一、前言
在集群外部prometheus想要调用k8s集群的apiserver获取监控数据需要通过token和ca验证,在集群内部部署的prometheus就不会有这个情况,因为集群内部部署prometheus pod的时候就已经注入了访问集群的token和ca文件,所以以下就针对k8s集群外部署的prometheus创建token和ca文件使得prometheus能够访问k8s集群的apiserver获取监控数据
二、k8s集群创建RBAC对象
vi prometheus-rabc.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus
namespace: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups:
- ""
resources:
- nodes
- services
- endpoints
- pods
- nodes/proxy
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- nodes/metrics
verbs:
- get
- nonResourceURLs:
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: prometheus创建命名空间
kubectl create namespace prometheus
创建rbac
kubectl create -f prometheus-rabc.yaml
在新版本的k8s中创建ServiceAccount不会默认创建secret,需要自己手动创建
vi prometheus-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: prometheus
namespace: prometheus
annotations:
kubernetes.io/service-account.name: prometheus #这里需要填写创建的ServiceAccount的名称
type: kubernetes.io/service-account-token查看token
kubectl describe secret prometheus -n prometheus
查看一下ServiceAccount
kubectl describe sa prometheus -n prometheus
prometheus调用k8s集群接口获取监控数据,使用以上的token和集群ca证书即可
k8s集群的ca证书在以下目录中
ls /etc/kubenetes/pki
