Operator metrics
Big picture
Use Prometheus to monitor the Calico Enterprise operator.
Value
The Calico Enterprise operator exposes Prometheus metrics that give you visibility into the overall health of your Calico Enterprise installation. These metrics let you set up alerts for degraded components, expiring TLS certificates, and license issues before they impact operations.
Before you begin
Operator metrics are enabled by default. The tigera-operator deployment ships with the following environment variables already set:
METRICS_ENABLED=trueMETRICS_SCHEME=https
Metrics are served on port 9484 over HTTPS and scraped by the built-in Prometheus instance via the tigera-operator-metrics ServiceMonitor.
Metrics reference
Component status
The tigera_operator_component_status metric reports the status of each Calico Enterprise component as managed by the operator. This mirrors the information available through kubectl get tigerastatus.
| Metric | Labels | Description |
|---|---|---|
tigera_operator_component_status | component, condition | Status of a component. Value is 1 (true) or 0 (false). |
Labels:
component— The Calico Enterprise component (e.g.calico,apiserver,monitor,log-storage,manager)condition— One of:available— The component is running and healthydegraded— The component is in an error stateprogressing— The component is being updated or is starting up
Example queries:
-
Find all degraded components:
tigera_operator_component_status{condition="degraded"} == 1 -
Check if a specific component is available:
tigera_operator_component_status{component="calico", condition="available"}
TLS certificate expiry
The tigera_operator_tls_certificate_expiry_timestamp_seconds metric reports the expiry time of each TLS certificate managed by the operator.
| Metric | Labels | Description |
|---|---|---|
tigera_operator_tls_certificate_expiry_timestamp_seconds | name, namespace, issuer | Unix timestamp when the certificate expires. |
Labels:
name— The Secret name containing the certificatenamespace— The namespace of the Secretissuer— The certificate issuer (e.g.tigera-operator-signer)
Example queries:
-
Certificates expiring within 30 days:
tigera_operator_tls_certificate_expiry_timestamp_seconds - time() < 30 * 24 * 3600 -
Certificates expiring within 7 days:
tigera_operator_tls_certificate_expiry_timestamp_seconds - time() < 7 * 24 * 3600
License
| Metric | Labels | Description |
|---|---|---|
tigera_operator_license_valid | — | Whether the license is valid (1) or not (0). |
tigera_operator_license_expiry_timestamp_seconds | — | Unix timestamp when the license expires. |
Example queries:
-
License expires within 30 days:
tigera_operator_license_expiry_timestamp_seconds - time() < 30 * 24 * 3600 -
License is invalid:
tigera_operator_license_valid == 0
Built-in alerts
Calico Enterprise installs a PrometheusRule resource named calico with alerting rules that use these metrics. You can view it with:
kubectl -n tigera-prometheus get prometheusrule calico -o yaml
The built-in rules include:
| Alert | Condition | Severity |
|---|---|---|
DeniedPacketsRate | Denied packets rate > 50/s | info |
TLSCertExpiringWarning | Certificate expires in < 30 days | warning |
TLSCertExpiringCritical | Certificate expires in < 7 days | critical |
LicenseExpiringWarning | License expires in < 30 days | warning |
LicenseExpiringCritical | License expires in < 7 days or is invalid | critical |
ComponentDegradedWarning | Component degraded for > 15m | warning |
ComponentDegradedCritical | Component degraded for > 30m | critical |
ComponentProgressingWarning | Component progressing for > 15m | warning |
ComponentProgressingCritical | Component progressing for > 30m | critical |
To route these alerts, see Configure Alertmanager.