Enable ARMS for a registered cluster - Container Service for Kubernetes

You can use Application Real-Time Monitoring Service (ARMS) to monitor the status of applications in real time. To monitor applications in a registered cluster, you need to install the ARMS application monitoring component in the registered cluster.

Prerequisites

An external Kubernetes cluster is registered in the Container Service for Kubernetes (ACK) console. For more information, see Create a registered cluster.
A kubectl client is connected to the registered cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Step 1: Install the ARMS application monitoring component

Use onectl

Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

Run the following command to configure RAM permissions for the ack-onepilot component:

onectl ram-user grant --addon ack-onepilot

Expected output:

Ram policy ack-one-registered-cluster-policy-ack-onepilot granted to ram user **** successfully.

Run the following command to install the ack-onepilot component:
```
onectl addon install ack-onepilot
```
Expected output:
```
Addon ack-onepilot, version **** installed.
```

Use the console

Configure a RAM policy. Before installing the component, you must specify your AccessKey pair in the registered cluster. The AccessKey pair is used to acquire cloud service access permissions.
1. Create a RAM user.
2. Create custom policies. The ack-onepilot component requires the following permission policy:
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": "arms:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
3. Grant permissions to the RAM user. Attach the custom policy created in the preceding step to the RAM user.
4. Create an AccessKey pair for the RAM user.
  Warning
  We recommend that you configure AccessKey pair-based policies for network access control, limiting AccessKey invocation sources to trusted network environments to enhance AccessKey security.
5. Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.
  Run the following command to create a Secret used by the ack-onepilot component.
  Note
  You need to replace access-key-id and access-key-secret in the command with the AccessKey ID and AccessKey secret you created in the previous step.
```
kubectl -n ack-onepilot create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
```
Install the ack-onepilot component.
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, find the one you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.
3. On the Add-ons page, click the Logs and Monitoring tab, find the ack-onepilot card, and then click Install in the lower-right corner.
4. In the Install ack-onepilot dialog box, configure the parameters and click OK.

Step 2: Enable ARMS for a Java application

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster you want to manage and click its name. In the left-side pane, choose Workloads > Deployments.
On the Deployments page, choose More > View in YAML in the Actions column of the deployment that you want to manage.

In the YAML file, add the following labels to spec.template.metadata:

labels:
  armsPilotAutoEnable: "on"
  armsPilotCreateAppName: "<your-deployment-name>"    # Replace <your-deployment-name> with the actual application name. 
  armsSecAutoEnable: "on"    # If you want to connect the application to Application Security, you must configure this parameter.

Note

For information about Application Security, see What is Application Security?
For information about the billing rules of Application Security, see Billing.

YAML Example

Click Update.
On the Deployments page, find the application, and check whether the ARMS Console button appears in the Actions column.

On the Deployments page, click ARMS Console in the Actions column of the Java application to navigate to the ARMS console and perform service governance.

What to do next

Uninstall ack-onepilot for all applications in the cluster
Use onectl
1. Run the following command to uninstall the ack-onepilot component:
```
onectl addon uninstall ack-onepilot
```
  Expected output:
```
Addon ack-onepilot uninstalled.
```
2. Restart your application pod.
Use the console
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, find the one you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.
3. On the Add-ons page, click the Logs and Monitoring tab, find the ack-onepilot component, and then click Uninstall in the lower-right corner.
4. In the message that appears, click OK.
5. Restart your application pod.
Uninstall ack-onepilot for an application in the cluster
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, click the name of the desired cluster and choose Workloads > Deployments in the left-side navigation pane.
3. On the Deployments page, choose More > View in YAML in the Actions column of the application that you want to manage. In the Edit YAML dialog box, delete the labels that you added in Step 2, and then click Update.
4. Restart your application pod.