API reference

podMetadata defines labels and annotations which are propagated to the Alertmanager pods.

The following items are reserved and cannot be overridden: * “alertmanager” label, set to the name of the Alertmanager instance. * “app.kubernetes.io/instance” label, set to the name of the Alertmanager instance. * “app.kubernetes.io/managed-by” label, set to “prometheus-operator”. * “app.kubernetes.io/name” label, set to “alertmanager”. * “app.kubernetes.io/version” label, set to the Alertmanager version. * “kubectl.kubernetes.io/default-container” annotation, set to “alertmanager”.

image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary to ensure the Prometheus Operator knows what version of Alertmanager is being configured.

imagePullPolicy for the ‘alertmanager’, ‘init-config-reloader’ and ‘config-reloader’ containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.

version the cluster should be on.

tag of Alertmanager container image to be deployed. Defaults to the value of version. Version is ignored if Tag is set. Deprecated: use ‘image’ instead. The image tag can be specified as part of the image URL.

sha of Alertmanager container image to be deployed. Defaults to the value of version. Similar to a tag, but the SHA explicitly deploys an immutable container image. Version and Tag are ignored if SHA is set. Deprecated: use ‘image’ instead. The image digest can be specified as part of the image URL.

baseImage that is used to deploy pods, without tag. Deprecated: use ‘image’ instead.

imagePullSecrets An optional list of references to secrets in the same namespace to use for pulling prometheus and alertmanager images from registries see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

secrets is a list of Secrets in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager Pods. Each Secret is added to the StatefulSet definition as a volume named secret-<secret-name>. The Secrets are mounted into /etc/alertmanager/secrets/<secret-name> in the ‘alertmanager’ container.

configMaps defines a list of ConfigMaps in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager Pods. Each ConfigMap is added to the StatefulSet definition as a volume named configmap-<configmap-name>. The ConfigMaps are mounted into /etc/alertmanager/configmaps/<configmap-name> in the ‘alertmanager’ container.

configSecret defines the name of a Kubernetes Secret in the same namespace as the Alertmanager object, which contains the configuration for this Alertmanager instance. If empty, it defaults to alertmanager-<alertmanager-name>.

The Alertmanager configuration should be available under the alertmanager.yaml key. Additional keys from the original secret are copied to the generated secret and mounted into the /etc/alertmanager/config directory in the alertmanager container.

If either the secret or the alertmanager.yaml key is missing, the operator provisions a minimal Alertmanager configuration with one empty receiver (effectively dropping alert notifications).

logLevel for Alertmanager to be configured with.

logFormat for Alertmanager to be configured with.

replicas defines the expected size of the alertmanager cluster. The controller will eventually make the size of the running cluster equal to the expected size.

retention defines the time duration Alertmanager shall retain data for. Default is ‘120h’, and must match the regular expression [0-9]+(ms|s|m|h) (milliseconds seconds minutes hours).

storage defines the definition of how storage will be used by the Alertmanager instances.

volumes allows configuration of additional volumes on the output StatefulSet definition. Volumes specified will be appended to other volumes that are generated as a result of StorageSpec objects.

volumeMounts allows configuration of additional VolumeMounts on the output StatefulSet definition. VolumeMounts specified will be appended to other VolumeMounts in the alertmanager container, that are generated as a result of StorageSpec objects.

persistentVolumeClaimRetentionPolicy controls if and how PVCs are deleted during the lifecycle of a StatefulSet. The default behavior is all PVCs are retained. This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. It requires enabling the StatefulSetAutoDeletePVC feature gate.

externalUrl defines the URL used to access the Alertmanager web service. This is necessary to generate correct URLs. This is necessary if Alertmanager is not served from root of a DNS name.

routePrefix Alertmanager registers HTTP handlers for. This is useful, if using ExternalURL and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with kubectl proxy.

paused if set to true all actions on the underlying managed objects are not going to be performed, except for delete actions.

nodeSelector defines which Nodes the Pods are scheduled on.

resources defines the resource requests and limits of the Pods.

affinity defines the pod’s scheduling constraints.

tolerations defines the pod’s tolerations.

topologySpreadConstraints defines the Pod’s topology spread constraints.

securityContext holds pod-level security attributes and common container settings. This defaults to the default PodSecurityContext.

dnsPolicy defines the DNS policy for the pods.

dnsConfig defines the DNS configuration for the pods.

enableServiceLinks defines whether information about services should be injected into pod’s environment variables

serviceName defines the service name used by the underlying StatefulSet(s) as the governing service. If defined, the Service must be created before the Alertmanager resource in the same namespace and it must define a selector that matches the pod labels. If empty, the operator will create and manage a headless service named alertmanager-operated for Alertmanager resources. When deploying multiple Alertmanager resources in the same namespace, it is recommended to specify a different value for each. See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.

serviceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods.

listenLocal defines the Alertmanager server listen on loopback, so that it does not bind against the Pod IP. Note this is only for the Alertmanager UI, not the gossip communication.

containers allows injecting additional containers. This is meant to allow adding an authentication proxy to an Alertmanager pod. Containers described here modify an operator generated container if they share the same name and modifications are done via a strategic merge patch. The current container names are: alertmanager and config-reloader. Overriding containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

initContainers allows adding initContainers to the pod definition. Those can be used to e.g. fetch secrets for injection into the Alertmanager configuration from external sources. Any errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ InitContainers described here modify an operator generated init containers if they share the same name and modifications are done via a strategic merge patch. The current init container name is: init-config-reloader. Overriding init containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

priorityClassName assigned to the Pods

additionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster.

clusterAdvertiseAddress defines the explicit address to advertise in cluster. Needs to be provided for non RFC1918 1 addresses. [1] RFC1918: https://tools.ietf.org/html/rfc1918

clusterGossipInterval defines the interval between gossip attempts.

clusterLabel defines the identifier that uniquely identifies the Alertmanager cluster. You should only set it when the Alertmanager cluster includes Alertmanager instances which are external to this Alertmanager resource. In practice, the addresses of the external instances are provided via the .spec.additionalPeers field.

clusterPushpullInterval defines the interval between pushpull attempts.

clusterPeerTimeout defines the timeout for cluster peering.

portName defines the port’s name for the pods and governing service. Defaults to web.

forceEnableClusterMode ensures Alertmanager does not deactivate the cluster mode when running with a single replica. Use case is e.g. spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each.

alertmanagerConfigSelector defines the selector to be used for to merge and configure Alertmanager with.

alertmanagerConfigNamespaceSelector defines the namespaces to be selected for AlertmanagerConfig discovery. If nil, only check own namespace.

alertmanagerConfigMatcherStrategy defines how AlertmanagerConfig objects process incoming alerts.

minReadySeconds defines the minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available.

If unset, pods will be considered available as soon as they are ready.

hostAliases Pods configuration

web defines the web command line flags when starting Alertmanager.

limits defines the limits command line flags when starting Alertmanager.

clusterTLS defines the mutual TLS configuration for the Alertmanager cluster’s gossip protocol.

It requires Alertmanager >= 0.24.0.

alertmanagerConfiguration defines the configuration of Alertmanager.

If defined, it takes precedence over the configSecret field.

This is an experimental feature, it may change in any upcoming release in a breaking way.

automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. If the service account has automountServiceAccountToken: true, set the field to false to opt out of automounting API credentials.

enableFeatures defines the Alertmanager’s feature flags. By default, no features are enabled. Enabling features which are disabled by default is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

It requires Alertmanager >= 0.27.0.

additionalArgs allows setting additional arguments for the ‘Alertmanager’ container. It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the Alertmanager container which may cause issues if they are invalid or not supported by the given Alertmanager version.

terminationGracePeriodSeconds defines the Optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down) which may lead to data corruption.

Defaults to 120 seconds.

hostUsers supports the user space in Kubernetes.

More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/

The feature requires at least Kubernetes 1.28 with the UserNamespacesSupport feature gate enabled. Starting Kubernetes 1.33, the feature is enabled by default.

jobLabel defines the label to use to retrieve the job name from. jobLabel selects the label from the associated Kubernetes Pod object which will be used as the job label for all metrics.

For example if jobLabel is set to foo and the Kubernetes Pod object is labeled with foo: bar, then Prometheus adds the job="bar" label to all ingested metrics.

If the value of this field is empty, the job label of the metrics defaults to the namespace and name of the PodMonitor object (e.g. <namespace>/<name>).

podTargetLabels defines the labels which are transferred from the associated Kubernetes Pod object onto the ingested metrics.

podMetricsEndpoints defines how to scrape metrics from the selected pods.

selector defines the label selector to select the Kubernetes Pod objects to scrape metrics from.

selectorMechanism defines the mechanism used to select the endpoints to scrape. By default, the selection process relies on relabel configurations to filter the discovered targets. Alternatively, you can opt in for role selectors, which may offer better efficiency in large clusters. Which strategy is best for your use case needs to be carefully evaluated.

It requires Prometheus >= v2.17.0.

namespaceSelector defines in which namespace(s) Prometheus should discover the pods. By default, the pods are discovered in the same namespace as the PodMonitor object but it is possible to select pods across different/all namespaces.

sampleLimit defines a per-scrape limit on the number of scraped samples that will be accepted.

targetLimit defines a limit on the number of scraped targets that will be accepted.

scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the protocols supported by Prometheus in order of preference (from most to least preferred).

If unset, Prometheus uses its default value.

It requires Prometheus >= v2.49.0.

fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.

It requires Prometheus >= v3.0.0.

labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. It requires Prometheus >= v2.45.0.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, buckets will be merged to stay within the limit. It requires Prometheus >= v2.45.0.

nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, buckets will be merged to increase the factor sufficiently. It requires Prometheus >= v2.50.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. It requires Prometheus >= v3.0.0.

keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.

It requires Prometheus >= v2.47.0.

attachMetadata defines additional metadata which is added to the discovered targets.

It requires Prometheus >= v2.35.0.

scrapeClass defines the scrape class to apply.

bodySizeLimit when defined specifies a job level limit on the size of uncompressed response body that will be accepted by Prometheus.

It requires Prometheus >= v2.28.0.

jobName assigned to scraped metrics by default.

prober defines the specification for the prober to use for probing targets. The prober.URL parameter is required. Targets cannot be probed if left empty.

module to use for probing specifying how to probe the target. Example module configuring in the blackbox exporter: https://github.com/prometheus/blackbox_exporter/blob/master/example.yml

targets defines a set of static or dynamically discovered targets to probe.

interval at which targets are probed using the configured prober. If not specified Prometheus’ global scrape interval is used.

scrapeTimeout defines the timeout for scraping metrics from the Prometheus exporter. If not specified, the Prometheus global scrape timeout is used. The value cannot be greater than the scrape interval otherwise the operator will reject the resource.

tlsConfig defines the TLS configuration to use when scraping the endpoint.

bearerTokenSecret defines the secret to mount to read bearer token for scraping targets. The secret needs to be in the same namespace as the probe and accessible by the Prometheus Operator.

basicAuth allow an endpoint to authenticate over basic authentication. More info: https://prometheus.io/docs/operating/configuration/#endpoint

oauth2 for the URL. Only valid in Prometheus versions 2.27.0 and newer.

metricRelabelings defines the RelabelConfig to apply to samples before ingestion.

authorization section for this endpoint

sampleLimit defines per-scrape limit on number of scraped samples that will be accepted.

targetLimit defines a limit on the number of scraped targets that will be accepted.

scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the protocols supported by Prometheus in order of preference (from most to least preferred).

If unset, Prometheus uses its default value.

It requires Prometheus >= v2.49.0.

fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.

It requires Prometheus >= v3.0.0.

labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.

labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.

labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. It requires Prometheus >= v2.45.0.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, buckets will be merged to stay within the limit. It requires Prometheus >= v2.45.0.

nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, buckets will be merged to increase the factor sufficiently. It requires Prometheus >= v2.50.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. It requires Prometheus >= v3.0.0.

keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.

It requires Prometheus >= v2.47.0.

scrapeClass defines the scrape class to apply.

params defines the list of HTTP query parameters for the scrape. Please note that the .spec.module field takes precedence over the module parameter from this list when both are defined. The module name must be added using Module under ProbeSpec.

podMetadata defines labels and annotations which are propagated to the Prometheus pods.

The following items are reserved and cannot be overridden: * “prometheus” label, set to the name of the Prometheus object. * “app.kubernetes.io/instance” label, set to the name of the Prometheus object. * “app.kubernetes.io/managed-by” label, set to “prometheus-operator”. * “app.kubernetes.io/name” label, set to “prometheus”. * “app.kubernetes.io/version” label, set to the Prometheus version. * “operator.prometheus.io/name” label, set to the name of the Prometheus object. * “operator.prometheus.io/shard” label, set to the shard number of the Prometheus object. * “kubectl.kubernetes.io/default-container” annotation, set to “prometheus”.

serviceMonitorSelector defines the serviceMonitors to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

serviceMonitorNamespaceSelector defines the namespaces to match for ServicedMonitors discovery. An empty label selector matches all namespaces. A null label selector (default value) matches the current namespace only.

podMonitorSelector defines the podMonitors to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

podMonitorNamespaceSelector defines the namespaces to match for PodMonitors discovery. An empty label selector matches all namespaces. A null label selector (default value) matches the current namespace only.

probeSelector defines the probes to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

probeNamespaceSelector defines the namespaces to match for Probe discovery. An empty label selector matches all namespaces. A null label selector matches the current namespace only.

scrapeConfigSelector defines the scrapeConfigs to be selected for target discovery. An empty label selector matches all objects. A null label selector matches no objects.

If spec.serviceMonitorSelector, spec.podMonitorSelector, spec.probeSelector and spec.scrapeConfigSelector are null, the Prometheus configuration is unmanaged. The Prometheus operator will ensure that the Prometheus configuration’s Secret exists, but it is the responsibility of the user to provide the raw gzipped Prometheus configuration under the prometheus.yaml.gz key. This behavior is deprecated and will be removed in the next major version of the custom resource definition. It is recommended to use spec.additionalScrapeConfigs instead.

Note that the ScrapeConfig custom resource definition is currently at Alpha level.

scrapeConfigNamespaceSelector defines the namespaces to match for ScrapeConfig discovery. An empty label selector matches all namespaces. A null label selector matches the current namespace only.

Note that the ScrapeConfig custom resource definition is currently at Alpha level.

version of Prometheus being deployed. The operator uses this information to generate the Prometheus StatefulSet + configuration files.

If not specified, the operator assumes the latest upstream version of Prometheus available at the time when the version of the operator was released.

paused defines when a Prometheus deployment is paused, no actions except for deletion will be performed on the underlying objects.

image defines the container image name for Prometheus. If specified, it takes precedence over the spec.baseImage, spec.tag and spec.sha fields.

Specifying spec.version is still necessary to ensure the Prometheus Operator knows which version of Prometheus is being configured.

If neither spec.image nor spec.baseImage are defined, the operator will use the latest upstream version of Prometheus available at the time when the operator was released.

imagePullPolicy defines the image pull policy for the ‘prometheus’, ‘init-config-reloader’ and ‘config-reloader’ containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.

imagePullSecrets defines an optional list of references to Secrets in the same namespace to use for pulling images from registries. See http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod

replicas defines the number of replicas of each shard to deploy for a Prometheus deployment. spec.replicas multiplied by spec.shards is the total number of Pods created.

Default: 1

shards defines the number of shards to distribute the scraped targets onto.

spec.replicas multiplied by spec.shards is the total number of Pods being created.

When not defined, the operator assumes only one shard.

Note that scaling down shards will not reshard data onto the remaining instances, it must be manually moved. Increasing shards will not reshard data either but it will continue to be available from the same instances. To query globally, use either * Thanos sidecar + querier for query federation and Thanos Ruler for rules. * Remote-write to send metrics to a central location.

By default, the sharding of targets is performed on: * The __address__ target’s metadata label for PodMonitor, ServiceMonitor and ScrapeConfig resources. * The __param_target__ label for Probe resources.

Users can define their own sharding implementation by setting the __tmp_hash label during the target discovery with relabeling configuration (either in the monitoring resources or via scrape class).

You can also disable sharding on a specific target by setting the __tmp_disable_sharding label with relabeling configuration. When the label value isn’t empty, all Prometheus shards will scrape the target.

replicaExternalLabelName defines the name of Prometheus external label used to denote the replica name. The external label will not be added when the field is set to the empty string ("").

Default: “prometheus_replica”

prometheusExternalLabelName defines the name of Prometheus external label used to denote the Prometheus instance name. The external label will not be added when the field is set to the empty string ("").

Default: “prometheus”

logLevel for Prometheus and the config-reloader sidecar.

logFormat for Log level for Prometheus and the config-reloader sidecar.

scrapeInterval defines interval between consecutive scrapes.

Default: “30s”

scrapeTimeout defines the number of seconds to wait until a scrape request times out. The value cannot be greater than the scrape interval otherwise the operator will reject the resource.

scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the protocols supported by Prometheus in order of preference (from most to least preferred).

If unset, Prometheus uses its default value.

It requires Prometheus >= v2.49.0.

PrometheusText1.0.0 requires Prometheus >= v3.0.0.

externalLabels defines the labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager). Labels defined by spec.replicaExternalLabelName and spec.prometheusExternalLabelName take precedence over this list.

enableRemoteWriteReceiver defines the Prometheus to be used as a receiver for the Prometheus remote write protocol.

WARNING: This is not considered an efficient way of ingesting samples. Use it with caution for specific low-volume use cases. It is not suitable for replacing the ingestion via scraping and turning Prometheus into a push-based metrics collection system. For more information see https://prometheus.io/docs/prometheus/latest/querying/api/#remote-write-receiver

It requires Prometheus >= v2.33.0.

enableOTLPReceiver defines the Prometheus to be used as a receiver for the OTLP Metrics protocol.

Note that the OTLP receiver endpoint is automatically enabled if .spec.otlpConfig is defined.

It requires Prometheus >= v2.47.0.

remoteWriteReceiverMessageVersions list of the protobuf message versions to accept when receiving the remote writes.

It requires Prometheus >= v2.54.0.

enableFeatures enables access to Prometheus feature flags. By default, no features are enabled.

Enabling features which are disabled by default is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

For more information see https://prometheus.io/docs/prometheus/latest/feature_flags/

externalUrl defines the external URL under which the Prometheus service is externally available. This is necessary to generate correct URLs (for instance if Prometheus is accessible behind an Ingress resource).

routePrefix defines the route prefix Prometheus registers HTTP handlers for.

This is useful when using spec.externalURL, and a proxy is rewriting HTTP routes of a request, and the actual ExternalURL is still true, but the server serves requests under a different route prefix. For example for use with kubectl proxy.

storage defines the storage used by Prometheus.

volumes allows the configuration of additional volumes on the output StatefulSet definition. Volumes specified will be appended to other volumes that are generated as a result of StorageSpec objects.

volumeMounts allows the configuration of additional VolumeMounts.

VolumeMounts will be appended to other VolumeMounts in the ‘prometheus’ container, that are generated as a result of StorageSpec objects.

persistentVolumeClaimRetentionPolicy defines the field controls if and how PVCs are deleted during the lifecycle of a StatefulSet. The default behavior is all PVCs are retained. This is an alpha field from kubernetes 1.23 until 1.26 and a beta field from 1.26. It requires enabling the StatefulSetAutoDeletePVC feature gate.

web defines the configuration of the Prometheus web server.

resources defines the resources requests and limits of the ‘prometheus’ container.

nodeSelector defines on which Nodes the Pods are scheduled.

serviceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods.

automountServiceAccountToken defines whether a service account token should be automatically mounted in the pod. If the field isn’t set, the operator mounts the service account token by default.

Warning: be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.

secrets defines a list of Secrets in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. Each Secret is added to the StatefulSet definition as a volume named secret-<secret-name>. The Secrets are mounted into /etc/prometheus/secrets/ in the ‘prometheus’ container.

configMaps defines a list of ConfigMaps in the same namespace as the Prometheus object, which shall be mounted into the Prometheus Pods. Each ConfigMap is added to the StatefulSet definition as a volume named configmap-<configmap-name>. The ConfigMaps are mounted into /etc/prometheus/configmaps/ in the ‘prometheus’ container.

affinity defines the Pods’ affinity scheduling rules if specified.

tolerations defines the Pods’ tolerations if specified.

topologySpreadConstraints defines the pod’s topology spread constraints if specified.

remoteWrite defines the list of remote write configurations.

otlp defines the settings related to the OTLP receiver feature. It requires Prometheus >= v2.55.0.

securityContext holds pod-level security attributes and common container settings. This defaults to the default PodSecurityContext.

dnsPolicy defines the DNS policy for the pods.

dnsConfig defines the DNS configuration for the pods.

listenLocal when true, the Prometheus server listens on the loopback address instead of the Pod IP’s address.

enableServiceLinks defines whether information about services should be injected into pod’s environment variables

containers allows injecting additional containers or modifying operator generated containers. This can be used to allow adding an authentication proxy to the Pods or to change the behavior of an operator generated container. Containers described here modify an operator generated container if they share the same name and modifications are done via a strategic merge patch.

The names of containers managed by the operator are: * prometheus * config-reloader * thanos-sidecar

Overriding containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

initContainers allows injecting initContainers to the Pod definition. Those can be used to e.g. fetch secrets for injection into the Prometheus configuration from external sources. Any errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ InitContainers described here modify an operator generated init containers if they share the same name and modifications are done via a strategic merge patch.

The names of init container name managed by the operator are: * init-config-reloader.

Overriding init containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

additionalScrapeConfigs allows specifying a key of a Secret containing additional Prometheus scrape configurations. Scrape configurations specified are appended to the configurations generated by the Prometheus Operator. Job configurations specified must have the form as specified in the official Prometheus documentation: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config. As scrape configs are appended, the user is responsible to make sure it is valid. Note that using this feature may expose the possibility to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible scrape configs are going to break Prometheus after the upgrade.

apiserverConfig allows specifying a host and auth methods to access the Kuberntees API server. If null, Prometheus is assumed to run inside of the cluster: it will discover the API servers automatically and use the Pod’s CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.

priorityClassName assigned to the Pods.

portName used for the pods and governing service. Default: “web”

arbitraryFSAccessThroughSMs when true, ServiceMonitor, PodMonitor and Probe object are forbidden to reference arbitrary files on the file system of the ‘prometheus’ container. When a ServiceMonitor’s endpoint specifies a bearerTokenFile value (e.g. ‘/var/run/secrets/kubernetes.io/serviceaccount/token’), a malicious target can get access to the Prometheus service account’s token in the Prometheus’ scrape request. Setting spec.arbitraryFSAccessThroughSM to ‘true’ would prevent the attack. Users should instead provide the credentials using the spec.bearerTokenSecret field.

overrideHonorLabels when true, Prometheus resolves label conflicts by renaming the labels in the scraped data to “exported_” for all targets created from ServiceMonitor, PodMonitor and ScrapeConfig objects. Otherwise the HonorLabels field of the service or pod monitor applies. In practice,OverrideHonorLabels:true enforces honorLabels:false for all ServiceMonitor, PodMonitor and ScrapeConfig objects.

overrideHonorTimestamps when true, Prometheus ignores the timestamps for all the targets created from service and pod monitors. Otherwise the HonorTimestamps field of the service or pod monitor applies.

ignoreNamespaceSelectors when true, spec.namespaceSelector from all PodMonitor, ServiceMonitor and Probe objects will be ignored. They will only discover targets within the namespace of the PodMonitor, ServiceMonitor and Probe object.

enforcedNamespaceLabel when not empty, a label will be added to:

1. All metrics scraped from ServiceMonitor, PodMonitor, Probe and ScrapeConfig objects.
2. All metrics generated from recording rules defined in PrometheusRule objects.
3. All alerts generated from alerting rules defined in PrometheusRule objects.
4. All vector selectors of PromQL expressions defined in PrometheusRule objects.

The label will not added for objects referenced in spec.excludedFromEnforcement.

The label’s name is this field’s value. The label’s value is the namespace of the ServiceMonitor, PodMonitor, Probe, PrometheusRule or ScrapeConfig object.

enforcedSampleLimit when defined specifies a global limit on the number of scraped samples that will be accepted. This overrides any spec.sampleLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.sampleLimit is greater than zero and less than spec.enforcedSampleLimit.

It is meant to be used by admins to keep the overall number of samples/series under a desired limit.

When both enforcedSampleLimit and sampleLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined sampleLimit value will inherit the global sampleLimit value (Prometheus >= 2.45.0) or the enforcedSampleLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedSampleLimit is greater than the sampleLimit, the sampleLimit will be set to enforcedSampleLimit. * Scrape objects with a sampleLimit value less than or equal to enforcedSampleLimit keep their specific value. * Scrape objects with a sampleLimit value greater than enforcedSampleLimit are set to enforcedSampleLimit.

enforcedTargetLimit when defined specifies a global limit on the number of scraped targets. The value overrides any spec.targetLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.targetLimit is greater than zero and less than spec.enforcedTargetLimit.

It is meant to be used by admins to to keep the overall number of targets under a desired limit.

When both enforcedTargetLimit and targetLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined targetLimit value will inherit the global targetLimit value (Prometheus >= 2.45.0) or the enforcedTargetLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedTargetLimit is greater than the targetLimit, the targetLimit will be set to enforcedTargetLimit. * Scrape objects with a targetLimit value less than or equal to enforcedTargetLimit keep their specific value. * Scrape objects with a targetLimit value greater than enforcedTargetLimit are set to enforcedTargetLimit.

enforcedLabelLimit when defined specifies a global limit on the number of labels per sample. The value overrides any spec.labelLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelLimit is greater than zero and less than spec.enforcedLabelLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelLimit and labelLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelLimit value will inherit the global labelLimit value (Prometheus >= 2.45.0) or the enforcedLabelLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelLimit is greater than the labelLimit, the labelLimit will be set to enforcedLabelLimit. * Scrape objects with a labelLimit value less than or equal to enforcedLabelLimit keep their specific value. * Scrape objects with a labelLimit value greater than enforcedLabelLimit are set to enforcedLabelLimit.

enforcedLabelNameLengthLimit when defined specifies a global limit on the length of labels name per sample. The value overrides any spec.labelNameLengthLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelNameLengthLimit is greater than zero and less than spec.enforcedLabelNameLengthLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelNameLengthLimit and labelNameLengthLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelNameLengthLimit value will inherit the global labelNameLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelNameLengthLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelNameLengthLimit is greater than the labelNameLengthLimit, the labelNameLengthLimit will be set to enforcedLabelNameLengthLimit. * Scrape objects with a labelNameLengthLimit value less than or equal to enforcedLabelNameLengthLimit keep their specific value. * Scrape objects with a labelNameLengthLimit value greater than enforcedLabelNameLengthLimit are set to enforcedLabelNameLengthLimit.

enforcedLabelValueLengthLimit when not null defines a global limit on the length of labels value per sample. The value overrides any spec.labelValueLengthLimit set by ServiceMonitor, PodMonitor, Probe objects unless spec.labelValueLengthLimit is greater than zero and less than spec.enforcedLabelValueLengthLimit.

It requires Prometheus >= v2.27.0.

When both enforcedLabelValueLengthLimit and labelValueLengthLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined labelValueLengthLimit value will inherit the global labelValueLengthLimit value (Prometheus >= 2.45.0) or the enforcedLabelValueLengthLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedLabelValueLengthLimit is greater than the labelValueLengthLimit, the labelValueLengthLimit will be set to enforcedLabelValueLengthLimit. * Scrape objects with a labelValueLengthLimit value less than or equal to enforcedLabelValueLengthLimit keep their specific value. * Scrape objects with a labelValueLengthLimit value greater than enforcedLabelValueLengthLimit are set to enforcedLabelValueLengthLimit.

enforcedKeepDroppedTargets when defined specifies a global limit on the number of targets dropped by relabeling that will be kept in memory. The value overrides any spec.keepDroppedTargets set by ServiceMonitor, PodMonitor, Probe objects unless spec.keepDroppedTargets is greater than zero and less than spec.enforcedKeepDroppedTargets.

It requires Prometheus >= v2.47.0.

When both enforcedKeepDroppedTargets and keepDroppedTargets are defined and greater than zero, the following rules apply: * Scrape objects without a defined keepDroppedTargets value will inherit the global keepDroppedTargets value (Prometheus >= 2.45.0) or the enforcedKeepDroppedTargets value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedKeepDroppedTargets is greater than the keepDroppedTargets, the keepDroppedTargets will be set to enforcedKeepDroppedTargets. * Scrape objects with a keepDroppedTargets value less than or equal to enforcedKeepDroppedTargets keep their specific value. * Scrape objects with a keepDroppedTargets value greater than enforcedKeepDroppedTargets are set to enforcedKeepDroppedTargets.

enforcedBodySizeLimit when defined specifies a global limit on the size of uncompressed response body that will be accepted by Prometheus. Targets responding with a body larger than this many bytes will cause the scrape to fail.

It requires Prometheus >= v2.28.0.

When both enforcedBodySizeLimit and bodySizeLimit are defined and greater than zero, the following rules apply: * Scrape objects without a defined bodySizeLimit value will inherit the global bodySizeLimit value (Prometheus >= 2.45.0) or the enforcedBodySizeLimit value (Prometheus < v2.45.0). If Prometheus version is >= 2.45.0 and the enforcedBodySizeLimit is greater than the bodySizeLimit, the bodySizeLimit will be set to enforcedBodySizeLimit. * Scrape objects with a bodySizeLimit value less than or equal to enforcedBodySizeLimit keep their specific value. * Scrape objects with a bodySizeLimit value greater than enforcedBodySizeLimit are set to enforcedBodySizeLimit.

nameValidationScheme defines the validation scheme for metric and label names.

It requires Prometheus >= v2.55.0.

nameEscapingScheme defines the character escaping scheme that will be requested when scraping for metric and label names that do not conform to the legacy Prometheus character set.

It requires Prometheus >= v3.4.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets.

It requires Prometheus >= v3.4.0.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

It requires Prometheus >= v3.5.0.

minReadySeconds defines the minimum number of seconds for which a newly created Pod should be ready without any of its container crashing for it to be considered available.

If unset, pods will be considered available as soon as they are ready.

hostAliases defines the optional list of hosts and IPs that will be injected into the Pod’s hosts file if specified.

additionalArgs allows setting additional arguments for the ‘prometheus’ container.

It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the Prometheus container which may cause issues if they are invalid or not supported by the given Prometheus version.

In case of an argument conflict (e.g. an argument which is already set by the operator itself) or when providing an invalid argument, the reconciliation will fail and an error will be logged.

walCompression defines the compression of the write-ahead log (WAL) using Snappy.

WAL compression is enabled by default for Prometheus >= 2.20.0

Requires Prometheus v2.11.0 and above.

excludedFromEnforcement defines the list of references to PodMonitor, ServiceMonitor, Probe and PrometheusRule objects to be excluded from enforcing a namespace label of origin.

It is only applicable if spec.enforcedNamespaceLabel set to true.

hostNetwork defines the host’s network namespace if true.

Make sure to understand the security implications if you want to enable it (https://kubernetes.io/docs/concepts/configuration/overview/ ).

When hostNetwork is enabled, this will set the DNS policy to ClusterFirstWithHostNet automatically (unless .spec.DNSPolicy is set to a different value).

podTargetLabels are appended to the spec.podTargetLabels field of all PodMonitor and ServiceMonitor objects.

tracingConfig defines tracing in Prometheus.

This is an experimental feature, it may change in any upcoming release in a breaking way.

bodySizeLimit defines per-scrape on response body size. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedBodySizeLimit.

sampleLimit defines per-scrape limit on number of scraped samples that will be accepted. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedSampleLimit.

targetLimit defines a limit on the number of scraped targets that will be accepted. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedTargetLimit.

labelLimit defines per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelLimit.

labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelNameLengthLimit.

labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.45.0 and newer.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedLabelValueLengthLimit.

keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.

It requires Prometheus >= v2.47.0.

Note that the global limit only applies to scrape objects that don’t specify an explicit limit value. If you want to enforce a maximum limit for all scrape objects, refer to enforcedKeepDroppedTargets.

reloadStrategy defines the strategy used to reload the Prometheus configuration. If not specified, the configuration is reloaded using the /-/reload HTTP endpoint.

maximumStartupDurationSeconds defines the maximum time that the prometheus container’s startup probe will wait before being considered failed. The startup probe will return success after the WAL replay is complete. If set, the value should be greater than 60 (seconds). Otherwise it will be equal to 900 seconds (15 minutes).

scrapeClasses defines the list of scrape classes to expose to scraping objects such as PodMonitors, ServiceMonitors, Probes and ScrapeConfigs.

This is an experimental feature, it may change in any upcoming release in a breaking way.

serviceDiscoveryRole defines the service discovery role used to discover targets from ServiceMonitor objects and Alertmanager endpoints.

If set, the value should be either “Endpoints” or “EndpointSlice”. If unset, the operator assumes the “Endpoints” role.

tsdb defines the runtime reloadable configuration of the timeseries database(TSDB). It requires Prometheus >= v2.39.0 or PrometheusAgent >= v2.54.0.

scrapeFailureLogFile defines the file to which scrape failures are logged. Reloading the configuration will reopen the file.

If the filename has an empty path, e.g. ‘file.log’, The Prometheus Pods will mount the file into an emptyDir volume at /var/log/prometheus. If a full path is provided, e.g. ‘/var/log/prometheus/file.log’, you must mount a volume in the specified directory and it must be writable. It requires Prometheus >= v2.55.0.

serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. If defined, the Service must be created before the Prometheus/PrometheusAgent resource in the same namespace and it must define a selector that matches the pod labels. If empty, the operator will create and manage a headless service named prometheus-operated for Prometheus resources, or prometheus-agent-operated for PrometheusAgent resources. When deploying multiple Prometheus/PrometheusAgent resources in the same namespace, it is recommended to specify a different value for each. See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.

runtime defines the values for the Prometheus process behavior

terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down) which may lead to data corruption.

Defaults to 600 seconds.

hostUsers supports the user space in Kubernetes.

More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/

The feature requires at least Kubernetes 1.28 with the UserNamespacesSupport feature gate enabled. Starting Kubernetes 1.33, the feature is enabled by default.

baseImage is deprecated: use ‘spec.image’ instead.

tag is deprecated: use ‘spec.image’ instead. The image’s tag can be specified as part of the image name.

sha is deprecated: use ‘spec.image’ instead. The image’s digest can be specified as part of the image name.

retention defines how long to retain the Prometheus data.

Default: “24h” if spec.retention and spec.retentionSize are empty.

retentionSize defines the maximum number of bytes used by the Prometheus data.

shardRetentionPolicy defines the retention policy for the Prometheus shards. (Alpha) Using this field requires the ‘PrometheusShardRetentionPolicy’ feature gate to be enabled.

The final goals for this feature can be seen at https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/proposals/202310-shard-autoscaling.md#graceful-scale-down-of-prometheus-servers, however, the feature is not yet fully implemented in this PR. The limitation being: * Retention duration is not settable, for now, shards are retained forever.

disableCompaction when true, the Prometheus compaction is disabled. When spec.thanos.objectStorageConfig or spec.objectStorageConfigFile are defined, the operator automatically disables block compaction to avoid race conditions during block uploads (as the Thanos documentation recommends).

rules defines the configuration of the Prometheus rules’ engine.

prometheusRulesExcludedFromEnforce defines the list of PrometheusRule objects to which the namespace label enforcement doesn’t apply. This is only relevant when spec.enforcedNamespaceLabel is set to true. Deprecated: use spec.excludedFromEnforcement instead.

ruleSelector defines the prometheusRule objects to be selected for rule evaluation. An empty label selector matches all objects. A null label selector matches no objects.

ruleNamespaceSelector defines the namespaces to match for PrometheusRule discovery. An empty label selector matches all namespaces. A null label selector matches the current namespace only.

query defines the configuration of the Prometheus query service.

alerting defines the settings related to Alertmanager.

additionalAlertRelabelConfigs defines a key of a Secret containing additional Prometheus alert relabel configurations. The alert relabel configurations are appended to the configuration generated by the Prometheus Operator. They must be formatted according to the official Prometheus documentation:

https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs

The user is responsible for making sure that the configurations are valid

Note that using this feature may expose the possibility to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible alert relabel configs are going to break Prometheus after the upgrade.

additionalAlertManagerConfigs defines a key of a Secret containing additional Prometheus Alertmanager configurations. The Alertmanager configurations are appended to the configuration generated by the Prometheus Operator. They must be formatted according to the official Prometheus documentation:

https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config

The user is responsible for making sure that the configurations are valid

Note that using this feature may expose the possibility to break upgrades of Prometheus. It is advised to review Prometheus release notes to ensure that no incompatible AlertManager configs are going to break Prometheus after the upgrade.

remoteRead defines the list of remote read configurations.

thanos defines the configuration of the optional Thanos sidecar.

queryLogFile specifies where the file to which PromQL queries are logged.

If the filename has an empty path, e.g. ‘query.log’, The Prometheus Pods will mount the file into an emptyDir volume at /var/log/prometheus. If a full path is provided, e.g. ‘/var/log/prometheus/query.log’, you must mount a volume in the specified directory and it must be writable. This is because the prometheus container runs with a read-only root filesystem for security reasons. Alternatively, the location can be set to a standard I/O stream, e.g. /dev/stdout, to log query information to the default Prometheus log stream.

allowOverlappingBlocks enables vertical compaction and vertical query merge in Prometheus.

Deprecated: this flag has no effect for Prometheus >= 2.39.0 where overlapping blocks are enabled by default.

exemplars related settings that are runtime reloadable. It requires to enable the exemplar-storage feature flag to be effective.

evaluationInterval defines the interval between rule evaluations. Default: “30s”

ruleQueryOffset defines the offset the rule evaluation timestamp of this particular group by the specified duration into the past. It requires Prometheus >= v2.53.0.

enableAdminAPI defines access to the Prometheus web admin API.

WARNING: Enabling the admin APIs enables mutating endpoints, to delete data, shutdown Prometheus, and more. Enabling this should be done with care and the user is advised to add additional authentication authorization via a proxy to ensure only clients authorized to perform these actions can do so.

For more information: https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis

groups defines the content of Prometheus rule file

jobLabel selects the label from the associated Kubernetes Service object which will be used as the job label for all metrics.

For example if jobLabel is set to foo and the Kubernetes Service object is labeled with foo: bar, then Prometheus adds the job="bar" label to all ingested metrics.

If the value of this field is empty or if the label doesn’t exist for the given Service, the job label of the metrics defaults to the name of the associated Kubernetes Service.

targetLabels defines the labels which are transferred from the associated Kubernetes Service object onto the ingested metrics.

podTargetLabels defines the labels which are transferred from the associated Kubernetes Pod object onto the ingested metrics.

endpoints defines the list of endpoints part of this ServiceMonitor. Defines how to scrape metrics from Kubernetes Endpoints objects. In most cases, an Endpoints object is backed by a Kubernetes Service object with the same name and labels.

selector defines the label selector to select the Kubernetes Endpoints objects to scrape metrics from.

selectorMechanism defines the mechanism used to select the endpoints to scrape. By default, the selection process relies on relabel configurations to filter the discovered targets. Alternatively, you can opt in for role selectors, which may offer better efficiency in large clusters. Which strategy is best for your use case needs to be carefully evaluated.

It requires Prometheus >= v2.17.0.

namespaceSelector defines in which namespace(s) Prometheus should discover the services. By default, the services are discovered in the same namespace as the ServiceMonitor object but it is possible to select pods across different/all namespaces.

sampleLimit defines a per-scrape limit on the number of scraped samples that will be accepted.

scrapeProtocols defines the protocols to negotiate during a scrape. It tells clients the protocols supported by Prometheus in order of preference (from most to least preferred).

If unset, Prometheus uses its default value.

It requires Prometheus >= v2.49.0.

fallbackScrapeProtocol defines the protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.

It requires Prometheus >= v3.0.0.

targetLimit defines a limit on the number of scraped targets that will be accepted.

labelLimit defines the per-scrape limit on number of labels that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

labelNameLengthLimit defines the per-scrape limit on length of labels name that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

labelValueLengthLimit defines the per-scrape limit on length of labels value that will be accepted for a sample.

It requires Prometheus >= v2.27.0.

scrapeClassicHistograms defines whether to scrape a classic histogram that is also exposed as a native histogram. It requires Prometheus >= v2.45.0.

Notice: scrapeClassicHistograms corresponds to the always_scrape_classic_histograms field in the Prometheus configuration.

nativeHistogramBucketLimit defines ff there are more than this many buckets in a native histogram, buckets will be merged to stay within the limit. It requires Prometheus >= v2.45.0.

nativeHistogramMinBucketFactor defines if the growth factor of one bucket to the next is smaller than this, buckets will be merged to increase the factor sufficiently. It requires Prometheus >= v2.50.0.

convertClassicHistogramsToNHCB defines whether to convert all scraped classic histograms into a native histogram with custom buckets. It requires Prometheus >= v3.0.0.

keepDroppedTargets defines the per-scrape limit on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.

It requires Prometheus >= v2.47.0.

attachMetadata defines additional metadata which is added to the discovered targets.

It requires Prometheus >= v2.37.0.

scrapeClass defines the scrape class to apply.

bodySizeLimit when defined, bodySizeLimit specifies a job level limit on the size of uncompressed response body that will be accepted by Prometheus.

It requires Prometheus >= v2.28.0.

serviceDiscoveryRole defines the service discovery role used to discover targets.

If set, the value should be either “Endpoints” or “EndpointSlice”. Otherwise it defaults to the value defined in the Prometheus/PrometheusAgent resource.

version of Thanos to be deployed.

podMetadata defines labels and annotations which are propagated to the ThanosRuler pods.

The following items are reserved and cannot be overridden: * “app.kubernetes.io/name” label, set to “thanos-ruler”. * “app.kubernetes.io/managed-by” label, set to “prometheus-operator”. * “app.kubernetes.io/instance” label, set to the name of the ThanosRuler instance. * “thanos-ruler” label, set to the name of the ThanosRuler instance. * “kubectl.kubernetes.io/default-container” annotation, set to “thanos-ruler”.

image defines Thanos container image URL.

imagePullPolicy defines for the ‘thanos’, ‘init-config-reloader’ and ‘config-reloader’ containers. See https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy for more details.

imagePullSecrets defines an optional list of references to secrets in the same namespace to use for pulling thanos images from registries see http://kubernetes.io/docs/user-guide/images#specifying-imagepullsecrets-on-a-pod

paused defines when a ThanosRuler deployment is paused, no actions except for deletion will be performed on the underlying objects.

replicas defines the number of thanos ruler instances to deploy.

nodeSelector defines which Nodes the Pods are scheduled on.

resources defines the resource requirements for single Pods. If not provided, no requests/limits will be set

affinity defines when specified, the pod’s scheduling constraints.

tolerations defines when specified, the pod’s tolerations.

topologySpreadConstraints defines the pod’s topology spread constraints.

securityContext defines the pod-level security attributes and common container settings. This defaults to the default PodSecurityContext.

dnsPolicy defines the DNS policy for the pods.

dnsConfig defines Defines the DNS configuration for the pods.

enableServiceLinks defines whether information about services should be injected into pod’s environment variables

priorityClassName defines the priority class assigned to the Pods

serviceName defines the name of the service name used by the underlying StatefulSet(s) as the governing service. If defined, the Service must be created before the ThanosRuler resource in the same namespace and it must define a selector that matches the pod labels. If empty, the operator will create and manage a headless service named thanos-ruler-operated for ThanosRuler resources. When deploying multiple ThanosRuler resources in the same namespace, it is recommended to specify a different value for each. See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-network-id for more details.

serviceAccountName defines the name of the ServiceAccount to use to run the Thanos Ruler Pods.

storage defines the specification of how storage shall be used.

volumes defines how configuration of additional volumes on the output StatefulSet definition. Volumes specified will be appended to other volumes that are generated as a result of StorageSpec objects.

volumeMounts defines how the configuration of additional VolumeMounts on the output StatefulSet definition. VolumeMounts specified will be appended to other VolumeMounts in the ruler container, that are generated as a result of StorageSpec objects.

objectStorageConfig defines the configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

The operator performs no validation of the configuration.

objectStorageConfigFile takes precedence over this field.

objectStorageConfigFile defines the path of the object storage configuration file.

The configuration format is defined at https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

The operator performs no validation of the configuration file.

This field takes precedence over objectStorageConfig.

listenLocal defines the Thanos ruler listen on loopback, so that it does not bind against the Pod IP.

queryEndpoints defines the list of Thanos Query endpoints from which to query metrics.

For Thanos >= v0.11.0, it is recommended to use queryConfig instead.

queryConfig takes precedence over this field.

queryConfig defines the list of Thanos Query endpoints from which to query metrics.

The configuration format is defined at https://thanos.io/tip/components/rule.md/#query-api

It requires Thanos >= v0.11.0.

The operator performs no validation of the configuration.

This field takes precedence over queryEndpoints.

alertmanagersUrl defines the list of Alertmanager endpoints to send alerts to.

For Thanos >= v0.10.0, it is recommended to use alertmanagersConfig instead.

alertmanagersConfig takes precedence over this field.

alertmanagersConfig defines the list of Alertmanager endpoints to send alerts to.

The configuration format is defined at https://thanos.io/tip/components/rule.md/#alertmanager.

It requires Thanos >= v0.10.0.

The operator performs no validation of the configuration.

This field takes precedence over alertmanagersUrl.

ruleSelector defines the PrometheusRule objects to be selected for rule evaluation. An empty label selector matches all objects. A null label selector matches no objects.

ruleNamespaceSelector defines the namespaces to be selected for Rules discovery. If unspecified, only the same namespace as the ThanosRuler object is in is used.

enforcedNamespaceLabel enforces adding a namespace label of origin for each alert and metric that is user created. The label value will always be the namespace of the object that is being created.

excludedFromEnforcement defines the list of references to PrometheusRule objects to be excluded from enforcing a namespace label of origin. Applies only if enforcedNamespaceLabel set to true.

prometheusRulesExcludedFromEnforce defines a list of Prometheus rules to be excluded from enforcing of adding namespace labels. Works only if enforcedNamespaceLabel set to true. Make sure both ruleNamespace and ruleName are set for each pair Deprecated: use excludedFromEnforcement instead.

logLevel for ThanosRuler to be configured with.

logFormat for ThanosRuler to be configured with.

portName defines the port name used for the pods and governing service. Defaults to web.

evaluationInterval defines the interval between consecutive evaluations.

resendDelay defines the minimum amount of time to wait before resending an alert to Alertmanager.

ruleOutageTolerance defines the max time to tolerate prometheus outage for restoring “for” state of alert. It requires Thanos >= v0.30.0.

ruleQueryOffset defines the default rule group’s query offset duration to use. It requires Thanos >= v0.38.0.

ruleConcurrentEval defines how many rules can be evaluated concurrently. It requires Thanos >= v0.37.0.

ruleGracePeriod defines the minimum duration between alert and restored “for” state. This is maintained only for alerts with configured “for” time greater than grace period. It requires Thanos >= v0.30.0.

retention defines the time duration ThanosRuler shall retain data for. Default is ‘24h’, and must match the regular expression [0-9]+(ms|s|m|h|d|w|y) (milliseconds seconds minutes hours days weeks years).

The field has no effect when remote-write is configured since the Ruler operates in stateless mode.

containers allows injecting additional containers or modifying operator generated containers. This can be used to allow adding an authentication proxy to a ThanosRuler pod or to change the behavior of an operator generated container. Containers described here modify an operator generated container if they share the same name and modifications are done via a strategic merge patch. The current container names are: thanos-ruler and config-reloader. Overriding containers is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

initContainers allows adding initContainers to the pod definition. Those can be used to e.g. fetch secrets for injection into the ThanosRuler configuration from external sources. Any errors during the execution of an initContainer will lead to a restart of the Pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ Using initContainers for any use case other then secret fetching is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

tracingConfig defines the tracing configuration.

The configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration

This is an experimental feature, it may change in any upcoming release in a breaking way.

The operator performs no validation of the configuration.

tracingConfigFile takes precedence over this field.

tracingConfigFile defines the path of the tracing configuration file.

The configuration format is defined at https://thanos.io/tip/thanos/tracing.md/#configuration

This is an experimental feature, it may change in any upcoming release in a breaking way.

The operator performs no validation of the configuration file.

This field takes precedence over tracingConfig.

labels defines the external label pairs of the ThanosRuler resource.

A default replica label thanos_ruler_replica will be always added as a label with the value of the pod’s name.

alertDropLabels defines the label names which should be dropped in Thanos Ruler alerts.

The replica label thanos_ruler_replica will always be dropped from the alerts.

externalPrefix defines the Thanos Ruler instances will be available under. This is necessary to generate correct URLs. This is necessary if Thanos Ruler is not served from root of a DNS name.

routePrefix defines the route prefix ThanosRuler registers HTTP handlers for. This allows thanos UI to be served on a sub-path.

grpcServerTlsConfig defines the gRPC server from which Thanos Querier reads recorded rule data. Note: Currently only the CAFile, CertFile, and KeyFile fields are supported. Maps to the ‘–grpc-server-tls-*’ CLI args.

alertQueryUrl defines how Thanos Ruler will set in the ‘Source’ field of all alerts. Maps to the ‘–alert.query-url’ CLI arg.

minReadySeconds defines the minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available.

If unset, pods will be considered available as soon as they are ready.

alertRelabelConfigs defines the alert relabeling in Thanos Ruler.

Alert relabel configuration must have the form as specified in the official Prometheus documentation: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs

The operator performs no validation of the configuration.

alertRelabelConfigFile takes precedence over this field.

alertRelabelConfigFile defines the path to the alert relabeling configuration file.

Alert relabel configuration must have the form as specified in the official Prometheus documentation: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs

The operator performs no validation of the configuration file.

This field takes precedence over alertRelabelConfig.

hostAliases defines pods’ hostAliases configuration

additionalArgs defines how to add additional arguments for the ThanosRuler container. It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the ThanosRuler container which may cause issues if they are invalid or not supported by the given ThanosRuler version. In case of an argument conflict (e.g. an argument which is already set by the operator itself) or when providing an invalid argument the reconciliation will fail and an error will be logged.

web defines the configuration of the ThanosRuler web server.

remoteWrite defines the list of remote write configurations.

When the list isn’t empty, the ruler is configured with stateless mode.

It requires Thanos >= 0.24.0.

terminationGracePeriodSeconds defines the optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down) which may lead to data corruption.

Defaults to 120 seconds.

enableFeatures defines how to setup Thanos Ruler feature flags. By default, no features are enabled.

Enabling features which are disabled by default is entirely outside the scope of what the maintainers will support and by doing so, you accept that this behaviour may break at any time without notice.

For more information see https://thanos.io/tip/components/rule.md/

It requires Thanos >= 0.39.0.

hostUsers supports the user space in Kubernetes.

More info: https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/

The feature requires at least Kubernetes 1.28 with the UserNamespacesSupport feature gate enabled. Starting Kubernetes 1.33, the feature is enabled by default.

accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1

selector is a label query over volumes to consider for binding.

resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources

volumeName is the binding reference to the PersistentVolume backing this claim.

storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1

volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.

dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn’t specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn’t set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. * While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string or nil value indicates that no VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, this field can be reset to its previous value (including nil) to cancel the modification. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/