• kubernetes operator 监控etcd集群(二进制安装的k8s)


    1)建立一个ServiceMonitor对象,用于Prometheus添加监控项
    查看etcd引用的证书文件
    [root@k8s-master diy]# find / -name etcd.service
    /sys/fs/cgroup/devices/system.slice/etcd.service
    /sys/fs/cgroup/pids/system.slice/etcd.service
    /sys/fs/cgroup/memory/system.slice/etcd.service
    /sys/fs/cgroup/blkio/system.slice/etcd.service
    /sys/fs/cgroup/cpu,cpuacct/system.slice/etcd.service
    /sys/fs/cgroup/systemd/system.slice/etcd.service
    /etc/systemd/system/multi-user.target.wants/etcd.service
    /usr/lib/systemd/system/etcd.service


    [root@k8s-master diy]# cat /usr/lib/systemd/system/etcd.service
    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target
    [Service]
    Type=notify
    EnvironmentFile=/opt/etcd/cfg/etcd.conf
    ExecStart=/opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem --logger=zap
    Restart=on-failure
    LimitNOFILE=65536
    [Install]
    WantedBy=multi-user.target

    主要用到这3个证书
    --cert-file=/opt/etcd/ssl/server.pem
    --key-file=/opt/etcd/ssl/server-key.pem
    --trusted-ca-file=/opt/etcd/ssl/ca.pem

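    创建一个Secret,供Prometheus的Pod挂载。注意:这里把etcd的服务端证书和私钥(server.pem / server-key.pem)当作客户端证书使用,私钥会以Secret的形式保存在monitoring命名空间里;更稳妥的做法是用同一个CA另签一张仅供监控使用的客户端证书,并限制对该Secret的读取权限。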
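    # Package the etcd TLS files into a Secret that the Prometheus pods can mount.
    # The trailing backslashes are required: without them the shell creates the
    # Secret with no data and then tries to run each --from-file line as its own
    # command.
    # NOTE(review): server-key.pem is the etcd server's private key. Prefer a
    # dedicated monitoring client certificate/key signed by the same CA, and
    # restrict who can read Secrets in the monitoring namespace.
    kubectl -n monitoring create secret generic etcd-certs \
      --from-file=/opt/etcd/ssl/server.pem \
      --from-file=/opt/etcd/ssl/server-key.pem \
      --from-file=/opt/etcd/ssl/ca.pem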

    2)先让Prometheus挂载etcd证书,再创建ServiceMonitor,并为其关联提供metrics数据接口的Service对象
    vim prometheus-prometheus.yaml
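    # Prometheus custom resource for the monitoring stack, with the nesting restored
    # (the flattened listing is not valid as a manifest). The only change made in
    # this step is the `secrets` entry under spec.
    apiVersion: monitoring.coreos.com/v1
    kind: Prometheus
    metadata:
      labels:
        prometheus: k8s
      name: k8s
      namespace: monitoring
    spec:
      alerting:
        alertmanagers:
        - name: alertmanager-main
          namespace: monitoring
          port: web
      image: quay.io/prometheus/prometheus:v2.19.2
      nodeSelector:
        kubernetes.io/os: linux
      podMonitorNamespaceSelector: {}
      podMonitorSelector: {}
      replicas: 2
      resources:
        requests:
          memory: 400Mi
      ruleSelector:
        matchLabels:
          prometheus: k8s
          role: alert-rules
      # Added in this step: mount the etcd-certs Secret so Prometheus can use the
      # etcd certificates. The files appear in the pod under
      # /etc/prometheus/secrets/etcd-certs/.
      # NOTE(review): the Secret contains a private key; anyone who can exec into
      # these pods or read Secrets in this namespace can read it.
      secrets:
      - etcd-certs
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: prometheus-k8s
      # Empty selectors match ServiceMonitors in every namespace.
      serviceMonitorNamespaceSelector: {}
      serviceMonitorSelector: {}
      version: v2.19.2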


    kubectl apply -f prometheus-prometheus.yaml
    #等到pod重启后,进入pod查看是否可以看到证书
    kubectl exec -it -n monitoring prometheus-k8s-0 -- /bin/sh

    /prometheus $ ls -l /etc/prometheus/secrets/etcd-certs/
    total 0
    lrwxrwxrwx 1 root root 13 Jul 20 04:01 ca.pem -> ..data/ca.pem
    lrwxrwxrwx 1 root root 21 Jul 20 04:01 server-key.pem -> ..data/server-key.pem
    lrwxrwxrwx 1 root root 17 Jul 20 04:01 server.pem -> ..data/server.pem

    创建 ServiceMonitor
    vim prometheus-serviceMonitorEtcd.yaml
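    # ServiceMonitor that makes Prometheus scrape etcd over HTTPS through the
    # etcd-k8s Service in kube-system. Nesting is restored from the flattened
    # listing.
    apiVersion: monitoring.coreos.com/v1
    kind: ServiceMonitor
    metadata:
      name: etcd-k8s
      namespace: monitoring
      labels:
        k8s-app: etcd-k8s
    spec:
      # The value of the Service's k8s-app label becomes the Prometheus job name.
      jobLabel: k8s-app
      endpoints:
      - port: port            # must match the port *name* on the Service
        interval: 30s
        scheme: https
        tlsConfig:
          # Paths inside the Prometheus container (mounted from the etcd-certs
          # Secret), not paths on the etcd hosts.
          caFile: /etc/prometheus/secrets/etcd-certs/ca.pem
          certFile: /etc/prometheus/secrets/etcd-certs/server.pem
          keyFile: /etc/prometheus/secrets/etcd-certs/server-key.pem
          # Verify the etcd server certificate against caFile. Setting this to true
          # would make caFile meaningless and accept any endpoint answering on the
          # target address. If verification fails because the certificate has no
          # SAN for the endpoint IPs, set `serverName` to a name the certificate
          # does carry instead of disabling verification.
          insecureSkipVerify: false
      selector:
        matchLabels:
          k8s-app: etcd
      namespaceSelector:
        matchNames:
        - kube-system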
    注:此文件内的证书路径是Prometheus容器(如prometheus-k8s-0)内挂载的etcd证书路径,而不是etcd主机上的/opt/etcd/ssl路径。

    kubectl apply -f prometheus-serviceMonitorEtcd.yaml

    创建 Service
    vim prometheus-etcdService.yaml
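    # Headless Service plus hand-written Endpoints for etcd. The Service has no
    # selector, so the Endpoints object with the same name and namespace supplies
    # the member addresses. Nesting is restored from the flattened listing.
    apiVersion: v1
    kind: Service
    metadata:
      name: etcd-k8s
      namespace: kube-system
      labels:
        k8s-app: etcd          # matched by the ServiceMonitor's selector
    spec:
      type: ClusterIP
      clusterIP: None
      ports:
      - name: port             # referenced by name from the ServiceMonitor endpoint
        port: 2379
        protocol: TCP
    ---
    apiVersion: v1
    kind: Endpoints
    metadata:
      name: etcd-k8s           # must equal the Service name
      namespace: kube-system
      labels:
        k8s-app: etcd
    subsets:
    - addresses:
      # Addresses of the etcd members; replace with the values for your cluster.
      - ip: 10.1.9.170
        nodeName: k8s-master
      - ip: 10.1.9.171
        nodeName: k8s-node1
      - ip: 10.1.9.172
        nodeName: k8s-node2
      ports:
      # NOTE(review): 2379 is etcd's default client port, so scraping it needs
      # etcd client credentials. etcd can serve /metrics on a separate listener
      # via --listen-metrics-urls; consider that if Prometheus should not hold
      # credentials that are also valid for the key-value API.
      - name: port
        port: 2379
        protocol: TCP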

    kubectl apply -f prometheus-etcdService.yaml

  • 原文地址:https://www.cnblogs.com/ccielife/p/13366076.html