Select the Google Cloud project that you use to store logs and metrics. You can
find the Google Cloud project in the stackdriver.projectID field of
your user cluster configuration file.
Click Query editor.
Enter a query into the query editor. You can find Binary Authorization for
Distributed Cloud queries in the following sections.
Example queries
This section provides example monitoring query language (MQL) queries you can
use to monitor Binary Authorization for Distributed Cloud metrics. To
learn more about MQL, see Introduction to Monitoring Query Language.
Query for rejected deployments
To view deployment requests that were rejected by the Binary Authorization
enforcer, use the following query:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide explains how to use Cloud Monitoring to track metrics for Binary Authorization in Google Distributed Cloud software, focusing on supported environments like Distributed Cloud for bare metal 1.14+ and VMware 1.4+.\u003c/p\u003e\n"],["\u003cp\u003eTo begin using Cloud Monitoring, ensure the \u003ccode\u003estackdriver\u003c/code\u003e section is configured in your user cluster configuration file and then access the Metrics Explorer in the Google Cloud console.\u003c/p\u003e\n"],["\u003cp\u003eYou can monitor rejected deployment requests using a specific Monitoring Query Language (MQL) query that filters for errors related to the Binary Authorization enforcer.\u003c/p\u003e\n"],["\u003cp\u003eTo identify system failures affecting Binary Authorization, use an MQL query that specifically looks for \u003ccode\u003ecalling_webhook_error\u003c/code\u003e within the error types.\u003c/p\u003e\n"],["\u003cp\u003eTo see the total number of webhook calls related to Binary Authorization, there is a specific query that can filter the \u003ccode\u003eadmission_duration_seconds\u003c/code\u003e metric.\u003c/p\u003e\n"]]],[],null,["# Monitor metrics for Distributed Cloud\n\nThis document describes how to use [Cloud Monitoring](/monitoring/docs/monitoring-overview) for\nBinary Authorization for Google Distributed Cloud software. Learn more about\n[Distributed Cloud logging and monitoring](/anthos/gke/docs/on-prem/concepts/logging-and-monitoring).\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nBefore you begin\n----------------\n\n1. To view Binary Authorization for Distributed Cloud metrics, you\n must use supported environments:\n\n - [Distributed Cloud for bare metal](/anthos/clusters/docs/bare-metal/latest/overview) 1.14 or later\n - [Distributed Cloud for VMware](/anthos/gke/docs/on-prem/latest/overview) 1.4 or later\n2. To use Cloud Monitoring, make sure the `stackdriver`\n section of your [User cluster configuration](/anthos/gke/docs/on-prem/how-to/user-cluster-configuration-file#stackdriver-section) file is filled in.\n\nSet up Cloud Monitoring queries for Binary Authorization\n--------------------------------------------------------\n\nThis section shows you how to access Cloud Monitoring and select the\nCloud Logging project that stores your GKE cluster logs.\n\n1. In the **Workspace** combo box, select the project ID from the `stackdriver`\n section of your [User cluster cluster configuration](/anthos/gke/docs/on-prem/how-to/user-cluster-configuration-file#stackdriver-section).\n\n2. View Cloud Monitoring:\n\n In the Google Cloud console, go to **Monitoring \\\u003e\n Metrics Explorer** or use the following button:\n\n [Go to Monitoring](https://console.cloud.google.com/monitoring/metrics-explorer)\n3. Select the Google Cloud project that you use to store logs and metrics. You can\n find the Google Cloud project in the `stackdriver.projectID` field of\n your user cluster configuration file.\n\n4. Click **Query editor**.\n\n5. Enter a query into the query editor. You can find Binary Authorization for\n Distributed Cloud queries in the following sections.\n\nExample queries\n---------------\n\nThis section provides example monitoring query language (MQL) queries you can\nuse to monitor Binary Authorization for Distributed Cloud metrics. To\nlearn more about MQL, see [Introduction to Monitoring Query Language](/monitoring/mql).\n\n### Query for rejected deployments\n\nTo view deployment requests that were rejected by the Binary Authorization\nenforcer, use the following query: \n\n fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'\n | filter\n (metric.error_type == 'no_error'\n && metric.name == 'binaryauthorization.googleapis.com')\n\n### Query for system failures\n\nThis section describes how to monitor for system failures that prevent\nnormal operation of Binary Authorization for Distributed Cloud.\n\nTo monitor for system failures, use the following query: \n\n fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_rejection_count'\n | filter\n (metric.error_type == 'calling_webhook_error'\n && metric.name == 'binaryauthorization.googleapis.com')\n\n### Sum the number of webhook calls related to Binary Authorization\n\nTo view the total number of webhook calls relating to Binary Authorization, use\nthe following query: \n\n fetch k8s_container::'kubernetes.io/anthos/apiserver_admission_webhook_admission_duration_seconds'\n | filter (metric.name == 'binaryauthorization.googleapis.com')\n | align delta(1m)\n | every 1m\n | group_by []\n | count\n\nWhat's next\n-----------\n\n- [Introduction to Cloud Monitoring](/monitoring/docs/monitoring-overview)\n- [Introduction to Monitoring Query Language](/monitoring/mql)\n- [View Binary Authorization for Distributed Cloud audit log entries](/binary-authorization/docs/viewing-on-prem-logs)"]]
