Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.polystack.tech/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Monitoring security encompasses agent authentication via per-node tokens, dashboard access control through Polystack identity roles, and TLS certificate lifecycle management for all platform communications.
Administrator Access Required — This operation requires the admin role. Contact your Polystack administrator if you do not have sufficient permissions.

Agent Authentication

Each Monitoring agent authenticates to the collector using a unique per-node token. Rotate tokens periodically and immediately when a node is decommissioned or suspected compromised.
Generate a new agent token
monitoring agent token create --node compute-node-04 --expires 365d
List all agent tokens with expiry
monitoring agent token list
Revoke an agent token
monitoring agent token revoke <TOKEN_ID>
Revoking a token immediately disconnects the associated agent. Ensure the replacement token is deployed to the agent configuration before revoking the old one, or the node will stop reporting metrics.

Dashboard Access Control

Monitoring dashboard access is controlled through Polystack identity roles. Assign roles based on job function to enforce least-privilege access.
RoleAccess LevelTypical Assignees
monitoring-viewerRead-only — dashboards and alert historyDevelopers, stakeholders
monitoring-editorCreate and edit dashboards, rules, and channelsOperations engineers
monitoring-adminFull access — agents, retention, security settingsPlatform administrators
Assign roles through the deployment console → Identity → Role Assignments.
Use the monitoring-viewer role for application teams who need to observe their service metrics without the ability to modify alert rules that affect other teams.

TLS Configuration

All Monitoring communication uses TLS:
  • Agent-to-collector: TLS 1.3 minimum
  • Dashboard and API: TLS 1.3 minimum, HSTS enabled
  • Internal service communication: mTLS for collector-to-store traffic
Certificates are managed by the deployment console and renewed automatically 30 days before expiry.
Check all certificate expiry dates
monitoring tls status
Expected output shows certificate subjects, expiry dates, and days remaining. Certificates within 30 days of expiry trigger an automatic renewal.

Next Steps

Agent Configuration

Deploy and configure agents whose tokens are managed here

Alert Channels

Secure notification channel credentials and SMTP authentication

Troubleshooting

Diagnose TLS and authentication errors

Polystack Identity

Manage the Polystack identity roles used for Monitoring access control