diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index 86d0475aeb80c51d19493af2a9c2577ccb0df487..f5f26d3e21627f14bcb82b6528f9664d5e04bfec 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -172,6 +172,21 @@ function(params) {
insecureSkipVerify: true,
},
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+ metricRelabelings: [
+ {
+ sourceLabels: ['__name__'],
+ action: 'drop',
+ regex: '(' + std.join('|',
+ [
+ 'apiserver_client_certificate_.*', // The only client supposed to connect to the aggregated API is the apiserver so it is not really meaningful to monitor its certificate.
+ 'apiserver_envelope_.*', // Prometheus-adapter isn't using envelope for storage.
+ 'apiserver_flowcontrol_.*', // Prometheus-adapter isn't using flowcontrol.
+ 'apiserver_storage_.*', // Prometheus-adapter isn't using the apiserver storage.
+ 'apiserver_webhooks_.*', // Prometeus-adapter doesn't make use of apiserver webhooks.
+ 'workqueue_.*', // Metrics related to the internal apiserver auth workqueues are not very useful to prometheus-adapter.
+ ]) + ')',
+ },
+ ],
},
],
},
diff --git a/manifests/prometheus-adapter-serviceMonitor.yaml b/manifests/prometheus-adapter-serviceMonitor.yaml
index a75158526ca84b834d2155b9442f85018ba23fcb..46a5c95c526e9d53d5f6b79765f4acfd95f5dd36 100644
--- a/manifests/prometheus-adapter-serviceMonitor.yaml
+++ b/manifests/prometheus-adapter-serviceMonitor.yaml
@@ -12,6 +12,11 @@ spec:
endpoints:
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
+ metricRelabelings:
+ - action: drop
+ regex: (apiserver_client_certificate_.*|apiserver_envelope_.*|apiserver_flowcontrol_.*|apiserver_storage_.*|apiserver_webhooks_.*|workqueue_.*)
+ sourceLabels:
+ - __name__
port: https
scheme: https
tlsConfig: