Dashboards

The module lifecycle stage: Preview
The module has requirements for installation

A dashboard is a set of panels that display metric data as graphs, tables, and other visual elements. A dashboard is essentially a saved visual representation of PromQL queries against metrics.

The observability module provides mechanisms for managing cluster-level and project-level dashboards, as well as access control for them. Dashboards use the Grafana format, which makes it possible to import and export them when needed.

Dashboard types

Three types of dashboards are supported:

Dashboard type	Scope	Who has access
System dashboards (ClusterObservabilityDashboard)	Cluster level	DKP administrators
Project dashboards (ObservabilityDashboard)	Project (namespace) level	Users of the corresponding project
Standard propagated dashboards (ClusterObservabilityPropagatedDashboard)	Created at the cluster level and automatically available in all projects	All project users (read-only)

Dashboard types:

System dashboards (ClusterObservabilityDashboard): Used to visualize cluster metrics. Available in the Deckhouse web UI under “System” → “System management” → “Monitoring” → “Dashboards”. Created and managed by DKP administrators.
Project dashboards (ObservabilityDashboard): Designed to visualize metrics of a specific project (namespace). Available in the corresponding project under “Monitoring” → “Dashboards”. Project users can create and edit such dashboards within the configured permissions.
Standard propagated dashboards (ClusterObservabilityPropagatedDashboard): Created at the cluster level and automatically become available in all projects. Used to provide shared dashboards (for example, dashboards delivered by DKP modules) to all users. Available to all project users in read-only mode.

Dashboard access control

Access to dashboards is configured using the current role-based access control (RBAC) model.

Depending on the dashboard type, permissions are assigned to the following resources:

clusterobservabilitydashboards.observability.deckhouse.io: System dashboards.
observabilitydashboards.observability.deckhouse.io: Namespace-scoped dashboards.
clusterobservabilitypropagateddashboards.observability.deckhouse.io: Dashboards propagated to all users.

The following permissions are required to perform dashboard operations:

read: get
create and edit: create, update, patch, delete

Access to metrics used in dashboards is also controlled through RBAC. Metric filtering is applied automatically based on the granted permissions.

The following access scenarios are supported:

Namespace users get access only to metrics of their own namespace. RBAC access to the metrics.observability.deckhouse.io resource is checked.
DKP administrators get access to all system metrics:
- Deckhouse metrics (d8-*).
- Kubernetes metrics (kube-*).
- Metrics without the namespace label.
RBAC access to the clustermetrics.observability.deckhouse.io resource is used.
Metrics from user namespaces may also be available to administrators if they have the corresponding permissions for the metrics.observability.deckhouse.io resource.

Example ClusterRole and RoleBinding configuration for read and edit access to metrics and dashboards:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: observability-editor
rules:
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["metrics", "observabilitydashboards"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["observability.deckhouse.io"]
    resources: ["observabilitydashboards"]
    verbs: ["create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-observability-editor
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: observability-editor
subjects:
  - kind: User
    name: user@example.com
    apiGroup: rbac.authorization.k8s.io

Converting dashboards from GrafanaDashboardDefinition

To migrate dashboards created using the legacy GrafanaDashboardDefinition resource to one of the formats supported by the observability module, edit each dashboard manifest manually. Pay attention to the following key differences:

GrafanaDashboardDefinition format	`observability` module format
The Grafana folder is specified in the `spec.folder` field.	The folder is specified using the `observability.deckhouse.io/category` annotation.
The dashboard title is specified in the `title` field of the JSON manifest.	The title is specified using the `observability.deckhouse.io/title` annotation. If the annotation is missing, the `title` field from the JSON manifest is used.

Conversion example:

Old format:

apiVersion: deckhouse.io/v1
kind: GrafanaDashboardDefinition
metadata:
  name: example-dashboard
spec:
  folder: "Apps"
  json: '{
    "title": "Example Dashboard",
    ...
  }'

New format:

apiVersion: observability.deckhouse.io/v1alpha1
kind: ObservabilityDashboard
metadata:
  name: example-dashboard
  namespace: my-namespace
  annotations:
    metadata.deckhouse.io/category: "Apps"
    metadata.deckhouse.io/title: "Example Dashboard"
spec:
  definition: |
    {
      "title": "Example Dashboard",
      ...
    }

Dashboard types

Dashboard access control

Converting dashboards from GrafanaDashboardDefinition

An error has occurred

Tell us what you didn’t like.

Dashboards

Dashboard types

Dashboard access control

Converting dashboards from GrafanaDashboardDefinition

An error has occurred

Tell us what you didn’t like.

Request trial access

Thank you

Error

Request callback

Thank you

Something went wrong

Book your sessions

Thank you

Error

Request demo

Thank you

Error

Get the PCI SSC Compliance Report

Thank you

Error