Add Kubernetes scrape target to Prometheus instance that is NOT in Kubernetes

I run prometheus locally as http://localhost:9090/targets with

docker run --name prometheus -d -p 127.0.0.1:9090:9090 prom/prometheus

and want to connect it to several Kubernetes (cluster) instances we have. See that scraping works, try Grafana dashboards etc.

And then I'll do the same on a dedicated server that will be specially for monitoring. However, all googling gives me all different ways to configure prometheus that is already within one Kubernetes instance, and no way to read metrics from external Kubernetes.

How to add Kubernetes scrape target to Prometheus instance that is NOT in Kubernetes?


I have read "Where Kubernetes metrics come from" and checked that my (first) Kubernetes cluster has the Metrics Server.

kubectl get pods --all-namespaces | grep metrics-server 

There is definitely no sense to add Prometheus instance into every Kubernetes (cluster) instance. One Prometheus must be able to read metrics from many Kubernetes clusters and every node within them.

PS Some old question has an answer to install Prometheus in every Kubernetes and then use federation, that is just the opposite of what I am looking for.

PPS It is also strange for me why Kubernetes and Prometheus, which are the #1 and #2 projects from Cloud Native Foundation, don't have a simple "add Kubernetes target in Prometheus" button or simple step.

In my opinion, deploying a Prometheus instance in each cluster is a simpler and cleaner way than organizing external access. The problem is that the targets discovered with kubernetes_sd_configs are cluster-internal DNS names and IP addresses (or at least, it is so in my AWS EKS cluster). To resolve these, you have to be inside the cluster.

This problem can be resolved by using a proxy. The configuration below uses the API-server proxy endpoint to reach targets. I'm not sure about its performance in large clusters; I guess a dedicated proxy in this case would be a better fit.

External access via API-server proxy

The first thing you need to get things running is a CA certificate of your API-server. There are several ways to get it, but getting it from kubeconfig appears to me as the simplest:

❯ k config view --raw
apiVersion: v1
clusters:
- cluster:                      # you need this ⤋ long value 
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJ...
    server: https://api-server.example.com
  name: default
...

The certificate in kubeconfig is base64-encoded so you have to decode it first:

echo LS0tLS1CRUdJTiBDRVJUSUZJ... | base64 -d > CA.crt

You also need a service account token with proper permission but this is out of the scope of this answer. Assuming you already have it, let's proceed to Prometheus configuration:

- job_name: 'kubelet-cadvisor'
  scheme: https

  kubernetes_sd_configs:
  - role: node
    api_server: https://api-server.example.com

    # TLS and auth settings to perform service discovery
    authorization:
      credentials_file: /kube/token  # the file with your service account token
    tls_config:
      ca_file: /kube/CA.crt  # the file with the CA certificate you got from kubeconfig

  # The same as above but for actual scrape request.
  # We're going to request API-server to be a proxy so the creds are the same.
  bearer_token_file: /kube/token
  tls_config:
    ca_file: /kube/CA.crt

  relabel_configs:
  # This is just to drop this long __meta_kubernetes_node_label_ prefix
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)

  # By default Prometheus goes to /metrics endpoint.
  # This relabeling changes it to /api/v1/nodes/[kubernetes_io_hostname]/proxy/metrics/cadvisor
  - source_labels: [kubernetes_io_hostname]
    replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
    target_label: __metrics_path__

  # This relabeling defines that Prometheus should connect to the
  # API-server instead of the actual instance. Together with the relabeling
  # from above this will make the scrape request proxied to the node kubelet.
  - replacement: api-server.example.com
    target_label: __address__

The above is tailored for scraping role: node. To make it work with other roles, you've got to change the __metrics_path__ label. This doc can help constructing the path.

There are many agents capable of doing remote Prometheus write to export metrics collected in K8s and send to a remote Prometheus (global) server outside the cluster, for example Prometheus agent mode, OpenTelemetry exporter etc.

I run prometheus locally as http://localhost:9090/targets with

docker run --name prometheus -d -p 127.0.0.1:9090:9090 prom/prometheus

You should start your Prometheus with 0.0.0.0 in order to accept write from remote agents.
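
An agent-side configuration for the remote-write approach in the answer above, as an added example that is not part of the original answer: a Prometheus running inside the cluster in agent mode scrapes cAdvisor through the API-server proxy and pushes to the central server over TLS with credentials. The cluster label, the host prometheus.example.com and the file paths under /etc/prometheus are assumptions.

```yaml
# prometheus-agent.yml (constructed example; runs INSIDE the monitored cluster)
global:
  scrape_interval: 30s
  external_labels:
    cluster: cluster-a   # hypothetical; tells clusters apart on the central server

scrape_configs:
- job_name: kubelet-cadvisor
  scheme: https
  kubernetes_sd_configs:
  - role: node           # in-cluster: API server address and credentials are auto-detected
  # In-cluster service account credentials for the scrape requests.
  # The agent's service account still needs RBAC for nodes and nodes/proxy.
  authorization:
    credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  tls_config:
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  relabel_configs:
  # Send every scrape to the API server, which proxies it to the node's kubelet.
  - target_label: __address__
    replacement: kubernetes.default.svc:443
  - source_labels: [__meta_kubernetes_node_name]
    target_label: __metrics_path__
    replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor

remote_write:
- url: https://prometheus.example.com/api/v1/write   # hypothetical central server
  tls_config:
    ca_file: /etc/prometheus/central-ca.crt           # verify the receiver's certificate
  basic_auth:
    username: cluster-a                               # hypothetical per-cluster account
    password_file: /etc/prometheus/remote-write-password
```

The central server only accepts these writes when it is started with --web.enable-remote-write-receiver; TLS and basic auth on the receiving side are configured through the file given to --web.config.file.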

If I understand your question, you want to monitor kubernetes cluster where prometheus is not installed or remote kubernetes cluster.

I monitor many different kubernetes cluster from one prometheus which is installed on a standalone server.

You can do this by generating a token on the kubernetes server using a service account which has proper permission to access the kubernetes api.

Kubernetes-api:

Following are the details required to configure prometheus scrape job.

  1. Create a service account which has permissions to read and watch the pods.
  2. Generate token from the service account.
  3. Create scrape job as following.
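
- job_name: kubernetes
  kubernetes_sd_configs:
  - role: node
    api_server: https://kubernetes-cluster-api.com
    # Credentials and TLS settings for the service discovery requests.
    # bearer_token is a sibling of tls_config, not a key inside it.
    bearer_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    tls_config:
      insecure_skip_verify: true  # skips verification of the server certificate

  # The same token and TLS settings for the scrape requests themselves.
  bearer_token: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  scheme: https
  tls_config:
    insecure_skip_verify: true  # skips verification of the server certificate

  relabel_configs:
  # Copy every node label onto the target without the
  # __meta_kubernetes_node_label_ prefix.
  - separator: ;
    regex: __meta_kubernetes_node_label_(.+)
    replacement: $1
    action: labelmap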

I have explained the same in detail in the below article.

https://amjadhussain3751.medium.com/monitor-remote-kubernetes-cluster-using-prometheus-a3781b041745
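
Steps 1 and 2 above, and the "service account token with proper permission" that the API-server proxy answer leaves out of scope, written as a manifest. This is an added example, not taken from either answer; the names monitoring and prometheus-external are assumptions, the namespace is assumed to exist, and the rules cover only the role: node jobs shown on this page.

```yaml
# Constructed example: least-privilege identity for an external Prometheus.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus-external        # hypothetical name
  namespace: monitoring            # hypothetical, pre-existing namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-external-node-scrape
rules:
# Service discovery with `role: node` lists and watches Node objects.
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
# Scrapes via /api/v1/nodes/<name>/proxy/... are authorized as `get` on nodes/proxy.
# This subresource reaches every kubelet path, not only /metrics/cadvisor.
- apiGroups: [""]
  resources: ["nodes/proxy"]
  verbs: ["get"]
# Scrapes sent straight to the kubelet (no proxy relabeling) are authorized
# as `get` on nodes/metrics. Keep only the rule your scrape job uses.
- apiGroups: [""]
  resources: ["nodes/metrics"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-external-node-scrape
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-external-node-scrape
subjects:
- kind: ServiceAccount
  name: prometheus-external
  namespace: monitoring
---
# Long-lived token for the service account; Kubernetes fills in data.token.
apiVersion: v1
kind: Secret
metadata:
  name: prometheus-external-token
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: prometheus-external
type: kubernetes.io/service-account-token
```

After kubectl apply, the token is the base64-decoded data.token field of the Secret. Store it in the file referenced by credentials_file, readable only by the user Prometheus runs as.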
