# Source: github.com/grafana/pyroscope@v1.18.0/examples/grafana-alloy-auto-instrumentation/java/kubernetes/grafana-alloy.yaml
#
# Example manifests: Grafana Alloy runs as a DaemonSet, discovers Java processes
# on each node and attaches the Pyroscope Java profiler to them.
#
# Security summary for reviewers: the Alloy container below is privileged, runs
# as uid/gid 0 and shares the host PID namespace. Treat the pod, its image and
# the alloy-config ConfigMap as having node-level root on every node the
# DaemonSet schedules onto.
---

# Cluster-wide, read-only access to pods (list/watch only; no get on secrets,
# no write verbs). Note that pod objects from every namespace are visible to
# this identity, including literal env values and annotations in pod specs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole # needed for the discovery.kubernetes alloy component
metadata:
  name: grafana-alloy-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "watch"]

---

# No metadata.namespace is set, so this ServiceAccount is created in whatever
# namespace the manifest is applied to. The ClusterRoleBinding below only
# matches a ServiceAccount in "pyroscope-java".
# NOTE(review): presumably applied with that namespace selected — confirm.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-alloy

---

# Grants grafana-alloy-role to the grafana-alloy ServiceAccount in the
# pyroscope-java namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grafana-alloy-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-alloy-role
subjects:
  - kind: ServiceAccount
    name: grafana-alloy
    namespace: pyroscope-java

---

# One Alloy pod per node. Like the ServiceAccount, the DaemonSet carries no
# metadata.namespace.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: grafana-alloy
spec:
  selector:
    matchLabels:
      app: grafana-alloy
  template:
    metadata:
      labels:
        app: grafana-alloy
    spec:
      serviceAccountName: grafana-alloy
      containers:
        - name: grafana-alloy
          # No tag or digest: the reference resolves to "latest", so the build
          # running as privileged root can change between pulls and differ per
          # node. Pin a reviewed tag or digest outside of demos.
          image: grafana/alloy
          command:
            - /bin/alloy
            - run
            - /etc/alloy-config/config.alloy
            # Binds Alloy's HTTP server to all interfaces of the pod. No TLS or
            # authentication is configured in this manifest, so any workload
            # that can reach the pod IP on 12345 can reach it; restrict with a
            # NetworkPolicy if the cluster network is not trusted.
            - --server.http.listen-addr=0.0.0.0:12345
          ports:
            - containerPort: 12345
          volumeMounts:
            - name: alloy-config
              mountPath: /etc/alloy-config
          securityContext:
            # privileged already grants every capability and lifts most
            # container confinement, so the capabilities.add list below has no
            # additional effect while privileged stays true.
            # NOTE(review): presumably the list records what the profiler
            # needs if privileged is ever dropped — confirm before relying on it.
            # Pod Security Admission "baseline" and "restricted" reject this
            # pod (privileged container, hostPID); the namespace must allow
            # "privileged".
            privileged: true
            runAsGroup: 0
            runAsUser: 0
            capabilities:
              add:
                - PERFMON
                - SYS_PTRACE
                - SYS_RESOURCE
                - SYS_ADMIN
      volumes:
        - name: alloy-config
          configMap:
            name: alloy-config
      # Shares the node's PID namespace: combined with root and SYS_PTRACE the
      # container can see and attach to every process on the node, not only
      # the Java workloads it profiles.
      hostPID: true

---

# Alloy pipeline configuration, mounted at /etc/alloy-config.
# - This ConfigMap drives a privileged root agent; write access to it (or to
#   the DaemonSet) is equivalent to control of that agent. Scope RBAC on this
#   namespace accordingly.
# - logging level is "debug", which is verbose; consider a lower level outside
#   of demos.
# - discovery.relabel keeps every process whose executable path ends in
#   "/java", in any namespace, so the profiler is attached to all Java
#   workloads on the node. Add a namespace/label keep rule to narrow the scope.
# - pyroscope.write targets http://pyroscope:4040 over plain HTTP with no
#   credentials in the config; use TLS and authentication if the endpoint is
#   not an in-cluster service on a trusted network.
apiVersion: v1
kind: ConfigMap
metadata:
  name: alloy-config
data:
  config.alloy: |
    logging {
      level = "debug"
      format = "logfmt"
    }

    // Discovers all kubernetes pods.
    // Relies on serviceAccountName=grafana-alloy in the pod spec for permissions.
    discovery.kubernetes "pods" {
      role = "pod"
    }

    // Discovers all processes running on the node.
    // Relies on a security context with elevated permissions for the alloy container (running as root).
    // Relies on hostPID=true on the pod spec, to be able to see processes from other pods.
    discovery.process "all" {
      // Merges kubernetes and process data (using container_id), to attach kubernetes labels to discovered processes.
      join = discovery.kubernetes.pods.targets
    }

    // Drops non-java processes and adjusts labels.
    discovery.relabel "java" {
      targets = discovery.process.all.targets
      // Drops non-java processes.
      rule {
        source_labels = ["__meta_process_exe"]
        action = "keep"
        regex = ".*/java$"
      }
      // Sets up the service_name using the namespace and container names.
      rule {
        source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
        target_label = "service_name"
        separator = "/"
      }
      // Sets up kubernetes labels (labels with the __ prefix are ultimately dropped).
      rule {
        action = "replace"
        source_labels = ["__meta_kubernetes_pod_node_name"]
        target_label = "node"
      }
      rule {
        action = "replace"
        source_labels = ["__meta_kubernetes_namespace"]
        target_label = "namespace"
      }
      rule {
        action = "replace"
        source_labels = ["__meta_kubernetes_pod_name"]
        target_label = "pod"
      }
      rule {
        action = "replace"
        source_labels = ["__meta_kubernetes_pod_container_name"]
        target_label = "container"
      }
      // Sets up the cluster label.
      // Relies on a pod-level annotation with the "cluster_name" name.
      // Alternatively it can be set up using external_labels in pyroscope.write.
      rule {
        action = "replace"
        source_labels = ["__meta_kubernetes_pod_annotation_cluster_name"]
        target_label = "cluster"
      }
    }

    // Attaches the Pyroscope profiler to the processes returned by the discovery.relabel component.
    // Relies on a security context with elevated permissions for the alloy container (running as root).
    // Relies on hostPID=true on the pod spec, to be able to access processes from other pods.
    pyroscope.java "java" {
      profiling_config {
        interval = "15s"
        alloc = "512k"
        cpu = true
        lock = "10ms"
        sample_rate = 100
      }
      forward_to = [pyroscope.write.local.receiver]
      targets = discovery.relabel.java.output
    }

    pyroscope.write "local" {
      // Send metrics to the locally running Pyroscope instance.
      endpoint {
        url = "http://pyroscope:4040"
      }
      external_labels = {
        "static_label" = "static_label_value",
      }
    }
---