Monitoring Kubernetes cluster using prometheus outside the k8 cluster
ca.crt and a user token (provided by the Kubernetes administrator): when connecting to the k8 cluster using the https API, it throws multiple errors. Error message:
component="discovery manager scrape" msg="Cannot create service discovery" err="unable to use specified CA cert /root/prometheus/ca.crt" type=*kubernetes.SDConfig
component="discovery manager scrape" msg="Cannot create service discovery" err="unable to use specified CA cert /root/prometheus/ca.crt" type=*kubernetes.SDConfig
Prometheus configuration:
- job_name: 'kubernetes-apiservers'
  scheme: https
  tls_config:
    ca_file: /root/prometheus/ca.crt
  bearer_token_file: /root/prometheus/user_token
  kubernetes_sd_configs:
  - role: endpoints
    api_server: https://example.com:1234
    bearer_token_file: /root/prometheus/user_token
    tls_config:
      ca_file: /root/prometheus/prometheus-2.12.0.linux-amd64/ca.crt
  relabel_configs:
  - source_labels: [monitoring, monitoring-sa, 6443]
    action: keep
    regex: default;kubernetes;https
- job_name: 'kubernetes-nodes'
  scheme: https
  tls_config:
    ca_file: /root/prometheus/ca.crt
  bearer_token_file: /root/prometheus/user_token
  kubernetes_sd_configs:
  - role: node
    api_server: https://example.com:1234
    bearer_token_file: /root/prometheus/user_token
    tls_config:
      ca_file: /root/prometheus/ca.crt
  relabel_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
    replacement: https://example.com:1234
  - source_labels: [__meta_kubernetes_node_name]
    regex: (.+)
    target_label: __metrics_path__
    replacement: /api/v1/nodes/${1}/proxy/metrics
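The main problem you are facing is: "unable to use specified CA cert /root/prometheus/ca.crt"
Someone recently ran into the same problem: https://github.com/prometheus/prometheus/issues/6015#issuecomment-532058465
He solved it by reinstalling a new version.
Version 2.13.1 has been released. Try installing the latest version; it may solve your problem too.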
Your ca.crt is most likely still in base64 format, because secrets are encoded that way when you describe them, as described here.
Maybe your ca.crt has some errors. Check your CA cert file and make sure the file format looks like this:
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
I think your ca.crt was obtained with kubectl get serviceaccount -o yaml, but this is a public key of your Kubernetes cluster, so if you want to get the token, you can specify the serviceAccountName in the YAML file of a new Deployment, like this:
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: test
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: test
        version: v1
    spec:
      serviceAccountName: prometheus
      containers:
      - name: test
        image: alpine
        imagePullPolicy: Always
        command: ["ping", "127.0.0.1"]
      imagePullSecrets:
      - name: harbor-secret
      restartPolicy: Always
Then get your token and ca.crt under /var/run/secrets/kubernetes.io/serviceaccount/.
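An added example, not part of the original question or answers: a check for the two conditions the answers raise, a ca.crt that is still base64-encoded and one that lacks the BEGIN/END CERTIFICATE framing. The names classify_ca and fix_ca_file and the sample values are hypothetical; the check covers framing only and does not validate the X.509 content.

```python
import base64
import binascii
import re
import sys

# A PEM certificate block: BEGIN/END markers around base64 body lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)

# Constructed samples: placeholder body, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nTUlJQ2R1bW15\n-----END CERTIFICATE-----\n"
# The same bytes as they appear in the data field of a Secret.
SAMPLE_SECRET_VALUE = base64.b64encode(SAMPLE_PEM)


def classify_ca(data: bytes):
    """Return (kind, pem_bytes) for the contents of a CA file.

    kind is "pem" (usable as ca_file as-is), "base64-pem" (PEM wrapped
    in one more base64 layer) or "invalid" (no certificate block found).
    """
    if PEM_BLOCK.search(data):
        return "pem", data
    try:
        # A Secret value is one base64 string; ignore any line wrapping.
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return "invalid", None
    if PEM_BLOCK.search(decoded):
        return "base64-pem", decoded
    return "invalid", None


def fix_ca_file(src: str, dst: str) -> str:
    """Write a PEM version of src to dst when one can be recovered."""
    with open(src, "rb") as fh:
        kind, pem = classify_ca(fh.read())
    if pem is not None:
        with open(dst, "wb") as fh:
            fh.write(pem)
    return kind


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python check_ca.py ca.crt ca.pem
    print(fix_ca_file(sys.argv[1], sys.argv[2]))
```

If the result is "base64-pem", point ca_file at the decoded output file; if it is "invalid", the file needs to be fetched again.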