Monitoring Kubernetes cluster using prometheus outside the k8 cluster

  • We have a Kubernetes cluster where I have service account "kube", namespace "monitoring", with a cluster role binding created to monitor the cluster
  • We have Prometheus installed on a Linux system (on prem) outside the cluster, and it is installed using "root"
  • When I try to connect to the k8 cluster with the https api using ca.crt and user token (given by the Kubernetes admin), it throws multiple errors.

Error messages:

component="discovery manager scrape" msg="Cannot create service discovery" err="unable to use specified CA cert /root/prometheus/ca.crt" type=*kubernetes.SDConfig

component="discovery manager scrape" msg="Cannot create service discovery" err="unable to use specified CA cert /root/prometheus/ca.crt" type=*kubernetes.SDConfig

Prometheus configuration:


  - job_name: 'kubernetes-apiservers'
    scheme: https
    tls_config:
      ca_file: /root/prometheus/ca.crt
    bearer_token_file: /root/prometheus/user_token
    kubernetes_sd_configs:
    - role: endpoints
      api_server: https://example.com:1234
      bearer_token_file: /root/prometheus/user_token
      tls_config:
        ca_file: /root/prometheus/prometheus-2.12.0.linux-amd64/ca.crt
    relabel_configs:
    - source_labels: [monitoring, monitoring-sa, 6443]
      action: keep
      regex: default;kubernetes;https

  - job_name: 'kubernetes-nodes'
    scheme: https
    tls_config:
        ca_file: /root/prometheus/ca.crt
    bearer_token_file: /root/prometheus/user_token

    kubernetes_sd_configs:
    - role: node
      api_server: https://example.com:1234
      bearer_token_file: /root/prometheus/user_token
      tls_config:
        ca_file: /root/prometheus/ca.crt
    relabel_configs:
    - action: labelmap
      regex: __meta_kubernetes_node_label_(.+)
    - target_label: __address__
      replacement: https://example.com:1234
    - source_labels: [__meta_kubernetes_node_name]
      regex: (.+)
      target_label: __metrics_path__
      replacement: /api/v1/nodes/${1}/proxy/metrics

The main problem you're facing is: "unable to use specified CA cert /root/prometheus/ca.crt"

Someone recently faced the same problem: https://github.com/prometheus/prometheus/issues/6015#issuecomment-532058465

He solved it by reinstalling the new version.

Version 2.13.1 is out. Try installing the latest version, it might solve your problem too.

Your ca.crt is most probably still in base64 format since secrets are encoded that way when describing them, as explained here.

Maybe your ca.crt has some error. Check your CA cert file and make sure the file format looks like this:

-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----

I think your ca.crt was obtained with kubectl get serviceaccount -o yaml, but this is a public key with your kubernetes cluster, so, if you want to get the token, you can specify the serviceAccountName in the yaml file with a new Deployment, like this:

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: test
        version: v1
    spec:
      serviceAccountName: prometheus
      containers:
      - name: test
        image: alpine
        imagePullPolicy: Always
        command: ["ping", "127.0.0.1"]
      imagePullSecrets:
        - name: harbor-secret
      restartPolicy: Always

Then, get your token and ca.crt under /var/run/secrets/kubernetes.io/serviceaccount/.
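
The two ca.crt checks suggested in the answers above (file still base64-encoded as in a Secret's data field, or not in BEGIN/END CERTIFICATE form) can be automated. This is an added example, not code from the original posts or from Prometheus; the function names and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_ok(der: bytes) -> bool:
    """Outer DER header must be a SEQUENCE whose length spans the whole blob."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks_ok(data: bytes) -> bool:
    bodies = PEM_RE.findall(data)
    if not bodies:
        return False
    try:
        return all(der_ok(base64.b64decode(b"".join(b.split()), validate=True))
                   for b in bodies)
    except binascii.Error:                 # body is not clean base64
        return False

def classify_ca(data: bytes):
    """Return (status, pem_bytes); status is 'pem', 'base64-pem' or 'invalid'."""
    data = data.strip()
    if pem_blocks_ok(data):
        return "pem", data + b"\n"
    try:                                   # maybe the raw Secret value was saved
        decoded = base64.b64decode(b"".join(data.split()), validate=True).strip()
    except binascii.Error:
        return "invalid", b""
    if pem_blocks_ok(decoded):
        return "base64-pem", decoded + b"\n"   # write this out as ca.crt
    return "invalid", b""

# Constructed sample: DER-shaped filler bytes, not a real certificate.
_der = b"\x30\x82\x01\x0a" + bytes(266)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_der)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_SECRET_VALUE = base64.b64encode(SAMPLE_PEM)  # shape of a Secret's data value

if __name__ == "__main__":
    print(classify_ca(SAMPLE_PEM)[0], classify_ca(SAMPLE_SECRET_VALUE)[0])
```

This is a structural check only; `openssl x509 -in ca.crt -noout -subject` confirms that the decoded file parses as an actual X.509 certificate.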
