Red Hat Insights Frequently Asked Questions
This page includes frequently asked questions (FAQs) for Red Hat Insights.
Note that some of the common components that Insights leverages are actually features of the Hybrid Cloud Console, so we have also included FAQs for the Hybrid Cloud Console.
For additional Red Hat Insights Resources, refer to the Red Hat Insights Information and Resources page.
General Red Hat Insights Frequently Asked Questions
Q: What is Red Hat Insights?
A: Red Hat Insights is a suite of hosted services on the Hybrid Cloud Console. Insights is included with Red Hat subscriptions for Red Hat Ansible Automation Platform, Red Hat Enterprise Linux, and Red Hat OpenShift. Insights gathers configuration and utilization data to provide you with insights into your data. Instead of needing to open a support ticket, Insights can proactively identify and troubleshoot common issues. The predictive analytics and targeted recommendations Red Hat provides help: improve stability and performance; reduce vulnerability and compliance risks; and track and optimize costs.
You can access these insights via user-friendly dashboards on the Hybrid Cloud Console, receive them in notification emails, or have them pushed to third-party applications with which you are already familiar. Because the reports and predictive analytics are specific to your operating environment, Insights is a powerful tool in automation toolchains and can help define and execute business processes.
Q: Do I have access to Insights?
A: Red Hat Insights is included with any Red Hat Ansible Automation Platform, Red Hat OpenShift, and Red Hat Enterprise Linux subscriptions as part of your value of subscription.
Q: Will Insights work in a disconnected or air-gapped environment?
A: This will depend on the platform. Generally speaking, Insights is only available as a Software-as-a-Service (SaaS) offering and requires a connection to the internet either directly or via a web proxy.
For OpenShift, an air-gapped environment is supported. Please refer to the documentation.
If a Red Hat Enterprise Linux host is connected via Satellite or a web proxy, then only the Satellite Server or the proxy server would need internet access.
Q: Since Insights is SaaS - what country is the data stored in?
A: Insights runs in an OpenShift Dedicated Cluster running on the US East Coast. This is a fixed instance and cannot be changed or relocated in a different geography.
Q: Does Insights have APIs available?
A: Yes, Insights has a full set of APIs. Refer to the API documentation for full information [login required for API docs]. You can also refer to the Red Hat Insights API cheat sheet.
Q: What reporting does Insights offer?
A: Insights has a variety of reports available, depending on the service in question. Most pages inside of Insights offer an export to CSV or JSON capability for information as presented on screen.
The Advisor and Vulnerability for RHEL services offer an executive report for download on demand.
Vulnerability for RHEL offers a customizable CVE report.
Compliance has a customizable report per compliance policy.
Additional reporting may be able to be customized using Insight's full suite of APIs.
Q: What kind of alerts/integrations does Insights offer?
A: The Notifications service defines how notifications are sent. Examples of notifications are emails, webhooks, or integrations with third party applications such as Splunk, ServiceNow, and Slack. You can define notifications on a per service basis so that, for example, your security team can get slack notifications for vulnerabilities for RHEL while your system administrators have Advisor recommendations for OpenShift and RHEL.
Note: To receive emails you must opt into email notifications in your Insights User Preferences.
For details on the integrtions, as well as link to blog post examples on the integrations, visit the Red Hat Insights Integrations KB article.
Prerequisites
Q: How do I get Insights?
A: Insights is included with Red Hat subscriptions such as Ansible Automation Platform, Red Hat Enterprise Linux, and Red Hat OpenShift. There is no separate item to buy.
The benefits of Insights are only available with Red Hat subscriptions.
Q: Does Insights work with CentOS / Fedora / Ubuntu / Windows / etc?
A: Insights primarily works with Red Hat platforms.
There is limited support for adding CentOS 7 hosts to Insights for the purposes of converting them to Red Hat Enterprise Linux.
Through the Insights Tasks service you can perform a pre-upgrade analysis and even convert a CentOS 7 host to RHEL.
For more information please see the videos on Pre-conversion Analysis and Conversions.
Outside of converting systems to RHEL, there are no plans to support other vendors or other linux distributions.
Q: Is the purchase of Satellite required for Insights?
A: No. Satellite is not required for use with Insights however it complements Insights when used with Red Hat Enterprise Linux by allowing action and remediation at scale.
Enabling the Cloud Connector capability will let you fix the issues that Insights finds with just a few clicks.
Data Handling and Privacy
Q: What data is collected with Insights?
A: The design principle with Insights is simple: collect only the minimum data that is needed for analysis, issue identification, and remediation. Complete volumes of system information such as core dumps or full log files are not collected. Insights, by default, does not target personal information.
Q: How does Red Hat Insights secure my data?
A: Your data is encrypted in three key ways: on your host system at the point of collection; in transit across the network; and when it is at rest on Red Hat infrastructure that supports the Insights service. In addition, you may also choose to alter the name chosen to represent the system (eg, apache01.prod instead of a fully qualified domain name).
A few other points to note:
All communication with Red Hat occurs over encrypted channels using Transport Layer Security (TLS).
The default communication model from client systems to Red Hat servers occurs with mutual TLS or two-way authentication using digital certificates.
AllTLS traffic with Red Hat servers is verified with a trusted certificate that is bundled with the application, ensuring that communications can not be intercepted, such as by a “man in the middle” attack.
All volumes containing your data at rest are encrypted with Linux Unified Key Setup (LUKS) encryption. More details are available on the Red Hat Insights data and application security page
Q: What connectivity does the server need to use Insights?
A: Ensure active network connection to:
https://api.access.redhat.com:443
https://cert-api.access.redhat.com:443 [needed for Insights data upload]
https://cert.cloud.redhat.com:443. [needed for Inventory upload and Cloud Connector connection]
https://console.redhat.com/api/ingress
http://console.redhat.com/openshift [needed to obtain results from Insights and present within OpenShift Web Console]
If the system is already registered to RHSM or Red Hat Satellite, there should be no additional network ports to open as all communications are over port 443.
Note that each system can also be proxied through an http proxy. Details on configuring direct or http proxy connections can be found in Accessing Red Hat Insights Through a Firewall/Proxy.
If you are using the notification service to integrate with applications such as ServiceNow or Splunk, please also review the article on Firewall Configuration for accessing Red Hat Insights / Console.redhat Integrations & Notifications.
Q: How to make sure that data at rest and transit to Red Hat Insights is secure?
A: This is the default behavior of Insights - data is encrypted before it leaves the host and remains encrypted while in transit and at rest.
Q: Can I use two-factor authentication?
A: Red Hat Insights leverages the existing Red Hat SSO mechanisms on cloud.redhat.com and the customer portal. It is currently possible to use a two-factor authentication using OTP or Google Authentication, please see the following for implementation details Two Factor authentication (2FA) for Red Hat Customer Portal.
Q: I have multiple Red Hat account numbers. How do I enable multi-tenancy with Insights so I can see all account numbers in a single view?
A: Insights leverages Red Hat Single Sign On (SSO) and the tenancy is based on the individual Red Hat account number. From within the Hybrid Cloud Console you can only see the single account that you are logged into.
If you have multiple accounts, one option of interest would be the Splunk integration. Configure the integration through the Splunk Marketplace app on each account and you will be able to see the combined results in your Splunk dashboard.
Q: When I delete a system from my environment, is the system removed from Insights as well?
A: This may depend on how you delete the system.
For Ansible Automation Platform and Red Hat Enterprise Linux, Red Hat recommends that you add to any automation or manual steps the “insights-client --unregister” command when you are removing systems. This will properly unregister a system from Insights.
For OpenShift you should archive the Openshift Container Platform cluster. Review the documentation for full details.
When a system is removed from the Insights Inventory, the archive data is deleted from Insights. Systems that stop checking into our service (which default is daily) will be automatically removed after 14 days of not checking in to the service.
Q: What information does Red Hat Insights collect for Red Hat Enterprise Linux?
A: Red Hat Insights collects metadata about the runtime configuration of a system. The data collected is a fraction of what would be collected through an sosreport during a support case. Examples of information that may be collected include a line of a log file matching a recommendation, host configuration metadata, and runtime information.
Q: How can I see what information has been collected?
A: Before any data is sent, you have the option to inspect and redact data. The insights-client -- no-upload command lets you view the metadata that has been collected. This will let you look at the exact information that Insights is sending to Red Hat. Details are available in these two articles:
Q: Can some information be excluded from collection?
A: Yes - you have full control over the data collected by Insights.
One of the most common requests is to Obfuscate IP Addresses and Host Names in Red Hat Insights.
If you need to block further information, review the article on setting up a YAML-style denylist configuration for Red Hat Insights Client.
Keep in mind that the more information you redact from Insights, the less valuable the findings become.
Q: How long does Red Hat retain the data collected by Red Hat Insights?
A: By default, the Red Hat Insights client collects and uploads the data once a day. Hence, the collected data will normally be kept for 24 hours. Data uploaded by previous runs will be deleted when the same client uploads new data as part of the daily run. Data from Insights clients that no longer upload new data will be deleted after 14 days from the date of the last data upload.
When Red Hat processes the upload, there may be certain “recommendations hits” or issues identified. These recommendation hits are retained for historical reporting purposes and may be used by Red Hat as input into feature enhancements.
Q: What is the impact of the Insights agent and the data collection process on my systems?
A: The Insights agent is designed to be lightweight. It runs as a daily cron job or systemd timer that installs with a default schedule. It also has capabilities that let you customize the schedule for when the data collection agent runs and when the data is uploaded to the Insights service to minimize impacts on your networks and workloads. Note, however, that the collection process is lightweight and the data sets are small.
To help prevent any runaway processes, in the short time that it runs the Insights client is capped at consuming an absolute max of 30% of CPU and 2GB RAM.
Red Hat Enterprise Linux & Red Hat Insights Frequently Asked Questions
Q: Does Insights work on all Linux distributions?
A: Insights only works for Red Hat Enterprise Linux, versions 6.4 and above including RHEL 7, 8, and 9 versions.
Q: Is Insights included with all Red Hat Enterprise Linux versions, or are there exclusions?
A: Insights is available with all active RHEL subscriptions versions 6.4 and above.
Note that embedded versions of Red Hat Enterprise Linux will not include Insights.
While Insights can be activated for many versions of RHEL, Support is based on the Supported Versions of Red Hat Enterprise Linux page.
Q: If I am using Insights through Satellite, do the hosts need direct internet connection?
A: No. Hosts connected through Satellite use the Satellite Server as a web proxy by default.
However the Satellite Server DOES need internet connectivity.
The Satellite Server does not perform any analysis or processing of Insights information- this is done exclusively on the Hybrid Cloud Console.
Q: Do any services need additional configuration?
A: Yes - several Insights services require additional configuration or setup before results can be provided via Insights.
Compliance needs to have the OpenSCAP and RHEL security guide packages installed on each host that needs to be properly evaluated for regulatory compliance. Review the documentation for full details.
Image Builder needs to have a public cloud source configured in order to launch an image in a cloud provider. In addition, if you want to include a third party repository in an image, you will need to configure a custom repository.
Malware needs to have YARA installed on each host that will be scanned for malware. Review the documentation for full details.
Policy needs to have policies created in the [Hybrid Cloud Console. These are policies that you will need to create based on your own internal policies. Review the documentation for full details.
Resource optimization needs to have performance co-pilot (pcp) installed as well as some pcp configuration on each host where resources will be monitored. This can be automated using an ansible playbook or can be performed manually. Review the documentation for full details
Q: If I use RHEL from a public cloud provider can I still access Insights?
A: Yes. Insights is included with RHEL as a unique additional value to your subscription, which no other Linux provides, regardless of where you are running your RHEL workload. As long as your hosts have direct or proxied access to cloud.redhat.com on the internet you can utilize Insights.
You must have a Red Hat customer portal ID. Full details are available on the How to register a Red Hat Enterprise Linux system running on AWS to Insights page (though the page is titled for AWS, the same process works on other public cloud providers).
Q: Does Insights support Red Hat Enterprise Linux running on IBM Power Systems and IBM Z systems?
A:Yes, Insights works on these hardware platforms and provides an analysis of general RHEL operations on these platforms.
Q: Does Insights have hardware-specific recommendations?
A: Yes. There is a series of Advisor recommendations designed to analyze the interaction between Red Hat Enterprise Linux and hardware including server, network, and storage devices as well as cloud platforms. Here are a few examples:
Network interface card is not operating at maximum speed due to faulty cable, network interface card, switchport, SFP, etc.
Unsupported kernel version on Intel Purley Platform with Intel Skylake CPU
Kdump Does Not Work Due To XEN/AWS's Limitation
Q: Does Insights have workload-specific recommendations?
A: Yes. There are Advisor recommendations for workloads such as SAP, Microsoft SQL, PostgreSQL, and Oracle Databases. There are also recommendations for hypervisors and for cloud providers such as AWS and Azure. There are also Red Hat specific recommendations for products such as OpenShift, OpenStack, and Satellite. These are listed in Advisor in the Topics submenu and are easily referenced.
Q: In Insights created playbooks, why are there signatures in the playbook?
A: Insights has the ability to directly run generated playbooks via Red Hat Satellite Server or RHC (Remote Host Configuration). The signatures are added so that RHC or Satellite can verify that the playbooks are coming from Red Hat and are safe to execute. This is typically not something that a user needs to worry about, but if you download the playbook you will see these present in the playbook.
If you download the playbook and execute if outside of RHC or Satellite, the signatures will be ignored and you will still be able to execute the playbook with, for example, Ansible Automation Platform.
Service Specific FAQs for RHEL Insights
Advisor
Q: How can I see a list of all Insights Advisor recommendations?
A: Insights recommendations can be seen in the Insights user interface.
The default behavior is to show you only recommendations that affect your systems, but if you want to see the full list all you need to do is adjust the filters.
Within the Advisor service select Recommendations.
Near the top of the screen you will see two filters which are enabled by default:
Systems impacted: 1 or more
Status: Enabled
Click the “X” next to each of these filters to remove them and you will see the entire list of Insights recommendations. You can easily filter the list by name if desired.
You can repeat the same process with any of the Advisor Topics. Select a Topic such as SAP and remove the filters as mentioned above to see all SAP recommendations.
Q: Can I create my own recommendations?
A: No. Advisor recommendations are created by Red Hat. The Insights Policy service might meet your needs as it allows you to create your own custom internal policies.
Vulnerability
Q: Does the Vulnerability service show Vulnerabilities from all repositories, or only enabled ones?**
A: The Vulnerability service only shows vulnerabilities from the enabled repositories on a system. If the Vulnerability service showed results from all repositories the results would include irrelevant updates for a system.
Q: Are there any issues with 3rd party repositories when looking at vulnerabilities?
A: Insights may not know details for some 3rd party repositories. It is recommended that you use Red Hat provided repositories instead of local mirror repositories.
For example, if you mirror the Red Hat appstream repository to ‘myrepo’ and use ‘myrepo’ on your systems, vulnerable packages in ‘myrepo’ may not be properly detected.
Q: How long does it take for a CVE with Errata to appear within Insights Vulnerability once it has been published to the Red Hat Customer Portal?
A: It can take 12-18 hours for a CVE with Errata to appear within the Insights Vulnerability service.
Compliance
Q: Using Insights can you define a custom compliance policy?
A: You can create new SCAP policies and edit/tailor them as needed within the Compliance service. Review the documentation for full details.
Q: Can Insights detect an unsupported compliance configuration?
A: Yes - Accurate compliance reporting requires that you use the supported version of the SCAP Security Guide (SSG) for the minor version of RHEL you are using. Using an unsupported version of SSG on RHEL results in an unsupported configuration, which will be reflected in results for the policy displayed in the compliance service. Refer to the Insights Compliance - Supported configurations article for more information.
If you use an unsupported combination of RHEL and the SCAP security guide, then your system will be listed as being in an unsupported status.
Q: The Insights Compliance service is showing my system as unsupported. What does that mean?
A: This likely indicates that you are using an unsupported version of the SCAP Security Guide (SSG) for the RHEL minor version running on the system. The security guide version can either be too old or too new for you to be in a supported state.
Refer to the Insights Compliance - Supported configurations article for more information.
Q:Can I upload OpenSCAP reports from other products like Satellite into Insights?
A: No - Compliance policies must be created in the Insights compliance service. While the compliance service uses OpenSCAP to perform a system evaluation, reports from OpenSCAP outside of Insights cannot be uploaded to Insights.
Drift
Q: How long in time can I go back to for my RHEL configuration comparisons?
A: Insights currently keeps 7 days of data for historical system comparison. This means Drift is able to perform RHEL configuration comparisons between insights-client playloads uploaded within the last 7 days.
Additionally, baselines can be created to define system configurations and used as standard/guideline for system comparison. The 7 day limit does not apply to baselines.
Q: Where can I find information about each configuration fact?
A: System facts are documented in Drift documentation under Available Facts and Their Functions.
Q: Can I add my own facts using the Drift service?
A: Drift comparisons can be performed on configuration facts and tags collected by Insights. As such, additional metadata associated to systems as a tag can be compared using Drift.
Q: For baselines, if you delete or edit facts can you get those back?
A: If you delete a fact, it is removed from the Insights DB and not available. If you want to change what is included as part of a baseline it is best to duplicate an existing Baseline to keep history/versioning. You can also manage baselines as JSON files and upload them using Insights REST APIs. See System Comparison API documentation.
Malware
Q: Who is the intended user of Malware Detection?
A: There are a couple of possible users:
For a security-minded enterprise, Insights Malware Detection is an IBM-backed, RHEL-focused component of a multi-layered security strategy, which enables enterprises to bring RHEL expertise to their detection plans.
For the Linux customer who values the added security benefits of the RHEL subscription.
Please refer to the 2023 Global Tech Outlook: A Red Hat report for more information on the types of companies a service like Malware detection may help.
Q: Can the Insights Malware service replace <Vendor/Product X>?
A: Each organization has unique security requirements and needs to evaluate where Red Hat Insights Malware service fits with their multi-layered security approach.
The Insight Malware service should be considered as a complementary service to any existing solutions a customer might have in their environment.
Q: Does the Insights Malware service satisfy PCI compliance requirements?
A: Red Hat is not in a position to evaluate individual regulatory requirements and makes no such claims.
Q: I thought open source Linux was inherently secure? Why do I need to have a malware signature scanner?
A: Most industry security professionals agree that enterprises should use a multilayered security approach to reduce the risk to their environments. Red Hat is partnering with industry leaders in Linux threat intelligence to provide an additional layer of risk assessment as part of their Red Hat subscription.
Q: When new malware signatures are discovered, what is the turnaround time to get the signature added to Insights?
A: We are getting a new batch of malware signatures about once a month. The feedback loop on that is typically that Red Hat's Threat Intel team will identify an emerging malware threat to Linux and submit a request to the IBM X-Force team who researches and writes a new signature for identification, then passes back to Red Hat for testing and inclusion in the next batch of signature updates in Insights. The time for that feedback loop varies from signature to signature, available samples to research, etc., but is typically on a scale of weeks, rather than days or months.
Q: What is the key difference between Insights Malware Detection service and traditional commercial antivirus products?
A: Insights Malware Detection provides on-demand analysis by execution of the 'insights-client --collector malware-detection' command while many traditional AV offerings have a daemon or agent that is actively scanning files on-access.
Q: Does YARA support multiprocessing/multithreading?
A: Yes, YARA supports multithreading, and Red Hat Insights will inherit that with the malware-detection collector.
Q: Where are the signatures for the Malware service stored? Are they on the RHEL hosts?
A: Signatures are stored on console.redhat.com and the insights-client reaches pulls them down for each scan. This ensures the signatures are inclusive of any additions that have been made. These signatures are not stored locally on the RHEL host.
Q: Does the Insights Malware service work with container images?
A: If a user were to run Insights-client within a container, it should find the issues/malware of that file system, however, if there are container images within that host/file system, it would not pick those up issues or report on any malware within those images.
Q: Does the Malware service only scan Red Hat packages?
A: The service scans anything on the host including packages, files, running processes, configuration files, etc. Specifically however, the network traffic on the RHEL server is not analyzed by the Malware service.
Red Hat OpenShift & Red Hat Insights Frequently Asked Questions
Q: How do I install Insights for Openshift?
A: Insights operator is installed and enabled by default as of OCP 4.2.
If you want to use the Cost management service you will need to install the Cost Management Metrics Operator.
For more information refer to the Getting started with cost management guide.
Q: What data is the Insights operator collecting about my cluster?
A: The Insights operator is complementary to OpenShift Container Platform Telemetry and collects information used for proactively identifying cluster issues. This includes:
Important configuration information about the environment that the cluster runs in
Details about the state of the cluster and its major components
Debugging information about infrastructure Pods or nodes that are reporting failures.
See the Remote health monitoring section of the OpenShift documentation for more information.
Q: Can I review data Insights is collecting before an upload??
A: Yes, for most of the services the documentation is listed in the Showing data collected Telemetry section of the OpenShift documentation.
Q: Can I use Insights with a restricted network?
A: Insights services are recommended for users who are running their clusters with open connection to console.redhat.com.
If necessary, Insights data can be uploaded manually as documented in the Using remote health reporting in a restricted network section of the OpenShift documentation.
Q: How do I disable insights for OpenShift 4.x?
A: In OpenShift Container Platform, you can opt out of reporting health and usage information. However, connected clusters allow Red Hat to react more quickly to problems and better support our customers, as well as better understand how product upgrades impact clusters.
Red Hat strongly recommends leaving health and usage reporting enabled for pre-production and test clusters even if it is necessary to opt out for production clusters. This allows Red Hat to be a participant in qualifying OpenShift Container Platform in your environments and react more rapidly to product issues.
See the Opting out of remote health monitoring in the OpenShift documentation for more information.
Q: What information do I get from the OpenShift Insights Vulnerability Dashboard?
A: The Insights Vulnerability Dashboard shows the OpenShift clusters affected by CVEs.
For more information about capabilities and positioning with Red Hat Advanced Cluster Security for Kubernetes (RHACS), please refer to this article.
Cost Management FAQs
Q: Why do I see "You do not have access to Cost Management" when I navigate to Cost Management?
A: You likely do not have the correct User Access configured. You need to be an org administrator or have the RBAC admin role to configure User Access.
See the documentation for a description of relevant User Access roles.
Q: I’ve installed the operator on a cluster and I don’t see data. What’s wrong?
A: Here are some things to ask before reaching out to engineering for help.
Has a source been created for this cluster? Check console.redhat.com.
How long has the operator been running? If it’s less than 12 hours. It may not have uploaded a payload yet.
Check the operator last upload status. If the last upload was successful Cost Management should have received the payload and should process it within the next few hours.
If you still have no data with successful uploads longer than a 24 hour period reach out to the team for further investigation:
The CostManagementMetricsConfig which must be created after the operator is installed contains many status fields. Are there any errors in this CR? If so, please provide a copy of the CR to the team
Alternatively check Insights Advisor for recommendations about missing configuration
Q: I’ve installed the operator on a cluster and can see usage data but costs are zero ($0). What’s wrong?
A: Costs for an Openshift cluster come from 2 things: 1. a cost model or 2. a cloud source (AWS/Azure/GCP)
To see costs from an associated cost model, the cost model must be created and associated with the source corresponding to the cluster sending data
To see costs associated with a cloud source, a second source must be created here.
Cost management needs the information for the cloud source in order to import billing data. During data ingestion, the costs are correlated to the usage of Openshift clusters.A cost model or a cloud source is required for Cost management to show any costs for an Openshift cluster.
Q: When should I create an OpenShift Cost Model?
A: The Cost Management Metrics Operator only collects usage data. It does NOT collect cost data. There are two scenarios in which this data can be used to help customers understand their usage costs
Scenario One: correlate OpenShift usage to a cloud bill.
Cost Management requires:
1. The OpenShift source
2. A Cloud source (AWS/Azure/GCP)In this scenario, no cost model is required in order for cost management to show the cost of Openshift usage.
Scenario Two: The cluster is running on-premise.
Without a cloud provider, we do not have any cost information to correlate with the reported usage metrics. A cost model is required to generate costs for the usage data. Otherwise the costs will always be zero ($0).
Q: How many cost models should I create?
A: A source can only be assigned to a single cost model. A cost model can have multiple sources assigned to it.
Q: It’s the first of the month. Where did my data go?
A: It can take each cloud provider several days to start publishing data at the start of a month. As soon as that data is published, it will be available in the application. Visit the Cost Explorer to analyze the previous month's data.
Q: Does Cost Management work with ARO or ROSA?
A: Yes, ARO and ROSA are fully supported.
When installing the Cost Management Metrics Operator, the cluster must be configured for basic authentication. See the documentation for full details.
Q: Does Cost Management include other (non-computation) services?
A: Yes. Some services included are: ROSA/ARO and RHEL. Other services can be distributed by using tagging and a cost model. For example, you can tag services in AWS/Azure/GCP to group with an OpenShift resource.
Q: What is Tagging and how can it help me?
A: Tagging can help group cost logically. Be aware that tagging can be expensive for the Cost Management service, so users must enable only what they need.
Q: I see different numbers depending on where I look. Where can I find the actual cost for my cluster/project/etc?
A: Where to look depends on what you want to find out.
For example, if you are using OpenShift on AWS (but it’s similar for other clouds). These are all the places where you can find your costs:
Cost Management > Cost Explorer: Perspective = Amazon Web Services.
This is the data we get from the AWS Cost and Usage Report (CUR). It represents all the AWS costs, including those that cannot be attributed to OpenShift (e. g. DynamoDB, RDS, RHEL, etc).
If you are using a cost model, this perspective does not include any additional costs (rates in the price list or markup/discounts). It’s purely the raw costs, i. e. costs coming from the cloud provider. ROSA costs (ARO, in the case of Azure) are reported here as its own service.
AWS can report billing data in three formats (blended, unblinded, and amortized).
Blended - Forget about blended; it’s there only for historical reasons
Unblended - Unblended is generally helpful but will show wrong per-cluster/per-node/per-project/per-tag costs if you have savings plans. In the AWS CURs, savings plans are reported as “this is how much your costs are, and here’s a discount,” but that discount is not associated with the specific infrastructure, so we don’t know what to apply it to.
Amortized - Amortized is the right choice if you have AWS savings plans.
Cost Management > Cost Explorer: Perspective = Amazon Web Services filtered by OpenShift
This is a subset of the above data, filtering out everything that was not attributed to OpenShift.
If you are using a cost model, this perspective does not include any additional costs (rates in the price list or markup/discounts). It’s purely the raw costs, i. e. costs coming from the cloud provider.
ROSA costs (ARO, in the case of Azure) are already included here because Cost Management distributes that cost to the specific cluster since November 2022.
This should be equal or smaller than what Perspective = Amazon Web Services shows because it's a subset of that.
AWS Console
You can find your costs also in the AWS console. In the ongoing month, you should not be surprised if these costs are slightly different from what you see in Cost Management: AWS usually reports data first in the Cost and Usage Reports (which Cost Management downloads using the AWS API and ingests) and then process them on the AWS end, so Cost Management may show costs one day before AWS web tools do.
Clouds typically close the month around the second or third of the month and then reprocess all the data, so a report is not 100% reliable until the fifth-sixth of the following month. E. g. for October:
AWS closes report on November 2nd
AWS ingests data and makes the final report available on November 5th
Cost Management will download the final report and reprocess the data so the final report that customers can use for their accounting purposes will be available around November 7th
Q: Can Cost Management run On-premise (on a customer’s cluster)?
A: The Cost Management Metrics Operator can operate in “air-gapped” mode. You would then manually download and send reports to Cost Management and view the data on console.redhat.com. See the documentation for full details.
There is no fully on-premise version of the cost management service.
The Curator Project leverages the Cost Management Metrics Operator to provide a reduced-functionality version, where usage is reported, but cost models are not available. Based on the usage reports from Curator, users can build their own cost models (e.g. using a spreadsheet, or some script).
Q: What does "filtered by OpenShift" mean?
A: The terminology “filtered by OpenShift” is used to describe what portion of the cloud provider’s cost is associated with running an OpenShift cluster. When both a cloud provider and OpenShift source have been added with matching tags or resource ids in the cost reports, Cost Management can correlate the two reports to calculate how much of your cloud provider cost is related to running OpenShift.
Q: If I select "All OpenShift" in cost explorer, I can group by project/cluster/node/tag to get different breakdowns, but how are these costs broken down?
A: The “All OpenShift” view in the cost explorer is all cloud costs and cost model costs. This view includes both the clusters running on cloud providers, and the clusters running on premises.
The group by options provided for the perspectives in the cost explorer allow users to create different data aggregations. This can be particularly useful when trying to exclude or filter on specific data field values.
A more detailed cost breakdown can be viewed by exporting the data in the cost explorer. Below are columns specific to cost categories found in the csv export and their definitions:
All cost_{type} are combined total of the infrastructure & supplementary costs of that type. ( e.g. cost distributed = supplementary distributed cost + infrastructure distributed cost)
cost_markup | Cost of the markup defined in the cost model |
cost_raw | All raw costs from cloud providers |
cost_total | The combined total of the infrastructure & supplementary distributed, markup, and raw cost. |
infra_markup | Markup cost marked as infrastructure in the cost model. |
infra_raw | The cloud cost from your cluster |
infra_total | The combined total of the infrastructure distributed, markup, and raw cost. |
sup_markup | Not currently being used in the cost management backend |
sup_raw | Not currently being used in the cost management backend |
sup_total | The combined total of the supplementary distributed, markup, and raw cost. |
Q: If I have a "Monthly Storage Rate" configured in my cost model. How is a particular PV added in a per-node cost breakdown?
A: Cost Management amortizes the monthly costs with the following equations:
1 - Monthly Node Rate:
(Node’s effective usage / node’s capacity) * node rate
This equation is run for each day during our daily aggregation
2 - Monthly Cluster Rate:
This equation is run for each day during our daily aggregation
(Cluster’s effective usage/ cluster’s capacity) * cluster rate
3 - Monthly PVC Rate
PVC Rate / number of persistent volume claims in the namespace for the cluster
Q: Are my cloud costs (ex: EC2) also used to calculate for example a per-project cost?
A: Yes, once the cloud source and our operator are providing data, Cost Management can correlate the cloud cost for your cluster. This is how we determine what slice of your cloud cost is associated with running OpenShift, and on the OpenShift detail’s page this will be added to the cost breakdown as raw cost:
Q: How does Cost Management Distribute Cloud Costs to the OpenShift Projects?
A: We assign a portion of the cloud provider’s cost based off of the effective usage of the pod’s memory or cpu with the following equation:
(pod effective usage / node capacity) * (cloud provider cost)
