Kubernetes API Server
Plugin: go.d.plugin Module: k8s_apiserver
Overview
This collector monitors Kubernetes API Server health, performance, and request metrics.
It collects metrics from the kube-apiserver's /metrics endpoint, providing insights into:
- Request rates, latencies, and error rates
- Current inflight and long-running requests
- Admission controller and webhook performance
- etcd backend health and object counts
- Controller work queue depths and latencies
- Authentication and audit events
- Go runtime and process metrics
The collector scrapes Prometheus-format metrics from the Kubernetes API Server's metrics endpoint. Authentication is typically done using a ServiceAccount bearer token.
This collector is supported on all platforms.
This collector supports collecting metrics from multiple instances of this integration, including remote instances.
The ServiceAccount used must have permissions to access the /metrics endpoint.
In most clusters, this requires cluster-admin or a custom ClusterRole with metrics access.
Kubernetes API Server can be monitored further using the following other integrations:
Default Behavior
Auto-Detection
When running inside a Kubernetes cluster, the collector attempts to connect to
https://kubernetes.default.svc:443/metrics using the pod's ServiceAccount token.
Limits
The default configuration for this integration does not impose any limits on data collection.
Performance Impact
The default configuration for this integration is not expected to impose a significant performance impact on the system.
Metrics
Metrics grouped by scope.
The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
Per Kubernetes API Server instance
These metrics refer to the entire monitored API server instance.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| k8s_apiserver.requests_total | requests | requests/s |
| k8s_apiserver.requests_dropped | dropped | requests/s |
| k8s_apiserver.requests_by_verb | a dimension per HTTP verb | requests/s |
| k8s_apiserver.requests_by_code | a dimension per HTTP status code | requests/s |
| k8s_apiserver.requests_by_resource | a dimension per Kubernetes resource | requests/s |
| k8s_apiserver.request_latency | p50, p90, p99 | milliseconds |
| k8s_apiserver.response_size | p50, p90, p99 | bytes |
| k8s_apiserver.inflight_requests | mutating, read_only | requests |
| k8s_apiserver.longrunning_requests | longrunning | requests |
| k8s_apiserver.rest_client_requests_by_code | a dimension per HTTP status code | requests/s |
| k8s_apiserver.rest_client_requests_by_method | a dimension per HTTP method | requests/s |
| k8s_apiserver.rest_client_latency | p50, p90, p99 | milliseconds |
| k8s_apiserver.admission_step_latency | validate, admit | milliseconds |
| k8s_apiserver.etcd_object_counts | a dimension per resource type | objects |
| k8s_apiserver.audit_events | events, rejected | events/s |
| k8s_apiserver.authentication_requests | authenticated | requests/s |
| k8s_apiserver.goroutines | goroutines | goroutines |
| k8s_apiserver.threads | threads | threads |
| k8s_apiserver.process_memory | resident, virtual | bytes |
| k8s_apiserver.heap_memory | alloc, inuse, stack | bytes |
| k8s_apiserver.gc_duration | min, p25, p50, p75, max | seconds |
| k8s_apiserver.open_fds | open, max | file descriptors |
| k8s_apiserver.cpu_usage | cpu | seconds/s |
Per workqueue
These metrics refer to controller work queues.
Labels:
| Label | Description |
|---|---|
| controller | Controller name |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| k8s_apiserver.workqueue_depth | depth | items |
| k8s_apiserver.workqueue_latency | p50, p90, p99 | microseconds |
| k8s_apiserver.workqueue_adds | adds, retries | items/s |
| k8s_apiserver.workqueue_duration | p50, p90, p99 | microseconds |
Per admission controller
These metrics refer to admission controllers.
Labels:
| Label | Description |
|---|---|
| name | Admission controller name |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| k8s_apiserver.admission_controller_latency | 5ms, 25ms, 100ms, 500ms, 1s, 2.5s, +Inf | events/s |
Per admission webhook
These metrics refer to admission webhooks.
Labels:
| Label | Description |
|---|---|
| name | Webhook name |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| k8s_apiserver.admission_webhook_latency | 5ms, 25ms, 100ms, 500ms, 1s, 2.5s, +Inf | events/s |
Alerts
The following alerts are available:
| Alert name | On metric | Description |
|---|---|---|
| k8s_apiserver_request_errors | k8s_apiserver.requests_by_code | high rate of API server request errors (5xx responses) |
| k8s_apiserver_latency | k8s_apiserver.request_latency | API server request latency is high |
Setup
You can configure the k8s_apiserver collector in two ways:
| Method | Best for | How to |
|---|---|---|
| UI | Fast setup without editing files | Go to Nodes → Configure this node → Collectors → Jobs, search for k8s_apiserver, then click + to add a job. |
| File | If you prefer configuring via file, or need to automate deployments (e.g., with Ansible) | Edit go.d/k8s_apiserver.conf and add a job. |
UI configuration requires paid Netdata Cloud plan.
Prerequisites
ServiceAccount with metrics access
The Netdata pod must have a ServiceAccount with permissions to read metrics from the API server. You can create a ClusterRole and ClusterRoleBinding for this purpose.
Configuration
Options
The following options can be defined globally: update_every, autodetection_retry.
Config options
| Group | Option | Description | Default | Required |
|---|---|---|---|---|
| Collection | update_every | Data collection interval (seconds). | 1 | no |
| autodetection_retry | Autodetection retry interval (seconds). Set 0 to disable. | 0 | no | |
| Target | url | Target endpoint URL. | https://kubernetes.default.svc:443/metrics | yes |
| timeout | HTTP request timeout (seconds). | 2 | no | |
| HTTP Auth | username | Username for Basic HTTP authentication. | no | |
| password | Password for Basic HTTP authentication. | no | ||
| bearer_token_file | Path to a file containing a bearer token (used for Authorization: Bearer). | /var/run/secrets/kubernetes.io/serviceaccount/token | no | |
| TLS | tls_skip_verify | Skip TLS certificate and hostname verification (insecure). | no | no |
| tls_ca | Path to CA bundle used to validate the server certificate. | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | no | |
| tls_cert | Path to client TLS certificate (for mTLS). | no | ||
| tls_key | Path to client TLS private key (for mTLS). | no | ||
| Proxy | proxy_url | HTTP proxy URL. | no | |
| proxy_username | Username for proxy Basic HTTP authentication. | no | ||
| proxy_password | Password for proxy Basic HTTP authentication. | no | ||
| Request | method | HTTP method to use. | GET | no |
| body | Request body (e.g., for POST/PUT). | no | ||
| headers | Additional HTTP headers (one per line as key: value). | no | ||
| not_follow_redirects | Do not follow HTTP redirects. | no | no | |
| force_http2 | Force HTTP/2 (including h2c over TCP). | no | no | |
| Virtual Node | vnode | Associates this data collection job with a Virtual Node. | no |
via UI
Configure the k8s_apiserver collector from the Netdata web interface:
- Go to Nodes.
- Select the node where you want the k8s_apiserver data-collection job to run and click the ⚙ (Configure this node). That node will run the data collection.
- The Collectors → Jobs view opens by default.
- In the Search box, type k8s_apiserver (or scroll the list) to locate the k8s_apiserver collector.
- Click the + next to the k8s_apiserver collector to add a new job.
- Fill in the job fields, then click Test to verify the configuration and Submit to save.
- Test runs the job with the provided settings and shows whether data can be collected.
- If it fails, an error message appears with details (for example, connection refused, timeout, or command execution errors), so you can adjust and retest.
via File
The configuration file name for this integration is go.d/k8s_apiserver.conf.
The file format is YAML. Generally, the structure is:
update_every: 1
autodetection_retry: 0
jobs:
- name: some_name1
- name: some_name2
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/k8s_apiserver.conf
Examples
In-cluster (default)
Default configuration when running inside a Kubernetes cluster.
jobs:
- name: local
url: https://kubernetes.default.svc:443/metrics
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
tls_ca: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
External access with kubectl proxy
Access API server metrics via kubectl proxy running on localhost.
Config
jobs:
- name: via-proxy
url: http://127.0.0.1:8001/metrics
Direct access with token
Direct access to API server with a bearer token.
Config
jobs:
- name: direct
url: https://api.example.com:6443/metrics
bearer_token_file: /path/to/token
tls_skip_verify: yes
Troubleshooting
Debug Mode
Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.
To troubleshoot issues with the k8s_apiserver collector, run the go.d.plugin with the debug option enabled. The output
should give you clues as to why the collector isn't working.
-
Navigate to the
plugins.ddirectory, usually at/usr/libexec/netdata/plugins.d/. If that's not the case on your system, opennetdata.confand look for thepluginssetting under[directories].cd /usr/libexec/netdata/plugins.d/ -
Switch to the
netdatauser.sudo -u netdata -s -
Run the
go.d.pluginto debug the collector:./go.d.plugin -d -m k8s_apiserverTo debug a specific job:
./go.d.plugin -d -m k8s_apiserver -j jobName
Getting Logs
If you're encountering problems with the k8s_apiserver collector, follow these steps to retrieve logs and identify potential issues:
- Run the command specific to your system (systemd, non-systemd, or Docker container).
- Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.
System with systemd
Use the following command to view logs generated since the last Netdata service restart:
journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep k8s_apiserver
System without systemd
Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for collector's name:
grep k8s_apiserver /var/log/netdata/collector.log
Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.
Docker Container
If your Netdata runs in a Docker container named "netdata" (replace if different), use this command:
docker logs netdata 2>&1 | grep k8s_apiserver
Connection refused
The API server may not be accessible. Check that:
- The URL is correct
- Network policies allow access
- The ServiceAccount has proper RBAC permissions
401 Unauthorized
Authentication failed. Verify:
- The bearer token file exists and is readable
- The token is valid and not expired
- The ServiceAccount has metrics access permissions
Certificate errors
TLS verification failed. Options:
- Provide the correct CA certificate path in
tls_ca - Set
tls_skip_verify: yes(not recommended for production)
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.