The latest articles on DEV Community by DevOps Start (@devopsstart). https://dev.to/devopsstart https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3862044%2F9672d1b5-f8fd-4473-998f-30a47c07608f.png https://dev.to/devopsstart en DevOps Start Fri, 26 Jun 2026 13:02:06 +0000 https://dev.to/devopsstart/mitigate-cve-2026-20245-cisco-sd-wan-manager-exploit-guide-18h2 https://dev.to/devopsstart/mitigate-cve-2026-20245-cisco-sd-wan-manager-exploit-guide-18h2 <p><em>This article was originally published on devopsstart.com. It provides a step-by-step guide to detect, block, and patch the critical CVE-2026-20245 remote code execution vulnerability in Cisco SD-WAN Manager.</em></p> <h2> Introduction </h2> <p>A single unauthenticated API request can give an attacker full control over your Cisco SD-WAN Manager (vManage). If you are running a vulnerable version, you need to act within hours, not days. This guide explains the CVE-2026-20245 remote code execution bug, shows how to detect it, gives a no-patch workaround, and walks through the official fix. You will leave with a repeatable checklist that secures your SD-WAN control plane.</p> <h2> Problem </h2> <p>CVE-2026-20245 is a critical (CVSS 9.8) remote code execution vulnerability in Cisco SD-WAN Manager. The flaw exists in the REST API endpoints that handle device registration and configuration push. An unauthenticated attacker can send specially crafted HTTP requests to the vManage server and execute arbitrary commands with root privileges. This means full device compromise: the attacker can pivot to managed routers, steal configuration secrets, and disrupt WAN traffic. The exploit does not require any prior access.</p> <h2> Root Causes </h2> <p>Three conditions make this exploit possible.</p> <p><strong>Unpatched software version.</strong> Affected releases include Cisco SD-WAN Manager versions 20.3.x before 20.3.4, 20.6.x before 20.6.2, and 20.9.x before 20.9.1. If you are running one of these, the vulnerable code path is present by default.</p> <p><strong>Management interface exposed to untrusted networks.</strong> The API endpoint <code>/dataservice/device/config</code> is reachable on TCP port 443. Many organisations place vManage on a flat management network or expose the web UI to the internet for remote access. A misconfigured firewall or lack of ACLs lets attackers reach the vulnerable service.</p> <p><strong>Missing authentication enforcement for certain API calls.</strong> Some API routes were not properly guarded. The <code>/dataservice/device/config</code> endpoint expects a token, but prior to the patch the token validation was skipped for requests that included a specific Content-Type header. A simple <code>curl</code> command bypasses authentication entirely.</p> <h2> Solution </h2> <p>Follow these steps to mitigate and then patch the vulnerability. The workaround should be applied immediately; schedule the patch window as soon as possible.</p> <h3> Step 1 – Immediate Workaround (Block the Vulnerable Endpoint) </h3> <p>Do not rely on the vManage's own CLI (it does not run a standard IOS configuration system). Instead, implement a firewall rule on the network layer. On the firewall or router that sits in front of vManage, add an access control entry that drops all traffic to the vManage IP on port 443 from untrusted sources. For more precise blocking, configure deep packet inspection to drop HTTP requests with a URI containing <code>/dataservice/device/config</code>. If your firewall does not support L7 inspection, an iptables rule on the vManage Linux host can do the job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>ssh admin@vmanage-ip <span class="nv">$ </span><span class="nb">sudo </span>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 443 <span class="nt">-m</span> string <span class="nt">--string</span> <span class="s2">"/dataservice/device/config"</span> <span class="nt">--algo</span> bm <span class="nt">-j</span> DROP <span class="nv">$ </span><span class="nb">sudo </span>iptables-save <span class="o">&gt;</span> /etc/iptables/rules.v4 </code></pre> </div> <p><strong>Important:</strong> This iptables rule blocks only requests targeting that specific path. All other API calls and web GUI access remain functional. Verify the rule is active: <code>sudo iptables -L INPUT -v -n | grep DROP</code>.</p> <p>If you cannot apply network-layer filtering immediately, disable all REST API services via the vManage GUI: <em>Administration &gt; Settings &gt; REST API &gt; Disable</em>. This breaks automation workflows, but it is safer than leaving the endpoint open.</p> <h3> Step 2 – Apply the Official Patch </h3> <p>Download the patched version from the <a href="https://software.cisco.com/download/home/286310553" rel="noopener noreferrer">Cisco Software Download Center</a>. The recommended versions are:</p> <ul> <li>20.3.4 (or later)</li> <li>20.6.2 (or later)</li> <li>20.9.1 (or later)</li> </ul> <p><strong>Procedure:</strong></p> <ol> <li>Backup the current configuration using the GUI: <em>Administration &gt; Maintenance &gt; Backup/Restore</em>. Download a full backup.</li> <li>Upgrade the SD-WAN Manager first, then the controllers (vBond, vSmart). Use the GUI <em>Administration &gt; Software Upgrade</em> or the CLI: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>request software <span class="nb">install</span> &lt;filename&gt; <span class="nv">$ </span>request software activate <span class="nv">$ </span>reload </code></pre> </div> <ol> <li>After reboot, verify the version: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>show version Cisco SD-WAN Manager 20.9.1 </code></pre> </div> <h3> Step 3 – Post-Mitigation Verification </h3> <p>Test that the exploit no longer works. From a separate host, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-k</span> <span class="nt">-X</span> POST <span class="s2">"https://&lt;vmanage-ip&gt;/dataservice/device/config"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/xml"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'&lt;config&gt;&lt;device-ip&gt;10.0.0.1&lt;/device-ip&gt;&lt;/config&gt;'</span> </code></pre> </div> <p>If the patch is applied, you get a <code>403 Forbidden</code> or <code>401 Unauthorized</code> response. A successful <code>200</code> response means the endpoint is still accessible – double-check your firewall and patch version.</p> <p>Also monitor syslog for any unusual connection attempts. If you used the iptables rule, check its counters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>iptables <span class="nt">-L</span> INPUT <span class="nt">-v</span> <span class="nt">-n</span> | <span class="nb">grep</span> <span class="s2">"dataservice"</span> </code></pre> </div> <p>A non-zero packet count means the vulnerable endpoint was targeted (possibly a live attack).</p> <h2> Prevention </h2> <p>Long term, treat the SD-WAN Manager as a bastion host.</p> <p><strong>Segment the management network.</strong> Place vManage behind a firewall that only allows access from trusted jump boxes. Use Cisco TrustSec or 802.1X for additional network access control.</p> <p><strong>Enforce RBAC.</strong> Ensure only read-only API tokens are used where possible. Assign the <code>netadmin</code> role sparingly.</p> <p><strong>Enable API rate limiting.</strong> In the vManage GUI, go to <em>Administration &gt; Settings &gt; API Rate Limiting</em> and set a low limit (for example, 100 requests per minute).</p> <p><strong>Integrate with a SIEM.</strong> Forward vManage logs to your SIEM and alert on any <code>/dataservice/device/config</code> requests. Add a log-action to your firewall rule to capture hits.</p> <p>For a broader security posture, review our CVE remediation guides, such as <a href="https://dev.to/troubleshooting/how-to-fix-cve-2026-43284-preventing-dirty-frag-pod-escapes">How to Fix CVE-2026-43284: Preventing Dirty Frag Pod Escapes</a> and <a href="https://dev.to/troubleshooting/how-to-mitigate-copy-fail-cve-2026-31431-with-seccomp">How to Mitigate Copy Fail (CVE-2026-31431) with Seccomp</a>. These articles apply similar workaround-first, patch-second patterns to infrastructure vulnerabilities.</p> <p>Act now. A remote root shell in your SD-WAN control plane is one curl request away.</p> cve202620245 ciscosdwanmanagerrce remotecodeexecution mitigationguide DevOps Start Fri, 26 Jun 2026 08:32:34 +0000 https://dev.to/devopsstart/mastering-devops-fundamentals-a-practical-guide-1kfn https://dev.to/devopsstart/mastering-devops-fundamentals-a-practical-guide-1kfn <p>True DevOps mastery isn't about adopting specific tools or methodologies in isolation, but about deeply integrating cultural shifts with practical, often low-tech, engineering discipline.</p> <h2> Why this take </h2> <p>I've seen too many organizations spend fortunes on tools, proclaiming they're "doing DevOps" because they bought a CI/CD platform or deployed Kubernetes, only to find their release cycles are still glacial, incidents are frequent, and teams are burnt out. The mistake is believing that technology alone can fix systemic issues rooted in process, communication, and organizational structure.</p> <p>Consider a team I worked with that adopted a high-end CI/CD pipeline. They integrated static analysis, unit tests, and automated deployments to Kubernetes v1.28. Sounds great, right? The problem was that their cultural "inner loop" was broken. Developers would push code, the pipeline would fail due to flaky tests or environment mismatches, and instead of fixing the root cause, they'd spend hours manually re-running builds or merging stale branches. The tools allowed them to fail faster and more often, but didn't address the lack of shared ownership over the pipeline's health or the inconsistent local development environments. They were doing "continuous integration" in name, but not in spirit. This led to a significant increase in lead time for changes, the exact opposite of the DevOps promise.</p> <p>Another common anti-pattern is the "Kubernetes or bust" mentality. A growing startup I advised decided to migrate all their services to Kubernetes v1.29 to "be cloud-native" and "do DevOps." They skipped crucial steps like improving their logging, monitoring, and incident response for simpler, monolithic applications. The result? They suddenly had a massively complex distributed system with no effective way to observe its behavior or debug issues. When a pod started crashing (a classic <code>CrashLoopBackOff</code> scenario, often due to misconfigured liveness probes), developers were lost. They lacked the fundamental observability practices that would have been valuable even with a simple virtual machine deployment. The advanced tooling amplified their lack of basic operational discipline, turning minor issues into major outages. If you're struggling to debug a monolith, a microservice running on Kubernetes will only make things worse. You can get a sense of how complex these issues can be by checking out guides like <a href="https://dev.to/troubleshooting/crashloopbackoff-kubernetes">Fix CrashLoopBackOff in Kubernetes Pods</a>.</p> <p>Finally, many teams declare they're "shifting left" security by integrating vulnerability scanners into their CI/CD pipeline. This is a good start. However, if they don't simultaneously implement basic supply chain security practices, enforce least privilege, or establish a robust incident response plan, they're only patching a symptom. I've seen teams with pristine SAST reports fall victim to dependency confusion attacks or secret leaks because their fundamental security hygiene was lacking. Shifting left is only effective when paired with a strong security posture across the entire lifecycle, including runtime protection and a clear understanding of the threat model. The most sophisticated security tools won't help if your team uses weak passwords or stores secrets in plaintext in Git.</p> <h2> The strongest counter-argument </h2> <p>The strongest counter-argument is that while cultural shifts are paramount, tools are not merely optional accessories; they are fundamental enablers without which those cultural aspirations often remain just that: aspirations. Without robust tooling, the "culture of automation" becomes a pipe dream, drowned out by manual toil and inconsistent processes. It's difficult to argue for a blameless culture around incident response if every deployment requires 20 manual steps and a prayer.</p> <p>Tools provide the scaffolding for DevOps practices. Git v2.43, for example, isn't just a version control system; it's the bedrock of collaborative development, enabling practices like pull requests, code reviews, and reproducible builds. Without a solid version control system, concepts like Infrastructure as Code (IaC) or GitOps are simply impossible. Imagine trying to manage Terraform v1.7.0 configuration files or Kubernetes manifests without Git history, branching, or merge capabilities. You'd quickly descend into "config drift" hell and a manual, error-prone deployment process. The <a href="https://developer.hashicorp.com/terraform/language/state" rel="noopener noreferrer">official Terraform documentation on state management</a> makes it clear that a robust backend with locking, like Amazon S3 with DynamoDB, is crucial, and that's just one piece of the tooling puzzle for reliability.</p> <p>Similarly, CI/CD platforms like GitHub Actions v3.0, GitLab CI v16.8, or Jenkins v2.426 don't just "do" automation; they enforce it. They standardize the build, test, and deployment process, making it repeatable and auditable. This consistency is what allows teams to gain confidence in frequent releases, which in turn fosters a culture of small, incremental changes, easier debugging, and quicker feedback loops. It's not the <em>presence</em> of the tool, but its <em>effective application</em> that makes the difference. If you can automate a deployment process from commit to production in under 10 minutes with high confidence, that speed and reliability fundamentally change how teams approach their work. It shifts their focus from "will it deploy?" to "is the feature valuable?"</p> <p>Moreover, modern infrastructure complexity practically <em>demands</em> sophisticated tooling. Managing hundreds of microservices, thousands of containers, and petabytes of data without tools for observability (Prometheus v2.48, Grafana v10.3), centralized logging (Elastic Stack v8.11), and automated incident response (PagerDuty) is simply unfeasible. These tools collect the data and provide the insights necessary for a team to truly understand their systems, respond effectively to failures, and iterate on improvements. The tools are not just "nice-to-haves"; they are the very mechanisms through which a modern DevOps team gains visibility, control, and ultimately, reliability at scale.</p> <h2> Exceptions where a tool-first approach still wins </h2> <p>There are specific scenarios where a judicious, tool-first approach can indeed catalyze cultural change and deliver immediate, tangible benefits, even before every cultural nuance of "DevOps" has permeated an organization. These are typically situations where a clear, pressing technical need can be met by a well-understood tool, subsequently driving process improvements.</p> <p>One such scenario is when a team is struggling with inconsistent infrastructure deployments. Introducing Infrastructure as Code (IaC) with a tool like Terraform v1.7.0, even with minimal initial buy-in beyond the core infrastructure team, can be a game-changer. By centralizing infrastructure definitions in Git, it immediately enforces a single source of truth, makes changes auditable, and enables repeatable deployments. Developers who previously waited days for manual infrastructure provisioning suddenly get resources in minutes via self-service pipelines. This tangible benefit often kickstarts broader adoption of version control for everything, peer review processes, and a shared understanding of infrastructure, organically fostering a "you build it, you run it" mentality. Using tools like Terraform with established best practices can dramatically improve the security posture of your infrastructure, as discussed in <a href="https://dev.to/blog/secure-terraform-prs-with-an-architecture-firewall">Secure Terraform PRs with an Architecture Firewall</a>.</p> <p>Another strong case is in highly regulated industries or environments with strict compliance requirements. Here, adopting specific security, audit, or compliance tools isn't just a best practice; it's often a legal mandate. For example, implementing a robust software supply chain security solution that scans dependencies (for example, with tools like Trivy v0.49 or Snyk v1.1270) and enforces policies throughout the CI/CD pipeline. The tool dictates a new, more secure process, forcing developers to address vulnerabilities earlier and providing auditors with clear evidence of compliance. While the ideal is cultural adoption, the immediate need for compliance can drive the integration of specific tools which then educate and influence behavior. These tools act as a guardrail, preventing non-compliant actions and establishing a baseline for security that might otherwise be overlooked. This proactive stance is critical for avoiding security incidents and can be bolstered by advanced strategies discussed in <a href="https://dev.to/blog/supply-chain-security-proxy-move-beyond-vulnerability-scanni">Supply Chain Security Proxy: Move Beyond Vulnerability Scann</a>.</p> <p>Finally, in rapidly scaling organizations, specialized tools become indispensable for managing complexity, even if the cultural maturity lags. When you move from a handful of services to hundreds, or from a few dozen users to millions, tools for advanced observability (like a comprehensive ELK stack for logs, Prometheus v2.48 for metrics, and Jaeger for tracing), performance testing, and cloud cost management (FinOps tools) are not optional. They provide the necessary visibility and control to prevent total collapse. While a fully mature DevOps culture would use these tools to drive continuous improvement, their initial implementation often serves as a survival mechanism, providing the data necessary to react to growth challenges. The insights gained from these tools can then be used to evangelize and drive the cultural changes required for long-term sustainability.</p> <h2> Practical Fundamentals You Should Prioritize </h2> <p>If you're looking to truly master DevOps fundamentals, shift your focus from chasing the latest shiny tool to building a solid foundation of engineering discipline and fostering the right cultural habits. Here's where to put your energy:</p> <h3> Version Control Everything </h3> <p>This isn't just about your application code. Your infrastructure configurations, Kubernetes manifests, documentation, database schemas, and even your <code>.env</code> files (sanitized, of course) belong in Git. This provides an auditable history, enables collaboration, and is the absolute bedrock for automation.</p> <p>Here's a simple example of cloning a repository and checking its status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git clone https://github.com/your-org/your-repo.git <span class="nv">$ </span><span class="nb">cd </span>your-repo <span class="nv">$ </span>git status </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>On branch main Your branch is up to <span class="nb">date </span>with <span class="s1">'origin/main'</span><span class="nb">.</span> nothing to commit, working tree clean </code></pre> </div> <h3> Automate Relentlessly (But Smartly) </h3> <p>CI/CD isn't a destination; it's a continuous process of reducing manual effort and improving feedback loops. Start with the most repetitive, error-prone tasks. Build, test, scan, and deploy automatically. But don't just automate bad processes; fix the processes first, then automate them.</p> <p>A basic GitHub Actions workflow for a Node.js application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Node.js CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span> <span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Use Node.js 20.x</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20.x'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> </code></pre> </div> <p>This workflow ensures that every push and pull request to <code>main</code> branch automatically runs tests, giving immediate feedback.</p> <h3> Treat Infrastructure as Code (IaC) </h3> <p>Stop clicking in the console. Define your infrastructure (servers, networks, databases, Kubernetes clusters) in code using tools like Terraform v1.7.0 or Pulumi v3.100. This makes your infrastructure reproducible, versionable, and testable. It's the only way to scale infrastructure reliably.</p> <p>Here's a simple <code>main.tf</code> file using Terraform v1.7.0 to define an AWS S3 bucket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf for Terraform v1.7.0</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"example_bucket"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-unique-application-logs-bucket-12345"</span> <span class="c1"># Must be globally unique</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"Dev"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"MyApp"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"bucket_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">example_bucket</span><span class="p">.</span><span class="nx">bucket</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the S3 bucket"</span> <span class="p">}</span> </code></pre> </div> <p>To apply this, you would run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform init <span class="nv">$ </span>terraform plan <span class="nv">$ </span>terraform apply <span class="nt">--auto-approve</span> </code></pre> </div> <p>Output of <code>terraform apply</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Terraform will perform the following actions: <span class="c"># aws_s3_bucket.example_bucket will be created</span> + resource <span class="s2">"aws_s3_bucket"</span> <span class="s2">"example_bucket"</span> <span class="o">{</span> + accel_transfer_enabled <span class="o">=</span> <span class="nb">false</span> + acl <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + arn <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + bucket <span class="o">=</span> <span class="s2">"my-unique-application-logs-bucket-12345"</span> + bucket_domain_name <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + bucket_prefix <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + bucket_regional_domain_name <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + force_destroy <span class="o">=</span> <span class="nb">false</span> + <span class="nb">id</span> <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + object_lock_enabled <span class="o">=</span> <span class="nb">false</span> + policy <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + region <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + request_payer <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + tags <span class="o">=</span> <span class="o">{</span> + <span class="s2">"Environment"</span> <span class="o">=</span> <span class="s2">"Dev"</span> + <span class="s2">"Project"</span> <span class="o">=</span> <span class="s2">"MyApp"</span> <span class="o">}</span> + tags_all <span class="o">=</span> <span class="o">{</span> + <span class="s2">"Environment"</span> <span class="o">=</span> <span class="s2">"Dev"</span> + <span class="s2">"Project"</span> <span class="o">=</span> <span class="s2">"MyApp"</span> <span class="o">}</span> + website_domain <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> + website_endpoint <span class="o">=</span> <span class="o">(</span>known after apply<span class="o">)</span> <span class="o">}</span> Plan: 1 to add, 0 to change, 0 to destroy. aws_s3_bucket.example_bucket: Creating... aws_s3_bucket.example_bucket: Creation <span class="nb">complete </span>after 1s <span class="o">[</span><span class="nb">id</span><span class="o">=</span>my-unique-application-logs-bucket-12345] Apply <span class="nb">complete</span><span class="o">!</span> Resources: 1 added, 0 changed, 0 destroyed. Outputs: bucket_name <span class="o">=</span> <span class="s2">"my-unique-application-logs-bucket-12345"</span> </code></pre> </div> <p>Remember to use a globally unique bucket name.</p> <h3> Monitor and Observe Deeply </h3> <p>You can't fix what you can't see. Instrument your applications and infrastructure to collect metrics, logs, and traces. Use tools like Prometheus v2.48 for metrics, Grafana v10.3 for dashboards, and a robust logging solution (for example, Loki v2.9 or Elastic Stack v8.11) to understand system behavior. Proactive monitoring helps you detect issues before your users do. Don't just watch CPU and memory; understand business metrics and application health indicators. For example, monitor your API's 99th percentile latency and error rates, not just if the process is running.</p> <h3> Embrace Feedback Loops and a Blameless Culture </h3> <p>DevOps is fundamentally about continuous improvement. After an incident, conduct blameless post-mortems focusing on system and process failures, not individual blame. Learn from mistakes, implement corrective actions, and share knowledge. Encourage frequent, open communication between development and operations teams. This fosters trust and a shared sense of responsibility. If something breaks in production, the question should always be "What can we do to prevent this type of failure again?" not "Whose fault was this?"</p> <h3> Shift Security Left, but Don't Forget Right </h3> <p>Integrate security into every stage of your development pipeline. This means security training for developers, static and dynamic analysis in CI/CD, dependency scanning, and threat modeling. However, don't stop there. Implement runtime security measures, network segmentation, robust access controls, and a solid incident response plan. A comprehensive approach covers the entire lifecycle, from design to production. Focusing solely on "shift left" without considering runtime protection is like locking your front door but leaving your back door wide open.</p> <p>Mastering DevOps fundamentals means internalizing these core principles. It's about changing how teams work together, improving their engineering practices, and relentlessly seeking efficiency and reliability. The tools are there to support these efforts, but they are not the goal in themselves. Without the underlying cultural and practical discipline, even the most sophisticated tools will only lead to more complex problems. Start simple, focus on the fundamentals, and let your problems drive your tool choices, rather than letting tools dictate your approach.</p> devops cicd automation bestpractices DevOps Start Thu, 25 Jun 2026 08:30:04 +0000 https://dev.to/devopsstart/llm-prompt-caching-with-git-to-cut-api-costs-121h https://dev.to/devopsstart/llm-prompt-caching-with-git-to-cut-api-costs-121h <p>If your CI/CD pipelines call LLM APIs like OpenAI's GPT-4, you've probably noticed the token costs. Automated systems that generate documentation or review code often run the same prompts repeatedly, leading to high bills. You can reduce these costs significantly by implementing a simple prompt cache using a tool you already have: Git.</p> <p>This article explains how to use a dedicated Git repository as a database-free key-value cache for LLM prompts and responses. Before calling an expensive API, your script checks a local Git clone for a cached answer. If found, it uses the saved response, avoiding the API call entirely. This method can cut costs by over 50% in CI/CD environments where prompts are frequently repeated.</p> <h2> How Git-Based Caching Works </h2> <p>The approach treats a Git repository as a key-value store. You simply create a new, dedicated repository to act as the cache.</p> <ul> <li> <strong>Key:</strong> A SHA256 hash of the prompt's content. Hashing ensures that even a one-character difference creates a unique key.</li> <li> <strong>Value:</strong> The LLM's response, stored as a plain text file. The filename is the key, for example, <code>5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8</code>.</li> </ul> <p>When your script needs an LLM response, it first calculates the prompt's hash. It then checks if a file with that name exists in its local clone of the cache repository. If it does, that's a cache hit. If not, it's a miss.</p> <h2> The Caching Workflow in Action </h2> <p>The logic for your application or CI script follows a "check-miss-write" pattern.</p> <ol> <li> <strong>Clone/Pull:</strong> Before running, ensure your script has an up-to-date local clone of the cache repository. A quick <code>$ git pull</code> is all you need.</li> <li> <strong>Generate Hash:</strong> Take the full prompt string and generate its SHA256 hash. This becomes your cache key.</li> <li> <strong>Check for Key:</strong> Look for a file named after the hash in the local cache repository.</li> <li><strong>Handle the Result:</strong></li> </ol> <ul> <li> <strong>Cache Hit:</strong> If the file exists, read its contents. This is your LLM response. No API call is made.</li> <li> <strong>Cache Miss:</strong> If the file does not exist, call the actual LLM API to get a new response.</li> </ul> <ol> <li> <strong>Write to Cache:</strong> On a cache miss, save the new response to a file named after the prompt's hash. Then, commit and push this new file to the remote cache repository. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Example of a cache repository's structure</span> <span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-1</span> llm-cache/ 0a3b... 1c5d... 5e88... </code></pre> </div> <p>This workflow ensures that the next time the same prompt is encountered by any user or pipeline with access to the repo, it will be a cache hit. This is particularly effective in CI pipelines that <a href="https://dev.to/tutorials/how-to-build-ai-agents-for-kubernetes-deployments">build AI agents for Kubernetes deployments</a>, where environment setup prompts are often identical across runs.</p> <h2> A Python Implementation Example </h2> <p>Here is a simple Python function that implements this caching logic. It uses the standard <code>hashlib</code> and <code>os</code> libraries. You can consult the official <a href="https://docs.python.org/3/library/hashlib.html" rel="noopener noreferrer">Python hashlib documentation</a> for more details on hashing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="c1"># --- Configuration --- # IMPORTANT: Update this to the absolute path of your cache repository clone. </span><span class="n">CACHE_DIR</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/path/to/your/local/llm-cache-repo</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">get_llm_response_with_cache</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">llm_api_call_func</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Gets an LLM response, using a Git-based file cache to avoid duplicate API calls. Args: prompt: The full prompt string to send to the LLM. llm_api_call_func: A function that takes a prompt string and returns the API response. Returns: The LLM</span><span class="sh">'</span><span class="s">s response, either from the cache or a new API call. </span><span class="sh">"""</span> <span class="c1"># 1. Ensure the cache is up-to-date </span> <span class="c1"># A production implementation should include robust error handling for Git commands. </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">git</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pull</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">CACHE_DIR</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># 2. Generate the cache key </span> <span class="n">prompt_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">prompt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="n">cache_file_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">CACHE_DIR</span><span class="p">,</span> <span class="n">prompt_hash</span><span class="p">)</span> <span class="c1"># 3. Check for a cache hit </span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">cache_file_path</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CACHE HIT: Found response for hash </span><span class="si">{</span><span class="n">prompt_hash</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">cache_file_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">return</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># 4. Handle a cache miss </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CACHE MISS: Calling API for hash </span><span class="si">{</span><span class="n">prompt_hash</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">llm_api_call_func</span><span class="p">(</span><span class="n">prompt</span><span class="p">)</span> <span class="c1"># 5. Write the new response to the cache and push </span> <span class="c1"># Note: The prompt and response are stored in plain text. Do not use this method for sensitive data. </span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">cache_file_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Adding new response to cache...</span><span class="sh">"</span><span class="p">)</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">git</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">add</span><span class="sh">"</span><span class="p">,</span> <span class="n">cache_file_path</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">CACHE_DIR</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">git</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">commit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-m</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Add cache for </span><span class="si">{</span><span class="n">prompt_hash</span><span class="si">}</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">CACHE_DIR</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">"</span><span class="s">git</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">push</span><span class="sh">"</span><span class="p">],</span> <span class="n">cwd</span><span class="o">=</span><span class="n">CACHE_DIR</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="c1"># --- Example Usage --- </span><span class="k">def</span> <span class="nf">fake_openai_call</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Replace this with your actual client.chat.completions.create() call </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- Faking expensive API call ---</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">This is the LLM</span><span class="sh">'</span><span class="s">s answer to the prompt starting with: </span><span class="sh">'</span><span class="si">{</span><span class="n">prompt</span><span class="p">[</span><span class="si">:</span><span class="mi">30</span><span class="p">]</span><span class="si">}</span><span class="s">...</span><span class="sh">'"</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">my_prompt</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Generate a Kubernetes Deployment YAML for a Python Flask app named </span><span class="sh">'</span><span class="s">my-app</span><span class="sh">'</span><span class="s"> listening on port 5000.</span><span class="sh">"</span> <span class="c1"># First call (will be a miss) </span> <span class="n">response1</span> <span class="o">=</span> <span class="nf">get_llm_response_with_cache</span><span class="p">(</span><span class="n">my_prompt</span><span class="p">,</span> <span class="n">fake_openai_call</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Response 1:</span><span class="se">\n</span><span class="sh">"</span><span class="p">,</span> <span class="n">response1</span><span class="p">)</span> <span class="c1"># Second call (will be a hit) </span> <span class="n">response2</span> <span class="o">=</span> <span class="nf">get_llm_response_with_cache</span><span class="p">(</span><span class="n">my_prompt</span><span class="p">,</span> <span class="n">fake_openai_call</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">Response 2:</span><span class="se">\n</span><span class="sh">"</span><span class="p">,</span> <span class="n">response2</span><span class="p">)</span> </code></pre> </div> <h2> Benefits of This Approach </h2> <ul> <li> <strong>Cost Reduction:</strong> Avoids expensive API calls for repeated prompts. With GPT-4 Turbo input prices around $10 per million tokens, caching just a few hundred complex prompts in CI can lead to substantial savings.</li> <li> <strong>No New Infrastructure:</strong> It uses your existing Git provider, so there is no need to set up or maintain a separate caching service like Redis or Memcached.</li> <li> <strong>Audit Trail:</strong> The Git history provides a complete, version-controlled log of every unique prompt and its corresponding LLM response.</li> <li> <strong>Faster Execution on Hits:</strong> Reading a local file takes milliseconds, while a network API call can take several seconds. This speeds up CI/CD jobs that get a cache hit.</li> </ul> <h2> Limitations and Considerations </h2> <p>This method is pragmatic but has trade-offs compared to a dedicated caching system.</p> <ul> <li> <strong>Manual Cache Invalidation:</strong> To get a fresh response for a cached prompt, you must manually delete the file from the repository (<code>git rm &lt;hash&gt;</code>, commit and push). There is no built-in time-to-live (TTL) mechanism.</li> <li> <strong>Repository Size:</strong> The cache repository will grow indefinitely. While text-based responses are small, this method is unsuitable for caching large files like images or audio. Regular maintenance may be needed to prune old entries.</li> <li> <strong>Concurrency and Race Conditions:</strong> If two CI jobs miss on the <em>same prompt</em> simultaneously, they will both call the LLM API. They will then race to commit and push the new file. One <code>git push</code> will fail. The failing script needs retry logic (for example, <code>git pull</code> and check again), or you will waste an API call.</li> </ul> <p>This Git-based caching technique is most effective in environments with high prompt repetition, such as CI/CD pipelines for code analysis, documentation generation, or testing. For applications requiring high-throughput, atomic operations, or automatic cache eviction, a dedicated solution like Redis is more appropriate. For many teams, however, this simple approach provides a significant benefit for minimal effort.</p> llmpromptcaching llmcostoptimization gitkeyvaluestore llmops DevOps Start Wed, 24 Jun 2026 08:30:44 +0000 https://dev.to/devopsstart/how-to-detect-and-prevent-malicious-ai-agent-skills-3ea0 https://dev.to/devopsstart/how-to-detect-and-prevent-malicious-ai-agent-skills-3ea0 <p>Malicious AI agent skills are tool or server dependencies (often via Model Context Protocol or MCP) that present a benign interface to the LLM but execute unauthorized actions on the host system. You detect these by monitoring for unauthorized tool calls, unexpected egress traffic or attempts to access sensitive system files like <code>/etc/shadow</code>. Prevention requires a zero-trust architecture where skills are isolated in sandboxes with strict network egress filters and human-in-the-loop approvals for destructive actions.</p> <h2> What the error means </h2> <p>When you integrate "skills" into an AI agent, you add executable dependencies to your runtime. A malicious skill acts as a Trojan horse, allowing an agent to perform "silent failures" or "unauthorized escalation."</p> <p>Unlike a traditional software crash, the error here is a security breach. You might see an agent unexpectedly exfiltrating <code>.env</code> files, executing <code>rm -rf /</code>, or sending internal system prompts to an external API. If your agent calls tools you didn't authorize or accesses paths outside its designated workspace, your skill supply chain is compromised.</p> <h2> Root Causes </h2> <p>The vulnerability comes from treating AI tools as static configuration rather than executable code.</p> <p><strong>Implicit Trust in the Supply Chain</strong><br> Many developers install MCP servers from community repositories without auditing the source. Similar to a malicious npm package, an MCP server can contain obfuscated code that triggers only under specific prompt conditions.</p> <p><strong>Indirect Prompt Injection</strong><br> An agent may read a malicious file (for example, a README.md in a repo) containing hidden instructions. These instructions trick the LLM into using a legitimate skill, such as a shell executor, to perform a malicious action that bypasses the user's intent.</p> <p><strong>Over-Privileged Environments</strong><br> Running AI agents with the same permissions as the local user is a critical failure. If the agent has root access or full SSH key access, one compromised skill can compromise the entire workstation or cluster.</p> <p><strong>Lack of Egress Control</strong><br> Most agent runtimes allow unrestricted outbound HTTP requests. This allows malicious skills to "phone home" with stolen secrets or API keys.</p> <h2> Detection and Neutralization </h2> <p>To stop malicious skills, implement layered defense focusing on isolation and auditing. For those building custom agents, refer to the <a href="https://modelcontextprotocol.io" rel="noopener noreferrer">Model Context Protocol documentation</a> to understand standard communication patterns.</p> <h3> Static Audit of MCP Servers </h3> <p>Before adding a server to your <code>claude_desktop_config.json</code> or agent config, audit the entry point. Search for <code>curl</code>, <code>wget</code>, or <code>eval</code> calls that fetch remote scripts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Search for suspicious remote execution patterns in a local MCP server directory</span> <span class="nb">grep</span> <span class="nt">-rE</span> <span class="s2">"curl|wget|eval|exec|base64"</span> ./mcp-servers/suspicious-tool/ </code></pre> </div> <h3> Implement a Restricted Runtime </h3> <p>Never run agent skills directly on your host. Use a containerized environment with limited resources. For those managing agents on a cluster, integrate <a href="https://dev.to/tutorials/llm-observability-on-kubernetes-a-practical-guide">LLM Observability on Kubernetes: A Practical Guide</a> to monitor tool-call latency and volume. I have seen this prevent total host compromise in environments with &gt;10 nodes by trapping the agent in a non-privileged namespace.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run a potentially risky MCP server in a restricted Docker container</span> docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--name</span> mcp-sandbox <span class="se">\</span> <span class="nt">--memory</span><span class="o">=</span><span class="s2">"512m"</span> <span class="se">\</span> <span class="nt">--cpus</span><span class="o">=</span><span class="s2">"0.5"</span> <span class="se">\</span> <span class="nt">--network</span><span class="o">=</span><span class="s2">"bridge"</span> <span class="se">\</span> <span class="nt">--read-only</span> <span class="se">\</span> <span class="nt">-v</span> /tmp/agent-data:/data:rw <span class="se">\</span> mcp-server-image:v1.0.0 </code></pre> </div> <h3> Enforce Network Egress Filtering </h3> <p>Use <code>iptables</code> or a service mesh to block all outbound traffic except to known API endpoints. This reduces the risk of data exfiltration by nearly 100% for basic "phone-home" malware.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Block all outbound traffic by default, allow only specific APIs</span> <span class="nb">sudo </span>iptables <span class="nt">-P</span> OUTPUT DROP <span class="nb">sudo </span>iptables <span class="nt">-A</span> OUTPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 443 <span class="nt">-d</span> api.anthropic.com <span class="nt">-j</span> ACCEPT <span class="nb">sudo </span>iptables <span class="nt">-A</span> OUTPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 443 <span class="nt">-d</span> github.com <span class="nt">-j</span> ACCEPT </code></pre> </div> <h3> Structured Tool Logging </h3> <p>Configure your agent to log every <code>tool_use</code> call, including the exact arguments passed and the raw output returned.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Piping agent logs to a file for forensic analysis</span> agent-runtime <span class="nt">--log-level</span> debug 2&gt;&amp;1 | <span class="nb">tee </span>agent_audit.log </code></pre> </div> <h2> Prevention Strategies </h2> <p>Shift from a "trust-by-default" to a "zero-trust" agent architecture to avoid future compromises.</p> <p><strong>AI Bill of Materials (AIBOM)</strong><br> Maintain a versioned list of every MCP server and model version used in production. Do not allow "latest" tags; pin to specific git hashes. This prevents "poisoned" updates from automatically entering your environment.</p> <p><strong>Human-in-the-Loop (HITL)</strong><br> Configure your agent interface to require manual approval for destructive tools, such as <code>delete_file</code>, <code>execute_shell</code>, or <code>send_email</code>.</p> <p><strong>Least Privilege</strong><br> Create a dedicated OS user for the agent with no sudo privileges and restricted directory access.</p> <p><strong>Secret Management</strong><br> Use a secret manager instead of environment variables. This prevents skills from simply calling <code>env</code> to steal your keys, a common tactic seen in <a href="https://dev.to/blog/github-actions-security-how-to-stop-secret-leaks-in-cicd">GitHub Actions Security: How to Stop Secret Leaks in CI/CD</a>.</p> <h3> Next Steps for DevOps Teams </h3> <ol> <li>Audit your current <code>config.json</code> files for third-party MCP servers.</li> <li>Wrap your agent runtime in a Docker container with <code>--read-only</code> flags.</li> <li>Implement an egress allow-list to restrict tool communications.</li> </ol> aiagentsecurity modelcontextprotocol devopssecurity llmsandboxing DevOps Start Tue, 23 Jun 2026 08:32:37 +0000 https://dev.to/devopsstart/kubernetes-troubleshooting-why-did-my-pod-die-1m1p https://dev.to/devopsstart/kubernetes-troubleshooting-why-did-my-pod-die-1m1p <p>Pods die because of scheduling failures, startup crashes or runtime terminations. When a Kubernetes pod fails, it rarely tells you exactly why in a single line. Instead, it gives you a status like <code>CrashLoopBackOff</code> or <code>Pending</code>, which are symptoms rather than root causes. To fix a pod, you must distinguish between these three failure modes. This guide provides a decision tree for diagnosing pod deaths, moving from high-level status checks to deep-dive container inspection.</p> <p>For a comprehensive look at the most common restart cycles, check out the guide on <a href="https://dev.to/troubleshooting/how-to-fix-kubernetes-crashloopbackoff-in-production">how to fix Kubernetes CrashLoopBackOff in production</a>.</p> <h2> Understanding the failure states </h2> <p>A pod "death" is a transition in the Pod Lifecycle. When you see <code>CrashLoopBackOff</code>, the container started, crashed, and Kubernetes is now waiting an exponentially increasing amount of time before trying to start it again to avoid hammering the node.</p> <p><code>OOMKilled</code> means the Linux kernel terminated the process because it exceeded its memory limit. I have seen this happen frequently in Java applications where the JVM heap is set higher than the Kubernetes memory limit. <code>ImagePullBackOff</code> means the kubelet cannot retrieve the container image from the registry. Each of these states points to a different layer of the stack: the infrastructure, the container runtime or the application code itself. Refer to the official <a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/" rel="noopener noreferrer">Kubernetes Pod Lifecycle documentation</a> for the full state machine.</p> <h2> Common root causes </h2> <p>Pod failures generally fall into three categories.</p> <h3> Startup and Configuration Failures </h3> <ul> <li> <strong>Missing Environment Variables</strong>: The application panics immediately because a required database URL or API key is missing.</li> <li> <strong>Invalid Image Tags</strong>: A typo in the image version or a deleted tag in the registry leads to <code>ErrImagePull</code>.</li> <li> <strong>Registry Authentication</strong>: The <code>imagePullSecrets</code> are missing or the service account lacks permission to pull from a private repository.</li> </ul> <h3> Resource and Infrastructure Constraints </h3> <ul> <li> <strong>Memory Limits (OOMKilled)</strong>: The container attempted to allocate more memory than defined in its <code>limits</code> section.</li> <li> <strong>CPU Throttling</strong>: Extreme throttling can trigger Liveness probe timeouts, causing Kubernetes to kill and restart the pod.</li> <li> <strong>Scheduling Constraints</strong>: Pods stuck in <code>Pending</code> usually suffer from "Insufficient cpu" or "Insufficient memory" on all available nodes, or they have <code>nodeSelector</code> constraints that no node meets.</li> </ul> <h3> Health Check Failures </h3> <ul> <li> <strong>Liveness Probe Misconfiguration</strong>: The probe checks a <code>/health</code> endpoint that takes 10 seconds to respond, but the <code>timeoutSeconds</code> is set to 1. Kubernetes assumes the app is dead and kills it.</li> <li> <strong>Slow Startup</strong>: Heavy frameworks like Spring Boot may take 60 seconds to start. If the Liveness probe starts checking after 10 seconds, the pod is killed before it ever becomes ready.</li> </ul> <h2> Step-by-step recovery process </h2> <p>Follow this decision tree to isolate the root cause.</p> <h3> Step 1: Identify the Symptom </h3> <p>Start with the high-level status.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods </code></pre> </div> <p><strong>Observation:</strong></p> <ul> <li>If status is <code>Pending</code> → Go to Step 2.</li> <li>If status is <code>CrashLoopBackOff</code> or <code>Error</code> → Go to Step 3.</li> <li>If status is <code>Running</code> but the pod keeps restarting → Go to Step 4.</li> </ul> <h3> Step 2: Debugging Pending Pods </h3> <p>If the pod isn't even starting, check the events.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod-name&gt; </code></pre> </div> <p>Look at the <code>Events</code> section at the bottom. If you see <code>FailedScheduling</code>, check for taints or resource pressure. If you see <code>FailedMount</code>, your PVC is likely stuck in another zone or not bound.</p> <h3> Step 3: Debugging CrashLoops and Errors </h3> <p>If the pod starts and then dies, check the application logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs &lt;pod-name&gt; <span class="nt">--previous</span> </code></pre> </div> <p>The <code>--previous</code> flag is critical. It allows you to see the logs from the container that just crashed, rather than the logs of the new container currently starting.</p> <p>If logs are empty, check the exit code using <code>kubectl describe pod</code>.</p> <ul> <li> <strong>Exit Code 137</strong>: This is almost always <code>OOMKilled</code>. You must increase the memory limits in your manifest.</li> <li> <strong>Exit Code 1</strong>: Application crash (NullPointerException, missing config, etc.).</li> </ul> <h3> Step 4: Debugging Pods that Restart </h3> <p>If the pod is <code>Running</code> but the restart count is climbing, the Liveness probe is likely killing it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod-name&gt; | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"Liveness probe failed"</span> </code></pre> </div> <p>Implement a <code>startupProbe</code>. This tells Kubernetes to ignore Liveness and Readiness probes until the container has finished its initial boot sequence. In clusters with slow-starting legacy apps, this reduces unnecessary restart cycles by nearly 100%.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Example Startup Probe for slow apps</span> <span class="na">startupProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> </code></pre> </div> <h3> Step 5: Advanced Inspection </h3> <p>If you cannot get logs and the pod dies too fast to <code>exec</code> into, use an ephemeral debug container.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug <span class="nt">-it</span> &lt;pod-name&gt; <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--target</span><span class="o">=</span>&lt;container-name&gt; </code></pre> </div> <p>This attaches a shell to the process namespace of the failing pod without restarting it, which allows you to inspect the filesystem and network state in real time.</p> <h2> How to prevent future failures </h2> <p>Preventing pod failure requires a production-ready manifest checklist. Never deploy a pod without these four elements:</p> <ol> <li> <strong>Explicit Resource Requests and Limits</strong>: Set <code>requests</code> to what the app needs to run and <code>limits</code> to a reasonable ceiling. This prevents a single pod from consuming all node memory and triggering a node-wide Out-of-Memory event.</li> <li> <strong>Proper Probe Hierarchy</strong>: Use <code>startupProbe</code> for initial boot, <code>livenessProbe</code> for deadlock detection and <code>readinessProbe</code> to control traffic flow.</li> <li> <strong>Non-Root Users</strong>: Use <code>securityContext</code> to ensure the pod does not crash due to permission errors when writing to mounted volumes.</li> <li> <strong>Graceful Shutdown</strong>: Handle <code>SIGTERM</code> in your application code. This allows Kubernetes to drain connections before the 30-second <code>terminationGracePeriodSeconds</code> expires, avoiding 502 errors during deployments.</li> </ol> kubernetestroubleshooting crashloopbackoff kubernetespods devopsguide DevOps Start Mon, 22 Jun 2026 09:24:18 +0000 https://dev.to/devopsstart/how-to-debug-oomkilled-pods-in-kubernetes-a-step-by-step-guide-2daj https://dev.to/devopsstart/how-to-debug-oomkilled-pods-in-kubernetes-a-step-by-step-guide-2daj <h2> What Does OOMKilled Actually Mean? </h2> <p>An <code>OOMKilled</code> status occurs when the Linux kernel's Out-of-Memory (OOM) killer terminates a process to prevent a system-wide crash. In Kubernetes, this is signaled by Exit Code 137. The primary goal of the OOM killer is to reclaim memory to keep the underlying node stable.</p> <p>There are two distinct triggers for this event. First, a container may exceed its specified memory <code>limit</code>, leading the kubelet to kill the process immediately. Second, the entire node may experience memory exhaustion, forcing the kernel to select a "victim" pod based on its Quality of Service (QoS) class. I've seen this happen frequently in clusters where "Burstable" pods are over-provisioned, causing the kernel to kill pods that were technically under their own limits just to save the node. Detailed resource management specifications are available in the <a href="https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" rel="noopener noreferrer">official Kubernetes documentation</a>.</p> <h2> Why is Your Pod Getting OOMKilled? </h2> <p>Root causes typically fall into three categories: application leaks, misconfigured limits, or node-level pressure.</p> <h3> Application Memory Leaks </h3> <p>This is the most common cause for pods that operate normally for several hours before crashing. A leak occurs when an application allocates memory but fails to release it. In Java, this often happens when objects are stored in static collections that never clear. In Go, common culprits include unclosed goroutines or slices that grow indefinitely. In these cases, memory usage climbs linearly until it hits the hard limit.</p> <h3> Improper Resource Limits </h3> <p>Engineers often set <code>limits</code> too close to <code>requests</code>. Many applications have a "bursty" startup phase. For example, a Spring Boot application loading numerous beans into memory may spike to 600Mi during initialization. If the <code>limit</code> is set to 512Mi, the pod will be killed before it ever reaches a healthy state.</p> <h3> Node-Level Memory Pressure </h3> <p>When multiple pods are configured with <code>requests</code> significantly lower than their <code>limits</code>, they can all attempt to burst simultaneously. If the aggregate usage exceeds the node's physical RAM, the kernel triggers a node-level OOM event. The kernel targets pods with the lowest priority or those consuming the most memory relative to their requested amount.</p> <h2> How to Diagnose and Fix OOMKilled Pods </h2> <p>Follow this systematic workflow to move from a crashing pod to a verified root cause.</p> <h3> Step 1: Confirm the Termination Reason </h3> <p>Identify the failing pod and verify the exit code using <code>kubectl</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE api-gateway-7f8db6d9-abc12 0/1 CrashLoopBackOff 4 12m <span class="nv">$ </span>kubectl describe pod api-gateway-7f8db6d9-abc12 </code></pre> </div> <p>Locate the <code>Last State</code> section in the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Containers: api-container: State: Running Last State: Terminated Reason: OOMKilled Exit Code: 137 Finished: Thu, 24 Oct 2024 14:22:01 +0000 </code></pre> </div> <p>An <code>Exit Code: 137</code> confirms an OOM event. If the pod cycles through crashes without this specific code, refer to our guide on <a href="https://dev.to/troubleshooting/crashloopbackoff-kubernetes">Fix CrashLoopBackOff in Kubernetes Pods</a>.</p> <h3> Step 2: Analyze the "Working Set" Metric </h3> <p>Avoid using <code>container_memory_usage_bytes</code> in Prometheus, as it includes page caches that the kernel can reclaim under pressure. Kubernetes makes OOM decisions based on <code>container_memory_working_set_bytes</code>.</p> <p>Execute this PromQL query in your Grafana dashboard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sum(container_memory_working_set_bytes{pod="api-gateway-7f8db6d9-abc12"}) by (pod) </code></pre> </div> <p>A "sawtooth" pattern (steady growth followed by a sharp drop to zero) indicates a memory leak. A flat line with a sudden, vertical spike suggests a resource limit issue or a specific heavy request.</p> <h3> Step 3: Application Profiling </h3> <p>Increasing limits without profiling only delays the crash. If a leak is suspected, you must analyze the heap.</p> <p>For Go applications, integrate <code>pprof</code>. Add this to your <code>main.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="n">_</span> <span class="s">"net/http/pprof"</span> <span class="s">"net/http"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Listen on a separate port to avoid interfering with app traffic</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">"0.0.0.0:6060"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}()</span> <span class="c">// your app logic</span> <span class="p">}</span> </code></pre> </div> <p>Capture a heap profile while the pod is under load:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec </span>api-gateway-7f8db6d9-abc12 <span class="nt">--</span> curl <span class="nt">-s</span> http://localhost:6060/debug/pprof/heap <span class="o">&gt;</span> heap.pprof go tool pprof <span class="nt">-http</span><span class="o">=</span>:8080 heap.pprof </code></pre> </div> <p>For Java applications, trigger a heap dump using <code>jcmd</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec </span>api-gateway-7f8db6d9-abc12 <span class="nt">--</span> jcmd 1 GC.heap_dump /tmp/heapdump.hprof kubectl <span class="nb">cp </span>api-gateway-7f8db6d9-abc12:/tmp/heapdump.hprof ./heapdump.hprof </code></pre> </div> <p>Analyze the <code>.hprof</code> file in VisualVM or Eclipse MAT to identify the leaking class.</p> <h3> Step 4: Right-Sizing the Limits </h3> <p>Calculate the new limit based on observed peaks. A production-ready standard is to set the <code>limit</code> 20% to 30% above the peak <code>working_set_bytes</code> observed during a full load test.</p> <p>Update your deployment manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> </code></pre> </div> <p>Apply the change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> deployment.yaml </code></pre> </div> <h2> How to Prevent OOMKills in the Future </h2> <p>To stop reacting to memory crashes, implement these three architectural strategies.</p> <ol> <li><p><strong>Deploy Vertical Pod Autoscaler (VPA)</strong>: Use VPA in <code>Recommender</code> mode. It analyzes historical usage and suggests the ideal requests and limits, reducing the guesswork that leads to OOM events.</p></li> <li><p><strong>Enforce Guaranteed QoS</strong>: For critical workloads, set <code>requests</code> exactly equal to <code>limits</code>. This assigns the pod to the "Guaranteed" QoS class, making it the last candidate for eviction when the node runs out of RAM.</p></li> <li><p><strong>Coordinate with HPA</strong>: Ensure your Horizontal Pod Autoscaler (HPA) is tuned. If HPA triggers new pods based on CPU but your pods are OOMKilled due to memory, you'll experience cascading failures. Read <a href="https://dev.to/blog/kubernetes-hpa-deep-dive-autoscaling-explained">Kubernetes HPA Deep Dive: Autoscaling Explained</a> for coordination tips.</p></li> </ol> <h2> FAQ </h2> <p><strong>Q: Why did my pod get OOMKilled even though it was below its limit?</strong><br> A: This is a node-level OOM event. When the physical RAM of the node is exhausted, the kernel kills pods based on QoS class. "BestEffort" pods die first, then "Burstable" pods. If your pod is "Burstable" and the node is under pressure, it can be killed regardless of its individual limit.</p> <p><strong>Q: What is the difference between RSS and Working Set?</strong><br> A: Resident Set Size (RSS) is the memory physically held in RAM. Working Set is RSS plus cached memory that cannot be evicted. Kubernetes uses Working Set for OOM decisions because it represents the memory the container absolutely requires to function.</p> <p><strong>Q: Should I enable swap in Kubernetes to prevent OOMKills?</strong><br> A: No. While Kubernetes 1.28+ has improved swap support, relying on swap usually masks memory leaks and introduces severe latency spikes. It is better to fix the leak or increase the node size.</p> <h2> Conclusion and Next Steps </h2> <p>Debugging <code>OOMKilled</code> pods requires moving beyond <code>kubectl get pods</code> and into memory metrics and heap profiling. By distinguishing between container-level and node-level OOM events, you can apply the correct fix, whether that is tuning JVM heap sizes or adjusting your QoS class.</p> <p><strong>Your next steps:</strong></p> <ol> <li>Audit your current deployments for "Burstable" pods with wide gaps between requests and limits.</li> <li>Install the Prometheus <code>kube-state-metrics</code> to track <code>container_memory_working_set_bytes</code>.</li> <li>Integrate <code>pprof</code> or <code>jcmd</code> into your base container images to make profiling immediate during incidents.</li> </ol> kubernetestroubleshooting oomkilled kubernetesmemorylimits devopsguide DevOps Start Sun, 21 Jun 2026 08:47:09 +0000 https://dev.to/devopsstart/cilium-vs-calico-cni-comparison-for-platform-teams-54i2 https://dev.to/devopsstart/cilium-vs-calico-cni-comparison-for-platform-teams-54i2 <p>Choosing a Container Network Interface (CNI) for Kubernetes used to be a simple decision. Does it connect pods? Good enough. Today, that choice is a foundational platform decision that dictates your cluster's security posture, performance limits, and observability capabilities for years to come. Your CNI is no longer just a networking plugin; it's a critical piece of infrastructure that can either accelerate or bottleneck your entire stack.</p> <p>In 2026, the conversation is dominated by two leaders: Cilium and Calico. Both are powerful, mature, and trusted in massive production environments. But they represent different philosophies and technical approaches. Calico offers battle-tested flexibility with a rich history, while Cilium represents a new, eBPF-native world of networking. This guide will cut through the noise to help your platform team make the right long-term decision, focusing not just on features, but on the strategic implications for performance, security, and operations at scale.</p> <h2> The Core Differentiator: The Rise of eBPF </h2> <p>To understand the Cilium vs. Calico debate, you first have to understand eBPF (extended Berkeley Packet Filter). Think of eBPF as a way to run sandboxed, event-driven programs directly within the Linux kernel without changing kernel source code. For networking, this is a game-changer. You can find a deep dive on the technology at the official <a href="https://ebpf.io/what-is-ebpf/" rel="noopener noreferrer">eBPF &amp; Cilium community site</a>.</p> <p>For decades, Kubernetes networking relied on <code>iptables</code> or <code>IPVS</code>. These tools are powerful but operate by creating long, complex chains of rules. As your cluster grows, with thousands of services and pods, traversing these chains for every single packet adds significant CPU overhead and latency. It's like sending a package through a city with thousands of traffic stops.</p> <p>eBPF offers a direct path. eBPF programs can be attached to network interfaces to make intelligent routing and filtering decisions right at the source, bypassing the cumbersome <code>iptables</code> and <code>conntrack</code> subsystems entirely. The result is a faster, more efficient, and more programmable data path.</p> <ul> <li> <strong>Cilium</strong> was built from the ground up with eBPF as its core. Every feature (networking, observability, and security) is designed to leverage the power and efficiency of eBPF.</li> <li> <strong>Calico</strong> started with a standard Linux networking data plane using <code>iptables</code> and IP-in-IP or BGP for routing. It's incredibly robust and well-understood. Recognizing the power of eBPF, Calico introduced a pluggable eBPF data plane. This gives you a choice, but it also means eBPF is an add-on to its core architecture rather than its native foundation.</li> </ul> <p>This fundamental difference in architecture is the source of nearly every other distinction between the two projects.</p> <h2> Network Policy and Security Showdown </h2> <p>Both Cilium and Calico provide robust network security, but their approaches and advanced capabilities differ significantly due to eBPF.</p> <h3> Calico's Policy Engine </h3> <p>Calico has long been the gold standard for network policy. It supports standard Kubernetes <code>NetworkPolicy</code> resources and extends them with its own CRDs like <code>GlobalNetworkPolicy</code> and <code>NetworkPolicy</code> with richer features like explicit <code>deny</code> rules and rule ordering.</p> <p>A typical Calico policy is direct and focuses on L3/L4 (IP and port) filtering. Here's an example that allows ingress from pods with the <code>app: frontend</code> label to port <code>6379/TCP</code> on pods with the <code>app: database</code> label.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">projectcalico.org/v3</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">allow-frontend-to-db</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="s">app == 'database'</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">action</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">source</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="s">app == 'frontend'</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">6379</span> </code></pre> </div> <p>This is clear, effective, and works reliably across Calico's standard and eBPF data planes. For many organizations, this level of control is perfectly sufficient.</p> <h3> Cilium's L7-Aware Security </h3> <p>Cilium's eBPF-native approach allows it to operate at a much higher level of the stack. It can parse application-layer protocols like HTTP, gRPC, and Kafka directly from the kernel. This enables incredibly granular, identity-aware policies that <code>iptables</code>-based systems simply cannot match.</p> <p>Imagine you want to allow the <code>billing-service</code> to read from a <code>metrics-api</code> but not write to it. With Cilium, you can enforce this at the API level.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cilium.io/v2"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CiliumNetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-aware-policy-example</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">endpointSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metrics-api</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">fromEndpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">billing-service</span> <span class="na">toPorts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">8080"</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">http</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">method</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GET"</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/api/v1/metrics"</span> </code></pre> </div> <p>This policy enforces that only <code>GET</code> requests to <code>/api/v1/metrics</code> are allowed from the <code>billing-service</code>. Any <code>POST</code>, <code>DELETE</code>, or other requests would be dropped by the CNI, even if they are on the correct port. This is a massive security enhancement, effectively turning your network into a zero-trust environment at the API level without requiring a service mesh.</p> <p>For encryption, both projects support WireGuard for transparent, in-transit encryption between nodes, providing a modern and performant alternative to IPsec.</p> <h2> Performance and Scalability in 2026 </h2> <p>In a small cluster, the performance difference between Cilium and Calico's eBPF mode might be negligible. But when you scale to hundreds of nodes and tens of thousands of pods, the architectural differences become stark.</p> <p>The primary performance advantage of eBPF comes from avoiding the <code>iptables</code> and <code>conntrack</code> kernel subsystems.</p> <ul> <li> <strong>Reduced CPU Overhead:</strong> Every packet doesn't need to traverse long chains of <code>iptables</code> rules. This frees up significant CPU cycles on each node, which can then be used by your applications. This is especially noticeable on nodes with high connection churn.</li> <li> <strong>Lower Latency:</strong> By processing packets on a more direct path, eBPF reduces the per-packet latency within the cluster. This can have a meaningful impact on the performance of latency-sensitive applications like databases or real-time APIs.</li> <li> <strong>Improved Throughput:</strong> The efficiency of the eBPF data path allows for higher overall network throughput, a key consideration for data-intensive workloads.</li> </ul> <p>While Calico's eBPF mode also gains these benefits, Cilium's eBPF implementation is often considered more mature and deeply integrated, having been the project's sole focus since its inception. In large-scale clusters, this maturity can translate to better stability and more predictable performance under extreme load. If you are deploying large clusters, for example when you <a href="https://dev.to/tutorials/deploy-eks-cluster-with-terraform">deploy an EKS cluster with Terraform</a>, this long-term performance profile becomes a critical factor.</p> <h2> Observability: Seeing the Unseen </h2> <p>Troubleshooting network issues in Kubernetes can be a nightmare. Is a packet being dropped by a network policy? Is a service not responding? This is where built-in observability tools make a huge difference.</p> <h3> Cilium's Hubble </h3> <p>Cilium comes with Hubble, a powerful, purpose-built observability platform that leverages eBPF to provide deep visibility into network flows without any application instrumentation. It gives you a service dependency map, real-time flow data, and policy troubleshooting tools out of the box.</p> <p>With the Hubble CLI, you can immediately see what's happening. For instance, to see all DNS requests and replies in real time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="c"># Assuming Cilium v1.15+ and Hubble is enabled</span> <span class="nv">$ </span>hubble observe <span class="nt">--protocol</span> dns <span class="nt">-f</span> TIMESTAMP SOURCE DESTINATION TYPE VERDICT SUMMARY May 20 12:34:56.123Z kube-system/coredns-abcde default/my-app-fghij L7:response FORWARDED DNS Qry: A, Rcode: NOERROR May 20 12:34:56.456Z default/my-app-fghij kube-system/coredns-abcde L7:request FORWARDED DNS Qry: my-external-service.com. </code></pre> </div> <p>The Hubble UI provides a graphical representation of this data, making it incredibly easy to spot anomalies or understand service communication patterns. If you're constantly fighting weird networking bugs or dealing with a <code>CrashLoopBackOff</code>, this level of insight can save hours of debugging.</p> <h3> Calico's Observability </h3> <p>Calico Enterprise offers similar observability features, including a dynamic service graph and flow visualization. In the open-source version, observability is typically achieved by exporting metrics to Prometheus and building Grafana dashboards. This is a powerful and flexible approach, but it requires more setup and integration effort. You can get flow logs, but they are not as rich or easily queryable as what Hubble provides out of the box.</p> <p>For teams that want a "batteries-included" observability solution tightly coupled with their CNI, Hubble is a clear winner. For teams that prefer to build their own observability stack around standards like Prometheus, Calico's approach is perfectly viable.</p> <h2> The Blurring Lines with Service Mesh </h2> <p>The next battleground for CNIs is the service mesh. Both Cilium and Calico are expanding their feature sets to provide capabilities traditionally associated with tools like Istio or Linkerd.</p> <ul> <li> <strong>Cilium Service Mesh:</strong> Cilium offers service mesh features like traffic management (retries, timeouts), canary deployments, and mTLS encryption without requiring a sidecar proxy. It achieves this by embedding Envoy proxy functionality directly into the CNI layer, managed by eBPF. This sidecar-less model promises better performance and lower resource overhead compared to traditional service meshes.</li> <li> <strong>Calico and Istio:</strong> Calico's strategy is to provide best-in-class integration with Istio. It can accelerate Istio's data plane by offloading some of the networking functions to its eBPF layer. This allows you to combine Calico's robust CNI and policy engine with the full, mature feature set of the Istio service mesh.</li> </ul> <p>This presents a strategic choice: do you want a single, integrated platform for networking, security, and service mesh (Cilium), or do you prefer a modular approach, combining a dedicated CNI (Calico) with a dedicated service mesh (Istio)?</p> <h2> Making the Choice: A Decision Framework </h2> <p>There is no single "best" CNI. The right choice depends entirely on your team's priorities, existing infrastructure, and future goals.</p> <h3> Choose Cilium if </h3> <ul> <li> <strong>Performance is your top priority.</strong> You run latency-sensitive or high-throughput applications and want to squeeze every ounce of performance from your infrastructure.</li> <li> <strong>You need advanced, L7-aware security.</strong> Your security model requires enforcing policies at the API level (HTTP, gRPC) and you want to build a zero-trust network.</li> <li> <strong>You want built-in, out-of-the-box observability.</strong> Your team values integrated tools like Hubble for rapid troubleshooting and dependency mapping.</li> <li> <strong>You are building a new platform and are "all-in" on eBPF.</strong> You are comfortable adopting a modern, eBPF-native stack and are interested in its integrated service mesh capabilities.</li> </ul> <h3> Choose Calico if </h3> <ul> <li> <strong>You need maximum flexibility and a proven track record.</strong> You operate in diverse environments (on-prem, multiple clouds) and need a CNI that supports various data planes (standard Linux, eBPF, Windows).</li> <li> <strong>Your organization already has a significant investment in Istio.</strong> Calico's deep integration with Istio allows you to enhance your existing service mesh with a powerful CNI.</li> <li> <strong>You prefer a more gradual adoption of eBPF.</strong> You want the option to run some clusters with the well-understood standard Linux data plane while experimenting with the eBPF data plane in others.</li> <li> <strong>Your team has deep expertise in traditional Linux networking.</strong> Calico's architecture will feel familiar and its use of BGP for routing is a standard in many enterprises.</li> </ul> <h2> Frequently Asked Questions (FAQ) </h2> <p><strong>1. Is eBPF mature enough for production in 2026?</strong><br> Absolutely. eBPF has been a stable part of the Linux kernel for years. It's used in production by massive tech companies like Google, Meta, and Netflix to handle networking, security, and observability at an immense scale. Both Cilium and Calico's eBPF implementations are considered production-grade.</p> <p><strong>2. Can I migrate from Calico to another CNI like Cilium?</strong><br> Yes, but it's a complex and disruptive process. A CNI migration typically requires a "rip and replace" approach, which involves draining nodes, uninstalling the old CNI, installing the new one, and then uncordoning the nodes. This requires careful planning and significant downtime. It's far better to make the right choice from the beginning.</p> <p><strong>3. Does Calico's standard Linux data plane still have a place?</strong><br> Yes. For environments with older Linux kernels that lack the necessary eBPF features, or for teams who prioritize stability and familiarity over cutting-edge performance, the standard <code>iptables</code>-based data plane is still a very solid and reliable choice. It's one of Calico's key strengths: providing that flexibility.</p> <p><strong>4. What about other CNIs like Flannel or Weave Net?</strong><br> While Flannel and Weave Net are excellent for getting started or for smaller, less demanding clusters, they generally lack the advanced security, observability, and performance features of Cilium and Calico. For any serious production platform, the choice has largely narrowed to these two.</p> <h2> Conclusion </h2> <p>Choosing between Cilium and Calico is a strategic decision that will shape your Kubernetes platform for years. It's a choice between an eBPF-native, all-in-one solution that pushes the boundaries of performance and security (Cilium), and a flexible, battle-hardened CNI that offers a choice of data planes and deep integration with the wider ecosystem (Calico).</p> <p>Your next step should be hands-on evaluation. Don't just read about it. Spin up two identical test clusters. <a href="https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/" rel="noopener noreferrer">Install Cilium</a> on one and <a href="https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart" rel="noopener noreferrer">Calico with the eBPF data plane</a> on the other. Deploy a sample application and use tools like <code>netperf</code> to measure throughput and latency. Test a complex network policy on each. Use Hubble to visualize traffic. Only by seeing how they operate in your environment can you make a truly informed decision for the future of your platform.</p> kubernetes cni comparison cilium DevOps Start Sat, 20 Jun 2026 08:28:19 +0000 https://dev.to/devopsstart/nginx-vs-traefik-kubernetes-ingress-comparison-guide-21gd https://dev.to/devopsstart/nginx-vs-traefik-kubernetes-ingress-comparison-guide-21gd <h2> Introduction </h2> <p>Choosing between NGINX and Traefik isn't about finding the "better" tool, but about deciding where you want your operational toil to live. For a platform engineer, the choice comes down to a trade-off between raw, predictable performance and developer agility. NGINX is the industry titan, offering unmatched throughput and a configuration model that's been battle-tested for decades. Traefik, conversely, was born for the cloud-native era, treating infrastructure as a fluid entity where services appear and disappear in seconds.</p> <p>To evaluate these, you must look beyond the feature checklist. You need to consider Day 2 operations: how the controller handles 500+ microservices, the complexity of managing TLS certificates and the latency introduced during configuration reloads. As the industry shifts toward the <a href="https://kubernetes.io/docs/concepts/services-networking/gateway/" rel="noopener noreferrer">Kubernetes Gateway API</a>, both tools are evolving, but their core philosophies remain distinct. You're choosing between a high-performance proxy that adapts to Kubernetes and a Kubernetes-native orchestrator that happens to be a proxy.</p> <h2> Side-by-Side Comparison Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>NGINX Ingress Controller</th> <th>Traefik Proxy</th> </tr> </thead> <tbody> <tr> <td><strong>Architecture</strong></td> <td>Process-based (C-based)</td> <td>Event-driven (Go-based)</td> </tr> <tr> <td><strong>Config Model</strong></td> <td>Annotations $\rightarrow$ nginx.conf</td> <td>CRDs $\rightarrow$ Dynamic Config</td> </tr> <tr> <td><strong>Config Updates</strong></td> <td>Reloads (potential connection drops)</td> <td>Hot-reloads (zero downtime)</td> </tr> <tr> <td><strong>TLS/SSL</strong></td> <td>External (cert-manager)</td> <td>Native ACME/Let's Encrypt</td> </tr> <tr> <td><strong>Observability</strong></td> <td>External (Prometheus/Grafana)</td> <td>Built-in Dashboard + Metrics</td> </tr> <tr> <td><strong>Performance</strong></td> <td>Higher raw throughput, lower CPU</td> <td>High, but slightly higher overhead</td> </tr> <tr> <td><strong>Learning Curve</strong></td> <td>Steep for complex routing</td> <td>Moderate, native K8s feel</td> </tr> <tr> <td><strong>Gateway API</strong></td> <td>Supported</td> <td>First-class citizen</td> </tr> </tbody> </table></div> <h2> NGINX: The High-Performance Workhorse </h2> <p>NGINX Ingress is the safe bet for environments where every millisecond of latency counts and traffic patterns are relatively stable. Its strength lies in its efficiency. Because it's written in C, it handles massive concurrency with a smaller memory footprint than Go-based alternatives. In high-load scenarios, NGINX typically maintains a lower p99 latency than Traefik.</p> <p>However, the "NGINX way" often involves a heavy reliance on annotations. If you need complex routing, you end up with an <code>Ingress</code> resource cluttered with <code>nginx.ingress.kubernetes.io</code> keys. For advanced logic, you have to use "snippets", which are essentially raw NGINX config fragments injected into the template. This is powerful but dangerous, as a syntax error in a snippet can crash the entire controller.</p> <p>One major pain point is the reload mechanism. While the controller tries to minimize disruption, changing certain global settings triggers a reload of the NGINX process. I've seen this cause intermittent connection drops in clusters with &gt;100 nodes when managing long-lived WebSockets or gRPC streams.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-gateway</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Example of annotation-heavy config</span> <span class="na">nginx.ingress.kubernetes.io/rewrite-target</span><span class="pi">:</span> <span class="s">/</span> <span class="na">nginx.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">HTTPS"</span> <span class="na">nginx.ingress.kubernetes.io/limit-rps</span><span class="pi">:</span> <span class="s2">"</span><span class="s">50"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">api.example.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/v1</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <h2> Traefik: The Cloud-Native Orchestrator </h2> <p>Traefik is designed for the "churn" of microservices. It doesn't just read a config file; it listens to the Kubernetes API server. When a new service is deployed or an HPA scales your pods, Traefik updates its routing table in real-time without restarting or reloading.</p> <p>The standout feature is the native CRD approach. Instead of messy annotations, Traefik uses <code>IngressRoute</code> and <code>Middleware</code> resources. This allows you to define a "RateLimit" middleware once and attach it to ten different services, rather than duplicating annotations across ten different Ingress files. This architectural choice reduces YAML duplication by roughly 40% in large-scale deployments.</p> <p>The built-in Let's Encrypt integration is a massive win for platform teams. You don't need to install and manage <code>cert-manager</code> and its associated <code>ClusterIssuers</code> if you only need basic ACME automation. Traefik handles the challenge and renewal internally.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Middleware</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rate-limit-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rateLimit</span><span class="pi">:</span> <span class="na">average</span><span class="pi">:</span> <span class="m">100</span> <span class="na">burst</span><span class="pi">:</span> <span class="m">50</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-route</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">websecure</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">Host(`api.example.com`) &amp;&amp; PathPrefix(`/v1`)</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rule</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">middlewares</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rate-limit-api</span> </code></pre> </div> <h2> When to Choose Which </h2> <p>The decision should be based on your team's operational capacity and your application's traffic profile.</p> <p><strong>Choose NGINX if:</strong></p> <ul> <li>You are running a high-throughput API where raw latency is your primary KPI.</li> <li>You have a small number of stable services that don't change their routing rules hourly.</li> <li>Your team is already comfortable with NGINX syntax and wants a predictable tool.</li> <li>You are leveraging a CNI like Cilium to handle some of the L7 logic and only need NGINX for the edge. If you're evaluating networking layers, check out our /comparisons/kubernetes-cni-comparison-cilium-vs-calico-for-platform-team for more context.</li> </ul> <p><strong>Choose Traefik if:</strong></p> <ul> <li>You are managing a volatile microservices environment with frequent deployments and auto-scaling.</li> <li>You want a built-in dashboard to visualize traffic flow without configuring a complex Grafana stack.</li> <li>You want to reduce "YAML bloat" by using reusable Middlewares.</li> <li>You prefer a tool that feels like a native part of the Kubernetes API rather than an external proxy ported to K8s.</li> </ul> <h2> FAQ </h2> <p><strong>Does Traefik support the standard Kubernetes Ingress resource?</strong><br> Yes, Traefik supports the standard <code>Ingress</code> resource for compatibility, but to unlock features like advanced Middlewares and complex routing rules, you must use the <code>IngressRoute</code> CRD.</p> <p><strong>Which one is better for gRPC traffic?</strong><br> Both support gRPC, but NGINX generally provides better raw performance for gRPC streams. However, Traefik's lack of reload-based disruptions makes it more stable for long-lived gRPC connections during configuration updates.</p> <p><strong>Can I use both in the same cluster?</strong><br> Yes. By using different <code>ingressClassName</code> values, you can run both controllers. This is a common pattern when migrating from one to the other or when separating internal and external traffic.</p> <h2> Migration and Adoption Checklist </h2> <p>If you are moving from NGINX to Traefik (or vice versa), avoid a "big bang" migration. The risk of a total outage is too high.</p> <ol> <li> <strong>Parallel Deployment</strong>: Install the new controller alongside the old one. Use different <code>ingressClassName</code> values to ensure they don't fight over the same resources.</li> <li> <strong>Canary Routing</strong>: Use a DNS weight shift (e.g., Route53 or Cloudflare) to send 5% of traffic to the new controller.</li> <li> <strong>Middleware Mapping</strong>: Map your NGINX snippets to Traefik Middlewares. Document every custom header or rewrite rule.</li> <li> <strong>Cert Validation</strong>: If moving to Traefik, verify ACME challenge propagation before deleting your <code>cert-manager</code> setup.</li> <li> <strong>Observability Sync</strong>: Ensure your Prometheus scrapers are updated to pull the specific metrics format of the new controller. If you're struggling with pod stability during this rollout, see our guide on /troubleshooting/crashloopbackoff-kubernetes to debug fast.</li> </ol> <p>Once 100% of traffic is stable on the new controller, prune the old Ingress resources and uninstall the legacy controller to reclaim cluster resources.</p> kubernetesingress nginxingresscontroller traefikproxy platformengineering DevOps Start Fri, 19 Jun 2026 18:59:16 +0000 https://dev.to/devopsstart/fix-gitlab-ci-docker-daemon-connection-error-in-3-steps-240o https://dev.to/devopsstart/fix-gitlab-ci-docker-daemon-connection-error-in-3-steps-240o <p><em>This article was originally published on DevOpsStart.com. Here's a quick fix for the dreaded 'Cannot connect to the Docker daemon' error in GitLab CI.</em></p> <h2> The Problem </h2> <p>You have a GitLab CI job that tries to run <code>docker build</code> or <code>docker info</code>, and it fails with this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running? </code></pre> </div> <p>The error means your job is running inside a container that has the <code>docker</code> CLI installed but no Docker daemon (<code>dockerd</code>) service to talk to. The default <code>docker</code> image from Docker Hub ships only the client. Without a running daemon, every <code>docker</code> command returns this error.</p> <h2> Root Causes </h2> <p>Three things cause this error.</p> <h3> 1. Missing <code>docker</code> service in <code>.gitlab-ci.yml</code> </h3> <p>You must define a <code>services</code> block that runs the daemon. The standard approach is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker:dind</span> </code></pre> </div> <p>Without this, your job has no daemon to connect to.</p> <h3> 2. Incorrect or missing <code>DOCKER_HOST</code> variable </h3> <p>When you use the <code>docker</code> executor (the default GitLab Runner executor), the daemon runs as a separate container in the same Pod. You must tell the client where to find it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375</span> </code></pre> </div> <p>If <code>DOCKER_HOST</code> is set to <code>tcp://localhost:2375</code> or missing entirely, the client looks for a local Unix socket that does not exist inside your job container. The job container has no socket file.</p> <h3> 3. Runner not in <code>privileged</code> mode </h3> <p>The <code>docker:dind</code> service requires <code>privileged</code> mode to run its own Docker daemon. If your GitLab Runner's <code>config.toml</code> has <code>privileged = false</code> or is unset, the dind container cannot start. Check your runner configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat</span> /etc/gitlab-runner/config.toml <span class="o">[[</span>runners]] name <span class="o">=</span> <span class="s2">"my-runner"</span> url <span class="o">=</span> <span class="s2">"https://gitlab.com/"</span> token <span class="o">=</span> <span class="s2">"..."</span> executor <span class="o">=</span> <span class="s2">"docker"</span> <span class="o">[</span>runners.docker] privileged <span class="o">=</span> <span class="nb">true </span>pull_policy <span class="o">=</span> <span class="s2">"always"</span> </code></pre> </div> <p>If <code>privileged</code> is <code>false</code> or absent, the dind service never boots, and you get the <code>Cannot connect to the Docker daemon</code> error.</p> <h2> The Solution </h2> <p>A complete fix takes three steps.</p> <h3> Step 1: add the <code>docker:dind</code> service </h3> <p>Add this to your <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">docker:24.0.7</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker:dind</span> <span class="na">alias</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">DOCKER_HOST</span><span class="pi">:</span> <span class="s">tcp://docker:2375</span> <span class="na">DOCKER_TLS_CERTDIR</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> </code></pre> </div> <p>The <code>DOCKER_HOST</code> value <code>tcp://docker:2375</code> tells the client to use the service container named <code>docker</code> (the GitLab Runner resolves the service alias to the container hostname). The <code>DOCKER_TLS_CERTDIR: ""</code> disables TLS for simplicity.</p> <h3> Step 2: test with a simple job </h3> <p>Add a minimal job to verify the fix works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">build</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker info</span> <span class="pi">-</span> <span class="s">docker build -t my-app .</span> </code></pre> </div> <p>The <code>docker info</code> command confirms the daemon is reachable. If it succeeds, your pipeline is ready.</p> <h3> Step 3: check runner logs </h3> <p>If <code>docker info</code> still fails, inspect the runner logs. On your GitLab Runner host, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker logs &lt;runner-container-id&gt; <span class="nt">--tail</span> 50 </code></pre> </div> <p>Look for lines like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Starting container service-docker:dind-0 ... </code></pre> </div> <p>If you see no such line, the service never started. Check <code>privileged</code> mode again in <code>config.toml</code>.</p> <h2> Prevention </h2> <p>To avoid this error in future:</p> <ul> <li>Always add <code>services: - docker:dind</code> to any job that needs <code>docker</code> commands.</li> <li>Always set <code>DOCKER_HOST: tcp://docker:2375</code> as a top-level variable in your pipeline.</li> <li>Verify your GitLab Runner's <code>config.toml</code> has <code>privileged = true</code> before you push new jobs.</li> <li>For a production-grade setup, consider using the <code>docker:24.0.7-dind</code> image variant. It bundles the daemon and the client in one image, reducing the chance of version mismatches.</li> </ul> gitlabcidockerdaemon dockerdindservice gitlabcicannotconnectdockerdae gitlabrunnerprivilegedmode DevOps Start Fri, 19 Jun 2026 09:04:30 +0000 https://dev.to/devopsstart/how-to-fix-kubernetes-crashloopbackoff-in-production-34fl https://dev.to/devopsstart/how-to-fix-kubernetes-crashloopbackoff-in-production-34fl <h2> Problem: What CrashLoopBackOff actually means </h2> <p>When you see <code>CrashLoopBackOff</code> in your <code>kubectl get pods</code> output, you aren't looking at a specific error, but a state. It is a symptom. It tells you that the kubelet tried to start your container, the container crashed, and Kubernetes is now waiting before trying again.</p> <p>To prevent the API server and the node from being hammered by a process that crashes instantly, Kubernetes implements an exponential backoff delay. The first restart happens quickly, but subsequent failures increase the wait time (10s, 20s, 40s, up to a maximum of 5 minutes). If you don't intervene, your pod will spend more time waiting than running, making it nearly impossible to catch logs in real-time.</p> <p>You can find more details on the pod lifecycle in the official <a href="https://kubernetes.io/docs/concepts/workloads/pods/" rel="noopener noreferrer">Kubernetes Documentation</a>.</p> <h2> Root Causes: The "Why" behind the crash </h2> <p>Diagnosing a crash loop requires moving from the symptom to the cause. I've seen this fail most often in clusters with &gt;50 nodes where configuration drift becomes common. Root causes generally fall into three severity tiers.</p> <h3> Low Severity: Configuration and Environment </h3> <p>These are "fail-fast" errors. The application starts, realizes it is missing a critical piece of information, and exits. Common culprits include:</p> <ul> <li> <strong>Missing ConfigMaps or Secrets</strong>: The pod is configured to expect a volume or environment variable that doesn't exist.</li> <li> <strong>Incorrect Environment Variables</strong>: A typo in a database URL or a missing API key.</li> <li> <strong>Wrong Command/Args</strong>: An incorrect entrypoint in the Dockerfile or a typo in the <code>args</code> section of the YAML.</li> </ul> <h3> Medium Severity: Resource and Infrastructure </h3> <p>These crashes are often intermittent or happen shortly after the app begins processing traffic:</p> <ul> <li> <strong>OOMKilled (Exit Code 137)</strong>: The container exceeded its memory limit. This is the most common production crash, often reducing availability by 100% for that specific replica.</li> <li> <strong>Liveness Probe Death Spiral</strong>: The application takes 30 seconds to start, but the liveness probe kills it after 10 seconds. The pod is healthy, but Kubernetes thinks it's dead.</li> <li> <strong>Storage Permissions</strong>: The container user doesn't have write access to a mounted PersistentVolume.</li> </ul> <h3> High Severity: External Dependencies </h3> <p>The application is healthy, but its environment is hostile:</p> <ul> <li> <strong>Database Connection Timeouts</strong>: The app crashes because it cannot reach the DB due to a firewall rule or incorrect credentials.</li> <li> <strong>DNS Resolution Failures</strong>: CoreDNS issues prevent the app from finding other services within the cluster.</li> <li> <strong>Dependency API Outages</strong>: A hard dependency (like an external Auth provider) is down, and the app isn't designed to handle the failure gracefully.</li> </ul> <h2> Solution: Step-by-Step Production Triage </h2> <p>When a production service goes into <code>CrashLoopBackOff</code>, follow this severity-based logic tree. Do not guess; use the data provided by the cluster.</p> <h3> Step 1: The Rapid Triage </h3> <p>Start by checking the pod status and events. This tells you if the crash is happening because of the image, the scheduler, or the application itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod-name&gt; </code></pre> </div> <p>Look at the <code>Containers</code> section for the <code>Last State</code>. You will see an <code>Exit Code</code>. This is your most important clue.</p> <p><strong>Expected Output:</strong><br> You should see a section like this:<br> <code>Last State: Terminated</code><br> <code>Reason: Error</code><br> <code>Exit Code: 137</code></p> <h3> Step 2: Decoding the Exit Code </h3> <p>Map the exit code from <code>describe</code> to your action plan:</p> <ul> <li> <strong>Exit Code 0</strong>: The app finished its task and exited. If this is a Deployment, it shouldn't happen. You likely need a Job instead.</li> <li> <strong>Exit Code 1</strong>: General application crash. Move to Step 3 to check logs.</li> <li> <strong>Exit Code 137</strong>: OOMKilled. Increase your memory limits in the deployment YAML.</li> <li> <strong>Exit Code 139</strong>: Segmentation fault. This is usually a binary incompatibility or a memory corruption issue in the code.</li> <li> <strong>Exit Code 143</strong>: SIGTERM. The pod was told to stop but didn't do it gracefully.</li> </ul> <h3> Step 3: Retrieving the "Hidden" Logs </h3> <p>If a pod is crashing, <code>kubectl logs &lt;pod-name&gt;</code> often returns nothing because the current container has just started and hasn't logged anything yet. You must check the logs of the previous failed instance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs &lt;pod-name&gt; <span class="nt">--previous</span> </code></pre> </div> <p>If the logs show a connection timeout to a database, check your network policies or secret values. If you need a faster way to handle urgent fixes, you can use <code>/tips/rapid-rollback-kubectl-set-image-for-urgent-fixes</code> to revert to a known working image version.</p> <h3> Step 4: Debugging "Silent" Crashes with Ephemeral Containers </h3> <p>Sometimes logs are empty and the exit code is vague. In Kubernetes v1.23+, you can use <code>kubectl debug</code> to spin up a sidecar container with debugging tools (like <code>curl</code>, <code>dig</code>, or <code>vim</code>) that shares the same process namespace as the crashing pod.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug <span class="nt">-it</span> &lt;pod-name&gt; <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--target</span><span class="o">=</span>&lt;container-name&gt; </code></pre> </div> <p>Once inside, you can inspect the <code>/tmp</code> directory, check network connectivity, or look at the filesystem to see if a config file was mounted incorrectly. For a wider array of helpful commands, refer to the /tips/kubectl-essential-commands guide.</p> <h2> Prevention: Stopping the loop before it starts </h2> <p>Prevention is about shifting from "fixing" to "hardening". Implement these four strategies to eliminate <code>CrashLoopBackOff</code> in production:</p> <ol> <li><p><strong>Right-Size Resources</strong>: Use a Vertical Pod Autoscaler (VPA) in <code>Recommender</code> mode to find the actual memory usage of your app. Set your <code>limits</code> roughly 20% higher than your <code>requests</code> to handle spikes without triggering an OOMKill.</p></li> <li><p><strong>Graceful Probes</strong>: Never set a <code>livenessProbe</code> with the same timing as your <code>readinessProbe</code>. Give your application a <code>initialDelaySeconds</code> that covers its worst-case startup time. If your app takes 20 seconds to boot, set the delay to 30 seconds.</p></li> <li><p><strong>Robust Signal Handling</strong>: Ensure your application handles <code>SIGTERM</code> (Exit Code 143). If your app ignores this signal, Kubernetes will eventually force-kill it with <code>SIGKILL</code> (Exit Code 137) after the <code>terminationGracePeriodSeconds</code> expires.</p></li> <li><p><strong>Better Observability</strong>: Integrate deep monitoring. If you are running AI workloads, implementing /tutorials/llm-observability-on-kubernetes-a-practical-guide will help you identify if crashes are caused by GPU memory exhaustion or model loading timeouts.</p></li> </ol> <h2> FAQ </h2> <p><strong>Why does my pod stay in CrashLoopBackOff even after I fix the ConfigMap?</strong><br> Kubernetes uses an exponential backoff. If your pod has crashed multiple times, it might wait up to 5 minutes before the next restart attempt. You can force an immediate restart by deleting the pod: <code>kubectl delete pod &lt;pod-name&gt;</code>.</p> <p><strong>Is an Exit Code 137 always an OOMKill?</strong><br> Almost always, but not exclusively. It means the process received a <code>SIGKILL</code> (Signal 9). While the kubelet usually sends this when a container exceeds its memory limit, it can also happen if an external process or the node's OOM killer terminates the process.</p> <p><strong>How can I prevent a crashing pod from affecting other pods on the same node?</strong><br> Define strict <code>resources.limits</code>. Without memory limits, a single leaking container can consume all node memory, triggering the Node-level OOM killer and causing unrelated pods to be evicted.</p> <h2> Conclusion and Next Steps </h2> <p><code>CrashLoopBackOff</code> is a safety mechanism, not a bug. By isolating the exit code and inspecting previous logs, you can quickly determine if you are facing a configuration error, a resource constraint, or a dependency failure.</p> <p>To further harden your production environment, take these next steps:</p> <ul> <li>Audit your <code>livenessProbes</code> to ensure they aren't too aggressive.</li> <li>Deploy a Vertical Pod Autoscaler (VPA) to get data-driven memory limits.</li> <li>Implement a structured logging pipeline (EFK/ELK) so you don't have to rely on <code>--previous</code> logs during an incident.</li> </ul> kubernetestroubleshooting crashloopbackoff kubernetesproduction devopsguide DevOps Start Thu, 18 Jun 2026 08:56:33 +0000 https://dev.to/devopsstart/senior-sre-interview-questions-answers-for-2026-42d6 https://dev.to/devopsstart/senior-sre-interview-questions-answers-for-2026-42d6 <h2> Introduction </h2> <p>Landing a Senior Site Reliability Engineering (SRE) role in 2026 requires more than just knowing how to write a YAML file or explaining the difference between a Pod and a Deployment. The industry has shifted. We have moved past the early adoption phase of Kubernetes and into the era of Platform Engineering, where the goal is not just to manage infrastructure but to build an Internal Developer Platform (IDP) that enables self-service.</p> <p>Interviewers no longer test for rote memorization of Linux commands. They look for architectural judgment, the ability to manage cognitive load for developers and a deep understanding of how reliability impacts the bottom line. A Senior SRE is expected to be a force multiplier, not just a firefighter.</p> <p>In this guide, you will find the high-signal questions currently being asked at top-tier tech companies, along with the senior-level reasoning required to answer them. We cover everything from cell-based architectures and OpenTelemetry to the psychological nuances of blameless post-mortems.</p> <h2> The Evolution of SRE in 2026 </h2> <p>Before diving into specific questions, you must understand the current landscape. SRE has largely merged with Platform Engineering. The focus is now on "Golden Paths" (standardized, supported ways to deploy software) to reduce developer friction.</p> <p>Furthermore, AIOps is no longer a buzzword. Senior SREs are now expected to integrate LLMs into their observability stacks for anomaly detection and automated root cause analysis. If you discuss observability, you should reference patterns for monitoring non-deterministic AI workloads, such as tracking token latency and prompt cache hit rates, to show you understand how to monitor LLM-integrated applications.</p> <h2> Advanced System Design for Reliability </h2> <p>At the senior level, scalability is not just about adding more replicas to a deployment. It is about blast radius reduction.</p> <h3> Question: How do you design a system to prevent a single regional failure from taking down your entire global platform? </h3> <p><strong>What they are looking for:</strong> Knowledge of Global Server Load Balancing (GSLB), Anycast routing and specifically "Cell-based Architecture."</p> <p><strong>The Senior Answer:</strong><br> Do not just say "I would use a multi-region deployment." Explain the trade-offs. Mention that while multi-region provides availability, it introduces data consistency challenges tied to the CAP theorem.</p> <p>Explain the concept of Cells. Instead of one giant regional cluster, divide infrastructure into isolated cells (smaller, independent units of deployment). If a bug is deployed or a database locks up, it only affects one cell (e.g., 5% of users) rather than the entire region.</p> <p><strong>Key components to mention:</strong></p> <ul> <li> <strong>Route53/Cloudflare:</strong> For traffic steering based on health checks.</li> <li> <strong>Cell Router:</strong> A thin layer that maps a User ID to a specific cell.</li> <li> <strong>Asynchronous Replication:</strong> Using tools like CockroachDB or DynamoDB Global Tables to handle state across regions without killing latency.</li> </ul> <h3> Question: How do you handle "Thundering Herd" problems in a distributed system? </h3> <p><strong>What they are looking for:</strong> Understanding of caching strategies and request shedding.</p> <p><strong>The Senior Answer:</strong><br> A thundering herd occurs when many clients retry a failed request simultaneously, crashing the recovering service. I implement three layers of defense:</p> <ol> <li> <strong>Exponential Backoff with Jitter:</strong> Ensure clients do not retry at the exact same millisecond. A simple <code>sleep(2^attempt + random_jitter)</code> prevents synchronized spikes.</li> <li> <strong>Circuit Breakers:</strong> Use a service mesh (like Istio or Linkerd) to trip the circuit and fail fast when a downstream service is overwhelmed.</li> <li> <strong>Request Prioritization:</strong> Implement a priority queue where critical traffic (e.g., checkout) is processed before background tasks (e.g., analytics).</li> </ol> <h2> Observability vs. Monitoring </h2> <p>Monitoring tells you that something is wrong; observability allows you to understand why it is wrong without shipping new code.</p> <h3> Question: We have millions of metrics, but our dashboards are noisy. How do you define "actionable" SLIs and SLOs? </h3> <p><strong>What they are looking for:</strong> The ability to link technical metrics to business value.</p> <p><strong>The Senior Answer:</strong><br> Most teams make the mistake of measuring CPU usage as an SLI. CPU is a cause, not a symptom. A senior SRE focuses on the user experience.</p> <p>I use the Four Golden Signals (Latency, Traffic, Errors, Saturation) but tie them to specific user journeys. For example, instead of "API Error Rate," I define the SLI as "Percentage of successful 'Add to Cart' requests completed within 500ms over a rolling 30-day window."</p> <p>If the Error Budget is exhausted, the action is a freeze on feature releases to focus on reliability. This turns a technical metric into a business decision.</p> <h3> Question: How do you handle high-cardinality data in a distributed tracing environment? </h3> <p><strong>What they are looking for:</strong> Experience with OpenTelemetry (OTel) and the cost implications of telemetry.</p> <p><strong>The Senior Answer:</strong><br> High cardinality (e.g., putting a unique UserID in every metric tag) can crash a Prometheus instance or lead to massive bills in Datadog.</p> <p>I recommend moving to OpenTelemetry for a vendor-agnostic approach. To handle cardinality, I implement Head-based or Tail-based Sampling. Instead of keeping 100% of traces, we keep 100% of errors and 5% of successful requests. This provides the necessary visibility into failures without the storage overhead of every single "200 OK" request.</p> <h2> Incident Management and the "SRE Mindset" </h2> <h3> Question: You are leading an incident where a cascading failure is occurring across three microservices. How do you manage the situation? </h3> <p><strong>What they are looking for:</strong> Command and control (ICS), communication skills and technical triage.</p> <p><strong>The Senior Answer:</strong><br> First, I establish roles: an Incident Commander (IC) to coordinate, a Communications Lead to update stakeholders and an Ops Lead to handle the technical fix. I avoid having too many people directing the technical execution.</p> <p>Technically, my first goal is to stop the bleeding, not find the root cause. I look for the bottleneck service and apply aggressive load shedding or disable non-essential features using feature flags to lower the pressure on the system. Once the system is stable, we move to the Post-Mortem phase.</p> <h3> Question: How do you handle a situation where a Product Manager insists on a feature release that you know will risk the Error Budget? </h3> <p><strong>What they are looking for:</strong> Negotiation skills and a commitment to the SRE philosophy.</p> <p><strong>The Senior Answer:</strong><br> I do not frame it as "No, we cannot do this." I frame it as a risk management conversation.</p> <p>I show the current Error Budget burn rate. If we are at 10% of our budget for the month, I explain that a failed release could lead to an outage that violates our SLA, potentially costing the company $X per hour in revenue. I suggest a Canary Deployment strategy, releasing to 1% of users first. This allows the PM to get the feature out while limiting the blast radius.</p> <h2> Infrastructure as Code (IaC) and GitOps at Scale </h2> <h3> Question: Terraform is becoming slow and state locking is a constant issue for our team of 50 engineers. How do you scale your IaC? </h3> <p><strong>What they are looking for:</strong> Experience with state management and modularization.</p> <p><strong>The Senior Answer:</strong><br> The monolithic state is a common failure point. I first implement state splitting, breaking the infrastructure into logical layers (e.g., Networking, Database, Application) so that a change to an app does not require locking the VPC state.</p> <p>For teams moving toward massive scale, I evaluate the transition to a programmatic IaC approach using Pulumi or OpenTofu, which allows for better testing and abstraction than HCL. To automate the rollout, I implement a GitOps pipeline using Argo CD or Flux to ensure the cluster state always matches the Git repository.</p> <h2> Cloud-Native Security (DevSecOps) </h2> <h3> Question: How do you implement a "Zero Trust" network in a Kubernetes environment? </h3> <p><strong>What they are looking for:</strong> Knowledge of Network Policies and eBPF.</p> <p><strong>The Senior Answer:</strong><br> Default Kubernetes networking is flat, meaning any pod can talk to any pod. To implement Zero Trust, I start with a Default Deny Network Policy for all namespaces.</p> <p>Then, I use a CNI that supports eBPF, such as Cilium. eBPF allows us to enforce security policies at the kernel level rather than relying on iptables, which provides better performance and deeper visibility into the network flow. I also integrate a service mesh like Istio to enforce Mutual TLS (mTLS) for all service-to-service communication, ensuring that identities are verified via certificates, not just IP addresses.</p> <h2> Practical Troubleshooting Scenarios </h2> <p>In senior interviews, you will often get a whiteboard scenario. The interviewer does not want the right answer immediately; they want to see your debugging methodology.</p> <h3> Scenario: "The database CPU is spiking to 90%, but the application traffic (requests per second) is flat. How do you debug this?" </h3> <p><strong>The Senior Approach:</strong><br> I follow a top-down diagnostic path:</p> <ol> <li> <strong>Identify the Workload:</strong> Is the CPU spike caused by an increase in total queries or is a small number of queries becoming more expensive? I check the Slow Query Log.</li> <li> <strong>Check for Locking/Contention:</strong> I look for long-running transactions or lock waits. A single unoptimized query hitting a table without an index can spike CPU even if traffic is flat.</li> <li> <strong>External Factors:</strong> I check for background jobs. Did a database backup start? Is an ETL process running a massive join?</li> <li> <strong>Resource Exhaustion:</strong> I check if the DB is swapping to disk or if there is a memory leak causing excessive Garbage Collection.</li> </ol> <h3> Scenario: "A new deployment caused a spike in 5xx errors. The pods are running, but the app is failing. What do you do?" </h3> <p><strong>The Senior Approach:</strong></p> <ol> <li> <strong>Immediate Mitigation:</strong> First, I trigger a rollback to the last known good image using <code>kubectl rollout undo deployment/&lt;deployment-name&gt;</code>. Speed of recovery is the priority.</li> <li> <strong>Log Analysis:</strong> I check the logs for "Panic" or "Out of Memory" (OOM) errors. If pods are restarting, I check if it is a probe failure (Liveness/Readiness).</li> <li> <strong>Diffing:</strong> I compare the configuration changes between the failed version and the previous version. Was a secret missing? Did an environment variable change?</li> <li> <strong>Trace Analysis:</strong> I use distributed tracing to see if the 5xx is coming from the app itself or a downstream dependency that the new version is calling differently.</li> </ol> <h2> FAQ </h2> <h3> What is the biggest difference between a DevOps Engineer and an SRE? </h3> <p>DevOps is a cultural philosophy focused on breaking down silos between Dev and Ops. SRE is a specific implementation of DevOps. SRE applies software engineering principles to operations problems, focusing on SLIs, SLOs and Error Budgets.</p> <h3> Which tool should I learn first: Terraform or Pulumi? </h3> <p>Terraform is the industry standard and essential for any resume. However, Pulumi is gaining traction in Platform Engineering because it allows you to use general-purpose languages (TypeScript, Python, Go), making it easier to build complex logic for internal platforms.</p> <h3> How do I handle "on-call burnout" as a Senior SRE? </h3> <p>Burnout is a systemic failure, not a personal one. I advocate for Operational Load tracking. If the team spends more than 50% of their time on toil (manual, repetitive work), I negotiate with leadership to halt feature work and dedicate a stability sprint to automate the causes of the alerts.</p> <h2> Conclusion and Next Steps </h2> <p>Passing a Senior SRE interview is about demonstrating that you can think in terms of systems, trade-offs and business risk. You are not just there to keep the lights on; you are there to build a system that can survive the failure of its individual components.</p> <p><strong>Your Action Plan:</strong></p> <ol> <li> <strong>Audit your experience:</strong> For every project on your resume, identify the trade-off. Why did you choose X over Y? What was the cost?</li> <li> <strong>Master the Golden Signals:</strong> Be ready to explain exactly how you would measure the reliability of a specific business feature.</li> <li> <strong>Practice the Cell mindset:</strong> Read up on how companies like AWS and Meta use cell-based architectures to limit blast radius.</li> <li> <strong>Hands-on with OTel:</strong> Deploy an OpenTelemetry collector in a lab environment to understand how traces and metrics flow.</li> </ol> sreinterviewquestions sitereliabilityengineering platformengineering systemdesignforreliability DevOps Start Wed, 17 Jun 2026 09:03:45 +0000 https://dev.to/devopsstart/llm-observability-on-kubernetes-a-practical-guide-3i62 https://dev.to/devopsstart/llm-observability-on-kubernetes-a-practical-guide-3i62 <p>Monitoring traditional applications often feels like a well-trodden path. You set up logs, grab some metrics, and perhaps add a few traces. However, integrating Large Language Models (LLMs) or AI agents, especially when running on Kubernetes, fundamentally changes this paradigm. <strong>LLM observability on Kubernetes</strong> is a different beast entirely, demanding a more nuanced approach than standard application monitoring.</p> <p>This tutorial is designed for DevOps, ML, or platform engineers grappling with the unique challenges of monitoring LLM-powered applications and AI agents on Kubernetes. You'll learn why traditional tools fall short and how to build a practical, end-to-end observability pipeline. We will use battle-tested Kubernetes-native tools like Prometheus, Grafana, Loki, and OpenTelemetry. The tutorial includes hands-on experience with a simple AI agent application, instrumenting it, deploying it to Kubernetes, and setting up a unified observability stack to monitor its performance, cost, and behavior.</p> <h2> Why Traditional Observability Fails for LLM-Powered AI Agents </h2> <p>Generative AI applications, particularly those powered by LLMs and complex AI agents, introduce a new dimension to observability that traditional methods struggle to address. It's no longer just about CPU and memory; it's about context, coherence, and cost per token. For effective LLM observability on Kubernetes, your standard monitoring stack needs an upgrade.</p> <p>Here’s why traditional monitoring falls short for LLMs and AI agents:</p> <ul> <li> <strong>Non-Determinism:</strong> LLMs are inherently non-deterministic. The same prompt can yield different responses, making it hard to track performance or identify regressions solely through request/response codes. You need to understand the <em>content</em> and <em>quality</em> of responses. For example, a successful HTTP 200 response doesn't indicate if an LLM response was a hallucination.</li> <li> <strong>Complex Prompt/Response Dynamics:</strong> The interaction isn't a simple input-output. It involves intricate prompt engineering, context windows, and diverse response formats. Observing just the HTTP status code tells you nothing about a hallucination or an off-topic answer.</li> <li> <strong>Token Usage &amp; Cost:</strong> Every interaction with an LLM consumes tokens, which directly translates to cost, especially with proprietary models like OpenAI's GPT-4. Monitoring token usage per request, per user, or per session is critical for cost control and capacity planning. Traditional metrics simply don't capture this. For example, a simple query might cost fractions of a cent, but 10,000 queries per minute can quickly escalate costs to thousands of dollars daily.</li> <li> <strong>Latency Nuances:</strong> LLM response times are often dominated by token generation, not just initial processing. You need to differentiate between prompt processing latency and response streaming latency for accurate performance tuning of your LLM applications.</li> <li> <strong>AI Agent Complexity:</strong> This is where it gets really interesting. AI agents involve multiple steps: planning, tool selection, tool execution, memory management, and iterative reasoning. Each step is a potential failure point. You need to trace the agent's entire decision path, track tool call successes/failures, and understand how the agent arrived at its final answer. A simple error log tells you <em>that</em> something failed, but not <em>why</em> the agent chose a particular path or tool.</li> <li> <strong>"Black Box" Nature:</strong> While you can control the inputs, the internal workings of large foundation models are opaque. Observability needs to shine a light on the model's <em>behavior</em> at the application layer.</li> </ul> <p>On Kubernetes, you're adept at monitoring resource utilization at the pod and container level. But for LLM applications, this is only half the story. You need to correlate Kubernetes infrastructure metrics with application-specific LLM and agent metrics to get a complete picture of your LLM observability on Kubernetes.</p> <h2> Core Observability Pillars for LLM Workloads on Kubernetes </h2> <p>The traditional pillars of observability (Logs, Metrics, and Traces) remain foundational, but they need to be adapted and extended for LLM workloads on Kubernetes. This integrated approach is key to achieving comprehensive LLM observability.</p> <h3> Logs: The Narrative of Your AI Agent's Decisions </h3> <p>For LLM applications and AI agents, logs are more than just error messages. They are the narrative of your agent's reasoning process, crucial for understanding and debugging <strong>LLM observability on Kubernetes</strong>.</p> <ul> <li> <strong>Prompt/Response Logging:</strong> Crucial for debugging and understanding model behavior. Log the full input prompt, context, and the LLM's raw response. This helps diagnose why a model might have hallucinated or gone off-topic.</li> <li> <strong>Agent Decision Logs:</strong> For AI agents, log every significant step: <ul> <li>Initial plan formulation.</li> <li>Tool selection decisions.</li> <li>Inputs and outputs of each tool call.</li> <li>Re-planning attempts.</li> <li>Intermediate reasoning steps.</li> </ul> </li> <li> <strong>Structured Logging:</strong> Absolutely essential. Use JSON logging to include metadata like <code>trace_id</code>, <code>span_id</code>, <code>user_id</code>, <code>session_id</code>, <code>model_name</code>, <code>temperature</code>, <code>token_counts</code>, and <code>safety_flags</code>. This makes logs queryable and correlatable with metrics and traces.</li> <li> <strong>Kubernetes Integration:</strong> Leverage Kubernetes' standard output (stdout/stderr) for logs. A log collector like Fluent Bit, deployed as a DaemonSet, can then ship these structured logs to a centralized logging solution like Loki, Elasticsearch, or Splunk.</li> </ul> <h3> Metrics: Quantifying LLM Performance and Cost </h3> <p>Metrics provide the quantitative insights into your LLM application's health, performance, and operational cost. These are vital for effective <strong>LLM observability on Kubernetes</strong>.</p> <ul> <li> <strong>Application-Level Metrics:</strong> These are paramount. We'll dive into specific examples shortly, but think latency, token usage, error rates for LLM calls, and specific agent action success rates.</li> <li> <strong>Resource Utilization:</strong> Standard Kubernetes metrics for CPU, memory, network I/O are still vital. For GPU-accelerated inference, monitoring GPU utilization, memory, and temperature is critical. Prometheus can scrape these from Kubernetes <code>kube-state-metrics</code> and <code>node-exporter</code> (or specific GPU exporters like <code>DCGM Exporter</code>).</li> <li> <strong>Cost Metrics:</strong> Beyond just resource utilization, track API calls to external LLMs and internal token consumption. This allows for real-time cost estimation and budgeting.</li> <li> <strong>Kubernetes Integration:</strong> Prometheus, with its <code>ServiceMonitor</code> and <code>PodMonitor</code> custom resources, is perfectly suited for scraping application-level metrics directly from your LLM application pods.</li> </ul> <h3> Traces: Following the AI Agent's Chain of Thought </h3> <p>Distributed tracing is arguably the most powerful pillar for debugging complex, multi-step AI agents, offering deep insights into <strong>LLM observability on Kubernetes</strong>. It visualizes the entire execution path.</p> <ul> <li> <strong>End-to-End Flow:</strong> A trace provides a timeline view of a single request or agent interaction, spanning across multiple services and internal functions. For an AI agent, this means seeing the initial user query, the LLM call, the tool selection logic, the tool execution, and the final response, all linked together.</li> <li> <strong>Span Granularity:</strong> Create spans for: <ul> <li>Incoming request.</li> <li>Each LLM API call (input prompt, model, temperature, output response).</li> <li>Each step of the agent's reasoning chain (e.g., "planning step", "tool invocation", "context retrieval").</li> <li>Each external tool call (e.g., database lookup, external API call).</li> </ul> </li> <li> <strong>Context Propagation:</strong> Essential for connecting spans across service boundaries. OpenTelemetry automatically handles this for many protocols.</li> <li> <strong>Semantic Conventions:</strong> Use OpenTelemetry's semantic conventions for LLM operations. This ensures consistency and makes traces easier to interpret across different tools.</li> <li> <strong>Kubernetes Integration:</strong> Deploy an OpenTelemetry Collector within your Kubernetes cluster to receive traces from your instrumented applications and export them to a tracing backend like Jaeger or Tempo.</li> </ul> <h2> Key Metrics for LLM Apps &amp; AI Agents on Kubernetes </h2> <p>Let's get specific about the metrics you <em>must</em> track for LLM-powered applications and AI agents to ensure comprehensive <strong>LLM observability on Kubernetes</strong>.</p> <h3> Performance Metrics for LLM Applications </h3> <p>These reveal how quickly and efficiently your LLM application is serving requests.</p> <ul> <li> <strong>Prompt Processing Latency:</strong> Time taken from receiving a prompt to sending it to the LLM API. <ul> <li> <em>Prometheus metric type:</em> <code>histogram</code> </li> <li> <em>Example:</em> <code>llm_prompt_processing_seconds_bucket</code> </li> </ul> </li> <li> <strong>Response Generation Latency:</strong> Time taken for the LLM to generate the full response, or the time until the first token is received for streaming. <ul> <li> <em>Prometheus metric type:</em> <code>histogram</code> </li> <li> <em>Example:</em> <code>llm_response_generation_seconds_bucket</code> </li> </ul> </li> <li> <strong>Total Request Latency:</strong> End-to-end time for a user query. <ul> <li> <em>Prometheus metric type:</em> <code>histogram</code> </li> <li> <em>Example:</em> <code>llm_agent_total_request_seconds_bucket</code> </li> </ul> </li> <li> <strong>Throughput (Queries Per Second):</strong> Number of requests or agent interactions handled per second. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_agent_requests_total</code> </li> </ul> </li> <li> <strong>Tool Call Latency:</strong> Time taken for specific tools invoked by the agent (e.g., database query, external API call). <ul> <li> <em>Prometheus metric type:</em> <code>histogram</code> </li> <li> <em>Example:</em> <code>agent_tool_call_seconds_bucket{tool_name="weather_api"}</code> </li> </ul> </li> </ul> <h3> Resource Utilization Metrics for LLMs on Kubernetes </h3> <p>While standard Kubernetes metrics cover CPU and memory, pay special attention to:</p> <ul> <li> <strong>GPU Utilization:</strong> Percentage of GPU compute units being used. Critical for local inference. <ul> <li> <em>Prometheus metric type:</em> <code>gauge</code> </li> <li> <em>Example:</em> <code>gpu_utilization_percentage</code> </li> </ul> </li> <li> <strong>GPU Memory Usage:</strong> Amount of memory allocated on the GPU. <ul> <li> <em>Prometheus metric type:</em> <code>gauge</code> </li> <li> <em>Example:</em> <code>gpu_memory_usage_bytes</code> </li> </ul> </li> <li> <strong>CPU and Memory (per Pod):</strong> Standard <code>container_cpu_usage_seconds_total</code> and <code>container_memory_working_set_bytes</code> from <code>kube-state-metrics</code> and <code>node-exporter</code>.</li> </ul> <h3> LLM Cost Monitoring Metrics </h3> <p>Directly impacting your budget, these are often overlooked in initial deployments and are crucial for comprehensive LLM observability.</p> <ul> <li> <strong>Input Token Count:</strong> Number of tokens sent in the prompt. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_input_tokens_total</code> </li> </ul> </li> <li> <strong>Output Token Count:</strong> Number of tokens received in the response. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_output_tokens_total</code> </li> </ul> </li> <li> <strong>Total LLM API Calls:</strong> Number of requests made to the underlying LLM (internal or external). <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_api_calls_total{model_name="gpt-4"}</code> </li> </ul> </li> <li> <strong>Estimated Cost:</strong> A derived metric calculated by multiplying token counts or API calls by their respective per-unit costs. This is often best handled in Grafana using PromQL. For example, if input tokens cost $0.01 per 1000 and output tokens cost $0.03 per 1000, you can calculate real-time cost. <ul> <li> <em>Prometheus metric type:</em> (Derived in Grafana)</li> <li> <em>Example (PromQL):</em> <code>(sum(rate(llm_input_tokens_total[5m])) / 1000 * 0.01) + (sum(rate(llm_output_tokens_total[5m])) / 1000 * 0.03)</code> </li> </ul> </li> </ul> <h3> Model Quality &amp; AI Agent Behavior Metrics </h3> <p>These are more challenging to define but crucial for understanding the LLM's effectiveness and the performance of your AI agents.</p> <ul> <li> <strong>Safety Guardrail Activations:</strong> Count of times a safety or moderation filter was triggered (e.g., content flagged as unsafe). <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_safety_violations_total</code> </li> </ul> </li> <li> <strong>Hallucination Flags:</strong> If your application has logic to detect potential hallucinations, count these. This is often heuristic. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>llm_hallucinations_detected_total</code> </li> </ul> </li> <li> <strong>Agent Goal Completion Rate:</strong> For multi-step agents, track the percentage of interactions where the agent successfully achieved its objective. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> (for successes/failures)</li> <li> <em>Example:</em> <code>agent_goal_completions_total</code>, <code>agent_goal_failures_total</code> </li> </ul> </li> <li> <strong>Tool Call Success/Failure Rates:</strong> Track how often an agent's chosen tool executed successfully. <ul> <li> <em>Prometheus metric type:</em> <code>counter</code> </li> <li> <em>Example:</em> <code>agent_tool_call_success_total{tool_name="database_lookup"}</code>, <code>agent_tool_call_failure_total{tool_name="external_api"}</code> </li> </ul> </li> <li> <strong>Number of Agent Steps/Iterations:</strong> How many steps or LLM calls an agent took to complete a task. High numbers might indicate inefficiency. <ul> <li> <em>Prometheus metric type:</em> <code>histogram</code> or <code>gauge</code> </li> <li> <em>Example:</em> <code>agent_iteration_steps_count_bucket</code> </li> </ul> </li> </ul> <h2> Instrumenting LLM Applications &amp; Agents for Observability </h2> <p>Instrumentation is where you expose the internal state of your LLM application and AI agent. <a href="https://opentelemetry.io/" rel="noopener noreferrer">OpenTelemetry</a> is the gold standard here for its vendor-neutral approach and comprehensive support for traces, metrics, and logs, making it ideal for <strong>LLM observability on Kubernetes</strong>.</p> <h3> Why OpenTelemetry is Essential for LLM Observability </h3> <p>OpenTelemetry (OTel) provides a set of APIs, SDKs, and tools to instrument your application to generate and export telemetry data. It's language-agnostic and supports various exporters, allowing you to switch observability backends without re-instrumenting your code. For complex distributed systems like Kubernetes-hosted AI agents, OTel's distributed tracing capabilities are invaluable for understanding the flow of LLM interactions.</p> <h3> Instrumentation Methods for LLM Observability </h3> <h4> 1. OpenTelemetry for Tracing and Metrics </h4> <p>This is the recommended approach for deep, custom instrumentation for LLM observability.</p> <ul> <li> <strong>Traces:</strong> <ul> <li>Use the OpenTelemetry SDK for your language (e.g., <code>opentelemetry-python</code>).</li> <li>Wrap LLM calls, tool calls, and agent steps with spans.</li> <li>Add relevant attributes (e.g., <code>model_name</code>, <code>prompt_hash</code>, <code>token_counts</code>, <code>tool_name</code>, <code>status</code>) to spans.</li> </ul> </li> <li> <strong>Metrics:</strong> <ul> <li>While OpenTelemetry can also generate metrics, for simple counter/gauge/histogram metrics that Prometheus can scrape directly, using your language's Prometheus client library (e.g., <code>prometheus_client</code> for Python) is often simpler for HTTP exposition.</li> <li>For richer, more complex metrics or if you want to use OTLP for metrics, OpenTelemetry's metrics API is also powerful.</li> </ul> </li> </ul> <h4> 2. Framework Callbacks (e.g., LangChain) </h4> <p>If you're using an LLM framework like LangChain, many provide callback systems that are perfect for capturing agent activity for better LLM observability.</p> <ul> <li> <strong>LangChain Callbacks:</strong> Implement custom callbacks (<code>BaseCallbackHandler</code>) to log, emit metrics, or create traces at various points: <ul> <li> <code>on_llm_start</code>/<code>on_llm_end</code> </li> <li> <code>on_tool_start</code>/<code>on_tool_end</code> </li> <li> <code>on_chain_start</code>/<code>on_chain_end</code> </li> <li> <code>on_agent_action</code>/<code>on_agent_finish</code> </li> </ul> </li> <li> <strong>Integrating with OpenTelemetry:</strong> Within these callbacks, you can explicitly create OpenTelemetry spans and add attributes.</li> </ul> <h4> 3. Custom Wrappers </h4> <p>For simpler LLM integrations or when frameworks don't offer enough hooks, you can create custom wrapper functions around your LLM API calls and agent logic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">from</span> <span class="n">prometheus_client</span> <span class="kn">import</span> <span class="n">Histogram</span><span class="p">,</span> <span class="n">Counter</span> <span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">set_global_textmap</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.resources</span> <span class="kn">import</span> <span class="n">Resource</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace</span> <span class="kn">import</span> <span class="n">TracerProvider</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.export</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">ConsoleSpanExporter</span><span class="p">,</span> <span class="n">BatchSpanProcessor</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">opentelemetry.exporter.otlp.proto.grpc.trace_exporter</span> <span class="kn">import</span> <span class="n">OTLPSpanExporter</span> <span class="kn">from</span> <span class="n">opentelemetry.instrumentation.requests</span> <span class="kn">import</span> <span class="n">RequestsInstrumentor</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.sampling</span> <span class="kn">import</span> <span class="n">ALWAYS_ON</span> <span class="kn">from</span> <span class="n">opel_propagate_b3</span> <span class="kn">import</span> <span class="n">B3Format</span> <span class="c1"># pip install opel-propagate-b3 </span> <span class="c1"># --- OpenTelemetry Setup (for Tracing) --- # For a real application, you'd configure the OTLPSpanExporter to point to your OpenTelemetry Collector. # For demonstration, we'll use ConsoleSpanExporter or a local OTLP endpoint if available. </span><span class="n">resource</span> <span class="o">=</span> <span class="n">Resource</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span><span class="sh">"</span><span class="s">service.name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm-agent-app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service.version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">})</span> <span class="n">provider</span> <span class="o">=</span> <span class="nc">TracerProvider</span><span class="p">(</span><span class="n">resource</span><span class="o">=</span><span class="n">resource</span><span class="p">,</span> <span class="n">sampler</span><span class="o">=</span><span class="n">ALWAYS_ON</span><span class="p">)</span> <span class="c1"># In a K8s cluster, this endpoint should point to the OTel Collector service. </span><span class="n">otlp_exporter</span> <span class="o">=</span> <span class="nc">OTLPSpanExporter</span><span class="p">(</span><span class="n">endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">http://otel-collector.observability:4317</span><span class="sh">"</span><span class="p">,</span> <span class="n">insecure</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">span_processor</span> <span class="o">=</span> <span class="nc">BatchSpanProcessor</span><span class="p">(</span><span class="n">otlp_exporter</span><span class="p">)</span> <span class="n">provider</span><span class="p">.</span><span class="nf">add_span_processor</span><span class="p">(</span><span class="n">span_processor</span><span class="p">)</span> <span class="n">trace</span><span class="p">.</span><span class="nf">set_tracer_provider</span><span class="p">(</span><span class="n">provider</span><span class="p">)</span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.agent.tracer</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Propagator for B3 headers (commonly used in microservices) </span><span class="nf">set_global_textmap</span><span class="p">(</span><span class="nc">B3Format</span><span class="p">())</span> <span class="c1"># Instrument requests library for outgoing HTTP calls (e.g., to actual LLM API) </span><span class="nc">RequestsInstrumentor</span><span class="p">().</span><span class="nf">instrument</span><span class="p">()</span> <span class="c1"># --- Prometheus Metrics Setup --- # Latency of the LLM call itself </span><span class="n">LLM_CALL_LATENCY_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_call_latency_seconds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Latency of LLM API calls in seconds</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">],</span> <span class="n">buckets</span><span class="o">=</span><span class="p">[</span><span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">,</span> <span class="mf">20.0</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Total input and output tokens </span><span class="n">LLM_INPUT_TOKENS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_input_tokens_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total input tokens processed by LLM</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">LLM_OUTPUT_TOKENS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_output_tokens_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total output tokens generated by LLM</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Agent tool call success/failure </span><span class="n">AGENT_TOOL_CALLS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">agent_tool_calls_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total agent tool calls</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">tool_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># status: 'success' or 'failure' </span><span class="p">)</span> <span class="c1"># Agent overall request latency </span><span class="n">AGENT_REQUEST_LATENCY_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">'</span><span class="s">agent_request_latency_seconds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">End-to-end latency of agent requests in seconds</span><span class="sh">'</span><span class="p">,</span> <span class="n">buckets</span><span class="o">=</span><span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">,</span> <span class="mf">20.0</span><span class="p">,</span> <span class="mf">30.0</span><span class="p">,</span> <span class="mf">60.0</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># --- Structured Logger Setup --- # Note: In a real Flask app, this would be integrated into the app's logger. # This is a simplified example. </span><span class="n">logging</span><span class="p">.</span><span class="nf">basicConfig</span><span class="p">(</span> <span class="n">level</span><span class="o">=</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">'</span><span class="s">%(message)s</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># The formatter will produce JSON </span> <span class="n">datefmt</span><span class="o">=</span><span class="sh">"</span><span class="s">%Y-%m-%dT%H:%M:%S%z</span><span class="sh">"</span> <span class="p">)</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># Override the default formatter to inject trace_id and span_id </span><span class="k">class</span> <span class="nc">JsonFormatter</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">Formatter</span><span class="p">):</span> <span class="k">def</span> <span class="nf">format</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="n">log_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">formatTime</span><span class="p">(</span><span class="n">record</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">datefmt</span><span class="p">),</span> <span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">levelname</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">(),</span> <span class="c1"># Default to plain message </span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm-agent-app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">component</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="p">}</span> <span class="c1"># Attempt to parse message as JSON and merge </span> <span class="k">try</span><span class="p">:</span> <span class="n">msg_dict</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">())</span> <span class="n">log_data</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">msg_dict</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">msg_dict</span><span class="p">:</span> <span class="c1"># Ensure a 'message' field is always present </span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">()</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># Message is not JSON, use original record.getMessage() </span> <span class="c1"># Inject trace_id and span_id </span> <span class="n">current_span</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_current_span</span><span class="p">()</span> <span class="k">if</span> <span class="n">current_span</span> <span class="ow">and</span> <span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">is_valid</span><span class="p">:</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">format</span><span class="p">(</span><span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">trace_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">x</span><span class="sh">'</span><span class="p">)</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">span_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">format</span><span class="p">(</span><span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">span_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">x</span><span class="sh">'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">span_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">log_data</span><span class="p">)</span> <span class="c1"># Remove default handler and add one with custom formatter # Note: For Flask, actual integration may differ. </span><span class="k">for</span> <span class="n">handler</span> <span class="ow">in</span> <span class="n">logger</span><span class="p">.</span><span class="n">handlers</span><span class="p">[:]:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">removeHandler</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="n">handler</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">StreamHandler</span><span class="p">()</span> <span class="n">handler</span><span class="p">.</span><span class="nf">setFormatter</span><span class="p">(</span><span class="nc">JsonFormatter</span><span class="p">())</span> <span class="n">logger</span><span class="p">.</span><span class="nf">addHandler</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="c1"># --- Mock LLM and Agent Logic --- </span><span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">mock_llm_call</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">gpt-3.5-turbo</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Simulates an LLM API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_api_call</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">model_name</span><span class="sh">"</span><span class="p">,</span> <span class="n">model_name</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.request.type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">chat</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.prompts</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}))</span> <span class="c1"># Store as JSON string </span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.5</span> <span class="o">+</span> <span class="mf">0.5</span> <span class="o">*</span> <span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">)</span> <span class="o">/</span> <span class="mi">100</span><span class="p">))</span> <span class="c1"># Simulate variable latency </span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="c1"># Simulate token usage </span> <span class="n">input_tokens</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="o">+</span> <span class="mi">10</span> <span class="c1"># Example </span> <span class="n">output_tokens</span> <span class="o">=</span> <span class="mi">50</span> <span class="o">+</span> <span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="o">//</span> <span class="mi">2</span> <span class="c1"># Example </span> <span class="n">response_text</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">This is a simulated response to: </span><span class="sh">'</span><span class="si">{</span><span class="n">prompt</span><span class="si">}</span><span class="sh">'</span><span class="s">. </span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="bp">None</span> <span class="c1"># Simulate agent action suggestion </span> <span class="k">if</span> <span class="sh">"</span><span class="s">weather</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">forecast</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">I recommend using a weather tool.</span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">New York</span><span class="sh">"</span><span class="p">}</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">time</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">I recommend using a time tool.</span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">}</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">Simulating an LLM error.</span><span class="sh">"</span> <span class="n">status_code</span> <span class="o">=</span> <span class="mi">500</span> <span class="k">else</span><span class="p">:</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">No tool suggested.</span><span class="sh">"</span> <span class="n">status_code</span> <span class="o">=</span> <span class="mi">200</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.model</span><span class="sh">"</span><span class="p">,</span> <span class="n">model_name</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.total</span><span class="sh">"</span><span class="p">,</span> <span class="n">input_tokens</span> <span class="o">+</span> <span class="n">output_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.prompt</span><span class="sh">"</span><span class="p">,</span> <span class="n">input_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.completion</span><span class="sh">"</span><span class="p">,</span> <span class="n">output_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.content</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_text</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.status_code</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="p">)</span> <span class="n">LLM_CALL_LATENCY_SECONDS</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status_code</span><span class="p">).</span><span class="nf">observe</span><span class="p">(</span><span class="n">latency</span><span class="p">)</span> <span class="n">LLM_INPUT_TOKENS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">).</span><span class="nf">inc</span><span class="p">(</span><span class="n">input_tokens</span><span class="p">)</span> <span class="n">LLM_OUTPUT_TOKENS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">).</span><span class="nf">inc</span><span class="p">(</span><span class="n">output_tokens</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm_call_completed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">LLM call finished</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">:</span> <span class="n">model_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">input_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="n">input_tokens</span><span class="p">,</span> <span class="sh">"</span><span class="s">output_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="n">output_tokens</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span> <span class="p">}))</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_action</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span><span class="p">}</span> <span class="k">def</span> <span class="nf">mock_weather_tool</span><span class="p">(</span><span class="n">city</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Simulates an external weather API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_call_weather</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.parameters.city</span><span class="sh">"</span><span class="p">,</span> <span class="n">city</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.3</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">The weather in </span><span class="si">{</span><span class="n">city</span><span class="si">}</span><span class="s"> is sunny with 25°C.</span><span class="sh">"</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.status</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.result</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Weather tool call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">:</span> <span class="n">city</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">status</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span> <span class="p">}))</span> <span class="k">return</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">mock_time_tool</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Simulates an external time API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_call_time</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">The current time is </span><span class="si">{</span><span class="n">time</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%H</span><span class="si">:</span><span class="o">%</span><span class="n">M</span><span class="si">:</span><span class="o">%</span><span class="n">S</span><span class="sh">'</span><span class="s">)</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.status</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.result</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Time tool call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">status</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span> <span class="p">}))</span> <span class="k">return</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">llm_agent_handler</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_headers</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s">The core logic of our simple LLM agent.</span><span class="sh">"""</span> <span class="c1"># Extract trace context from incoming request headers </span> <span class="n">ctx</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nc">Context</span><span class="p">()</span> <span class="k">if</span> <span class="n">request_headers</span><span class="p">:</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">extract</span><span class="p">(</span><span class="n">request_headers</span><span class="p">)</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_agent_request</span><span class="sh">"</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">ctx</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">user.query</span><span class="sh">"</span><span class="p">,</span> <span class="n">prompt</span><span class="p">)</span> <span class="n">agent_start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_started</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent request initiated</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}))</span> <span class="n">llm_response_data</span> <span class="o">=</span> <span class="nf">mock_llm_call</span><span class="p">(</span><span class="n">prompt</span><span class="p">,</span> <span class="sh">"</span><span class="s">gpt-3.5-turbo-mock</span><span class="sh">"</span><span class="p">)</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Step 2: Agent decision making based on LLM response </span> <span class="k">if</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">]:</span> <span class="n">action</span> <span class="o">=</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">]</span> <span class="n">tool_name</span> <span class="o">=</span> <span class="n">action</span><span class="p">[</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_decision</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent decided to call tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">call_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_name</span><span class="p">}))</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">agent_decision_making</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">decision_span</span><span class="p">:</span> <span class="n">decision_span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">decision.type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">)</span> <span class="n">decision_span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">decision.tool_name</span><span class="sh">"</span><span class="p">,</span> <span class="n">tool_name</span><span class="p">)</span> <span class="k">if</span> <span class="n">tool_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">:</span> <span class="n">city</span> <span class="o">=</span> <span class="n">action</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">New York</span><span class="sh">"</span><span class="p">)</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">mock_weather_tool</span><span class="p">(</span><span class="n">city</span><span class="p">)</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">final_answer</span><span class="si">}</span><span class="se">\n</span><span class="s">Tool result: </span><span class="si">{</span><span class="n">tool_result</span><span class="si">}</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">tool_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">mock_time_tool</span><span class="p">()</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">final_answer</span><span class="si">}</span><span class="se">\n</span><span class="s">Tool result: </span><span class="si">{</span><span class="n">tool_result</span><span class="si">}</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">unknown_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent attempted to call unknown tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_name</span><span class="p">}))</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="sh">'</span><span class="s">failure</span><span class="sh">'</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">agent_end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">total_latency</span> <span class="o">=</span> <span class="n">agent_end_time</span> <span class="o">-</span> <span class="n">agent_start_time</span> <span class="n">AGENT_REQUEST_LATENCY_SECONDS</span><span class="p">.</span><span class="nf">observe</span><span class="p">(</span><span class="n">total_latency</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">agent.total_latency_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="n">total_latency</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">agent.final_response</span><span class="sh">"</span><span class="p">,</span> <span class="n">final_answer</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_finished</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent request completed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">final_response_summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">final_answer</span><span class="p">,</span> <span class="sh">"</span><span class="s">total_latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">total_latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">}))</span> <span class="k">return</span> <span class="n">final_answer</span> </code></pre> </div> <p>This Python code snippet demonstrates the principles for building LLM observability on Kubernetes:</p> <ul> <li> <strong>OpenTelemetry <code>tracer</code></strong>: Used to create spans for the overall agent request, the LLM call, and each tool call. Attributes are added to these spans for rich context. The <code>extract(request_headers)</code> ensures trace context propagation.</li> <li> <strong>Prometheus client metrics</strong>: <code>Histogram</code> for latencies and <code>Counter</code> for tokens and tool calls are exposed.</li> <li> <strong>Structured Logging</strong>: <code>logger.info</code> calls output JSON logs, including <code>trace_id</code> and <code>span_id</code> for easy correlation. The custom <code>JsonFormatter</code> ensures proper structure.</li> </ul> <h2> Leveraging Kubernetes-Native Observability Tools for LLMs </h2> <p>Now, let's tie this into your Kubernetes cluster using familiar tools to enhance LLM observability on Kubernetes.</p> <h3> Prometheus &amp; Grafana for LLM Metrics </h3> <p>Prometheus is the de-facto standard for metric collection in Kubernetes. Grafana provides powerful visualization.</p> <ol> <li> <strong>Prometheus Operator:</strong> The easiest way to deploy and manage Prometheus in Kubernetes is using the <a href="https://prometheus-operator.dev/" rel="noopener noreferrer">Prometheus Operator</a>. It introduces Custom Resource Definitions (CRDs) like <code>ServiceMonitor</code> and <code>PodMonitor</code> that simplify scraping configuration for your LLM applications.</li> <li> <strong>Grafana:</strong> A leading open-source dashboarding tool that integrates seamlessly with Prometheus for visualizing LLM metrics.</li> </ol> <h3> Logging Solutions with Fluent Bit and Loki/Elasticsearch </h3> <p>Centralized logging is non-negotiable for debugging microservices, including LLM-powered applications.</p> <ol> <li> <strong>Fluent Bit:</strong> A lightweight and efficient log processor and forwarder. Deploy it as a DaemonSet on your Kubernetes nodes to collect logs from container <code>stdout</code>/<code>stderr</code>.</li> <li> <strong>Loki:</strong> Grafana Labs' log aggregation system, designed for cost-effectiveness and scalability, especially when paired with Grafana for visualization. It indexes metadata (labels) rather than full log content, which is great for LLM observability.</li> <li> <strong>Elasticsearch/Kibana:</strong> Another popular stack for log aggregation and analysis, especially powerful for full-text search.</li> </ol> <h3> OpenTelemetry Collector for Traces and LLM Observability </h3> <p>The OpenTelemetry Collector is an essential component for distributed tracing within your Kubernetes environment.</p> <ul> <li> <strong>Role:</strong> It receives, processes, and exports telemetry data. Your LLM applications send traces to the collector, which then forwards them to your chosen tracing backend (e.g., Jaeger, Tempo).</li> <li> <strong>Deployment:</strong> Deploy the collector as a <code>Deployment</code> in your Kubernetes cluster, typically in your <code>observability</code> namespace.</li> <li> <strong>Configuration:</strong> Configure it to receive OTLP (OpenTelemetry Protocol) traces, process them (e.g., batching, sampling), and then export them to your backend.</li> </ul> <h2> Hands-on Guide: Building LLM Observability Pipeline on Kubernetes </h2> <p>Let's put theory into practice. We'll deploy our simple LLM agent application, then set up Prometheus, Grafana, OpenTelemetry Collector, and Loki to observe it, building out comprehensive <strong>LLM observability on Kubernetes</strong>.</p> <h3> Prerequisites </h3> <p>Ensure you have:</p> <ul> <li>A running Kubernetes cluster (Minikube, k3s, or a cloud-managed cluster).</li> <li> <code>kubectl</code> (v1.25+) installed and configured to connect to your cluster.</li> <li> <code>helm</code> (v3.10+) installed.</li> <li> <code>docker</code> installed (to build the application image).</li> <li>A Docker Hub account (or other container registry) to push your image.</li> </ul> <h3> Step 1: Prepare the LLM Agent Application </h3> <p>First, let's create our Python Flask application (<code>app.py</code>) which implements the agent logic and instrumentation we discussed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">from</span> <span class="n">prometheus_client</span> <span class="kn">import</span> <span class="n">Histogram</span><span class="p">,</span> <span class="n">Counter</span><span class="p">,</span> <span class="n">generate_latest</span><span class="p">,</span> <span class="n">REGISTRY</span> <span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="kn">from</span> <span class="n">opentelemetry.propagate</span> <span class="kn">import</span> <span class="n">set_global_textmap</span><span class="p">,</span> <span class="n">extract</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.resources</span> <span class="kn">import</span> <span class="n">Resource</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace</span> <span class="kn">import</span> <span class="n">TracerProvider</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.export</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">BatchSpanProcessor</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">opentelemetry.exporter.otlp.proto.grpc.trace_exporter</span> <span class="kn">import</span> <span class="n">OTLPSpanExporter</span> <span class="kn">from</span> <span class="n">opentelemetry.instrumentation.wsgi</span> <span class="kn">import</span> <span class="n">WsgiMiddleware</span> <span class="kn">from</span> <span class="n">opentelemetry.instrumentation.requests</span> <span class="kn">import</span> <span class="n">RequestsInstrumentor</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.trace.sampling</span> <span class="kn">import</span> <span class="n">ALWAYS_ON</span> <span class="kn">from</span> <span class="n">opentelemetry.metrics</span> <span class="kn">import</span> <span class="n">set_meter_provider</span> <span class="kn">from</span> <span class="n">opentelemetry.sdk.metrics</span> <span class="kn">import</span> <span class="n">MeterProvider</span> <span class="kn">from</span> <span class="n">opentelemetry.exporter.prometheus</span> <span class="kn">import</span> <span class="n">PrometheusMetricReader</span> <span class="kn">from</span> <span class="n">opel_propagate_b3</span> <span class="kn">import</span> <span class="n">B3Format</span> <span class="c1"># pip install opel-propagate-b3 </span> <span class="c1"># --- OpenTelemetry Setup --- # Resource for the service </span><span class="n">resource</span> <span class="o">=</span> <span class="n">Resource</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="sh">"</span><span class="s">service.name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm-agent-app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service.version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">k8s.pod.name</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">HOSTNAME</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">k8s.namespace.name</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">KUBERNETES_NAMESPACE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">)</span> <span class="p">})</span> <span class="c1"># Tracer Provider </span><span class="n">provider</span> <span class="o">=</span> <span class="nc">TracerProvider</span><span class="p">(</span><span class="n">resource</span><span class="o">=</span><span class="n">resource</span><span class="p">,</span> <span class="n">sampler</span><span class="o">=</span><span class="n">ALWAYS_ON</span><span class="p">)</span> <span class="c1"># Configure OTLP exporter to send traces to the OpenTelemetry Collector in the 'observability' namespace </span><span class="n">otlp_exporter</span> <span class="o">=</span> <span class="nc">OTLPSpanExporter</span><span class="p">(</span><span class="n">endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">http://otel-collector.observability:4317</span><span class="sh">"</span><span class="p">,</span> <span class="n">insecure</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">span_processor</span> <span class="o">=</span> <span class="nc">BatchSpanProcessor</span><span class="p">(</span><span class="n">otlp_exporter</span><span class="p">)</span> <span class="n">provider</span><span class="p">.</span><span class="nf">add_span_processor</span><span class="p">(</span><span class="n">span_processor</span><span class="p">)</span> <span class="n">trace</span><span class="p">.</span><span class="nf">set_tracer_provider</span><span class="p">(</span><span class="n">provider</span><span class="p">)</span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.agent.tracer</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Propagator for B3 headers (commonly used in microservices for context propagation) </span><span class="nf">set_global_textmap</span><span class="p">(</span><span class="nc">B3Format</span><span class="p">())</span> <span class="c1"># Instrument requests library for outgoing HTTP calls (e.g., to actual LLM API) </span><span class="nc">RequestsInstrumentor</span><span class="p">().</span><span class="nf">instrument</span><span class="p">()</span> <span class="c1"># --- Prometheus Metrics Setup --- # Latency of the LLM call itself </span><span class="n">LLM_CALL_LATENCY_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_call_latency_seconds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Latency of LLM API calls in seconds</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status_code</span><span class="sh">'</span><span class="p">],</span> <span class="n">buckets</span><span class="o">=</span><span class="p">[</span><span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">,</span> <span class="mf">20.0</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Total input and output tokens </span><span class="n">LLM_INPUT_TOKENS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_input_tokens_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total input tokens processed by LLM</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">LLM_OUTPUT_TOKENS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">llm_output_tokens_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total output tokens generated by LLM</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">model_name</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Agent tool call success/failure </span><span class="n">AGENT_TOOL_CALLS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">agent_tool_calls_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Total agent tool calls</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">tool_name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># status: 'success' or 'failure' </span><span class="p">)</span> <span class="c1"># Agent overall request latency </span><span class="n">AGENT_REQUEST_LATENCY_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">'</span><span class="s">agent_request_latency_seconds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">End-to-end latency of agent requests in seconds</span><span class="sh">'</span><span class="p">,</span> <span class="n">buckets</span><span class="o">=</span><span class="p">[</span><span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">,</span> <span class="mf">20.0</span><span class="p">,</span> <span class="mf">30.0</span><span class="p">,</span> <span class="mf">60.0</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># --- Structured Logger Setup --- </span><span class="k">class</span> <span class="nc">JsonFormatter</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">Formatter</span><span class="p">):</span> <span class="k">def</span> <span class="nf">format</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="c1"># Base log data </span> <span class="n">log_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">formatTime</span><span class="p">(</span><span class="n">record</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">datefmt</span><span class="p">),</span> <span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">levelname</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">(),</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm-agent-app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">component</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">filename</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">filename</span><span class="p">,</span> <span class="sh">"</span><span class="s">lineno</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">lineno</span><span class="p">,</span> <span class="sh">"</span><span class="s">funcName</span><span class="sh">"</span><span class="p">:</span> <span class="n">record</span><span class="p">.</span><span class="n">funcName</span><span class="p">,</span> <span class="p">}</span> <span class="c1"># Attempt to parse message as JSON and merge. This supports logger.info(json.dumps({"event": "..."})) </span> <span class="k">try</span><span class="p">:</span> <span class="n">msg_dict</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">())</span> <span class="n">log_data</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">msg_dict</span><span class="p">)</span> <span class="c1"># If the JSON message didn't contain a 'message' field, keep the default one </span> <span class="k">if</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">msg_dict</span><span class="p">:</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">getMessage</span><span class="p">()</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># Message is not JSON, use original record.getMessage() as the 'message' field </span> <span class="c1"># Inject trace_id and span_id if available </span> <span class="n">current_span</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_current_span</span><span class="p">()</span> <span class="k">if</span> <span class="n">current_span</span> <span class="ow">and</span> <span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">is_valid</span><span class="p">:</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">format</span><span class="p">(</span><span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">trace_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">x</span><span class="sh">'</span><span class="p">)</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">span_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">format</span><span class="p">(</span><span class="n">current_span</span><span class="p">.</span><span class="nf">get_span_context</span><span class="p">().</span><span class="n">span_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">x</span><span class="sh">'</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">trace_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="n">log_data</span><span class="p">[</span><span class="sh">"</span><span class="s">span_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">log_data</span><span class="p">)</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="c1"># Clear existing handlers to prevent duplicate logs from Flask's default logger </span><span class="k">for</span> <span class="n">handler</span> <span class="ow">in</span> <span class="n">logger</span><span class="p">.</span><span class="n">handlers</span><span class="p">[:]:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">removeHandler</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="n">handler</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">StreamHandler</span><span class="p">()</span> <span class="n">handler</span><span class="p">.</span><span class="nf">setFormatter</span><span class="p">(</span><span class="nc">JsonFormatter</span><span class="p">())</span> <span class="n">logger</span><span class="p">.</span><span class="nf">addHandler</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="c1"># --- Mock LLM and Agent Logic --- </span><span class="k">def</span> <span class="nf">mock_llm_call</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">model_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">gpt-3.5-turbo</span><span class="sh">"</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Simulates an LLM API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_api_call</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">model_name</span><span class="sh">"</span><span class="p">,</span> <span class="n">model_name</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.request.type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">chat</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.prompts</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">([{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]))</span> <span class="c1"># Store as JSON string </span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.5</span> <span class="o">+</span> <span class="mf">0.5</span> <span class="o">*</span> <span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">)</span> <span class="o">/</span> <span class="mi">100</span><span class="p">))</span> <span class="c1"># Simulate variable latency </span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="c1"># Simulate token usage </span> <span class="n">input_tokens</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="o">+</span> <span class="mi">10</span> <span class="c1"># Example: base 10 tokens + words </span> <span class="n">output_tokens</span> <span class="o">=</span> <span class="mi">50</span> <span class="o">+</span> <span class="nf">len</span><span class="p">(</span><span class="n">prompt</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="o">//</span> <span class="mi">2</span> <span class="c1"># Example: base 50 tokens + half of input words </span> <span class="n">response_text</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">This is a simulated response to: </span><span class="sh">'</span><span class="si">{</span><span class="n">prompt</span><span class="si">}</span><span class="sh">'</span><span class="s">. </span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">status_code</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1"># Simulate agent action suggestion </span> <span class="k">if</span> <span class="sh">"</span><span class="s">weather</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">forecast</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">I recommend using a weather tool.</span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">New York</span><span class="sh">"</span><span class="p">}</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">time</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">I recommend using a time tool.</span><span class="sh">"</span> <span class="n">response_action</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">}</span> <span class="k">elif</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">prompt</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">Simulating an LLM error.</span><span class="sh">"</span> <span class="n">status_code</span> <span class="o">=</span> <span class="mi">500</span> <span class="k">else</span><span class="p">:</span> <span class="n">response_text</span> <span class="o">+=</span> <span class="sh">"</span><span class="s">No tool suggested.</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.model</span><span class="sh">"</span><span class="p">,</span> <span class="n">model_name</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.total</span><span class="sh">"</span><span class="p">,</span> <span class="n">input_tokens</span> <span class="o">+</span> <span class="n">output_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.prompt</span><span class="sh">"</span><span class="p">,</span> <span class="n">input_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.tokens.completion</span><span class="sh">"</span><span class="p">,</span> <span class="n">output_tokens</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">llm.response.content</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_text</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">http.status_code</span><span class="sh">"</span><span class="p">,</span> <span class="n">status_code</span><span class="p">)</span> <span class="n">LLM_CALL_LATENCY_SECONDS</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="n">status_code</span><span class="p">).</span><span class="nf">observe</span><span class="p">(</span><span class="n">latency</span><span class="p">)</span> <span class="n">LLM_INPUT_TOKENS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">).</span><span class="nf">inc</span><span class="p">(</span><span class="n">input_tokens</span><span class="p">)</span> <span class="n">LLM_OUTPUT_TOKENS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">model_name</span><span class="o">=</span><span class="n">model_name</span><span class="p">).</span><span class="nf">inc</span><span class="p">(</span><span class="n">output_tokens</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">llm_call_completed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">LLM call finished</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">:</span> <span class="n">model_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">prompt</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">input_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="n">input_tokens</span><span class="p">,</span> <span class="sh">"</span><span class="s">output_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="n">output_tokens</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span> <span class="p">}))</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_action</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span><span class="p">}</span> <span class="k">def</span> <span class="nf">mock_weather_tool</span><span class="p">(</span><span class="n">city</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Simulates an external weather API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_call_weather</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.parameters.city</span><span class="sh">"</span><span class="p">,</span> <span class="n">city</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.3</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">The weather in </span><span class="si">{</span><span class="n">city</span><span class="si">}</span><span class="s"> is sunny with 25°C.</span><span class="sh">"</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.status</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.result</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Weather tool call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">:</span> <span class="n">city</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">status</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span> <span class="p">}))</span> <span class="k">return</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">mock_time_tool</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Simulates an external time API call.</span><span class="sh">"""</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">tool_call_time</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">)</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">latency</span> <span class="o">=</span> <span class="n">end_time</span> <span class="o">-</span> <span class="n">start_time</span> <span class="n">result</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">The current time is </span><span class="si">{</span><span class="n">time</span><span class="p">.</span><span class="n">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%H</span><span class="si">:</span><span class="o">%</span><span class="n">M</span><span class="si">:</span><span class="o">%</span><span class="n">S</span><span class="sh">'</span><span class="s">)</span><span class="si">}</span><span class="s">.</span><span class="sh">"</span> <span class="n">status</span> <span class="o">=</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.status</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">tool.result</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">)</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Time tool call</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">status</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span> <span class="p">}))</span> <span class="k">return</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">llm_agent_handler</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">request_headers</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="sh">"""</span><span class="s">The core logic of our simple LLM agent.</span><span class="sh">"""</span> <span class="c1"># Extract trace context from incoming request headers for distributed tracing </span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">extract</span><span class="p">(</span><span class="n">request_headers</span><span class="p">)</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_agent_request</span><span class="sh">"</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">ctx</span><span class="p">)</span> <span class="k">as</span> <span class="n">span</span><span class="p">:</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">user.query</span><span class="sh">"</span><span class="p">,</span> <span class="n">prompt</span><span class="p">)</span> <span class="n">agent_start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_started</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent request initiated</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}))</span> <span class="n">llm_response_data</span> <span class="o">=</span> <span class="nf">mock_llm_call</span><span class="p">(</span><span class="n">prompt</span><span class="p">,</span> <span class="sh">"</span><span class="s">gpt-3.5-turbo-mock</span><span class="sh">"</span><span class="p">)</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Step 2: Agent decision making based on LLM response </span> <span class="k">if</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">]:</span> <span class="n">action</span> <span class="o">=</span> <span class="n">llm_response_data</span><span class="p">[</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">]</span> <span class="n">tool_name</span> <span class="o">=</span> <span class="n">action</span><span class="p">[</span><span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_decision</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent decided to call tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">call_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_name</span><span class="p">}))</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">agent_decision_making</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">decision_span</span><span class="p">:</span> <span class="n">decision_span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">decision.type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">)</span> <span class="n">decision_span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">decision.tool_name</span><span class="sh">"</span><span class="p">,</span> <span class="n">tool_name</span><span class="p">)</span> <span class="k">if</span> <span class="n">tool_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">weather_tool</span><span class="sh">"</span><span class="p">:</span> <span class="n">city</span> <span class="o">=</span> <span class="n">action</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">city</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">New York</span><span class="sh">"</span><span class="p">)</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">mock_weather_tool</span><span class="p">(</span><span class="n">city</span><span class="p">)</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">final_answer</span><span class="si">}</span><span class="se">\n</span><span class="s">Tool result: </span><span class="si">{</span><span class="n">tool_result</span><span class="si">}</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">tool_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">time_tool</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">mock_time_tool</span><span class="p">()</span> <span class="n">final_answer</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">final_answer</span><span class="si">}</span><span class="se">\n</span><span class="s">Tool result: </span><span class="si">{</span><span class="n">tool_result</span><span class="si">}</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">unknown_tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent attempted to call unknown tool</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tool_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_name</span><span class="p">}))</span> <span class="n">AGENT_TOOL_CALLS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">tool_name</span><span class="o">=</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="sh">'</span><span class="s">failure</span><span class="sh">'</span><span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">agent_end_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">total_latency</span> <span class="o">=</span> <span class="n">agent_end_time</span> <span class="o">-</span> <span class="n">agent_start_time</span> <span class="n">AGENT_REQUEST_LATENCY_SECONDS</span><span class="p">.</span><span class="nf">observe</span><span class="p">(</span><span class="n">total_latency</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">agent.total_latency_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="n">total_latency</span><span class="p">)</span> <span class="n">span</span><span class="p">.</span><span class="nf">set_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">agent.final_response</span><span class="sh">"</span><span class="p">,</span> <span class="n">final_answer</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent_finished</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Agent request completed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">final_response_summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">final_answer</span><span class="p">,</span> <span class="sh">"</span><span class="s">total_latency_sec</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">total_latency</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">}))</span> <span class="k">return</span> <span class="n">final_answer</span> <span class="c1"># --- Flask App --- </span><span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="c1"># Wrap Flask app with OpenTelemetry WSGI middleware for automatic request tracing </span><span class="n">app</span><span class="p">.</span><span class="n">wsgi_app</span> <span class="o">=</span> <span class="nc">WsgiMiddleware</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">wsgi_app</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/healthz</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">healthz</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">OK</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/metrics</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Expose Prometheus metrics.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">generate_latest</span><span class="p">(),</span> <span class="mi">200</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/query</span><span class="sh">'</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">POST</span><span class="sh">'</span><span class="p">])</span> <span class="k">def</span> <span class="nf">query_agent</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Handle LLM agent queries.</span><span class="sh">"""</span> <span class="n">data</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">json</span> <span class="n">prompt</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">prompt</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">prompt</span><span class="p">:</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Prompt is required</span><span class="sh">"</span><span class="p">}),</span> <span class="mi">400</span> <span class="c1"># Pass request headers for context propagation </span> <span class="n">response</span> <span class="o">=</span> <span class="nf">llm_agent_handler</span><span class="p">(</span><span class="n">prompt</span><span class="p">,</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">)</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span><span class="sh">"</span><span class="s">response</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">})</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="c1"># PrometheusMetricReader needs to be set up globally for default registry </span> <span class="n">reader</span> <span class="o">=</span> <span class="nc">PrometheusMetricReader</span><span class="p">()</span> <span class="n">meter_provider</span> <span class="o">=</span> <span class="nc">MeterProvider</span><span class="p">(</span><span class="n">metric_readers</span><span class="o">=</span><span class="p">[</span><span class="n">reader</span><span class="p">],</span> <span class="n">resource</span><span class="o">=</span><span class="n">resource</span><span class="p">)</span> <span class="nf">set_meter_provider</span><span class="p">(</span><span class="n">meter_provider</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">'</span><span class="s">0.0.0.0</span><span class="sh">'</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">5000</span><span class="p">)</span> </code></pre> </div> <p>Now, create a <code>Dockerfile</code> for our application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Dockerfile</span> <span class="k">FROM</span><span class="s"> python:3.10-slim-buster</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="k">COPY</span><span class="s"> app.py .</span> <span class="k">EXPOSE</span><span class="s"> 5000</span> <span class="k">CMD</span><span class="s"> ["python", "app.py"]</span> </code></pre> </div> <p>And <code>requirements.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flask==2.3.3 prometheus_client==0.18.0 opentelemetry-api==1.25.0 opentelemetry-sdk==1.25.0 opentelemetry-exporter-otlp-proto-grpc==1.25.0 opentelemetry-instrumentation-requests==0.45b0 opentelemetry-instrumentation-wsgi==0.45b0 opel-propagate-b3==1.0.0 </code></pre> </div> <p>Build and push your Docker image. Remember to replace <code>your-dockerhub-user</code> with your actual Docker Hub username.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> your-dockerhub-user/llm-agent-app:v1.0.0 <span class="nb">.</span> docker push your-dockerhub-user/llm-agent-app:v1.0.0 </code></pre> </div> <h3> Step 2: Deploy Observability Stack to Kubernetes </h3> <p>We'll use Helm to deploy the core components for robust LLM observability. Create an <code>observability</code> namespace first.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace observability </code></pre> </div> <h4> 2.1 Deploy Prometheus Operator and Grafana </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update <span class="c"># Install kube-prometheus-stack which includes Prometheus, Grafana, and Alertmanager</span> helm <span class="nb">install </span>prometheus prometheus-community/kube-prometheus-stack <span class="se">\</span> <span class="nt">--namespace</span> observability <span class="se">\</span> <span class="nt">--set</span> prometheus.prometheusSpec.serviceMonitorSelectorNilUsesLabels<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> prometheus.prometheusSpec.podMonitorSelectorNilUsesLabels<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> grafana.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> grafana.adminPassword<span class="o">=</span><span class="s2">"prom-operator"</span> <span class="se">\ </span> <span class="c"># pragma: allowlist secret</span> <span class="nt">--set</span> grafana.service.type<span class="o">=</span><span class="s2">"LoadBalancer"</span> <span class="c"># Use "NodePort" for Minikube or local clusters</span> </code></pre> </div> <p>Wait for Prometheus and Grafana pods to be ready. You can get Grafana's LoadBalancer IP (or NodePort):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc <span class="nt">-n</span> observability grafana </code></pre> </div> <p>Log in to Grafana using <code>admin</code> as the username and <code>prom-operator</code> as the password.</p> <h4> 2.2 Deploy Loki and Fluent Bit for Logging </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add grafana https://grafana.github.io/helm-charts helm repo update <span class="c"># Install Loki</span> helm <span class="nb">install </span>loki grafana/loki <span class="se">\</span> <span class="nt">--namespace</span> observability <span class="se">\</span> <span class="nt">--set</span> service.type<span class="o">=</span><span class="s2">"ClusterIP"</span> <span class="se">\</span> <span class="nt">--set</span> persistence.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> persistence.size<span class="o">=</span>10Gi <span class="c"># Adjust size as needed</span> <span class="c"># Install Fluent Bit</span> helm <span class="nb">install </span>fluent-bit grafana/fluent-bit <span class="se">\</span> <span class="nt">--namespace</span> observability <span class="se">\</span> <span class="nt">--set</span> config.service.flush<span class="o">=</span>1 <span class="se">\</span> <span class="nt">--set</span> config.inputs[0].name<span class="o">=</span><span class="nb">tail</span> <span class="se">\</span> <span class="nt">--set</span> config.inputs[0].path<span class="o">=</span><span class="s2">"/var/log/containers/*.log"</span> <span class="se">\</span> <span class="nt">--set</span> config.inputs[0].multiline.parser<span class="o">=</span>docker,cri <span class="se">\</span> <span class="nt">--set</span> config.inputs[0].db<span class="o">=</span>/var/log/flb_kube.db <span class="se">\</span> <span class="nt">--set</span> config.inputs[0].mem_buf_limit<span class="o">=</span>5MB <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].name<span class="o">=</span>loki <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].host<span class="o">=</span><span class="s2">"loki.observability.svc.cluster.local"</span> <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].port<span class="o">=</span>3100 <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].labels<span class="o">=</span><span class="s2">"job=fluent-bit"</span> <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].removeKeys<span class="o">=</span><span class="s2">"kubernetes.host,kubernetes.labels,kubernetes.annotations,kubernetes.pod_id,kubernetes.container_id,kubernetes.docker_id,kubernetes.container_hash,kubernetes.container_image,kubernetes.daemonset,kubernetes.deployment"</span> <span class="se">\</span> <span class="nt">--set</span> config.outputs[0].labelMapPath<span class="o">=</span><span class="s2">"/fluent-bit/config/label_map.json"</span> <span class="se">\</span> <span class="nt">--set</span> extraFiles.label_map_json<span class="o">=</span><span class="s2">"{</span><span class="se">\"</span><span class="s2">kubernetes</span><span class="se">\"</span><span class="s2">: {</span><span class="se">\"</span><span class="s2">container_name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">container</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">namespace_name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">namespace</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">pod_name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">pod</span><span class="se">\"</span><span class="s2">}}"</span> <span class="c"># Maps K8s metadata to Loki labels</span> </code></pre> </div> <h4> 2.3 Deploy OpenTelemetry Collector </h4> <p>Create <code>otel-collector.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># otel-collector.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">observability</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector</span> <span class="na">image</span><span class="pi">:</span> <span class="s">otel/opentelemetry-collector:0.100.0</span> <span class="c1"># Use a specific, stable version</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/otelcol"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--config=/conf/otel-collector-config.yaml"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4317</span> <span class="c1"># OTLP gRPC receiver</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4318</span> <span class="c1"># OTLP HTTP receiver</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector-config-vol</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/conf</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector-config-vol</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">otel-collector-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">observability</span> <span class="na">data</span><span class="pi">:</span> <span class="na">otel-collector-config.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">receivers:</span> <span class="s">otlp:</span> <span class="s">protocols:</span> <span class="s">grpc:</span> <span class="s">http:</span> <span class="s">processors:</span> <span class="s">batch: # Batching for efficiency</span> <span class="s">send_batch_size: 100</span> <span class="s">timeout: 10s</span> <span class="s">exporters:</span> <span class="s">logging: # For demo purposes, logs traces to stdout. Replace with Jaeger/Tempo for a full setup.</span> <span class="s">verbosity: detailed</span> <span class="s"># Example for Jaeger/Tempo exporters:</span> <span class="s"># jaeger:</span> <span class="s"># endpoint: "jaeger-collector.observability:14250" # Assuming Jaeger is deployed</span> <span class="s"># tls:</span> <span class="s"># insecure: true</span> <span class="s"># tempo:</span> <span class="s"># endpoint: "tempo.observability:4317" # Assuming Tempo is deployed</span> <span class="s"># tls:</span> <span class="s"># insecure: true</span> <span class="s">service:</span> <span class="s">pipelines:</span> <span class="s">traces:</span> <span class="s">receivers: [otlp]</span> <span class="s">processors: [batch]</span> <span class="s">exporters: [logging] # Change to [jaeger] or [tempo] if you have them configured</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> otel-collector.yaml <span class="nt">-n</span> observability </code></pre> </div> <h3> Step 3: Deploy the LLM Agent Application to Kubernetes </h3> <p>Now, deploy your instrumented application. Create <code>llm-agent-app.yaml</code>. Remember to replace <code>your-dockerhub-user</code> with your actual Docker Hub username.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># llm-agent-app.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="c1"># Deploy in default or your app namespace</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># Enable Prometheus scraping</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">5000"</span> <span class="c1"># Port where metrics are exposed by the application</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">your-dockerhub-user/llm-agent-app:v1.0.0</span> <span class="c1"># Replace with your image</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">5000</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-app</span> <span class="c1"># This port will serve both the application and /metrics</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KUBERNETES_NAMESPACE</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.namespace</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000m"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># Service exposed port</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="s">http-app</span> <span class="c1"># Maps to containerPort: 5000</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="c1"># Name of this service port</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="c1"># Use "NodePort" for local clusters like Minikube/k3s</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-agent-app-sm</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">observability</span> <span class="c1"># ServiceMonitor should be in the same namespace as Prometheus</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="c1"># This label links to the Prometheus instance from kube-prometheus-stack</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">llm-agent-app</span> <span class="c1"># Selects services with this label</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">http</span> <span class="c1"># Name of the port in the Service that exposes the metrics endpoint</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/metrics</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">scrapeTimeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">default</span> <span class="c1"># Or the namespace where your app is deployed</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> llm-agent-app.yaml <span class="nt">-n</span> default </code></pre> </div> <p>Wait for the <code>llm-agent-app</code> pod and service to be ready. Get its external IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc llm-agent-app <span class="nt">-n</span> default </code></pre> </div> <h3> Step 4: Interact with the Agent to Generate Data </h3> <p>Use <code>curl</code> or a simple script to send queries to your agent. This will generate logs, metrics, and traces, populating your LLM observability stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># For LoadBalancer, get the external IP</span> <span class="nv">AGENT_IP</span><span class="o">=</span><span class="si">$(</span>kubectl get svc llm-agent-app <span class="nt">-n</span> default <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].ip}'</span><span class="si">)</span> <span class="c"># For NodePort (e.g., Minikube), get Minikube IP and NodePort</span> <span class="c"># AGENT_IP=$(minikube ip)</span> <span class="c"># AGENT_PORT=$(kubectl get svc llm-agent-app -n default -o jsonpath='{.spec.ports[?(@.name=="http")].nodePort}')</span> <span class="c"># export AGENT_URL="http://$AGENT_IP:$AGENT_PORT"</span> <span class="c"># Use AGENT_IP for LoadBalancer, or AGENT_URL for NodePort</span> <span class="nb">export </span><span class="nv">TARGET_URL</span><span class="o">=</span><span class="s2">"http://</span><span class="nv">$AGENT_IP</span><span class="s2">"</span> <span class="c"># or $AGENT_URL if using NodePort</span> <span class="nb">echo</span> <span class="s2">"Sending requests to </span><span class="nv">$TARGET_URL</span><span class="s2">/query"</span> <span class="c"># Send some queries</span> curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "What is the weather like in London today?"}'</span> <span class="nv">$TARGET_URL</span>/query curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "Tell me a fun fact about Kubernetes."}'</span> <span class="nv">$TARGET_URL</span>/query curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "What time is it?"}'</span> <span class="nv">$TARGET_URL</span>/query curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "Simulate an error now."}'</span> <span class="nv">$TARGET_URL</span>/query <span class="c"># Test error paths</span> <span class="c"># Send more queries to generate enough data for dashboards</span> <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 10<span class="si">)</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "Give me another interesting fact."}'</span> <span class="nv">$TARGET_URL</span>/query &amp;&gt;/dev/null <span class="nb">sleep </span>0.5 curl <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s1">'{"prompt": "What is the current weather?"}'</span> <span class="nv">$TARGET_URL</span>/query &amp;&gt;/dev/null <span class="nb">sleep </span>0.5 <span class="k">done </span><span class="nb">echo</span> <span class="s2">"Requests sent. Data should now be flowing into your observability stack."</span> </code></pre> </div> <p>Repeat these calls a few times to generate sufficient data for visualization.</p> <h3> Step 5: Visualize LLM Observability Data in Grafana </h3> <p>Access Grafana using the LoadBalancer IP or NodePort you obtained earlier.</p> <h4> 5.1 Prometheus Dashboard for LLM Metrics </h4> <ol> <li>Go to <strong>Connections -&gt; Data sources</strong> and ensure Prometheus is configured (it should be automatically set up by <code>kube-prometheus-stack</code>).</li> <li>Create a new Dashboard (<strong>+ -&gt; New Dashboard</strong>).</li> <li>Add new panels with the following PromQL queries to monitor your LLM observability on Kubernetes: <ul> <li> <strong>LLM Call Latency (95th Percentile):</strong> <ul> <li>Query: <code>histogram_quantile(0.95, sum by(le, model_name) (rate(llm_call_latency_seconds_bucket{app="llm-agent-app", namespace="default"}[5m])))</code> </li> </ul> </li> <li> <strong>LLM Token Usage (Input/Output Rate):</strong> <ul> <li>Query: <code>sum by(model_name) (rate(llm_input_tokens_total{app="llm-agent-app", namespace="default"}[5m]))</code> </li> <li>Query: <code>sum by(model_name) (rate(llm_output_tokens_total{app="llm-agent-app", namespace="default"}[5m]))</code> </li> </ul> </li> <li> <strong>Agent Request Latency (99th Percentile):</strong> <ul> <li>Query: <code>histogram_quantile(0.99, sum by(le) (rate(agent_request_latency_seconds_bucket{app="llm-agent-app", namespace="default"}[5m])))</code> (99th percentile end-to-end agent latency)</li> </ul> </li> <li> <strong>Agent Tool Call Success/Failure Rates:</strong> <ul> <li>Query: <code>sum by(tool_name, status) (rate(agent_tool_calls_total{app="llm-agent-app", namespace="default"}[5m]))</code> </li> </ul> </li> <li> <strong>Estimated Cost (Example, adjust token costs as per your LLM provider):</strong> <ul> <li>Query: <code>(sum(rate(llm_input_tokens_total{app="llm-agent-app", namespace="default"}[5m])) / 1000 * 0.01) + (sum(rate(llm_output_tokens_total{app="llm-agent-app", namespace="default"}[5m])) / 1000 * 0.03)</code> </li> <li> <em>Explanation:</em> This query calculates an estimated cost based on a hypothetical rate of $0.01 per 1000 input tokens and $0.03 per 1000 output tokens.</li> </ul> </li> </ul> </li> </ol> <h4> 5.2 Loki Dashboard for LLM Logs </h4> <ol> <li>Go to <strong>Connections -&gt; Data sources</strong> and add Loki as a new data source: <ul> <li>Name: <code>Loki</code> </li> <li>URL: <code>http://loki.observability.svc.cluster.local:3100</code> </li> </ul> </li> <li>Add a new panel to your dashboard. Set the visualization type to <code>Logs</code>.</li> <li>Select <code>Loki</code> as your data source.</li> <li> <p><strong>Log Queries (examples):</strong></p> <ul> <li>Show all logs from your app: <code>{container="llm-agent-app", namespace="default"}</code> </li> <li>Filter for LLM calls: <code>{container="llm-agent-app", namespace="default"} | json | event="llm_call_completed"</code> </li> <li>Filter for agent tool calls: <code>{container="llm-agent-app", namespace="default"} | json | event="tool_call"</code> </li> <li>Filter for specific trace ID: <code>{container="llm-agent-app", namespace="default"} | json | trace_id="&lt;your-trace-id&gt;"</code> (You can pick a <code>trace_id</code> from the Prometheus data or another log query).</li> <li>Filter for LLM errors: <code>{container="llm-agent-app", namespace="default"} | json | status_code="500"</code> </li> </ul> <p>The <code>| json</code> pipe command is crucial as our application emits structured JSON logs, allowing you to filter and parse fields within the log lines. You can then use <code>| line_format "{{.message}}"</code> to display only the message, <code>| level="ERROR"</code> to filter by log level, or <code>| prompt=~".*weather.*"</code> to search within specific fields.</p> </li> </ol> <h4> 5.3 OpenTelemetry Traces (Optional: If Jaeger/Tempo is set up) </h4> <p>If you had deployed a full tracing backend like Jaeger (or Tempo), you would typically configure Jaeger as a data source in Grafana. Then you could navigate to the Traces section in Grafana, search by service name (<code>llm-agent-app</code>) and trace ID to visualize the full agent execution flow with all its spans, greatly enhancing your LLM observability.</p> <p>For this tutorial, since we configured the OpenTelemetry Collector to log traces to stdout, you can inspect the collector's logs to see the trace data being received.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-f</span> <span class="nt">-n</span> observability deployment/otel-collector </code></pre> </div> <p>You'll see detailed output for each trace, confirming that your application is successfully sending trace data to the collector. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"resource"</span>: <span class="o">{</span> <span class="s2">"attributes"</span>: <span class="o">[</span> <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"service.name"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"stringValue"</span>: <span class="s2">"llm-agent-app"</span><span class="o">}}</span>, <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"k8s.pod.name"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"stringValue"</span>: <span class="s2">"llm-agent-app-..."</span><span class="o">}}</span>, <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"k8s.namespace.name"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"stringValue"</span>: <span class="s2">"default"</span><span class="o">}}</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"scopeSpans"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"scope"</span>: <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"llm.agent.tracer"</span>, <span class="s2">"version"</span>: <span class="s2">"1.0.0"</span><span class="o">}</span>, <span class="s2">"spans"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"traceId"</span>: <span class="s2">"..."</span>, <span class="s2">"spanId"</span>: <span class="s2">"..."</span>, <span class="s2">"parentSpanId"</span>: <span class="s2">"..."</span>, <span class="s2">"name"</span>: <span class="s2">"llm_agent_request"</span>, <span class="s2">"kind"</span>: <span class="s2">"SPAN_KIND_SERVER"</span>, <span class="c"># Due to WSGIMiddleware</span> <span class="s2">"startTimeUnixNano"</span>: <span class="s2">"..."</span>, <span class="s2">"endTimeUnixNano"</span>: <span class="s2">"..."</span>, <span class="s2">"attributes"</span>: <span class="o">[</span> <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"user.query"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"stringValue"</span>: <span class="s2">"..."</span><span class="o">}}</span>, <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"agent.total_latency_seconds"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"doubleValue"</span>: 1.23<span class="o">}}</span>, ... <span class="o">]</span>, <span class="s2">"events"</span>: <span class="o">[]</span>, <span class="s2">"status"</span>: <span class="o">{</span><span class="s2">"code"</span>: <span class="s2">"STATUS_CODE_UNSET"</span><span class="o">}</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"traceId"</span>: <span class="s2">"..."</span>, <span class="s2">"spanId"</span>: <span class="s2">"..."</span>, <span class="s2">"parentSpanId"</span>: <span class="s2">"..."</span>, <span class="c"># Parent will be llm_agent_request's spanId</span> <span class="s2">"name"</span>: <span class="s2">"llm_api_call"</span>, <span class="s2">"kind"</span>: <span class="s2">"SPAN_KIND_INTERNAL"</span>, <span class="s2">"attributes"</span>: <span class="o">[</span> <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"model_name"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"stringValue"</span>: <span class="s2">"gpt-3.5-turbo-mock"</span><span class="o">}}</span>, <span class="o">{</span><span class="s2">"key"</span>: <span class="s2">"llm.response.tokens.total"</span>, <span class="s2">"value"</span>: <span class="o">{</span><span class="s2">"intValue"</span>: 120<span class="o">}}</span>, ... <span class="o">]</span>, ... <span class="o">}</span> <span class="c"># ... more spans for agent_decision_making, tool_call_weather etc.</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>This confirms traces are being generated and processed by the collector. Integrating a full Jaeger or Tempo setup is a worthy next step, but is beyond the immediate scope of this tutorial.</p> <h2> Actionable Insights, Alerting, and Troubleshooting for LLM Observability </h2> <p>Collecting data is only half the battle. You need to interpret it to derive actionable insights and set up effective alerts for your <strong>LLM observability on Kubernetes</strong>.</p> <h3> Interpreting LLM Observability Data </h3> <ul> <li> <strong>Performance Bottlenecks:</strong> <ul> <li> <strong>High LLM Call Latency (P95/P99):</strong> Check <code>llm_call_latency_seconds_bucket</code>. Is it the model itself, network, or rate limiting from the LLM provider? If your average LLM call latency is consistently above 5 seconds, it might indicate network issues or an overloaded LLM endpoint.</li> <li> <strong>High Agent Request Latency:</strong> Examine traces (<code>llm_agent_request</code> span) to pinpoint which step (LLM call, tool call, internal logic) is contributing most to the delay. Look for unusually long <code>tool_call</code> spans.</li> <li> <strong>Low Throughput:</strong> Is <code>llm_agent_requests_total</code> not meeting expectations? Check CPU/memory utilization of the pod. Is the LLM model slow or is the application itself bottlenecked? A drop of 20% in QPS without a corresponding reduction in load might indicate an issue.</li> </ul> </li> <li> <strong>Cost Overruns:</strong> <ul> <li> <strong>Spikes in Token Usage:</strong> Monitor <code>llm_input_tokens_total</code> and <code>llm_output_tokens_total</code>. Are prompts getting unexpectedly long? Is the model generating excessively verbose responses? This could indicate a prompt engineering issue or model drift. An sudden increase of 50% in output tokens per request could drastically raise costs.</li> <li> <strong>Frequent LLM API Calls:</strong> <code>llm_api_calls_total</code> can highlight agents engaging in too many iterative LLM calls, indicating inefficiency.</li> </ul> </li> <li> <strong>Model Degradation &amp; Agent Failures:</strong> <ul> <li> <strong>Increased LLM Error Rates:</strong> Monitor <code>sum by(status_code) (rate(llm_call_latency_seconds_count{status_code!="200"}[5m]))</code>. Correlate with logs to see actual error messages and prompts.</li> <li> <strong>Increased Agent Goal Failures:</strong> <code>agent_goal_failures_total</code>. What type of queries are failing? Dive into traces for these failed requests to see the agent's decision path.</li> <li> <strong>Decreased Tool Call Success Rates:</strong> <code>agent_tool_call_failure_total</code>. Is a specific external tool failing? This points to external dependency issues.</li> <li> <strong>Unexpected Agent Behavior:</strong> Use Loki to search for keywords in prompt/response logs or agent decision logs. "Why did the agent choose X tool here?" can often be answered by reviewing the log of its thought process.</li> </ul> </li> </ul> <h3> Setting Up Effective Alerts for LLM Workloads </h3> <p>Alerts should be proactive and actionable. Use Grafana Alerting (integrated with Prometheus Alertmanager).</p> <ul> <li> <strong>Critical Alerts (PagerDuty, Slack):</strong> <ul> <li> <strong>High Error Rate:</strong> <code>sum(rate(llm_call_latency_seconds_count{status_code!="200"}[5m])) &gt; 5</code> (more than 5 LLM errors per 5 minutes for instance).</li> <li> <strong>Service Unavailability:</strong> <code>up{app="llm-agent-app", namespace="default"} == 0</code> (agent service is down).</li> <li> <strong>Critical Latency Spike:</strong> <code>histogram_quantile(0.99, sum by(le) (rate(agent_request_latency_seconds_bucket{app="llm-agent-app", namespace="default"}[5m]))) &gt; 15</code> (99th percentile request latency exceeds 15 seconds).</li> </ul> </li> <li> <strong>Warning Alerts (Slack, Email):</strong> <ul> <li> <strong>High Token Consumption Rate:</strong> <code>sum(rate(llm_output_tokens_total{app="llm-agent-app", namespace="default"}[1h])) &gt; 1000000</code> (e.g., more than 1 million output tokens in the last hour, indicating potential cost overrun).</li> <li> <strong>Increased Agent Tool Failures:</strong> <code>sum(rate(agent_tool_calls_total{status="failure", app="llm-agent-app", namespace="default"}[5m])) &gt; 1</code> (any tool failures in a 5-minute window could warrant investigation).</li> <li> <strong>High GPU Utilization:</strong> <code>gpu_utilization_percentage{pod="llm-agent-app-..."} &gt; 90</code> (indicates resource saturation, potentially leading to performance degradation on GPU-accelerated workloads).</li> </ul> </li> <li> <strong>Informational Alerts:</strong> Track trends without immediate action, e.g., daily cost reports.</li> </ul> <h3> Troubleshooting Workflow for LLM Observability </h3> <ol> <li> <strong>Alert Triggered:</strong> Receive an alert about high latency or errors.</li> <li> <strong>Dashboard Check:</strong> Go to your Grafana dashboard. Look at the specific metric that triggered the alert. Correlate with other metrics (e.g., if latency is high, are CPU/memory also high? Are token counts spiking?).</li> <li> <strong>Logs Investigation:</strong> If metrics point to an application-specific issue, jump to Loki. Use the trace ID from the metric context (if available, or infer from timestamps) to find relevant logs. Search for errors, warnings, or specific agent decision steps around the time of the incident. Review the full prompt/response pairs.</li> <li> <strong>Traces Deep Dive:</strong> If the issue is complex and spans multiple steps or services (especially for agents), use your tracing backend (Jaeger/Tempo). Find the trace for a representative failing request. Visualize the spans to identify the exact step (LLM call, tool call, external API) that introduced latency or an error. Examine attributes attached to spans for detailed context like LLM model, parameters, or tool call arguments.</li> <li> <strong>Identify Root Cause:</strong> Based on the correlated data, pinpoint the root cause: an inefficient prompt, a slow external tool, a bug in agent logic, or an overloaded Kubernetes node.</li> <li> <strong>Remediate and Verify:</strong> Implement the fix, then monitor your observability stack to verify the issue is resolved and new alerts are not triggered.</li> </ol> <h2> Frequently Asked Questions About LLM Observability on Kubernetes </h2> <h3> What is LLM observability and why is it important on Kubernetes? </h3> <p>LLM observability is the ability to understand the internal state, performance, cost, and behavior of Large Language Model (LLM) powered applications and AI agents. It's crucial on Kubernetes because traditional monitoring tools don't capture the unique non-deterministic nature, token usage, and complex decision-making processes inherent to LLMs and AI agents, leading to blind spots in performance and cost management.</p> <h3> How do I monitor LLM costs on Kubernetes? </h3> <p>To monitor LLM costs on Kubernetes, track metrics like <code>llm_input_tokens_total</code>, <code>llm_output_tokens_total</code>, and <code>llm_api_calls_total</code>. These application-level metrics, collected by Prometheus, can then be used in Grafana with PromQL queries to calculate real-time estimated costs based on your LLM provider's pricing for tokens or API calls.</p> <h3> Can OpenTelemetry be used for LLM metrics and traces? </h3> <p>Yes, OpenTelemetry is the recommended standard for instrumenting LLM applications to generate both metrics and traces. It provides APIs and SDKs to create detailed spans for LLM calls and agent steps, and to emit custom metrics like token usage and latency, all of which can be collected and exported by the OpenTelemetry Collector.</p> <h3> Why do traditional monitoring tools fail for AI agents? </h3> <p>Traditional monitoring tools primarily focus on infrastructure metrics (CPU, memory) and simple request/response codes. They fail for AI agents because agents have non-deterministic behavior, complex multi-step reasoning processes, rely on token usage for cost, and can hallucinate or go off-topic even with successful HTTP responses. Understanding these nuances requires deep application-level metrics, structured logs, and distributed traces.</p> <h3> What key metrics should I track for LLM performance on Kubernetes? </h3> <p>Key metrics for LLM performance on Kubernetes include:</p> <ul> <li><strong>Prompt Processing Latency</strong></li> <li><strong>Response Generation Latency</strong></li> <li><strong>Total Agent Request Latency</strong></li> <li><strong>Throughput (Queries Per Second)</strong></li> <li><strong>Tool Call Latency (for AI agents)</strong></li> <li><strong>Input and Output Token Counts</strong></li> <li> <strong>LLM API Call Counts</strong> These provide a comprehensive view of speed, efficiency, and resource consumption.</li> </ul> <h2> Conclusion </h2> <p>Building robust <strong>LLM observability on Kubernetes</strong> is not just about extending your existing monitoring stack; it requires a paradigm shift. You need to look beyond infrastructure metrics and delve deep into the nuances of LLM behavior, token economics, and agent decision-making.</p> <p>By leveraging OpenTelemetry for rich instrumentation, Prometheus and Grafana for comprehensive metrics, and Loki with Fluent Bit for structured logging, you can construct a powerful, integrated observability pipeline. This pipeline gives you the visibility needed to understand performance, control costs, and proactively troubleshoot the complex, often non-deterministic world of generative AI on Kubernetes.</p> <p>Your next steps should be:</p> <ol> <li> <strong>Refine your application instrumentation:</strong> Integrate your actual LLM calls and agent logic with OpenTelemetry and Prometheus client metrics.</li> <li> <strong>Experiment with diverse prompts:</strong> Send various types of queries to your agent, including edge cases and error-inducing prompts, to see how your observability stack reacts.</li> <li> <strong>Build custom Grafana dashboards:</strong> Create dashboards tailored to your specific LLM applications, focusing on the most critical performance, cost, and quality metrics for LLM observability on Kubernetes.</li> <li> <strong>Implement robust alerting:</strong> Define clear, actionable alerts based on thresholds that matter for your application's reliability and cost efficiency.</li> <li> <strong>Explore tracing backends:</strong> Consider deploying Jaeger or Tempo to gain full end-to-end distributed tracing capabilities, which are invaluable for complex AI agent debugging.</li> </ol> <p>The journey to effective LLM observability is iterative. Continuously refine your instrumentation, dashboards, and alerts as your AI agents evolve and your understanding of their behavior deepens.</p> kubernetes llm observability aiagents