NO.Z.00340 | Troubleshooting | Kubernetes & Ops V57 | Prometheus v02 | Service discovery v02 | Creating a ClusterRoleBinding
阿新 • Published: 2022-04-01
[CloudNative: Kubernetes & Ops V57] [Applications.Kubernetes] [Alertmanager | Prometheus service discovery | discovering the ratel address krm.test.com]
1. Create a ClusterRoleBinding and check whether Prometheus is retrieving data correctly
### --- Symptom: fixing "failed to list *v1beta1.Ingress"
~~~ Check the Prometheus logs for error messages
[root@k8s-master01 discovery]# kubectl get po -n monitoring
NAME READY STATUS RESTARTS AGE
prometheus-k8s-0 3/3 Running 1 20h
2. Error analysis
~~~ It reports the error Failed to list *v1beta1.Ingress
~~~ because Prometheus has no permission to view the ingresses in the Kubernetes cluster
[root@k8s-master01 discovery]# kubectl logs -f prometheus-k8s-0 -n monitoring prometheus
level=error ts=2021-05-29T06:19:00.719Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:317: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"ingresses\" in API group \"extensions\" at the cluster scope"
### --- Error analysis:
~~~ # Error analysis: Failed to list *v1beta1.Ingress;
~~~ a ClusterRoleBinding needs to be added that binds a role to the ServiceAccount;
~~~ the ratel-resource-readonly role carries fairly broad permissions
### --- View the permissions of ratel-resource-readonly
[root@k8s-master01 discovery]# kubectl get clusterrole
NAME CREATED AT
ratel-resource-readonly 2021-05-29T04:11:35Z
### --- View the permissions
~~~ The permissions include ingresses
[root@k8s-master01 discovery]# kubectl get clusterrole ratel-resource-readonly -oyaml
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
### --- Assign this clusterrole to the prometheus-k8s ServiceAccount,
~~~ # that is, the Prometheus container:
~~~ the container runs as this ServiceAccount,
~~~ so the container holds the permissions of the Prometheus ServiceAccount,
~~~ and therefore gains permission to view the cluster's ingresses
[root@k8s-master01 discovery]# kubectl get po -n monitoring
NAME READY STATUS RESTARTS AGE
prometheus-k8s-0 3/3 Running 1 20h
[root@k8s-master01 discovery]# kubectl get po -n monitoring -oyaml | grep prometheus-k8s
hostname: prometheus-k8s-0
serviceAccount: prometheus-k8s
serviceAccountName: prometheus-k8s
3. Solution
### --- Solution: create a ClusterRoleBinding
~~~ # Fixing the reported error
~~~ Bind this ClusterRole, **name: ratel-resource-readonly**,
~~~ to this **ServiceAccount: name: prometheus-k8s**
[root@k8s-master01 discovery]# vim ingress-view.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-discovery
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
- namespace: monitoring
  kind: ServiceAccount
  name: prometheus-k8s
### --- Create the ClusterRoleBinding
[root@k8s-master01 discovery]# kubectl create -f ingress-view.yaml
clusterrolebinding.rbac.authorization.k8s.io/prometheus-discovery created
### --- Check the log output
~~~ The Failed to list *v1beta1.Ingress error message no longer appears
[root@k8s-master01 discovery]# kubectl logs -f prometheus-k8s-0 -n monitoring prometheus
level=error ts=2021-05-29T07:01:53.338Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:317: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"ingresses\" in API group \"extensions\" at the cluster scope"
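As an added example that is not part of the original post, the following manifest is a narrower alternative to binding the broad ratel-resource-readonly role: a ClusterRole that grants only the read access Prometheus' Kubernetes ingress discovery needs, bound to the same prometheus-k8s ServiceAccount from the page. The role and binding names (prometheus-ingress-reader, prometheus-ingress-discovery) and the inclusion of the networking.k8s.io API group alongside the extensions group named in the error are assumptions, not taken from the page.

```yaml
# Added example: least-privilege alternative to binding ratel-resource-readonly.
# Role and binding names are assumed; the page only shows the prometheus-k8s ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-ingress-reader
rules:
# Service discovery only lists and watches ingresses; it never modifies them,
# so no create/update/delete verbs are granted.
- apiGroups:
  - extensions          # API group named in the error on this page
  - networking.k8s.io   # assumed: group that serves ingresses on newer clusters
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped, so no metadata.namespace is set here.
  name: prometheus-ingress-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-ingress-reader
subjects:
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: monitoring
```

Apply it with `kubectl apply -f` and verify the effect from the ServiceAccount's point of view with `kubectl auth can-i list ingresses.extensions --as=system:serviceaccount:monitoring:prometheus-k8s`, which should answer "no" before the binding exists and "yes" afterwards; this is the same access the log message on this page reports as forbidden, checked without waiting for Prometheus to retry the list.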