prometheus 无法监控 kubernetes 中的所有 pod
[英]prometheus cannot able to monitor all the pods in kubernetes
问题描述
So i have 3 name spaces when i deployed prometheus on kubernetes i see the error in the logs.
所以当我在 kubernetes 上部署 prometheus 时我有 3 个命名空间,我在日志中看到了错误。 it is unable to monitor all the name spaces.它无法监视所有名称空间。
Error :错误 :
\"system:serviceaccount:development:default\" cannot list endpoints at the cluster scope"
level=error ts=2018-06-28T21:22:07.390161824Z caller=main.go:216 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:268: Failed to list *v1.Endpoints: endpoints is forbidden: User \"system:serviceaccount:devops:default\" cannot list endpoints at the cluster scope"
1 个解决方案
解决方案1
1 已采纳 2018-06-29 02:06:19
You'd better use a service account to access the kubernetes, and give the sa special privilidge that the prometheus needed.最好使用服务帐号访问kubernetes,并赋予prometheus需要的sa特殊权限。 like the following:像下面这样:
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: kube-system
Presumes that you deploy prometheus in the kube-system namespace.假设您在 kube-system 命名空间中部署了 prometheus。 Also you need specify the sa like ' serviceAccount: prometheus' in your prometheus deployment file .您还需要在 prometheus 部署文件中指定类似“serviceAccount: prometheus”的 sa 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.