kubernetes service checks #5

Supports: focal bionic xenial


This charm provides NRPE Checks verifying Kubernetes API accessibility and integrates with Nagios for timely alerting.

kubernetes-service-checks Charm


This charm provides Kubernetes Service checks for Nagios.


juju deploy cs:kubernetes-service-checks
juju add-relation kubernetes-service-checks nrpe
juju add-relation kubernetes-service-checks:kube-api-endpoint kubernetes-master
juju add-relation kubernetes-service-checks:kube-control kubernetes-master


  • kubernetes-master:kube-api-endpoint - Provides KSC with the kubernetes-api hostname and port
  • kubernetes-master:kube-control - Provides KSC with a kubernetes-api client-token for authentication
  • nrpe:nrpe-external-master - Required for nagios; provides additional plugins

Note: Future relations with kubernetes-master may be changed so that a single relation can provide the K8S api hostname, port, client token and ssl ca cert.

Config Options

trusted_ssl_ca (Optional): Setting this option enables SSL host certificate authentication in the API checks.

juju config kubernetes-service-checks trusted_ssl_ca="${KUBERNETES_API_CA}"

Service Checks

The plugin check_kubernetes_api.py ships with this charm and contains an array of checks for the k8s api health.

check_kubernetes_api.py --help
usage: check_kubernetes_api.py [-h] [-H HOST] [-P PORT] [-T CLIENT_TOKEN]
                               [--check health] [-C SSL_CA_PATH]

Check Kubernetes API status

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  Hostname or IP of the kube-api-server (default: None)
  -P PORT, --port PORT  Port of the kube-api-server (default: 6443)
                        Client access token for authenticate with the
                        Kubernetes API (default: None)
  --check health        which check to run (default: health)
  -C SSL_CA_PATH, --trusted-ca-cert SSL_CA_PATH
                        String containing path to the trusted CA certificate
                        (default: None)

health - This polls the kubernetes-api /healthz endpoint. A GET request to this endpoint is expected to return 200 - 'ok' if the API is healthy, otherwise 500.
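The sketch below is an added example, not the charm's check_kubernetes_api.py. It shows how a /healthz poll maps to Nagios exit codes and how a trusted CA path changes TLS verification. The function names, the Bearer header, and the unverified connection when no CA is set are assumptions.

```python
import ssl
import urllib.error
import urllib.request

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def build_tls_context(ca_path=None):
    """Verify the API server certificate only when a CA file is supplied."""
    if ca_path:
        # Raises OSError if the file is missing or unparsable: fail closed
        # instead of silently dropping back to an unverified connection.
        return ssl.create_default_context(cafile=ca_path)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # assumption: no CA configured means
    ctx.verify_mode = ssl.CERT_NONE  # the server certificate is not verified
    return ctx


def interpret_healthz(status, body):
    """Map a /healthz response to a Nagios (code, message) pair."""
    if status == 200 and body.strip() == "ok":
        return OK, "OK: Kubernetes API is healthy"
    return CRITICAL, f"CRITICAL: /healthz returned {status} {body.strip()[:80]!r}"


def check_health(host, port, token, ca_path=None, timeout=10):
    """Poll https://host:port/healthz with the client token (assumed Bearer auth)."""
    try:
        ctx = build_tls_context(ca_path)
    except OSError as err:  # ssl.SSLError is an OSError subclass
        return UNKNOWN, f"UNKNOWN: cannot load trusted CA {ca_path}: {err}"
    req = urllib.request.Request(
        f"https://{host}:{port}/healthz",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return interpret_healthz(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # non-2xx, e.g. the 500 case
        return interpret_healthz(err.code, err.read().decode("utf-8", "replace"))
    except OSError as err:  # URLError: refused, timeout, failed cert verification
        return CRITICAL, f"CRITICAL: cannot reach kube-apiserver: {err}"


if __name__ == "__main__":
    # Constructed responses, so the mapping can be seen without a cluster.
    for status, body in [(200, "ok"), (500, "constructed failure body")]:
        print(interpret_healthz(status, body))
```

Without a CA file the client token travels over a connection whose server certificate is not checked, which is the case the trusted_ssl_ca option is there to close.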

Other Checks

Certificate Expiration: The check_http plugin is shipped with nrpe and contains a built-in certificate expiration check. The warning and critical thresholds are configurable:

juju config kubernetes-service-checks tls_warn_days=90
juju config kubernetes-service-checks tls_crit_days=30


Juju should be installed and bootstrapped on the system to run functional tests.

export MODEL_SETTINGS=<semicolon-separated list of "juju model-config" settings>
make test

NOTE: If you are behind a proxy, be sure to export a MODEL_SETTINGS variable as described above. Note that you will need to use the juju-http-proxy, juju-https-proxy, juju-no-proxy and similar settings.

Contact information

Please contact Canonical's BootStack team via the "Submit a bug" link.


(string) Snap channel to install kubectl from
(string) Used by the nrpe subordinate charms. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
(int) Number of days left for the TLS certificate to expire before alerting Critical.
(int) Number of days left for the TLS certificate to expire before Warning.
(string) base64 encoded SSL ca cert to use for Kubernetes API client connections.