loki.rules.kubernetes
loki.rules.kubernetes
discovers PrometheusRule
Kubernetes resources and loads them into a Loki instance.
- You can specify multiple
loki.rules.kubernetes
components by giving them different labels. - Kubernetes label selectors can be used to limit the
Namespace
andPrometheusRule
resources considered during reconciliation. - Compatible with the Ruler APIs of Grafana Loki, Grafana Cloud, and Grafana Enterprise Metrics.
- Compatible with the
PrometheusRule
CRD from theprometheus-operator
. - This component accesses the Kubernetes REST API from within a Pod.
Note
This component requires Role-based access control (RBAC) to be set up in Kubernetes for Alloy to access it via the Kubernetes REST API.
Usage
loki.rules.kubernetes "<LABEL>" {
address = "<LOKI_RULER_URL>"
}
Arguments
You can use the following arguments with loki.rules.kubernetes
:
At most, one of the following can be provided:
authorization
blockbasic_auth
blockbearer_token_file
argumentbearer_token
argumentoauth2
block
If no tenant_id
is provided, the component assumes that the Loki instance at address
is running in single-tenant mode and no X-Scope-OrgID
header is sent.
The sync_interval
argument determines how often the Loki ruler API is accessed to reload the current state.
Interaction with the Kubernetes API works differently.
Updates are processed as events from the Kubernetes API server according to the informer pattern.
You can use the loki_namespace_prefix
argument to separate the rules managed by multiple Alloy deployments across your infrastructure.
You should set the prefix to a unique value for each deployment.
Blocks
You can use the following blocks with loki.rules.kubernetes
:
The > symbol indicates deeper levels of nesting.
For example, oauth2
> tls_config
refers to a tls_config
block defined inside an oauth2
block.
authorization
credential
and credentials_file
are mutually exclusive, and only one can be provided inside an authorization
block.
basic_auth
password
and password_file
are mutually exclusive, and only one can be provided inside a basic_auth
block.
rule_selector
and rule_namespace_selector
The rule_selector
and rule_namespace_selector
blocks describe a Kubernetes label selector for rule or namespace discovery.
The following arguments are supported:
When the match_labels
argument is empty, all resources are matched.
match_expression
The match_expression
block describes a Kubernetes label match expression for rule or namespace discovery.
The following arguments are supported:
The operator
argument should be one of the following strings:
"in"
"notin"
"exists"
oauth2
client_secret
and client_secret_file
are mutually exclusive, and only one can be provided inside an oauth2
block.
The oauth2
block may also contain a separate tls_config
sub-block.
no_proxy
can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers.
proxy_url
must be configured if no_proxy
is configured.
proxy_from_environment
uses the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY (or the lowercase versions thereof).
Requests use the proxy from the environment variable matching their scheme, unless excluded by NO_PROXY.
proxy_url
and no_proxy
must not be configured if proxy_from_environment
is configured.
proxy_connect_header
should only be configured if proxy_url
or proxy_from_environment
are configured.
tls_config
The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:
ca_pem
andca_file
cert_pem
andcert_file
key_pem
andkey_file
When configuring client authentication, both the client certificate (using cert_pem
or cert_file
) and the client key (using key_pem
or key_file
) must be provided.
When min_version
isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2.
If min_version
is provided, it must be set to one of the following strings:
"TLS10"
(TLS 1.0)"TLS11"
(TLS 1.1)"TLS12"
(TLS 1.2)"TLS13"
(TLS 1.3)
Exported fields
loki.rules.kubernetes
doesn’t export any fields.
Component health
loki.rules.kubernetes
is reported as unhealthy if given an invalid configuration or an error occurs during reconciliation.
Debug information
loki.rules.kubernetes
exposes resource-level debug information.
The following are exposed per discovered PrometheusRule
resource:
- The Kubernetes namespace.
- The resource name.
- The resource UID.
- The number of rule groups.
The following are exposed per discovered Loki rule namespace resource:
- The namespace name.
- The number of rule groups.
Only resources managed by the component are exposed - regardless of how many actually exist.
Debug metrics
Example
This example creates a loki.rules.kubernetes
component that loads discovered rules to a local Loki instance under the team-a
tenant.
Only namespaces and rules with the alloy
label set to yes
are included.
loki.rules.kubernetes "local" {
address = "loki:3100"
tenant_id = "team-a"
rule_namespace_selector {
match_labels = {
alloy = "yes",
}
}
rule_selector {
match_labels = {
alloy = "yes",
}
}
}
This example creates a loki.rules.kubernetes
component that loads discovered rules to Grafana Cloud.
loki.rules.kubernetes "default" {
address = "<GRAFANA_CLOUD_URL>"
basic_auth {
username = "<GRAFANA_CLOUD_USER>"
password = "<GRAFANA_CLOUD_API_KEY>"
// Alternatively, load the password from a file:
// password_file = "<GRAFANA_CLOUD_API_KEY_PATH>"
}
}
Replace the following:
<GRAFANA_CLOUD_URL>
: The Grafana Cloud URL.<GRAFANA_CLOUD_USER>
: Your Grafana Cloud user name.<GRAFANA_CLOUD_API_KEY>
: Your Grafana Cloud API key.<GRAFANA_CLOUD_API_KEY_PATH>
: The path to the Grafana Cloud API key.
The following example is an RBAC configuration for Kubernetes. It authorizes Alloy to query the Kubernetes REST API: