Skip to content

Amazon EKS 监控和日志记录测验

本测验测试你对 Amazon EKS 监控和日志记录功能、工具以及最佳实践的理解。

测验概览

  • EKS Cluster 监控
  • Container 和 Application 日志记录
  • Performance Metrics 收集与分析
  • Alerting 和异常检测
  • 监控和日志记录架构
  • 最佳实践和工具

选择题

1. 为 Amazon EKS cluster 构建全面监控解决方案的最有效方法是什么?

A. 仅使用 CloudWatch B. 仅使用 Prometheus 和 Grafana C. 集成使用 CloudWatch、Prometheus、Grafana 和 X-Ray D. 编写自定义监控脚本

查看答案

答案:C. 集成使用 CloudWatch、Prometheus、Grafana 和 X-Ray

解释: 为 Amazon EKS cluster 构建全面监控解决方案的最有效方法是集成 CloudWatch、Prometheus、Grafana 和 X-Ray。这种集成方法可在基础设施、cluster、application 和分布式追踪层面提供完整可见性。

集成监控解决方案的主要优势:

  1. 多层监控

    • AWS 基础设施级 metrics (CloudWatch)
    • Kubernetes cluster 级 metrics (Prometheus)
    • Application 级 metrics (CloudWatch, Prometheus)
    • 分布式追踪 (X-Ray)
  2. 全面的数据收集

    • System metrics (CPU, memory, disk, network)
    • Kubernetes resource metrics (pods, nodes, controllers)
    • 自定义 application metrics
    • 分布式 Service transaction tracing
  3. 灵活的可视化和分析

    • 预配置 dashboard (CloudWatch, Grafana)
    • 自定义 dashboard (Grafana)
    • 高级查询和 alert (PromQL, CloudWatch Alarms)
    • Service map 和 trace analysis (X-Ray)

实施方法:

  1. 设置 CloudWatch Container Insights

    bash
    # Install CloudWatch agent
    kubectl apply -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/quickstart/cwagent-fluentd-quickstart.yaml
  2. 安装 Prometheus 和 Grafana

    bash
    # Create Prometheus namespace
    kubectl create namespace prometheus
    
    # Install Prometheus using Helm
    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
    helm install prometheus prometheus-community/prometheus \
      --namespace prometheus \
      --set alertmanager.persistentVolume.storageClass="gp2" \
      --set server.persistentVolume.storageClass="gp2"
    
    # Install Grafana
    helm repo add grafana https://grafana.github.io/helm-charts
    helm install grafana grafana/grafana \
      --namespace prometheus \
      --set persistence.storageClassName="gp2" \
      --set persistence.enabled=true \
      --set adminPassword='EKS!sAWSome' \
      --set datasources."datasources\\.yaml".apiVersion=1 \
      --set datasources."datasources\\.yaml".datasources[0].name=Prometheus \
      --set datasources."datasources\\.yaml".datasources[0].type=prometheus \
      --set datasources."datasources\\.yaml".datasources[0].url=http://prometheus-server.prometheus.svc.cluster.local \
      --set datasources."datasources\\.yaml".datasources[0].access=proxy \
      --set datasources."datasources\\.yaml".datasources[0].isDefault=true
  3. 设置 AWS Distro for OpenTelemetry (ADOT) 和 X-Ray

    bash
    # Install ADOT operator
    kubectl apply -f https://github.com/aws-observability/aws-otel-collector/releases/latest/download/opentelemetry-operator.yaml
    
    # Configure ADOT collector with X-Ray integration
    cat <<EOF | kubectl apply -f -
    apiVersion: opentelemetry.io/v1alpha1
    kind: OpenTelemetryCollector
    metadata:
      name: adot-collector
    spec:
      mode: deployment
      serviceAccount: adot-collector
      config: |
        receivers:
          otlp:
            protocols:
              grpc:
                endpoint: 0.0.0.0:4317
              http:
                endpoint: 0.0.0.0:4318
        processors:
          batch:
            timeout: 1s
        exporters:
          awsxray:
            region: ${AWS_REGION}
          awsemf:
            region: ${AWS_REGION}
        service:
          pipelines:
            traces:
              receivers: [otlp]
              processors: [batch]
              exporters: [awsxray]
            metrics:
              receivers: [otlp]
              processors: [batch]
              exporters: [awsemf]
    EOF
  4. 将 CloudWatch 与 Prometheus 集成

    bash
    # Create Amazon Managed Prometheus workspace
    aws amp create-workspace --alias eks-monitoring
    
    # Configure CloudWatch agent
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: prometheus-cwagent-config
      namespace: amazon-cloudwatch
    data:
      cwagentconfig.json: |
        {
          "logs": {
            "metrics_collected": {
              "prometheus": {
                "prometheus_config_path": "/etc/prometheusconfig/prometheus.yaml",
                "emf_processor": {
                  "metric_declaration": [
                    {
                      "source_labels": ["job", "pod_name"],
                      "label_matcher": "^kubernetes-pods;.*$",
                      "dimensions": [["ClusterName", "Namespace", "PodName"]],
                      "metric_selectors": ["^.*$"]
                    }
                  ]
                }
              }
            }
          }
        }
    EOF

关键监控组件:

  1. CloudWatch Container Insights

    • Cluster、node、pod 级 metrics
    • Container log 收集
    • 自动 dashboard 和 alert
  2. Prometheus 和 Grafana

    • 细粒度 Kubernetes metrics
    • 自定义 metrics 和 dashboard
    • 高级查询和 alert
  3. AWS X-Ray

    • 分布式追踪
    • Service map
    • Request path analysis
  4. AWS Distro for OpenTelemetry

    • 标准化 telemetry 收集
    • 支持多种 backend
    • Vendor-neutral instrumentation

最佳实践:

  1. 实施分层监控策略

    • Infrastructure level: nodes, network, storage
    • Cluster level: control plane, nodes, pods
    • Application level: services, endpoints, business metrics
  2. 建立有效的 Alerting 策略

    • 根据优先级设置 alert
    • 防止 alert fatigue
    • 定义 escalation path
  3. 实施自动化响应

    • Auto-scaling trigger
    • Self-healing mechanism
    • 主动维护
  4. 成本优化

    • 仅收集必要 metrics
    • 适当的 sampling 和 aggregation
    • 优化 data retention policy

实际实施示例:

  1. 全面监控架构

    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  EKS Cluster      |    |  CloudWatch       |    |  Amazon Managed   |
    |                   |    |                   |    |  Prometheus       |
    +-------------------+    +-------------------+    +-------------------+
            |                        ^                        ^
            |                        |                        |
            v                        |                        |
    +-------------------+            |                        |
    |                   |            |                        |
    |  ADOT Collector   |------------+                        |
    |                   |                                     |
    +-------------------+                                     |
            |                                                 |
            v                                                 |
    +-------------------+                                     |
    |                   |                                     |
    |  Prometheus       |------------------------------------|
    |                   |
    +-------------------+
            |
            v
    +-------------------+    +-------------------+
    |                   |    |                   |
    |  Grafana          |    |  X-Ray           |
    |                   |    |                   |
    +-------------------+    +-------------------+
  2. 使用 Terraform 配置监控基础设施

    hcl
    # Amazon Managed Prometheus workspace
    resource "aws_prometheus_workspace" "eks_monitoring" {
      alias = "eks-monitoring"
    }
    
    # Amazon Managed Grafana workspace
    resource "aws_grafana_workspace" "eks_monitoring" {
      name                     = "eks-monitoring"
      account_access_type      = "CURRENT_ACCOUNT"
      authentication_providers = ["AWS_SSO"]
      permission_type          = "SERVICE_MANAGED"
      data_sources             = ["PROMETHEUS", "CLOUDWATCH", "XRAY"]
    }
    
    # CloudWatch log group
    resource "aws_cloudwatch_log_group" "eks_logs" {
      name              = "/aws/eks/my-cluster/logs"
      retention_in_days = 30
    }

其他选项的问题:

  • A. 仅使用 CloudWatch:CloudWatch 提供 AWS infrastructure 和基本 container metrics,但在 Kubernetes-specific metrics 或细粒度 application-level monitoring 方面有限制。
  • B. 仅使用 Prometheus 和 Grafana:这种组合提供强大的 Kubernetes monitoring,但缺少与 AWS services 或 distributed tracing 功能的集成。
  • D. 编写自定义监控脚本:自定义脚本难以维护、扩展性差,并且无法利用行业标准工具的丰富功能。
### 2. 在 Amazon EKS 中有效收集和分析 container logs 的最佳方法是什么?

A. 从每个 node 手动检索 log files B. 直接从 containers 内部读取 log files C. 使用 Fluentd/Fluent Bit 将 logs 发送到 CloudWatch Logs 或 Elasticsearch D. 仅将 logs 发送到 standard output

查看答案

答案:C. 使用 Fluentd/Fluent Bit 将 logs 发送到 CloudWatch Logs 或 Elasticsearch

解释: 在 Amazon EKS 中有效收集和分析 container logs 的最佳方法是使用 Fluentd 或 Fluent Bit 等 log collector,将 logs 发送到 CloudWatch Logs、Amazon OpenSearch Service(以前称为 Elasticsearch Service)或其他 log analysis systems。此方法提供可扩展性、集中化以及搜索和分析能力。

基于 Fluentd/Fluent Bit 的日志记录的主要优势:

  1. 集中式 Log Management

    • 在单一位置收集所有 container logs
    • Cluster-wide log search and analysis
    • 长期 log retention 和归档
  2. 可扩展性和可靠性

    • 支持大规模 clusters
    • Buffering 和 retry mechanism
    • 尽量减少 log loss
  3. 灵活的 Log Processing

    • Log filtering 和 transformation
    • 支持 structured logging
    • 支持多种 output destination
  4. 集成分析和可视化

    • CloudWatch Logs Insights
    • OpenSearch Dashboards(以前称为 Kibana)
    • 高级搜索和查询

实施方法:

  1. Fluent Bit 与 CloudWatch Logs 集成

    bash
    # Create Fluent Bit namespace
    kubectl create namespace amazon-cloudwatch
    
    # Install AWS for Fluent Bit
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/cloudwatch-namespace.yaml
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/fluent-bit-service-account.yaml
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/fluent-bit-role.yaml
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/fluent-bit-role-binding.yaml
    
    # Deploy Fluent Bit ConfigMap and DaemonSet
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/fluent-bit-configmap.yaml
    kubectl apply -f https://raw.githubusercontent.com/aws/aws-for-fluent-bit/master/eks/fluent-bit-ds.yaml
  2. Fluentd 与 Amazon OpenSearch Service 集成

    yaml
    # Fluentd ConfigMap
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: fluentd-config
      namespace: kube-system
    data:
      fluent.conf: |
        <source>
          @type tail
          path /var/log/containers/*.log
          pos_file /var/log/fluentd-containers.log.pos
          tag kubernetes.*
          read_from_head true
          <parse>
            @type json
            time_format %Y-%m-%dT%H:%M:%S.%NZ
          </parse>
        </source>
    
        <filter kubernetes.**>
          @type kubernetes_metadata
          @id filter_kube_metadata
        </filter>
    
        <match kubernetes.**>
          @type elasticsearch
          host search-eks-logs.us-west-2.es.amazonaws.com
          port 443
          scheme https
          ssl_verify false
          index_name fluentd.${record['kubernetes']['namespace_name']}.${record['kubernetes']['pod_name']}
          type_name fluentd
          logstash_format true
          logstash_prefix fluentd.${record['kubernetes']['namespace_name']}
          <buffer>
            @type file
            path /var/log/fluentd-buffers/kubernetes.system.buffer
            flush_mode interval
            retry_type exponential_backoff
            flush_thread_count 2
            flush_interval 5s
            retry_forever
            retry_max_interval 30
            chunk_limit_size 2M
            queue_limit_length 8
            overflow_action block
          </buffer>
        </match>
  3. 使用 AWS Distro for OpenTelemetry (ADOT) 收集 Logs

    yaml
    # ADOT collector configuration
    apiVersion: opentelemetry.io/v1alpha1
    kind: OpenTelemetryCollector
    metadata:
      name: adot-collector
    spec:
      mode: daemonset
      serviceAccount: adot-collector
      config: |
        receivers:
          filelog:
            include: [ /var/log/containers/*.log ]
            start_at: beginning
            include_file_path: true
            operators:
              - type: json_parser
                timestamp:
                  parse_from: attributes.time
                  layout: '%Y-%m-%dT%H:%M:%S.%LZ'
        processors:
          batch:
            timeout: 1s
        exporters:
          awscloudwatchlogs:
            log_group_name: "/aws/eks/my-cluster/logs"
            log_stream_name: "{pod_name}.{container_name}"
            region: us-west-2
        service:
          pipelines:
            logs:
              receivers: [filelog]
              processors: [batch]
              exporters: [awscloudwatchlogs]

Log 收集和分析最佳实践:

  1. 实施 Structured Logging

    • 使用 JSON 格式 logs
    • 一致的 log fields 和 formats
    • 包含 correlation IDs
  2. 优化 Log Levels

    • 设置适当的 log levels
    • 在生产环境中尽量减少 debug logs
    • 为重要事件提供足够上下文
  3. Log Retention 和归档策略

    • 平衡成本和合规要求
    • 使用分层存储
    • 配置自动归档
  4. Log Security Considerations

    • 过滤敏感信息
    • 控制 log access
    • 确保 log integrity

实际实施示例:

  1. 包含多个 Output Destinations 的 Fluent Bit 配置

    [INPUT]
        Name                tail
        Tag                 kube.*
        Path                /var/log/containers/*.log
        Parser              docker
        DB                  /var/log/flb_kube.db
        Mem_Buf_Limit       5MB
        Skip_Long_Lines     On
        Refresh_Interval    10
    
    [FILTER]
        Name                kubernetes
        Match               kube.*
        Kube_URL            https://kubernetes.default.svc:443
        Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
        Merge_Log           On
        K8S-Logging.Parser  On
        K8S-Logging.Exclude Off
    
    [OUTPUT]
        Name                cloudwatch_logs
        Match               kube.*
        region              us-west-2
        log_group_name      /aws/eks/my-cluster/logs
        log_stream_prefix   ${kubernetes['namespace_name']}.${kubernetes['pod_name']}.
        auto_create_group   true
    
    [OUTPUT]
        Name                es
        Match               kube.*
        Host                search-eks-logs.us-west-2.es.amazonaws.com
        Port                443
        TLS                 On
        Index               eks-logs
        Suppress_Type_Name  On
  2. 用于 Log Analysis 的 CloudWatch Logs Insights Query

    fields @timestamp, @message, kubernetes.pod_name, kubernetes.namespace_name, log
    | filter kubernetes.namespace_name = "production"
    | filter @message like /ERROR/
    | sort @timestamp desc
    | limit 100
  3. 使用 Terraform 配置 Logging Infrastructure

    hcl
    # CloudWatch log group
    resource "aws_cloudwatch_log_group" "eks_logs" {
      name              = "/aws/eks/my-cluster/logs"
      retention_in_days = 30
      tags = {
        Environment = "production"
        Application = "eks-cluster"
      }
    }
    
    # OpenSearch domain
    resource "aws_elasticsearch_domain" "eks_logs" {
      domain_name           = "eks-logs"
      elasticsearch_version = "OpenSearch_1.3"
    
      cluster_config {
        instance_type  = "m5.large.elasticsearch"
        instance_count = 3
      }
    
      ebs_options {
        ebs_enabled = true
        volume_size = 100
      }
    
      encrypt_at_rest {
        enabled = true
      }
    
      node_to_node_encryption {
        enabled = true
      }
    
      domain_endpoint_options {
        enforce_https       = true
        tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
      }
    
      advanced_security_options {
        enabled                        = true
        internal_user_database_enabled = true
        master_user_options {
          master_user_name     = "admin"
          master_user_password = var.opensearch_master_password
        }
      }
    }

其他选项的问题:

  • A. 从每个 node 手动检索 log files:不可扩展、没有自动化,并且如果 nodes 发生故障,logs 可能会丢失。
  • B. 直接从 containers 内部读取 log files:当 containers 终止时无法访问 logs,并且集中分析很困难。
  • D. 仅将 logs 发送到 standard output:将 logs 发送到 standard output 是一种良好实践,但如果没有收集并集中这些 logs 的机制,就很难进行有效分析。
### 3. 在 Amazon EKS 中构建有效 alerting system 的最佳方法是什么?

A. 手动审查 log files B. 仅使用 CloudWatch Alarms C. 仅使用 Prometheus AlertManager D. 集成 CloudWatch Alarms、Prometheus AlertManager 和 EventBridge,以支持多种 notification channels

查看答案

答案:D. 集成 CloudWatch Alarms、Prometheus AlertManager 和 EventBridge,以支持多种 notification channels

解释: 在 Amazon EKS 中构建有效 alerting system 的最佳方法是集成 CloudWatch Alarms、Prometheus AlertManager 和 EventBridge,以支持多种 notification channels。这种集成方法在 infrastructure、cluster 和 application 层面提供全面 alerting,并支持多种 notification channels 和 response mechanisms。

集成 Alerting System 的主要优势:

  1. 多层 Alerting

    • AWS infrastructure-level alerts (CloudWatch)
    • Kubernetes cluster-level alerts (Prometheus)
    • Application-level alerts (custom metrics)
    • Event-based alerts (EventBridge)
  2. 支持多种 Notification Channels

    • Email, SMS (SNS)
    • Slack, Microsoft Teams (webhooks)
    • PagerDuty, OpsGenie (incident management)
    • 自定义 Lambda functions
  3. 智能 Alert Management

    • Alert grouping 和 deduplication
    • Alert routing 和 escalation
    • Alert suppression 和 silencing

实施方法:

  1. 设置 CloudWatch Alarms

    bash
    # Create CloudWatch alarm for node CPU usage
    aws cloudwatch put-metric-alarm \
      --alarm-name EKS-Node-High-CPU \
      --alarm-description "Alarm when CPU exceeds 80%" \
      --metric-name CPUUtilization \
      --namespace AWS/EC2 \
      --dimensions Name=AutoScalingGroupName,Value=eks-node-group-1 \
      --statistic Average \
      --period 300 \
      --threshold 80 \
      --comparison-operator GreaterThanThreshold \
      --evaluation-periods 2 \
      --alarm-actions arn:aws:sns:us-west-2:123456789012:eks-alerts
  2. 配置 Prometheus AlertManager

    yaml
    # alertmanager-config.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: alertmanager-config
      namespace: prometheus
    data:
      alertmanager.yml: |
        global:
          resolve_timeout: 5m
        route:
          group_by: ['alertname', 'job', 'severity']
          group_wait: 30s
          group_interval: 5m
          repeat_interval: 12h
          receiver: 'sns-forwarder'
          routes:
          - match:
              severity: critical
            receiver: 'pagerduty-critical'
          - match:
              severity: warning
            receiver: 'slack-warnings'
        receivers:
        - name: 'sns-forwarder'
          webhook_configs:
          - url: 'http://sns-forwarder.monitoring.svc.cluster.local:9087/alert'
        - name: 'pagerduty-critical'
          pagerduty_configs:
          - service_key: '<PAGERDUTY_SERVICE_KEY>'
        - name: 'slack-warnings'
          slack_configs:
          - api_url: '<SLACK_WEBHOOK_URL>'
            channel: '#eks-alerts'
            title: '{{ .GroupLabels.alertname }}'
            text: '{{ .CommonAnnotations.description }}'
  3. 定义 Prometheus Alert Rules

    yaml
    # prometheus-rules.yaml
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: prometheus-rules
      namespace: prometheus
    data:
      alert-rules.yml: |
        groups:
        - name: node-alerts
          rules:
          - alert: NodeHighCPU
            expr: instance:node_cpu_utilization:rate5m > 80
            for: 5m
            labels:
              severity: warning
            annotations:
              summary: "High CPU usage on {{ $labels.instance }}"
              description: "CPU usage is above 80% for 5 minutes on {{ $labels.instance }}"
    
          - alert: NodeMemoryFilling
            expr: instance:node_memory_utilization:rate5m > 80
            for: 5m
            labels:
              severity: warning
            annotations:
              summary: "High memory usage on {{ $labels.instance }}"
              description: "Memory usage is above 80% for 5 minutes on {{ $labels.instance }}"
    
        - name: pod-alerts
          rules:
          - alert: PodCrashLooping
            expr: rate(kube_pod_container_status_restarts_total[15m]) > 0
            for: 10m
            labels:
              severity: warning
            annotations:
              summary: "Pod {{ $labels.pod }} is crash looping"
              description: "Pod {{ $labels.pod }} in namespace {{ $labels.namespace }} is crash looping"
    
          - alert: PodNotReady
            expr: sum by (namespace, pod) (kube_pod_status_phase{phase=~"Pending|Unknown"}) > 0
            for: 15m
            labels:
              severity: warning
            annotations:
              summary: "Pod {{ $labels.pod }} is not ready"
              description: "Pod {{ $labels.pod }} in namespace {{ $labels.namespace }} has been in non-ready state for more than 15 minutes"
  4. 设置 EventBridge Rules

    bash
    # Create EventBridge rule for EKS events
    aws events put-rule \
      --name EKS-Control-Plane-Events \
      --event-pattern '{"source":["aws.eks"],"detail-type":["EKS Cluster Control Plane Health"]}'
    
    # Set SNS topic as target
    aws events put-targets \
      --rule EKS-Control-Plane-Events \
      --targets 'Id"="1","Arn"="arn:aws:sns:us-west-2:123456789012:eks-alerts"'

Alert Integration 和 Routing:

  1. 通过 SNS Topics 集成 Alert

    bash
    # Create SNS topic
    aws sns create-topic --name eks-alerts
    
    # Add email subscription
    aws sns subscribe \
      --topic-arn arn:aws:sns:us-west-2:123456789012:eks-alerts \
      --protocol email \
      --notification-endpoint ops-team@example.com
    
    # Add Lambda subscription
    aws sns subscribe \
      --topic-arn arn:aws:sns:us-west-2:123456789012:eks-alerts \
      --protocol lambda \
      --notification-endpoint arn:aws:lambda:us-west-2:123456789012:function:process-eks-alerts
  2. 使用 Lambda 进行 Alert Processing 和 Routing

    python
    import json
    import boto3
    import requests
    
    def lambda_handler(event, context):
        message = json.loads(event['Records'][0]['Sns']['Message'])
    
        # Route to different channels based on alert severity
        if 'AlarmName' in message:
            severity = get_alarm_severity(message['AlarmName'])
        else:
            severity = 'info'
    
        if severity == 'critical':
            send_to_pagerduty(message)
        elif severity == 'warning':
            send_to_slack(message, '#eks-warnings')
        else:
            send_to_slack(message, '#eks-info')
    
        return {
            'statusCode': 200,
            'body': json.dumps('Alert processed successfully!')
        }
    
    def get_alarm_severity(alarm_name):
        if 'Critical' in alarm_name:
            return 'critical'
        elif 'Warning' in alarm_name:
            return 'warning'
        else:
            return 'info'
    
    def send_to_pagerduty(message):
        # Implement PagerDuty API call
        pass
    
    def send_to_slack(message, channel):
        # Implement Slack webhook call
        pass

Alerting 最佳实践:

  1. 防止 Alert Fatigue

    • 仅关注重要 alert
    • 对 alert 进行 grouping 和 deduplication
    • 限制 alert frequency
  2. 提供清晰的 Alert Content

    • 问题描述和影响
    • 推荐的解决操作
    • 相关资源和上下文
  3. Alert Priority 和 Escalation

    • 根据 severity 对 alerts 分类
    • 清晰的 escalation paths
    • 设置 response time targets
  4. 测试和验证 Alerts

    • 定期测试 alerts
    • 监控 false positives 和 negatives
    • 审查 alert effectiveness

实际实施示例:

  1. 全面 Alerting 架构

    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  CloudWatch       |    |  Prometheus       |    |  EventBridge      |
    |  Alarms           |    |  AlertManager     |    |  Rules            |
    +-------------------+    +-------------------+    +-------------------+
            |                        |                        |
            v                        v                        v
    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  SNS Topic        |<---|  Lambda           |<---|  SQS Queue        |
    |                   |    |  Forwarder        |    |                   |
    +-------------------+    +-------------------+    +-------------------+
            |
            v
    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  Email/SMS        |    |  Slack/Teams      |    |  PagerDuty        |
    |                   |    |                   |    |                   |
    +-------------------+    +-------------------+    +-------------------+
  2. 使用 Terraform 配置 Alerting Infrastructure

    hcl
    # SNS topic
    resource "aws_sns_topic" "eks_alerts" {
      name = "eks-alerts"
    }
    
    # CloudWatch alarm
    resource "aws_cloudwatch_metric_alarm" "node_cpu" {
      alarm_name          = "EKS-Node-High-CPU"
      comparison_operator = "GreaterThanThreshold"
      evaluation_periods  = 2
      metric_name         = "CPUUtilization"
      namespace           = "AWS/EC2"
      period              = 300
      statistic           = "Average"
      threshold           = 80
      alarm_description   = "This metric monitors EC2 CPU utilization for EKS nodes"
      alarm_actions       = [aws_sns_topic.eks_alerts.arn]
      dimensions = {
        AutoScalingGroupName = "eks-node-group-1"
      }
    }
    
    # EventBridge rule
    resource "aws_cloudwatch_event_rule" "eks_events" {
      name        = "EKS-Control-Plane-Events"
      description = "Capture EKS control plane events"
      event_pattern = jsonencode({
        source      = ["aws.eks"]
        detail-type = ["EKS Cluster Control Plane Health"]
      })
    }
    
    resource "aws_cloudwatch_event_target" "sns" {
      rule      = aws_cloudwatch_event_rule.eks_events.name
      target_id = "SendToSNS"
      arn       = aws_sns_topic.eks_alerts.arn
    }

其他选项的问题:

  • A. 手动审查 log files:手动审查不可扩展,不能提供实时 alerting,也不支持自动响应。
  • B. 仅使用 CloudWatch Alarms:CloudWatch Alarms 对 AWS infrastructure-level alerting 很有用,但在 Kubernetes-specific metrics 或详细 application-level alerting 方面有限制。
  • C. 仅使用 Prometheus AlertManager:Prometheus AlertManager 为 Kubernetes metrics 提供强大的 alerting,但与 AWS service events 或 infrastructure-level alerting 的集成有限。
### 4. 在 Amazon EKS 中进行 application performance monitoring 的最有效方法是什么?

A. 仅监控基本 system metrics B. 收集并分析自定义 application metrics C. 实施包含 distributed tracing、metrics 和 logs 的集成 observability D. 定期执行手动 performance tests

查看答案

答案:C. 实施包含 distributed tracing、metrics 和 logs 的集成 observability

解释: 在 Amazon EKS 中进行 application performance monitoring 的最有效方法是实施包含 distributed tracing、metrics 和 logs 的集成 observability。这种全面方法可提供 application performance 的完整可见性,并为 troubleshooting 和 optimization 提供详细信息。

集成 Observability 的关键组件:

  1. Distributed Tracing

    • 跟踪 services 之间的 request flow
    • 识别 latency bottlenecks
    • 理解 error propagation paths
  2. Metrics

    • System 和 resource usage
    • Application performance indicators
    • Business metrics
  3. Logs

    • 详细 application events
    • Error 和 exception information
    • Debugging context
  4. Profiling

    • CPU 和 memory usage analysis
    • 识别 hotspots 和 bottlenecks
    • 发现 code-level optimization opportunities

实施方法:

  1. 设置 AWS Distro for OpenTelemetry (ADOT)

    bash
    # Install ADOT operator
    kubectl apply -f https://github.com/aws-observability/aws-otel-collector/releases/latest/download/opentelemetry-operator.yaml
    
    # Configure ADOT collector
    cat <<EOF | kubectl apply -f -
    apiVersion: opentelemetry.io/v1alpha1
    kind: OpenTelemetryCollector
    metadata:
      name: adot-collector
    spec:
      mode: deployment
      serviceAccount: adot-collector
      config: |
        receivers:
          otlp:
            protocols:
              grpc:
                endpoint: 0.0.0.0:4317
              http:
                endpoint: 0.0.0.0:4318
          prometheus:
            config:
              scrape_configs:
              - job_name: 'kubernetes-pods'
                kubernetes_sd_configs:
                - role: pod
                relabel_configs:
                - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
                  action: keep
                  regex: true
    
        processors:
          batch:
            timeout: 1s
          resource:
            attributes:
            - key: service.name
              action: upsert
              value: "${SERVICE_NAME}"
    
        exporters:
          awsxray:
            region: "${AWS_REGION}"
          awsemf:
            region: "${AWS_REGION}"
            namespace: EKSApplicationMetrics
          awscloudwatchlogs:
            region: "${AWS_REGION}"
            log_group_name: "/aws/eks/my-cluster/application-logs"
    
        service:
          pipelines:
            traces:
              receivers: [otlp]
              processors: [batch, resource]
              exporters: [awsxray]
            metrics:
              receivers: [otlp, prometheus]
              processors: [batch, resource]
              exporters: [awsemf]
            logs:
              receivers: [otlp]
              processors: [batch, resource]
              exporters: [awscloudwatchlogs]
    EOF
  2. Application Instrumentation

    java
    // Java application example (Spring Boot)
    
    // build.gradle
    dependencies {
        implementation 'io.opentelemetry:opentelemetry-api'
        implementation 'io.opentelemetry:opentelemetry-sdk'
        implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
        implementation 'io.opentelemetry.instrumentation:opentelemetry-spring-boot-starter:1.18.0-alpha'
    }
    
    // application.properties
    otel.service.name=order-service
    otel.exporter.otlp.endpoint=http://adot-collector:4317
    python
    # Python application example
    from opentelemetry import trace
    from opentelemetry.sdk.trace import TracerProvider
    from opentelemetry.sdk.trace.export import BatchSpanProcessor
    from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter
    from opentelemetry.sdk.resources import SERVICE_NAME, Resource
    
    # Set up resource and tracer
    resource = Resource(attributes={
        SERVICE_NAME: "payment-service"
    })
    
    tracer_provider = TracerProvider(resource=resource)
    processor = BatchSpanProcessor(OTLPSpanExporter(endpoint="adot-collector:4317"))
    tracer_provider.add_span_processor(processor)
    trace.set_tracer_provider(tracer_provider)
    
    # Use tracer
    tracer = trace.get_tracer(__name__)
    
    @app.route('/process-payment', methods=['POST'])
    def process_payment():
        with tracer.start_as_current_span("process-payment") as span:
            span.set_attribute("payment.amount", request.json.get('amount'))
            # Perform business logic
            result = process_transaction(request.json)
            span.set_attribute("payment.status", result['status'])
            return jsonify(result)
  3. 设置 Amazon Managed Grafana Dashboard

    bash
    # Create Amazon Managed Grafana workspace
    aws grafana create-workspace \
      --name eks-monitoring \
      --authentication-providers AWS_SSO \
      --permission-type SERVICE_MANAGED \
      --data-sources PROMETHEUS CLOUDWATCH XRAY
  4. X-Ray Service Map 和 Trace Analysis

    bash
    # Create X-Ray group
    aws xray create-group \
      --group-name "EKS-Applications" \
      --filter-expression "service(\"order-service\") OR service(\"payment-service\")"

关键 Observability Metrics 和 Dimensions:

  1. 核心 Application Performance Indicators

    • Request latency (p50, p90, p99)
    • Request throughput (RPS)
    • Error rate
    • Saturation (resource utilization)
  2. 关键 Dimensions 和 Labels

    • Service 和 endpoint
    • Cluster, namespace, pod
    • Version 和 environment
    • Customer 或 tenant ID
  3. User Experience Metrics

    • Page load time
    • API response time
    • User interaction latency
    • Client error rate

最佳实践:

  1. 实施标准化 Instrumentation

    • 使用 OpenTelemetry 等标准
    • 一致的 naming conventions 和 labels
    • 结合 automatic 和 manual instrumentation
  2. 确保 Context Propagation

    • 在 services 之间传递 trace context
    • 在 asynchronous operations 中保持 context
    • 与 external systems 集成
  3. 优化 Sampling Strategy

    • 平衡成本和可见性
    • 基于 error 和 latency 的 sampling
    • 优先处理 critical transactions
  4. 关联 Observability Data

    • 连接 traces、metrics 和 logs
    • 使用 common identifiers 和 labels
    • 集成 dashboard 和 analysis

实际实施示例:

  1. Microservices Architecture 的集成 Observability

    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  Frontend         |    |  Order Service    |    |  Payment Service  |
    |  (React)          |    |  (Java)           |    |  (Python)         |
    +-------------------+    +-------------------+    +-------------------+
            |                        |                        |
            v                        v                        v
    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  Browser SDK      |    |  OpenTelemetry    |    |  OpenTelemetry    |
    |  (RUM)            |    |  SDK              |    |  SDK              |
    +-------------------+    +-------------------+    +-------------------+
            |                        |                        |
            v                        v                        v
    +---------------------------------------------------------------+
    |                                                               |
    |                  ADOT Collector                               |
    |                                                               |
    +---------------------------------------------------------------+
            |                        |                        |
            v                        v                        v
    +-------------------+    +-------------------+    +-------------------+
    |                   |    |                   |    |                   |
    |  AWS X-Ray        |    |  Amazon           |    |  CloudWatch       |
    |  (Traces)         |    |  Managed Service  |    |  Logs             |
    |                   |    |  for Prometheus   |    |                   |
    +-------------------+    +-------------------+    +-------------------+
                                      |
                                      v
                             +-------------------+
                             |                   |
                             |  Amazon           |
                             |  Managed Grafana  |
                             |                   |
                             +-------------------+
  2. 使用 Terraform 配置 Observability Infrastructure

    hcl
    # Amazon Managed Service for Prometheus workspace
    resource "aws_prometheus_workspace" "eks_monitoring" {
      alias = "eks-monitoring"
    }
    
    # Amazon Managed Grafana workspace
    resource "aws_grafana_workspace" "eks_monitoring" {
      name                     = "eks-monitoring"
      account_access_type      = "CURRENT_ACCOUNT"
      authentication_providers = ["AWS_SSO"]
      permission_type          = "SERVICE_MANAGED"
      data_sources             = ["PROMETHEUS", "CLOUDWATCH", "XRAY"]
    }
    
    # X-Ray group
    resource "aws_xray_group" "eks_applications" {
      group_name        = "EKS-Applications"
      filter_expression = "service(\"order-service\") OR service(\"payment-service\")"
    }
    
    # CloudWatch log group
    resource "aws_cloudwatch_log_group" "application_logs" {
      name              = "/aws/eks/my-cluster/application-logs"
      retention_in_days = 30
    }
    
    # IAM role and policy
    resource "aws_iam_role" "adot_collector" {
      name = "adot-collector"
      assume_role_policy = jsonencode({
        Version = "2012-10-17",
        Statement = [{
          Effect = "Allow",
          Principal = {
            Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${module.eks.oidc_provider}"
          },
          Action = "sts:AssumeRoleWithWebIdentity",
          Condition = {
            StringEquals = {
              "${module.eks.oidc_provider}:sub" = "system:serviceaccount:opentelemetry:adot-collector"
            }
          }
        }]
      })
    }

其他选项的问题:

  • A. 仅监控基本 system metrics:System metrics 对理解 infrastructure status 很重要,但不足以识别 application performance issues 的 root causes。
  • B. 收集并分析自定义 application metrics:Application metrics 很重要,但理解 distributed systems 中的 service interactions 还需要 tracing 和 logs。
  • D. 定期执行手动 performance tests:Performance tests 很重要,但它们无法替代实时生产环境中的持续监控,也无法完全模拟真实 user patterns。
### 5. 在 Amazon EKS 中有效监控 control plane logs 的最佳方式是什么?

A. 通过 SSH 直接访问 control plane nodes B. 启用 EKS control plane logging 并发送到 CloudWatch Logs C. 部署自定义 log collectors D. 定期向 AWS support team 请求 logs

查看答案

答案:B. 启用 EKS control plane logging 并发送到 CloudWatch Logs

解释: 在 Amazon EKS 中有效监控 control plane logs 的最佳方式是启用 EKS control plane logging,并将 logs 发送到 CloudWatch Logs。此方法利用 EKS 作为 managed service 的特性,能够轻松访问和分析 control plane component logs。

EKS Control Plane Logging 的主要优势:

  1. 全面 Log Collection

    • API server logs
    • Audit logs
    • Authenticator logs
    • Controller manager logs
    • Scheduler logs
  2. Managed Solution

    • AWS-managed log collection
    • 无需额外 agents
    • 无需直接访问 control plane
  3. 集成分析和 Alerting

    • 通过 CloudWatch Logs Insights 进行查询和分析
    • 与 CloudWatch Alarms 集成
    • 长期 log retention 和归档

实施方法:

  1. 创建 EKS Cluster 时启用 Logging

    bash
    # Create EKS cluster with all log types enabled
    aws eks create-cluster \
      --name my-cluster \
      --role-arn arn:aws:iam::123456789012:role/EKSClusterRole \
      --resources-vpc-config subnetIds=subnet-12345,subnet-67890,securityGroupIds=sg-12345 \
      --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
  2. 为现有 EKS Cluster 启用 Logging

    bash
    # Enable all log types for existing cluster
    aws eks update-cluster-config \
      --name my-cluster \
      --logging '{"clusterLogging":[{"types":["api","audit","authenticator","controllerManager","scheduler"],"enabled":true}]}'
  3. 仅启用特定 Log Types

    bash
    # Enable only API server and audit logs
    aws eks update-cluster-config \
      --name my-cluster \
      --logging '{"clusterLogging":[{"types":["api","audit"],"enabled":true},{"types":["authenticator","controllerManager","scheduler"],"enabled":false}]}'

关键 Log Types 和用途:

  1. API Server Logs (api)

    • API requests 和 responses
    • Resource creation、modification、deletion
    • Error 和 warning messages
  2. Audit Logs (audit)

    • 所有 API calls 的详细记录
    • 跟踪 who、what、when 和 where
    • 满足 security 和 compliance requirements
  3. Authenticator Logs (authenticator)

    • 使用 AWS IAM credentials 的 authentication requests
    • Authentication successes 和 failures
    • 调试 permission issues
  4. Controller Manager Logs (controllerManager)

    • Controller operations 和 status
    • Resource reconciliation activities
    • Controller errors 和 retries
  5. Scheduler Logs (scheduler)

    • Pod scheduling decisions
    • Scheduling failures 和 reasons
    • Resource allocation issues

Log Analysis 和 Monitoring:

  1. 使用 CloudWatch Logs Insights 查询

    # Search for API server errors
    fields @timestamp, @message
    | filter @logStream like /kube-apiserver-/
    | filter @message like /Error/
    | sort @timestamp desc
    | limit 100
    
    # Search audit logs for specific user
    fields @timestamp, @message
    | filter @logStream like /kube-apiserver-audit/
    | parse @message "user.username*:*" as user_prefix, username
    | filter username like /admin/
    | sort @timestamp desc
    | limit 100
    
    # Search for authentication failures
    fields @timestamp, @message
    | filter @logStream like /authenticator/
    | filter @message like /failed/
    | sort @timestamp desc
    | limit 100
  2. 创建 CloudWatch Dashboard

    bash
    # Create dashboard monitoring API server error rate
    aws cloudwatch put-dashboard \
      --dashboard-name EKS-Control-Plane-Monitoring \
      --dashboard-body '{
        "widgets": [
          {
            "type": "log",
            "x": 0,
            "y": 0,
            "width": 24,
            "height": 6,
            "properties": {
              "query": "SOURCE \'/aws/eks/my-cluster/cluster\' | fields @timestamp, @message\n| filter @logStream like /kube-apiserver-/\n| filter @message like /Error/\n| stats count() as errorCount by bin(5m)",
              "region": "us-west-2",
              "title": "API Server Errors",
              "view": "timeSeries"
            }
          }
        ]
      }'
  3. 设置 CloudWatch Alarms

    bash
    # Create API server error alarm
    aws cloudwatch put-metric-alarm \
      --alarm-name EKS-APIServer-Errors \
      --alarm-description "Alarm when API server errors exceed threshold" \
      --metric-name ErrorCount \
      --namespace EKS \
      --statistic Sum \
      --period 300 \
      --threshold 10 \
      --comparison-operator GreaterThanThreshold \
      --evaluation-periods 1 \
      --alarm-actions arn:aws:sns:us-west-2:123456789012:eks-alerts \
      --dimensions Name=ClusterName,Value=my-cluster

最佳实践:

  1. Selective Log Enablement

    • 仅启用必要的 log types
    • 根据 compliance requirements 启用 audit logs
    • 平衡成本和可见性
  2. 设置 Log Retention Policy

    bash
    # Set CloudWatch log group retention period
    aws logs put-retention-policy \
      --log-group-name /aws/eks/my-cluster/cluster \
      --retention-in-days 90
  3. 配置 Log Encryption

    bash
    # Set CloudWatch log group encryption
    aws logs associate-kms-key \
      --log-group-name /aws/eks/my-cluster/cluster \
      --kms-key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab
  4. 控制 Log Access

    json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:GetLogEvents",
            "logs:FilterLogEvents",
            "logs:StartQuery",
            "logs:GetQueryResults"
          ],
          "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:/aws/eks/my-cluster/cluster:*"
        }
      ]
    }

实际实施示例:

  1. 使用 Terraform 配置 EKS Cluster Logging

    hcl
    resource "aws_eks_cluster" "main" {
      name     = "my-cluster"
      role_arn = aws_iam_role.eks_cluster.arn
    
      vpc_config {
        subnet_ids         = var.subnet_ids
        security_group_ids = [aws_security_group.eks_cluster.id]
      }
    
      enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
    
      depends_on = [
        aws_iam_role_policy_attachment.eks_cluster_policy,
        aws_cloudwatch_log_group.eks_logs
      ]
    }
    
    resource "aws_cloudwatch_log_group" "eks_logs" {
      name              = "/aws/eks/my-cluster/cluster"
      retention_in_days = 90
      kms_key_id        = aws_kms_key.eks_logs.arn
    }
    
    resource "aws_kms_key" "eks_logs" {
      description             = "KMS key for EKS cluster logs encryption"
      deletion_window_in_days = 7
      enable_key_rotation     = true
    }
  2. CloudWatch Logs Insights Dashboard

    hcl
    resource "aws_cloudwatch_dashboard" "eks_control_plane" {
      dashboard_name = "EKS-Control-Plane-Monitoring"
    
      dashboard_body = jsonencode({
        widgets = [
          {
            type = "log"
            x    = 0
            y    = 0
            width = 24
            height = 6
            properties = {
              query = "SOURCE '/aws/eks/my-cluster/cluster' | fields @timestamp, @message\n| filter @logStream like /kube-apiserver-/\n| filter @message like /Error/\n| stats count() as errorCount by bin(5m)"
              region = "us-west-2"
              title = "API Server Errors"
              view = "timeSeries"
            }
          },
          {
            type = "log"
            x    = 0
            y    = 6
            width = 24
            height = 6
            properties = {
              query = "SOURCE '/aws/eks/my-cluster/cluster' | fields @timestamp, @message\n| filter @logStream like /kube-apiserver-audit/\n| stats count() as auditCount by bin(5m)"
              region = "us-west-2"
              title = "Audit Events"
              view = "timeSeries"
            }
          }
        ]
      })
    }

其他选项的问题:

  • A. 通过 SSH 直接访问 control plane nodes:EKS 是 managed service,因此你无法直接访问 control plane nodes。
  • C. 部署自定义 log collectors:由于 control plane 由 AWS 管理,部署自定义 log collectors 不会让你访问 control plane logs。
  • D. 定期向 AWS support team 请求 logs:这种方式效率低,不能提供实时监控,也不支持自动分析和 alerting。
### 6. 在 Amazon EKS 中用于成本优化的最有效监控策略是什么?

A. 收集所有可能的 metrics B. 专注于监控 resource usage、cost allocation tags 和 idle resources C. 只关注 performance,不进行 cost monitoring D. 只查看每月 AWS bills

查看答案

答案:B. 专注于监控 resource usage、cost allocation tags 和 idle resources

解释: 在 Amazon EKS 中用于成本优化的最有效监控策略是专注于监控 resource usage、cost allocation tags 和 idle resources。这种方法可确保 cluster resources 的高效使用,明确 cost allocation,并通过识别浪费资源来优化成本。

Cost Optimization Monitoring 的关键组件:

  1. Resource Usage Monitoring

    • CPU、memory、storage utilization
    • Actual usage vs. requests and limits
    • Resource usage trends and patterns
  2. Cost Allocation 和 Tagging

    • 按 namespace、service、team 进行 cost analysis
    • 实施并监控 cost allocation tags
    • 按 cost center 和 project 跟踪支出
  3. 识别 Idle 和 Wasted Resources

    • 未使用的 EBS volumes
    • Over-provisioned resources
    • Idle nodes 和 pods
  4. Cost Anomaly Detection

    • 对 unexpected cost increases 发出 alert
    • Cost trend analysis
    • 监控 actual spending vs. budget

实施方法:

  1. 监控 Kubernetes Resource Usage

    yaml
    # Monitor resource usage with Prometheus
    apiVersion: monitoring.coreos.com/v1
    kind: ServiceMonitor
    metadata:
      name: kubernetes-resources
      namespace: monitoring
    spec:
      selector:
        matchLabels:
          k8s-app: kubelet
      namespaceSelector:
        matchNames:
        - kube-system
      endpoints:
      - port: https-metrics
        scheme: https
        interval: 30s
        tlsConfig:
          insecureSkipVerify: true
        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      - port: cadvisor
        scheme: https
        interval: 30s
        tlsConfig:
          insecureSkipVerify: true
        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
        metricRelabelings:
        - action: keep
          sourceLabels: [__name__]
          regex: container_cpu_usage_seconds_total|container_memory_working_set_bytes|container_fs_usage_bytes
  2. 实施 Cost Allocation Tags

    bash
    # Enable cost allocation tags
    aws ce update-cost-allocation-tags-status \
      --cost-allocation-tags-status '[{"TagKey": "kubernetes.io/cluster/my-cluster", "Status": "Active"}, {"TagKey": "kubernetes.io/namespace", "Status": "Active"}, {"TagKey": "app", "Status": "Active"}, {"TagKey": "team", "Status": "Active"}]'
    
    # Tag nodes
    aws ec2 create-tags \
      --resources i-1234567890abcdef0 \
      --tags Key=team,Value=platform Key=environment,Value=production
  3. 部署 Kubecost

    bash
    # Install Kubecost using Helm
    helm repo add kubecost https://kubecost.github.io/cost-analyzer/
    helm install kubecost kubecost/cost-analyzer \
      --namespace kubecost \
      --create-namespace \
      --set kubecostToken="<YOUR_KUBECOST_TOKEN>" \
      --set prometheus.server.persistentVolume.size=100Gi \
      --set prometheus.nodeExporter.enabled=true \
      --set serviceMonitor.enabled=true
  4. 设置 AWS Cost Explorer Dashboard

    bash
    # Create AWS Cost Explorer dashboard
    aws ce create-cost-category \
      --name EKS-Clusters \
      --rule-version "CostCategoryExpression.v1" \
      --rules '[{"Value": "my-cluster-prod", "Rule": {"Tags": {"Key": "kubernetes.io/cluster/my-cluster-prod", "Values": ["owned", "shared"], "MatchOptions": ["EQUALS"]}}}, {"Value": "my-cluster-dev", "Rule": {"Tags": {"Key": "kubernetes.io/cluster/my-cluster-dev", "Values": ["owned", "shared"], "MatchOptions": ["EQUALS"]}}}]'

关键 Monitoring Metrics 和 Dimensions:

  1. Resource Efficiency Metrics

    • CPU utilization = used CPU / requested CPU
    • Memory utilization = used memory / requested memory
    • Resource requests vs. limits ratio
  2. Cost Allocation Dimensions

    • Cluster
    • Namespace
    • Deployment/StatefulSet
    • Labels (team, application, environment)
  3. Waste Identification Metrics

    • Idle pods 的数量(CPU/memory utilization < 5%)
    • Unattached EBS volumes
    • 未使用的 load balancers

最佳实践:

  1. 优化 Resource Requests 和 Limits

    • 根据 actual usage 设置 resource requests
    • 使用 Vertical Pod Autoscaler
    • 定期审查 resource requests
  2. 实施有效的 Tagging Strategy

    yaml
    # Namespace labels example
    apiVersion: v1
    kind: Namespace
    metadata:
      name: team-a
      labels:
        team: team-a
        cost-center: cc-123
        environment: production
  3. 优化 Auto-scaling

    • 调整 Cluster Autoscaler configuration
    • 使用 Karpenter
    • 使用 spot instances
  4. 定期成本审查和优化

    • 每周/每月成本审查会议
    • 设置成本降低目标
    • 跟踪优化操作

实际实施示例:

  1. Grafana Cost Dashboard

    bash
    # Import Grafana dashboard
    kubectl -n monitoring create configmap cost-dashboard \
      --from-file=cost-dashboard.json
  2. Resource Request vs. Usage Monitoring Queries

    # Prometheus query examples
    # CPU utilization vs. requests
    sum(rate(container_cpu_usage_seconds_total{namespace="production"}[5m])) by (pod) /
    sum(kube_pod_container_resource_requests{resource="cpu", namespace="production"}) by (pod)
    
    # Memory utilization vs. requests
    sum(container_memory_working_set_bytes{namespace="production"}) by (pod) /
    sum(kube_pod_container_resource_requests{resource="memory", namespace="production"}) by (pod)
  3. Cost Optimization Automation Script

    python
    # Script example for identifying and reporting idle resources
    import boto3
    import kubernetes
    from kubernetes import client, config
    
    # Set up Kubernetes client
    config.load_kube_config()
    v1 = client.CoreV1Api()
    
    # Set up AWS client
    ec2 = boto3.client('ec2')
    elb = boto3.client('elb')
    
    def find_unused_volumes():
        volumes = ec2.describe_volumes(
            Filters=[
                {'Name': 'status', 'Values': ['available']},
                {'Name': 'tag:kubernetes.io/cluster/my-cluster', 'Values': ['owned']}
            ]
        )
        return volumes['Volumes']
    
    def find_underutilized_pods():
        pods = v1.list_pod_for_all_namespaces(watch=False)
        underutilized = []
        for pod in pods.items:
            # Get usage data from metrics API or Prometheus
            # Identify pods with low utilization
            pass
        return underutilized
    
    # Main function
    def main():
        unused_volumes = find_unused_volumes()
        underutilized_pods = find_underutilized_pods()
    
        # Generate report and alert
        generate_report(unused_volumes, underutilized_pods)
    
    if __name__ == "__main__":
        main()
  4. 使用 Terraform 配置 Cost Monitoring Infrastructure

    hcl
    # AWS budget alert setup
    resource "aws_budgets_budget" "eks_monthly" {
      name              = "eks-monthly-budget"
      budget_type       = "COST"
      limit_amount      = "1000"
      limit_unit        = "USD"
      time_unit         = "MONTHLY"
      time_period_start = "2023-01-01_00:00"
    
      cost_filter {
        name = "TagKeyValue"
        values = [
          "kubernetes.io/cluster/my-cluster$owned"
        ]
      }
    
      notification {
        comparison_operator        = "GREATER_THAN"
        threshold                  = 80
        threshold_type             = "PERCENTAGE"
        notification_type          = "ACTUAL"
        subscriber_email_addresses = ["team@example.com"]
      }
    }
    
    # CloudWatch dashboard
    resource "aws_cloudwatch_dashboard" "eks_cost" {
      dashboard_name = "EKS-Cost-Monitoring"
    
      dashboard_body = jsonencode({
        widgets = [
          {
            type   = "metric"
            x      = 0
            y      = 0
            width  = 12
            height = 6
            properties = {
              metrics = [
                ["AWS/EC2", "CPUUtilization", "AutoScalingGroupName", "eks-node-group-1", {"stat": "Average"}]
              ]
              period = 300
              region = "us-west-2"
              title  = "Node Group CPU Utilization"
            }
          },
          {
            type   = "metric"
            x      = 12
            y      = 0
            width  = 12
            height = 6
            properties = {
              metrics = [
                ["AWS/EC2", "NetworkIn", "AutoScalingGroupName", "eks-node-group-1", {"stat": "Sum"}],
                ["AWS/EC2", "NetworkOut", "AutoScalingGroupName", "eks-node-group-1", {"stat": "Sum"}]
              ]
              period = 300
              region = "us-west-2"
              title  = "Node Group Network Traffic"
            }
          }
        ]
      })
    }

其他选项的问题:

  • A. 收集所有可能的 metrics:收集所有 metrics 会增加存储成本,重要的 cost optimization signals 可能被埋没在噪音中,并且分析会变得更复杂。
  • C. 只关注 performance,不进行 cost monitoring:Performance 很重要,但如果没有 cost optimization,可能会产生不必要的支出。
  • D. 只查看每月 AWS bills:每月账单审查是被动的,不能提供详细的 cost allocation 信息,并且可能错过实时 optimization opportunities。