kube-state-metrics VS Vault

git clone https://github.com/kubernetes/kube-state-metrics.git

https://github.com/kubernetes/kube-state-metrics/blob/main/docs/pod-metrics.md According to this github repo completion is responsible of termination date if I correctly understood .

kube-state-metrics

Those are entirely different types of data. You can get that from something like kube-state-metrics

I've never had a cluster of that size, so take it with a grain of salt - but maybe you could try purpose-based sharding? KSM has allowlist and denylist config flags, for configuring which metrics it exposes https://github.com/kubernetes/kube-state-metrics/blob/main/docs/cli-arguments.md

Kubernetes itself will not notify you, the way I've seen people do this, is to use something like kube-state-metrics or node_exporter, export that to Prometheus (or preferrably VictoriaMetrics because Prometheus is terrible IMO), and then setup alarms on that with alertmanager or equivalent, or just look at dashboards regularly with Grafana. Realistically I recommend only setting alerts on disk usage and application/database latency. CPU and memory utilization isn't a great metric to alert on a lot of the time.

Another tip that you could consider spelling out a little more, is to monitor the number of resources created by Kind. This is somewhat mentioned for jobs and services, but any Kind of which thousands of resources are created will put stress on the control-plane. The total number of resources per namespace/cluster can be monitored with kube-state-metrics. KSM does not emit metrics of resources created from CRDs. These metrics can be implemented with KSM's custom resource state metrics: https://github.com/kubernetes/kube-state-metrics/blob/main/docs/customresourcestate-metrics.md

We then have various other Metrics called Kubernetes Workload Metrics. These are the dashboards with names that start with “Kubernetes / Compute Resources / Workload”. These dashboards are specific to the services you are running. They take into account the Kubernetes Workloads in your various namespaces, using kube-state-metrics. For a closer look, check out otel_demo_app_k8s_dashboard.tf.

The first step to optimizing costs is gaining visibility into your costs using tools. Kubernetes provides a Metrics Server and kube-state-metrics that can give you the overall picture of resource utilization by your cluster. There are more tools that provide more granular breakdowns and provide dashboards with business metrics, infra cost, and alerting functionalities. Here are some strategies to optimize your resource utilization and cloud bills on k8s.

HashiCorp Vault

For a more comprehensive and robust secret management solution, get your hands on tools like GCP Secret Manager, or HashiCorp Vault. They're like the security guards of your secrets, providing a safe house, access control, and keeping logs of who’s been snooping around.

HashiCorp Vault is a popular tool for managing secrets in Kubernetes clusters. It offers advanced features such as secure storage, encryption, dynamic secrets generation, and integration with Kubernetes through its Kubernetes authentication method.

So you've just bought a new platform tool? Maybe it's Hashicorp Vault? Snyk? Backstage? You’re excited about all of the developer experience, security and other benefits you're about to unleash on your company—right? But wait…

You seem to be looking for a cross-platform solution, and https://www.vaultproject.io/ provides just that. If everything was in AWS, AWS Secret Manager might be great, but imo Vault provides much better platform-agnostic capabilities.

https://github.com/openwrt/luci/blob/master/applications/luc...

https://developer.hashicorp.com/vault/tutorials/secrets-mana... https://github.com/hashicorp/vault :

> Refer to Build Certificate Authority (CA) in Vault with an offline Root for an example of using a root CA external to Vault.

Secret Management: Securely stores sensitive configuration data and secrets using tools like AWS Secrets Manager or HashiCorp Vault. Avoid hardcoding secrets in code or configuration files.

The author of this tool basically took the Shamir code from Hashicorp Vault, which is pretty mainstream. If you're looking for a solid implementation, I would start there[0]. I wouldn't use the Shamir code from this repo, as it's an old version of the vault code using field arithmetic that doesn't run in constant time.

[0]: https://github.com/hashicorp/vault/blob/main/shamir/shamir.g...

Out of curiosity, what do you mean by this? cross-cluster? they already have HA: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...

while digging up that link, I also saw one named replication: https://github.com/hashicorp/vault/blob/v1.14.1/website/cont...