loopback Addresses in "IANA IPv4 Special-Purpose Address Registry"
        - "127.0.0.0/8"
        # IPv4 Link Local Address Space
        - "169.254.0.0/16"
        # Private Address Ranges in RFC-1918
        - "10.0.0.0/8" # Remove this entry if using Multi-AZ Kubernetes
        - "172.16.0.0/12"
        - "192.168.0.0/16"
      # In Region contains a list of address/range that will be
      # classified as in region. This is synonymous with cross
      # zone traffic, where the regions between source and destinations
      # are the same, but the zone is different.
      in-region: []
      # Cross Region contains a list of address/range that will be
      # classified as non-internet egress from one region to another.
      cross-region: []
      # Internet contains a list of address/range that will be
      # classified as internet traffic. This is synonymous with traffic
      # that cannot be classified within the cluster.
      # NOTE: Internet classification filters are executed _after_
      # NOTE: direct-classification, but before in-zone, in-region,
      # NOTE: and cross-region.
      internet: []
      # Direct Classification specifically maps an ip address or range
      # to a region (required) and/or zone (optional). This classification
      # takes priority over in-zone, in-region, and cross-region configurations.
      direct-classification: []
      # - region: "us-east1"
      #   zone: "us-east1-c"
      #   ips:
      #     - "10.0.0.0/24"
    services:
      # google-cloud-services: when set to true, enables labeling traffic metrics with google cloud
      # service endpoints
      google-cloud-services: false
      # amazon-web-services: when set to true, enables labeling traffic metrics with amazon web service
      # endpoints.
      amazon-web-services: false
      # azure-cloud-services: when set to true, enables labeling traffic metrics with azure cloud service
      # endpoints
      azure-cloud-services: false
      # user defined services provide a way to define custom service endpoints which will label traffic metrics
      # falling within the defined address range.
      # services:
      #   - service: "test-service-1"
      #     ips:
      #       - "19.1.1.2"
      #   - service: "test-service-2"
      #     ips:
      #       - "15.128.15.2"
      #       - "20.0.0.0/8"
  ## Node tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  tolerations: []
  # - key: "key"
  #   operator: "Equal|Exists"
  #   value: "value"
  #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  affinity: {}
  service:
    annotations: {}
    labels: {}
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  ## PodMonitor
  ## Allows scraping of network metrics from a dedicated prometheus operator setup
  podMonitor:
    enabled: false
    additionalLabels: {}
  # match the default extraScrapeConfig
  additionalLabels: {}
  nodeSelector: {}
  annotations: {}
  healthCheckProbes: {}
  # readinessProbe:
  #   tcpSocket:
  #     port: 3001
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   failureThreshold: 5
  # livenessProbe:
  #   tcpSocket:
  #     port: 3001
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   failureThreshold: 5
  additionalSecurityContext: {}
  # readOnlyRootFilesystem: true

## Kubecost Deployment Configuration
## Used for HA mode in Business & Enterprise tier
##
kubecostDeployment:
  # Instead of a kubecost-analyzer Deployment, you can run it as a StatefulSet, e.g. for volumeClaimTemplates usage and truly stateful behavior
  statefulSet:
    enabled: false
  replicas: 1
  leaderFollower:
    enabled: false
  # deploymentStrategy:
  #   rollingUpdate:
  #     maxSurge: 1
  #     maxUnavailable: 1
  #   type: RollingUpdate
  labels: {}
  annotations: {}

## QueryServiceReplicas
## Ref: https://docs.kubecost.com/install-and-configure/advanced-configuration/query-service-replicas
##
queryServiceReplicas: 0
queryService:
  securityContext:
    runAsGroup: 1001
    runAsUser: 1001
    fsGroup: 1001
    fsGroupChangePolicy: OnRootMismatch
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: true
    readOnlyRootFilesystem: false
    capabilities:
      drop:
        - ALL
  resources:
    requests:
      ## You can use the Kubecost savings report for 'Right-size your
      ## container requests' to determine the recommended resource requests
      ## once the pod has run for 24 hours.
      cpu: 1000m
      memory: 500Mi
  ## default storage class
  storageClass: ""
  databaseVolumeSize: 100Gi
  configVolumeSize: 1Gi
  initImage: {}
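## Example (an illustrative sketch only): HA/leader-follower mode is a Business & Enterprise
## feature per the comment above and requires durable storage per the linked docs; the values
## typically paired are:
##
##   kubecostDeployment:
##     replicas: 2
##     leaderFollower:
##       enabled: true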
## The Kubecost Aggregator is a high scale implementation of Kubecost intended
## for large datasets and/or high query load. At present, this should only be
## enabled when recommended by Kubecost staff.
##
kubecostAggregator:
  enabled: false
  replicas: 1
  ## Creates a new pod to retrieve CloudCost data. By default it uses the same
  ## serviceaccount as the cost-analyzer pod. A custom serviceaccount can be
  ## specified.
  cloudCost:
    enabled: false
    # serviceAccountName:
  jaeger:
    enabled: false
    image: jaegertracing/all-in-one
    imageVersion: latest
    # containerSecurityContext:
  # fullImageName:
  resources: {}
  env:
    "LOG_LEVEL": "info"
  persistentConfigsStorage:
    # default storage class
    storageClass: ""
    storageRequest: 1Gi
  aggregatorStorage:
    # default storage class
    storageClass: ""
    storageRequest: 20Gi
  aggregatorDbStorage:
    # default storage class
    storageClass: ""
    storageRequest: 128Gi
  # securityContext:
  #   runAsGroup: 1001
  #   runAsUser: 1001
  #   fsGroup: 1001
  #   fsGroupChangePolicy: OnRootMismatch
  #   seccompProfile:
  #     type: RuntimeDefault
  #   runAsNonRoot: true
  # containerSecurityContext:
  #   allowPrivilegeEscalation: false
  #   readOnlyRootFilesystem: true
  #   runAsNonRoot: true
  #   seccompProfile:
  #     type: RuntimeDefault
  #   capabilities:
  #     drop:
  #       - ALL

# Kubecost Cluster Controller for Right Sizing and Cluster Turndown
clusterController:
  enabled: false
  image: gcr.io/kubecost1/cluster-controller:v0.12.0
  imagePullPolicy: Always
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""
  kubescaler:
    # If true, will cause all (supported) workloads to have their requests
    # automatically right-sized on a regular basis.
    defaultResizeAll: false
  # fqdn: kubecost-cluster-controller.kubecost.svc.cluster.local:9731
  namespaceTurndown:
    rbac:
      enabled: true

reporting:
  # Kubecost bug report feature: Logs access/collection limited to .Release.Namespace
  # Ref: http://docs.kubecost.com/bug-report
  logCollection: true
  # Basic frontend analytics
  productAnalytics: true
  # Report Javascript errors
  errorReporting: true
  valuesReporting: true
  # googleAnalyticsTag allows you to embed your Google Global Site Tag to track usage of Kubecost.
  # googleAnalyticsTag is only included in our Enterprise offering.
  # googleAnalyticsTag: G-XXXXXXXXX

serviceMonitor: # the kubecost included prometheus uses scrapeConfigs and does not support service monitors. The following options assume an existing prometheus that supports serviceMonitors.
  enabled: false
  additionalLabels: {}
  metricRelabelings: []
  relabelings: []
  networkCosts:
    enabled: false
    scrapeTimeout: 10s
    additionalLabels: {}
    metricRelabelings: []
    relabelings: []

prometheusRule:
  enabled: false
  additionalLabels: {}

supportNFS: false
# initChownDataImage ensures all Kubecost filepath permissions on PV or local storage are set up correctly.
initChownDataImage: "busybox" # Supports a fully qualified Docker image, e.g. registry.hub.docker.com/library/busybox:latest
initChownData:
  resources: {}
  # requests:
  #   cpu: "50m"
  #   memory: "20Mi"

grafana:
  # namespace_datasources: kubecost # override the default namespace here
  # namespace_dashboards: kubecost # override the default namespace here
  rbac:
    # Manage the Grafana Pod Security Policy
    pspEnabled: false
  # datasources:
  #   datasources.yaml:
  #     apiVersion: 1
  #     datasources:
  #       - name: prometheus-kubecost
  #         type: prometheus
  #         url: http://kubecost-prometheus-server.kubecost.svc.cluster.local
  #         access: proxy
  #         isDefault: false
  #         jsonData:
  #           httpMethod: POST
  #           prometheusType: Prometheus
  #           prometheusVersion: 2.35.0
  #           timeInterval: 1m
  sidecar:
    dashboards:
      enabled: true
      # label that the configmaps with dashboards are marked with
      label: grafana_dashboard
      # set sidecar ERROR_THROTTLE_SLEEP env var from default 5s to 0s -> fixes https://github.com/kubecost/cost-analyzer-helm-chart/issues/877
      annotations: {}
      error_throttle_sleep: 0
    datasources:
      # dataSourceFilename: foo.yml # If you need to change the name of the datasource file
      enabled: false
      error_throttle_sleep: 0
  # For grafana to be accessible, add the path to root_url. For example, if you run kubecost at www.foo.com:9090/kubecost
  # set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana". No change is necessary here if kubecost runs at a root URL
  grafana.ini:
    server:
      serve_from_sub_path: true
      root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana"

serviceAccount:
  create: true # Set this to false if you're bringing your own service account.
  annotations: {}
  # name: kc-test

awsstore:
  useAwsStore: false
  createServiceAccount: false
  ## PriorityClassName
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  priorityClassName: ""

## Federated ETL Architecture
## Ref: https://docs.kubecost.com/install-and-configure/install/multi-cluster/federated-etl
##
federatedETL:
  ## If true, push ETL data to the federated storage bucket
  federatedCluster: false
  ## If true, load ETL data from the combined storage bucket to display data
  ## from all monitored clusters. Note, if this is your first time setting up
  ## Federated ETL, ensure you see federated ETL data in combined storage before
  ## setting this config to true.
  primaryCluster: false
  ## If true, changes the dir of S3 backup to the Federated combined store.
  ## Commonly used when transitioning from Thanos to Federated ETL architecture.
  redirectS3Backup: false
  ## If true, will query metrics from a central PromQL DB (e.g. Amazon Managed
  ## Prometheus)
  useMultiClusterDB: false
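  ## Example (a minimal sketch of the flags above): secondary clusters typically push ETL data
  ## with `federatedCluster: true`, while the primary additionally sets `primaryCluster: true`.
  ## Object-store credentials are supplied separately; follow the Ref link at the top of this
  ## block for the bucket/secret setup, which is not shown here.
  ##
  ##   federatedETL:
  ##     federatedCluster: true
  ##     primaryCluster: false   # true only on the primary cluster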
  ## The Federator is responsible for combining each cluster's ETL files located
  ## in the federated storage bucket, and placing results in the combined
  ## storage bucket.
  federator:
    enabled: false
    ## Optional. Used when reconciliation is expected to occur on the Primary.
    # primaryClusterID: "cluster_id"
    ## Optional. Allowlist of which cluster_ids to federate. If not set, the
    ## federator will attempt to federate all clusters pushing to the federated
    ## storage.
    clusters: []
    ## Optional. An RFC 3339-formatted string. All ETL files with windows that
    ## fall before this time are not processed by the Federator. If this is not
    ## set, the Federator will process all files regardless of date.
    # federationCutoffDate: "2022-10-18T00:00:00.000Z"
    ## Optional. You can use the Kubecost savings report for 'Right-size your
    ## container requests' to determine the recommended resource requests once
    ## the pod has run for 24 hours.
    resources: {}
    # requests:
    #   cpu: 100m
    #   memory: 500Mi

## Kubecost Admission Controller (beta feature)
## To use this feature, ensure you have run the `create-admission-controller.sh`
## script. This generates a k8s secret with TLS keys/certificates and a
## corresponding CA bundle.
##
kubecostAdmissionController:
  enabled: false
  secretName: webhook-server-tls
  caBundle: ${CA_BUNDLE}

# Enables or disables the Cost Event Audit pipeline, which tracks recent changes at cluster level
# and provides an estimated cost impact via the Kubecost Predict API.
#
# It is disabled by default to avoid problems in high-scale environments.
costEventsAudit:
  enabled: false

## Disable updates to kubecost from the frontend UI and via POST request
##
# readonly: false

# These configs can also be set from the Settings page in the Kubecost product UI
# Values in this block override config changes in the Settings UI on pod restart
#
# kubecostProductConfigs:
#   # An optional list of cluster definitions that can be added for frontend access. The local
#   # cluster is *always* included by default, so this list is for non-local clusters.
#   # Ref: https://github.com/kubecost/docs/blob/main/multi-cluster.md
#   clusters:
#     - name: "Cluster A"
#       address: http://cluster-a.kubecost.com:9090
#       # Optional authentication credentials - only basic auth is currently supported.
#       auth:
#         type: basic
#         # Secret name should be a secret formatted based on: https://github.com/kubecost/docs/blob/main/ingress-examples.md
#         secretName: cluster-a-auth
#         # Or pass auth directly as base64 encoded user:pass
#         data: YWRtaW46YWRtaW4=
#         # Or user and pass directly
#         user: admin
#         pass: admin
#     - name: "Cluster B"
#       address: http://cluster-b.kubecost.com:9090
#   defaultModelPricing: # default monthly resource prices, used predominantly for on-prem clusters. Use quotes if setting "0.00" for any item.
#     CPU: 28.0
#     spotCPU: 4.86
#     RAM: 3.09
#     spotRAM: 0.65
#     GPU: 693.50
#     spotGPU: 225.0
#     storage: 0.04
#     zoneNetworkEgress: 0.01
#     regionNetworkEgress: 0.01
#     internetNetworkEgress: 0.12
#     enabled: true
#   # The cluster profile represents a predefined set of parameters to use when calculating savings.
#   # Possible values are: [ development, production, high-availability ]
#   clusterProfile: production
#   customPricesEnabled: false # This makes the default view custom prices -- generally used for on-premises clusters
#   spotLabel: lifecycle
#   spotLabelValue: Ec2Spot
#   gpuLabel: gpu
#   gpuLabelValue: true
#   awsServiceKeyName: ACCESSKEYID
#   awsServiceKeyPassword: fakepassword # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName
#   awsSpotDataRegion: us-east-1
#   awsSpotDataBucket: spot-data-feed-s3-bucket
#   awsSpotDataPrefix: dev
#   athenaProjectID: "530337586277" # The AWS AccountID where the Athena CUR is. Generally your master payer account
#   athenaBucketName: "s3://aws-athena-query-results-530337586277-us-east-1"
#   athenaRegion: us-east-1
#   athenaDatabase: athenacurcfn_athena_test1
#   athenaTable: "athena_test1"
#   athenaWorkgroup: "primary" # The default workgroup in AWS is 'primary'
#   masterPayerARN: ""
#   projectID: "123456789" # Also known as AccountID on AWS -- the current account/project that this instance of Kubecost is deployed on.
#   gcpSecretName: gcp-secret # Name of a secret representing the gcp service key
#   gcpSecretKeyName: compute-viewer-kubecost-key.json # Name of the secret's key containing the gcp service key
#   bigQueryBillingDataDataset: billing_data.gcp_billing_export_v1_01AC9F_74CF1D_5565A2
#   labelMappingConfigs: # names of k8s labels or annotations used to designate different allocation concepts
#     enabled: true
#     owner_label: "owner"
#     team_label: "team"
#     department_label: "dept"
#     product_label: "product"
#     environment_label: "env"
#     namespace_external_label: "kubernetes_namespace" # external labels/tags are used to map external cloud costs to kubernetes concepts
#     cluster_external_label: "kubernetes_cluster"
#     controller_external_label: "kubernetes_controller"
#     product_external_label: "kubernetes_label_app"
#     service_external_label: "kubernetes_service"
#     deployment_external_label: "kubernetes_deployment"
#     owner_external_label: "kubernetes_label_owner"
#     team_external_label: "kubernetes_label_team"
#     environment_external_label: "kubernetes_label_env"
#     department_external_label: "kubernetes_label_department"
#     statefulset_external_label: "kubernetes_statefulset"
#     daemonset_external_label: "kubernetes_daemonset"
#     pod_external_label: "kubernetes_pod"
#   grafanaURL: ""
#   clusterName: "" # clusterName is the default context name in settings.
#   clusterAccountID: "" # Manually set Account property for assets
#   currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, IDR, INR, JPY, NOK, PLN, SEK
#   azureBillingRegion: US # Represents 2-letter region code, e.g. West Europe = NL, Canada = CA. ref: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
#   azureSubscriptionID: 0bd50fdf-c923-4e1e-850c-196dd3dcc5d3
#   azureClientID: f2ef6f7d-71fb-47c8-b766-8d63a19db017
#   azureTenantID: 72faf3ff-7a3f-4597-b0d9-7b0b201bb23a
#   azureClientPassword: fake key # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName
#   azureOfferDurableID: "MS-AZR-0003p"
#   discount: "" # percentage discount applied to compute
#   negotiatedDiscount: "" # custom negotiated cloud provider discount
#   defaultIdle: false
#   serviceKeySecretName: "" # Use an existing AWS or Azure secret with format as in aws-service-key-secret.yaml or azure-service-key-secret.yaml. Leave blank if using createServiceKeySecret
#   createServiceKeySecret: true # Creates a secret representing your cloud service key based on data in values.yaml. If you are storing unencrypted values, add a secret manually
#   sharedNamespaces: "" # namespaces with shared workloads, example value: "kube-system\,ingress-nginx\,kubecost\,monitoring"
#   sharedOverhead: "" # value representing a fixed external cost per month to be distributed among aggregations.
#   shareTenancyCosts: true # enable or disable sharing costs such as cluster management fees (defaults to "true" on Settings page)
#   metricsConfigs: # configuration for metrics emitted by Kubecost
#     disabledMetrics: [] # list of metrics that Kubecost will not emit. Note that disabling metrics can lead to unexpected behavior in the cost-model.
#   productKey: # apply business or enterprise product license
#     key: ""
#     enabled: false
#     secretname: productkeysecret # create a secret out of a file named productkey.json of format { "key": "kc-b1325234" }. If the secretname is specified, a configmap with the key will not be created
#     mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) declare the path at which the product key file is mounted (e.g. by a secrets provisioner). The file must be of format { "key": "kc-b1325234" }
#   cloudIntegrationSecret: "cloud-integration"
#   ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior.
#   regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions

# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
extraObjects: []
# Cloud Billing Integration:
# - apiVersion: v1
#   kind: Secret
#   metadata:
#     name: cloud-integration
#     namespace: kubecost
#   type: Opaque
#   data:
#     cloud-integration.json: BASE64_SECRET
# Istio:
# - apiVersion: networking.istio.io/v1alpha3
#   kind: VirtualService
#   metadata:
#     name: my-virtualservice
#   spec:
#     hosts:
#       - kubecost.myorg.com
#     gateways:
#       - my-gateway
#     http:
#       - route:
#           - destination:
#               host: kubecost.kubecost.svc.cluster.local
#               port:
#                 number: 80