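# Scraping etcd with Prometheus (prometheus-operator), using an older etcd release as the example.
# Newer etcd releases serve metrics over plain HTTP on 127.0.0.1:2381 (changeable to 0.0.0.0), so that
# port needs no client certificate. Binding it to 0.0.0.0 exposes an unauthenticated metrics endpoint
# on every node interface; if you do that, restrict reachability (firewall / NetworkPolicy) to the
# Prometheus scrapers only.
vim /etc/kubernetes/manifests/etcd.yaml
#   before: - --listen-metrics-urls=http://127.0.0.1:2381
#   after:  - --listen-metrics-urls=http://0.0.0.0:2381

# 1. Create a Secret holding the client cert, key and CA used to reach etcd over HTTPS.
#    NOTE(review): healthcheck-client.key presumably grants the same etcd access the kubelet health
#    check has; anyone able to read Secrets in the monitoring namespace inherits it, so keep RBAC on
#    that namespace's Secrets tight and rotate this material with the rest of the etcd PKI.
kubectl create secret generic etcd-certs \
  --from-file=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --from-file=/etc/kubernetes/pki/etcd/healthcheck-client.key \
  --from-file=/etc/kubernetes/pki/etcd/ca.crt -n monitoring

# 2. Edit the Prometheus object so the operator mounts the Secret into the Prometheus pods
#    (it appears under /etc/prometheus/secrets/<secret-name>/).
kubectl edit prometheus k8s -n monitoring
#   spec:
#     secrets:
#     - etcd-certs
# Verify the files are present in the pod.
kubectl exec -it prometheus-k8s-0 -n monitoring -- ls /etc/prometheus/secrets/etcd-certs/

# 3. Create a headless Service plus a hand-maintained Endpoints object pointing at the etcd members.
#    Heredoc delimiter is quoted so nothing inside is subject to shell expansion.
cat > etcd-service.yaml << 'EOF'
apiVersion: v1
kind: Service
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: port
    port: 2379
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
subsets:
- addresses:
  - ip: 192.168.200.11
  - ip: 192.168.200.12
  - ip: 192.168.200.13
    # nodeName as written applies only to this last address; set it per address (or drop it) to match your nodes.
    nodeName: etcd-master
  ports:
  - name: port
    port: 2379
    protocol: TCP
EOF
kubectl apply -f etcd-service.yaml

# 4. Create the ServiceMonitor and apply it to the cluster.
cat > etcd-monitor.yaml << 'EOF'
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: etcd-k8s
  namespace: monitoring
  labels:
    k8s-app: etcd-k8s
spec:
  jobLabel: k8s-app
  endpoints:
  - port: port
    interval: 30s
    scheme: https
    tlsConfig:
      caFile: /etc/prometheus/secrets/etcd-certs/ca.crt
      certFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.crt
      keyFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.key
      # The CA is supplied above, so the etcd server certificate is verified against it.
      # (The original guide set this to true, which disables verification and lets any TLS peer
      # impersonate etcd to Prometheus.) If scraping fails with a name/SAN mismatch, add
      # `serverName: <NAME-IN-ETCD-SERVER-CERT>` here instead of turning verification off.
      insecureSkipVerify: false
  selector:
    matchLabels:
      k8s-app: etcd
  namespaceSelector:
    matchNames:
    - kube-system
EOF
kubectl apply -f etcd-monitor.yaml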