Azure Monitor Container Insights for Azure Arc-enabled Kubernetes clusters

Azure Monitor Container Insights provides a rich monitoring experience for Azure Arc-enabled Kubernetes clusters.

Supported configurations

  • Azure Monitor Container Insights supports monitoring Azure Arc-enabled Kubernetes as described in the Overview article, except the live data feature. Also, users aren't required to have Owner permissions to enable metrics.
  • Docker, Moby, and CRI-compatible container runtimes such as CRI-O and containerd.
  • Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

Note

If you are migrating from Container Insights on Azure Red Hat OpenShift v4.x, ensure that you have disabled monitoring before you configure Container Insights on Azure Arc-enabled Kubernetes, to prevent installation issues.

Prerequisites

Identify workspace resource ID

Run the following commands to locate the full Azure Resource Manager identifier of the Log Analytics workspace.

  1. List all the subscriptions that you have access to using the following command:

    az account list --all -o table
    
  2. Switch to the subscription hosting the Log Analytics workspace using the following command:

    az account set -s <subscriptionId of the workspace>
    
  3. The following example displays the list of workspaces in your subscriptions in the default JSON format.

    az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json
    

    In the output, find the workspace name of interest. The id field of that entry is the Azure Resource Manager identifier of that Log Analytics workspace.

    Tip

    This id can also be found in the Overview pane of the Log Analytics workspace through the Azure portal.

Create extension instance

Option 1 - With default values

This option uses the following defaults:

  • Creates or uses the existing default Log Analytics workspace corresponding to the region of the cluster
  • Auto-upgrade is enabled for the Azure Monitor cluster extension

Note

Managed identity authentication is the default in k8s-extension version 1.43.0 or higher.

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers

To use managed identity authentication, add the configuration-settings parameter as in the following:

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=true

Note

Managed identity authentication is not supported for Arc-enabled Kubernetes clusters with ARO.

To use legacy/non-managed identity authentication to create an extension instance on Arc K8S connected clusters with ARO, use the commands below, which don't use managed identity. Non-CLI onboarding is not supported for Arc-enabled Kubernetes clusters with ARO. Currently, only k8s-extension version 1.3.7 or below is supported.

If you are using a k8s-extension version above 1.3.7, downgrade the version.

az extension add --name k8s-extension --version 1.3.7

Install the extension with amalogs.useAADAuth=false.

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.useAADAuth=false

Option 2 - With existing Azure Log Analytics workspace

You can use an existing Azure Log Analytics workspace in any subscription on which you have Contributor or a more permissive role assignment.

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings logAnalyticsWorkspaceResourceID=<armResourceIdOfExistingWorkspace>

Option 3 - With advanced configuration

If you want to tweak the default resource requests and limits, you can use the advanced configuration settings:

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.resources.daemonset.limits.cpu=150m amalogs.resources.daemonset.limits.memory=600Mi amalogs.resources.deployment.limits.cpu=1 amalogs.resources.deployment.limits.memory=750Mi

Check out the resource requests and limits section of the Helm chart for the available configuration settings.

Option 4 - On Azure Stack Edge

If the Azure Arc-enabled Kubernetes cluster is on Azure Stack Edge, then a custom mount path /home/data/docker needs to be used.

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.logsettings.custommountpath=/home/data/docker

If the cluster is configured with a forward proxy, then proxy settings are automatically applied to the extension. In the case of a cluster with AMPLS + proxy, proxy config should be ignored. Onboard the extension with the configuration setting amalogs.ignoreExtensionProxySettings=true.

az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings amalogs.ignoreExtensionProxySettings=true

Note

If you are explicitly specifying the version of the extension to be installed in the create command, then ensure that the version specified is >= 2.8.2.
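
The shell functions below are an added example, not part of the original article: they check that the value passed as logAnalyticsWorkspaceResourceID (Option 2) is a full workspace resource ID and that a pinned extension version meets the 2.8.2 minimum from the note above. The function names and the sample values used to exercise them are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for `az k8s-extension create`.
# Function names and sample values are constructed, not from the article.

# True if $1 is a full ARM resource ID of a Log Analytics workspace.
is_workspace_id() {
  # Reject embedded newlines so grep sees exactly one line.
  [ "$(printf '%s' "$1" | tr -d '\n')" = "$1" ] || return 1
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[A-Za-z0-9._()-]+/providers/Microsoft\.OperationalInsights/workspaces/[A-Za-z0-9-]+$'
}

# True if dotted numeric version $1 is >= $2 (for the 2.8.2 minimum).
version_at_least() {
  case $1 in ''|*[!0-9.]*) return 2 ;; esac
  v=$1 min=$2
  while [ -n "$v" ] || [ -n "$min" ]; do
    a=${v%%.*} b=${min%%.*}
    [ "${a:-0}" -gt "${b:-0}" ] && return 0
    [ "${a:-0}" -lt "${b:-0}" ] && return 1
    case $v in *.*) v=${v#*.} ;; *) v= ;; esac
    case $min in *.*) min=${min#*.} ;; *) min= ;; esac
  done
  return 0
}

# Step 3 with the lookup done by az: print the ID of the workspace
# named $1 in the currently selected subscription.
workspace_id_by_name() {
  case $1 in ''|*[!A-Za-z0-9-]*) return 2 ;; esac
  az resource list --resource-type Microsoft.OperationalInsights/workspaces \
    --query "[?name=='$1'].id" -o tsv
}

# Option 2, refusing anything that is not a workspace resource ID.
create_with_workspace() {  # args: cluster-name resource-group workspace-id
  is_workspace_id "$3" || { echo "not a workspace resource ID: $3" >&2; return 1; }
  az k8s-extension create --name azuremonitor-containers \
    --cluster-name "$1" --resource-group "$2" \
    --cluster-type connectedClusters \
    --extension-type Microsoft.AzureMonitor.Containers \
    --configuration-settings "logAnalyticsWorkspaceResourceID=$3"
}

# Only calls az when invoked with all three arguments.
if [ "$#" -eq 3 ]; then create_with_workspace "$@"; fi
```

Call version_at_least "<version>" 2.8.2 before pinning an extension version; a non-numeric value is rejected rather than compared.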

Verify extension installation status

Once you have successfully created the Azure Monitor extension for your Azure Arc-enabled Kubernetes cluster, you can additionally check the status of installation using the Azure portal or CLI. Successful installations should show the status as 'Installed'. If your status is showing 'Failed' or remains in the 'Pending' state for long periods of time, proceed to the Troubleshooting section below.

  1. In the Azure portal, select the Azure Arc-enabled Kubernetes cluster where the extension is being installed.
  2. From the resource pane on the left, select the 'Extensions' item under the 'Settings' section.
  3. You should see an extension named 'azuremonitor-containers' listed, with its status shown in the 'Install status' column.

Delete extension instance

The following command only deletes the extension instance, but doesn't delete the Log Analytics workspace. The data within the Log Analytics resource is left intact.

az k8s-extension delete --name azuremonitor-containers --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <resource-group>

Disconnected cluster

If your cluster is disconnected from Azure for more than 48 hours, then Azure Resource Graph won't have information about your cluster. As a result, the Insights pane may display incorrect information about your cluster state.

Troubleshooting

For issues with enabling monitoring, we have provided a troubleshooting script to help diagnose any problems.

Next steps

  • With monitoring enabled to collect health and resource utilization of your Azure Arc-enabled Kubernetes cluster and workloads running on them, learn how to use Container insights.

  • By default, the containerized agent collects the stdout/stderr container logs of all the containers running in all the namespaces except kube-system. To configure container log collection for a particular namespace or namespaces, review Container Insights agent configuration to apply the desired data collection settings in your ConfigMap configuration file.

  • To scrape and analyze Prometheus metrics from your cluster, review Configure Prometheus metrics scraping.