转载说明:
- 原创内容,请注明出处
官方提供了 Prometheus的端到端 Kubernetes 集群监控部署工具 kube-prometheus
包含如下组件:
- The Prometheus Operator
- Highly available Prometheus
- Highly available Alertmanager
- Prometheus node-exporter
- Prometheus blackbox-exporter
- Prometheus Adapter for Kubernetes Metrics APIs
- kube-state-metrics
- Grafana
1. 检查kubelet配置
默认情况下,kubelet 使用 token 身份验证和授权,否则 Prometheus 需要客户端证书,该证书赋予它对 kubelet 的完全访问权限,而不仅仅是 metrics。token 身份验证和授权可以实现更细粒度、更轻松的访问控制。
在控制平面查看 所有节点 的 kubelet 两项配置
authentication.webhook.enabled是否为trueauthorization.mode是否为Webhook
bash
# k8s-control是我控制平面的node name
$ kubectl get --raw /api/v1/nodes/k8s-control/proxy/configz | jq .kubeletconfig.authentication.webhook.enabled
true
$ kubectl get --raw /api/v1/nodes/k8s-control/proxy/configz | jq .kubeletconfig.authorization.mode
"Webhook"
# k8s-worker-1是我工作节点的node name
$ kubectl get --raw /api/v1/nodes/k8s-worker-1/proxy/configz | jq .kubeletconfig.authentication.webhook.enabled
true
$ kubectl get --raw /api/v1/nodes/k8s-worker-1/proxy/configz | jq .kubeletconfig.authorization.mode
"Webhook"2. 拉取 kube-prometheus 到控制平面
bash
git clone git@github.com:prometheus-operator/kube-prometheus.git3. 修改副本数
默认考虑到高可用,部分组件会多副本部署,但作为学习环境可以将副本数改为1节省云资源
bash
# 一般只有这三个组件使用多副本(node-exporter特殊)
vim ./manifests/prometheus-prometheus.yaml
vim ./manifests/prometheusAdapter-deployment.yaml
vim ./manifests/alertmanager-alertmanager.yaml特殊 :node-exporter 组件使用来收集节点级指标的,因此必须在每个节点部署,不要去修改副本数
4. 部署
bash
cd kube-prometheus
kubectl apply --server-side -f manifests/setup
kubectl wait \
--for condition=Established \
--all CustomResourceDefinition \
--namespace=monitoring
kubectl apply -f manifests/5. 通过 Ingress 暴露 Web
5.1. 修改 Web 端 URL
bash
# 修改 Prometheus web url
$ vim ./manifests/prometheus-prometheus.yaml
## spec下添加如下项
spec:
externalUrl: 'http://your-domain.com/prometheus'
---
# 修改 alertmanager web url
$ vim ./manifests/alertmanager-alertmanager.yaml
## spec下添加如下项
spec:
externalUrl: 'http://your-domain.com/alertmanager'
---
# 修改 grafana web url
$ vim ./manifests/grafana-deployment.yaml
## spec.template.spec.containers.env下添加环境变量
- name: GF_SERVER_ROOT_URL
value: "http://your-domain.com/grafana"
- name: GF_SERVER_SERVE_FROM_SUB_PATH
value: "true"5.2. 更新网络策略
bash
# 允许ingress-nginx的pod访问 grafana svc
$ vim ./manifests/grafana-networkPolicy.yaml
## 在spec.podSelector.matchLabels中添加一行
spec:
...
podSelector:
matchLabels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/name: ingress-nginx # 添加这行
## 应用资源修改
$ kubectl apply -f ./manifests/grafana-networkPolicy.yaml
---
# 允许ingress-nginx的pod访问 alertmanager svc
$ vim ./manifests/alertmanager-networkPolicy.yaml
## 在spec.podSelector.matchLabels中添加一行
spec:
...
podSelector:
matchLabels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/name: ingress-nginx # 添加这行
## 应用资源修改
$ kubectl apply -f ./manifests/alertmanager-networkPolicy.yaml5.3. 创建ingress资源
如下为 prometheus 的 ingress manifest ,grafana 和 alertmanager 类似
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prometheus-ingress
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
ingressClassName: nginx
tls:
- hosts:
- your-domain.com
secretName: your-tls-secret
rules:
- host: "your-domain.com"
http:
paths:
- path: /prometheus/?(.*)
pathType: Prefix
backend:
service:
name: prometheus-k8s
port:
number: 9090创作不易,希望大家多多支持,文章持续更新,我们下期见.
程序员白话 | [原创]
点关注不迷路
可以抖音搜索「程序员白话」,大家有任何问题都可以私聊我,知无不言~