GCP with Cloud Monitoring¶
This section shows how to configure the chart and provision the infrastructure to observe DataRobot on GCP managed services.
Requirements¶
OIDC provider must be configured. Refer to the Google - Google Kubernetes Engine (GKE) documentation in the installation guide.
The created Google service account must:
* Be assigned the logging.logWriter, monitoring.metricWriter and cloudtrace.agent roles
* Be bound to each of the Kubernetes service accounts that are bound to the observability subchart pods
The Kubernetes service accounts used by the pods are the following (unless explicitly named otherwise in the subchart):
* observability-v2-otel-deployment
* observability-v2-otel-daemonset
* observability-v2-otel-statsd
* observability-v2-otel-scraper
* observability-v2-otel-scraper-static
This is explained below.
Google service account¶
First, the Google Service Account needs to be created for the project:
GOOGLE_SERVICE_ACCOUNT_ID="<GOOGLE_SERVICE_ACCOUNT_ID>"
PROJECT_NAME="<PROJECT_NAME>"
GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME="<GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME>"
gcloud iam service-accounts create "$GOOGLE_SERVICE_ACCOUNT_ID" \
--project="$PROJECT_NAME" \
--display-name="$GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME"
# Required for subsequent steps
GOOGLE_SERVICE_ACCOUNT_EMAIL="$GOOGLE_SERVICE_ACCOUNT_ID@$PROJECT_NAME.iam.gserviceaccount.com"
The GOOGLE_SERVICE_ACCOUNT_EMAIL will be needed later to configure the chart.
Its value is <GOOGLE_SERVICE_ACCOUNT_ID>@<PROJECT_NAME>.iam.gserviceaccount.com, where
GOOGLE_SERVICE_ACCOUNT_ID and PROJECT_NAME are the values specified manually above
when creating this account.
Role binding to the Google service account¶
The previously mentioned roles need to be bound to this account:
declare -a PROJECT_ROLES=(
"roles/logging.logWriter"
"roles/monitoring.metricWriter"
"roles/cloudtrace.agent"
)
for ROLE in "${PROJECT_ROLES[@]}"; do
echo " -> Granting role: $ROLE"
gcloud projects add-iam-policy-binding "$PROJECT_NAME" \
--member="serviceAccount:$GOOGLE_SERVICE_ACCOUNT_EMAIL" \
--role="$ROLE" \
--no-user-output-enabled
done
Workload identity binding to Kubernetes service accounts¶
Finally, the Kubernetes service accounts mentioned earlier need to be bound to the Google service account:
NAMESPACE="<KUBERNETES_NAMESPACE>"
# Role that lets a Kubernetes service account impersonate the Google service account
WORKLOAD_IDENTITY_BINDING_ROLE="roles/iam.workloadIdentityUser"
declare -a KUBERNETES_SERVICE_ACCOUNT_NAMES=(
"observability-v2-otel-deployment"
"observability-v2-otel-daemonset"
"observability-v2-otel-statsd"
"observability-v2-otel-scraper"
"observability-v2-otel-scraper-static"
)
for KSA in "${KUBERNETES_SERVICE_ACCOUNT_NAMES[@]}"; do
# Workload Identity member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
MEMBER="serviceAccount:${PROJECT_NAME}.svc.id.goog[${NAMESPACE}/${KSA}]"
gcloud iam service-accounts add-iam-policy-binding "$GOOGLE_SERVICE_ACCOUNT_EMAIL" \
--project="$PROJECT_NAME" \
--role="$WORKLOAD_IDENTITY_BINDING_ROLE" \
--member="$MEMBER" \
--no-user-output-enabled
done
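After the three steps above, a practitioner will want to confirm that the Google service account holds exactly the required project roles and that only the listed Kubernetes service accounts can impersonate it. The following audit is an added example, not DataRobot's own code: it assumes the Workload Identity binding role is roles/iam.workloadIdentityUser, takes policy documents in the shape printed by `gcloud ... get-iam-policy --format=json`, and runs on constructed sample policies that contain an over-grant and a stray binding.

```python
"""Audit the GSA roles and Workload Identity bindings from the steps above.
Added example, not DataRobot's own code. The dicts mirror the JSON printed by
`gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts
get-iam-policy --format=json`; the samples are constructed, not captured.
"""
REQUIRED_ROLES = {"roles/logging.logWriter", "roles/monitoring.metricWriter",
                  "roles/cloudtrace.agent"}
WORKLOAD_IDENTITY_ROLE = "roles/iam.workloadIdentityUser"  # assumed binding role
KSA_NAMES = ["observability-v2-otel-deployment", "observability-v2-otel-daemonset",
             "observability-v2-otel-statsd", "observability-v2-otel-scraper",
             "observability-v2-otel-scraper-static"]


def expected_ksa_members(project, namespace):
    """Workload Identity member strings for the subchart's service accounts."""
    return {f"serviceAccount:{project}.svc.id.goog[{namespace}/{k}]" for k in KSA_NAMES}


def audit(project, namespace, gsa_email, project_policy, gsa_policy):
    """Return findings keyed by problem; an empty dict means the setup matches."""
    member = f"serviceAccount:{gsa_email}"
    held = {b["role"] for b in project_policy.get("bindings", [])
            if member in b.get("members", [])}
    wi_members = set()
    for b in gsa_policy.get("bindings", []):
        if b.get("role") == WORKLOAD_IDENTITY_ROLE:
            wi_members.update(b.get("members", []))
    expected = expected_ksa_members(project, namespace)
    checks = {
        "missing_roles": REQUIRED_ROLES - held,  # exporters cannot write telemetry
        "extra_roles": held - REQUIRED_ROLES,  # more than the chart needs
        "unbound_ksas": expected - wi_members,  # those pods cannot impersonate the GSA
        "unexpected_impersonators": wi_members - expected,  # other workloads can
    }
    return {k: sorted(v) for k, v in checks.items() if v}


# Constructed sample: required roles plus roles/owner, one KSA unbound, one stray member.
PROJECT, NS = "my-project", "datarobot"
GSA = f"dr-observability@{PROJECT}.iam.gserviceaccount.com"
UNBOUND_KSA = f"serviceAccount:{PROJECT}.svc.id.goog[{NS}/observability-v2-otel-scraper-static]"
STRAY = f"serviceAccount:{PROJECT}.svc.id.goog[default/debug-shell]"
SAMPLE_PROJECT_POLICY = {"bindings": [{"role": r, "members": [f"serviceAccount:{GSA}"]}
                                      for r in sorted(REQUIRED_ROLES) + ["roles/owner"]]}
SAMPLE_GSA_POLICY = {"bindings": [{"role": WORKLOAD_IDENTITY_ROLE, "members":
                     sorted(expected_ksa_members(PROJECT, NS) - {UNBOUND_KSA}) + [STRAY]}]}

if __name__ == "__main__":
    print(audit(PROJECT, NS, GSA, SAMPLE_PROJECT_POLICY, SAMPLE_GSA_POLICY))
```

To run it against a real project, feed it the parsed output of the two gcloud commands named in the docstring instead of the sample dicts.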
Full chart configuration¶
A full working example of the configuration can be found in the
datarobot-prime/charts/datarobot-observability-core/examples/gke.values.yaml
file in the DataRobot tarball.
In the minimal configuration without additional custom processors (see extending pipelines with custom processors), the values to update are the following:
* SERVICE_ACCOUNT: see Google service account
* PROJECT_NAME: the project name where DataRobot is deployed. This value is the same as the one used in Google service account
* LOG_NAME: a default name for log entries (log.default_log_name in googlecloudexporter)
For additional exporter configuration, check the specific exporter definition where these values are referenced, where a link to the upstream exporter documentation is included.
Once the values are set, DataRobot can be installed/upgraded by specifying the
path to this file with the -f option to the helm command.