Guides

Kubernetes SRE guide

Kubernetes Observability: Metrics, Logs, Traces

Design telemetry around the questions operators must answer: who is affected, where the request slowed or failed, and what changed.

Kubernetes observability is not a collection of dashboards for every resource. It is the ability to explain service behavior across the client, delivery path, ingress, workload, cluster, and dependencies. A pod restart, a high CPU signal, or a failed readiness probe can be useful evidence, but customers experience a completed request, delayed page, failed API call, or missing asynchronous result.

Start from the diagnosis path. When an alert fires, the on-call engineer should be able to determine the affected service and region, correlate a request with a trace and log event, compare the current release with the prior one, and inspect the platform conditions around it without searching unrelated systems.

Telemetry without correlation creates slower incidents

Standardize service identity, environment, region, and release version first. Instrumentation added without stable identifiers often produces more data but less evidence.

Define a telemetry contract

Publish a small contract shared by application and platform teams. At minimum, define service name, namespace, cluster, environment, region, deployment version, request route template, response status class, trace ID, and a safe request or correlation ID. Apply data classification rules to every signal: do not put credentials, session identifiers, raw authorization headers, or unnecessary personal data in labels, logs, or trace attributes.

Keep metric cardinality bounded. User ID, email address, full URL, random request ID, container ID, and unbounded query string are generally unsafe metric labels. Put diagnostic detail in sampled traces or structured logs instead. A monitoring system overloaded by high-cardinality labels is least reliable during the incident when it is needed most.

Instrument four useful layers

Application and ingress

Measure request rate, error outcomes, duration distributions, concurrency, queue time, and dependency calls. Instrument the HTTP or RPC boundary once and use route templates rather than raw paths. At ingress, capture the host, route, upstream response class, request duration, and an identifier that can join application telemetry. Compare ingress timing with application timing to expose queueing, proxy, TLS, or network delay.

Kubernetes workloads and nodes

Collect deployment availability, desired versus ready replicas, pod lifecycle events, restart reasons, resource requests and limits, CPU throttling, memory working set, scheduling latency, node pressure, and network or storage symptoms. These metrics explain constraints; they should not be used alone to assert user impact.

Logs and events

Use structured logs with timestamp, level, service identity, release version, trace ID, and an event-specific outcome. Kubernetes events can help explain image pull failures, failed scheduling, eviction, and autoscaler actions, but their retention and aggregation characteristics vary. Export the events you need for operations and test that the export remains available during control-plane stress.

Distributed traces

Propagate trace context from the first controlled request boundary through application calls, queues, workers, and external service adapters. Sampling needs an explicit policy. Tail sampling or error-aware sampling can retain slow and failed requests while controlling cost, but the sampling pipeline itself becomes a dependency that needs capacity, backpressure, and failure handling.

Use OpenTelemetry deliberately

OpenTelemetry provides common APIs, SDKs, semantic conventions, and a Collector for telemetry pipelines. Use it to avoid making every service depend directly on a single monitoring backend, not as a reason to export every possible attribute. Start with automatic HTTP, runtime, and database instrumentation where it is well understood, then add business spans and attributes for the operations that matter.

Run Collectors with resource limits and a documented loss policy. Under pressure, decide which telemetry can be sampled or dropped and which signals must be preserved for alerting and audit. Protect the collector endpoint, authenticate exporters, and treat telemetry as production data: it can expose topology, behavior, and sensitive context.

Build dashboards from service questions

Each service dashboard should answer a bounded set of questions:

  • Are valid requests succeeding and completing within the service objective?
  • Which route, region, tenant class, or release is contributing to the change?
  • Is the delay at the client or edge, ingress, workload, queue, data store, or external dependency?
  • Is capacity constrained by replicas, scheduling, node resources, connection pools, or an upstream quota?
  • What deployment, configuration, traffic, DNS, certificate, or routing event coincided with the change?

Create links from alerts to a focused dashboard, representative traces, relevant logs, runbooks, and recent deploys. Test these links with someone who did not build the dashboard. A dashboard that requires tribal knowledge during an outage is not a reliable interface.

Observe public traffic beyond the cluster

Cluster telemetry begins too late for a public request that fails at DNS, TLS, a web application firewall, an edge rule, or a regional network path. Add synthetic journeys for critical paths from selected locations and real-user measurements where privacy and consent practices permit. Preserve a correlation strategy across the delivery layer and origin so operators can compare edge response, upstream timing, origin status, and release state.

This does not mean a single global latency average is meaningful. Segment by user geography, route, device or client type when appropriate, and delivery configuration. A fast cached public asset does not prove an authenticated application route is healthy, and a slower origin response does not prove a delivery provider is at fault.

Test the observability system

Run controlled failure exercises: a bad release, unavailable dependency, DNS resolution issue, saturated node pool, expired credential, blocked ingress path, and telemetry-collector outage. Verify that alerts describe customer impact, traces retain usable exemplars, logs can be found by correlation ID, and access works for the incident team. Review retention, cost, and data access after the exercise.

Authoritative references

See the whole delivery path, not only the cluster

Talk to Optimi about observability and edge delivery architecture that helps teams isolate regional and path-specific performance issues.

Review delivery observability