Monitoring Kubernetes cluster using prometheus outside the k8 cluster
When I try to connect to the k8 cluster over the https API using ca.crt and a user token (given by the kubernetes admin), it throws multiple errors.
Error messages:
component="discovery manager scrape" msg="Cannot create service discovery" err="unable to use specified CA cert /root/prometheus/ca.crt" type=*kubernetes.SDConfig
Prometheus configuration:
- job_name: 'kubernetes-apiservers'
  scheme: https
  tls_config:
    ca_file: /root/prometheus/ca.crt
  bearer_token_file: /root/prometheus/user_token
  kubernetes_sd_configs:
  - role: endpoints
    api_server: https://example.com:1234
    bearer_token_file: /root/prometheus/user_token
    tls_config:
      ca_file: /root/prometheus/prometheus-2.12.0.linux-amd64/ca.crt
  relabel_configs:
  - source_labels: [monitoring, monitoring-sa, 6443]
    action: keep
    regex: default;kubernetes;https
- job_name: 'kubernetes-nodes'
  scheme: https
  tls_config:
    ca_file: /root/prometheus/ca.crt
  bearer_token_file: /root/prometheus/user_token
  kubernetes_sd_configs:
  - role: node
    api_server: https://example.com:1234
    bearer_token_file: /root/prometheus/user_token
    tls_config:
      ca_file: /root/prometheus/ca.crt
  relabel_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
    replacement: https://example.com:1234
  - source_labels: [__meta_kubernetes_node_name]
    regex: (.+)
    target_label: __metrics_path__
    replacement: /api/v1/nodes/${1}/proxy/metrics
The main problem you're facing is: "unable to use specified CA cert /root/prometheus/ca.crt"
Someone recently faced the same problem: https://github.com/prometheus/prometheus/issues/6015#issuecomment-532058465
He solved it by reinstalling the new version.
Version 2.13.1 is out. Try installing the latest version, it might solve your problem too.
Maybe your ca.crt has some error. Check your CA cert file and make sure the file format looks like this:
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
I think your ca.crt was obtained with kubectl get serviceaccount -o yaml, but this is a public key for your kubernetes cluster, so if you want to get the token, you can specify the serviceAccountName in the yaml file of a new Deployment, like this:
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: test
        version: v1
    spec:
      # The pod runs as this service account; its token and ca.crt are mounted into the container.
      serviceAccountName: prometheus
      containers:
      - name: test
        image: alpine
        imagePullPolicy: Always
        command: ["ping", "127.0.0.1"]
      imagePullSecrets:
      - name: harbor-secret
      restartPolicy: Always
Then, get your token and ca.crt under /var/run/secrets/kubernetes.io/serviceaccount/.
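
An added example (not part of the original answers and not Prometheus code): a Go check that names the likely reason a CA file yields no usable certificate. It assumes Prometheus loads `ca_file` with Go's `x509.CertPool.AppendCertsFromPEM` and that a common cause is a `ca.crt` value copied still base64-encoded from a Secret; `diagnoseCA` and `constructedCA` are hypothetical names, and the sample certificate is generated as constructed input.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// diagnoseCA (hypothetical) returns "ok" or the likely reason no certificate loaded.
func diagnoseCA(data []byte) string {
	if x509.NewCertPool().AppendCertsFromPEM(data) {
		return "ok"
	}
	trimmed := bytes.TrimSpace(data)
	if len(trimmed) == 0 {
		return "empty file"
	}
	// Values under a Secret's data: key are base64 of the PEM text.
	dec, err := base64.StdEncoding.DecodeString(string(trimmed))
	if err == nil && bytes.HasPrefix(dec, []byte("-----BEGIN CERTIFICATE-----")) {
		return "base64-encoded PEM, decode it first"
	}
	if block, _ := pem.Decode(trimmed); block != nil && block.Type != "CERTIFICATE" {
		return "PEM block type is " + block.Type
	}
	return "no parsable CERTIFICATE block"
}

// constructedCA generates a throwaway self-signed certificate as sample input.
func constructedCA() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "constructed-ca"}, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	good := constructedCA()
	fmt.Println(diagnoseCA(good))
	fmt.Println(diagnoseCA([]byte(base64.StdEncoding.EncodeToString(good))))
}
```

To check a real file, read it with `os.ReadFile` and pass the bytes to `diagnoseCA`.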