Accessing the built-in observability tools of Kyma runtime

Included with Kyma is the tool Grafana which provides a centralized view of the logs and a number of dashboards to view various metrics of workloads running in the Kyma runtime. For more information you can find a nice overview of Grafana by Gaurav Abbi.

The latest release of Kyma now utilizes SAP Identity Authentication Service IAS for authentication and Kubernetes Role Based Access Control (RBAC) to manage authorizations within the runtime. Kubernetes provides a number of resources, such as deployments, config maps, etc, that users interact with via the Kubernetes API. The API itself can also be extended to provide additional functionality, this is how Kyma API Rules are provided. RBAC provides a mechanism to control the access of the resources of the Kubernetes API by providing verbs, read, create delete, that control user access to these resources.

Unfortunately Grafana is not part of or an extension of the Kuberenetes API, so it does not support the RBAC methodology.  For this reason Grafana by default is not exposed externally, but there are a few options to do so. Most effortlessly, after setting up kubectl, you can use the port-forward feature of kubectl to access Grafana locally. You also have the option to configure your own custom SAP IAS tenant to manage the access using the provided Oauth2 Proxy. You can find the configuration steps for both of these methods within the help documentation. The Oauth2 Proxy also supports a number of other providers, such as Github, which can be used to manage access. The next sections will walk through this procedure.


Start by creating a new OAuth Application and providing the values. You can find the cluster domain URL of your Kyma runtime on the main dashboard, listed under API Server Address, replace api with Grafana.

  • Application Name: Grafana

  • Homepage URL: https://grafana.<your cluster domain>

  • Authorization callback URL: https://grafana.<your cluster domain>

  • Choose Register application

On the next screen choose the option to generate a new client secret

Copy both the Client ID and the Client secret. These values will be used in the next steps.

Configuration of the Oauth2 Proxy

The configuration of the Oauth2 proxy is accomplished by creating a Kubernetes secret which is read by the proxy once it is restarted. There are a number of different configuration parameters of the provider to adjust how it works. Please note that a parameter listed as –github-user will be assigned within the secret as OAUTH2_PROXY_GITHUB_USER. Using the script below, replace the client Id and secret from the github application and your github email address. Multiple email addresses can be added by comma separating them. The secret could also be created within the dashboard, by choosing the namespace kyma-system and choosing the menu option Configuration -> Secrets and using the option to Create Secret.

kubectl -n kyma-system create secret generic monitoring-auth-proxy-grafana-user \ --from-literal="OAUTH2_PROXY_CLIENT_ID=<your client id>" \ --from-literal="OAUTH2_PROXY_CLIENT_SECRET=<your client secret>" \ --from-literal="OAUTH2_PROXY_PROVIDER=github" \ --from-literal="OAUTH2_PROXY_GITHUB_USER=<your email address>" \ --from-literal="OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true"

After the secret has been applied restart the Oauth2 proxy pod by running

kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana

After the pod has restarted choosing the link to Grafana within the dashboard should now prompt you requesting authorization. After choosing Authorize you should now be redirected to Grafana.