Prometheus: monitoring an etcd cluster with Prometheus-Operator

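1. Environment

  • kubeadm Kubernetes 1.15
  • etcd is also deployed as a pod inside the cluster and exposes its own metrics endpoint
  • Prometheus-Operator

2. Monitoring the etcd cluster

2.1 Check the metrics endpoint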

# https
	# curl --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key https://127.0.0.1:2379/metrics -k
	
# http
	# curl -L http://localhost:2379/metrics

2.2 Inspect the etcd pod to find the certificates it uses

# kubectl describe pods -n kube-system etcd-wt-rd-k8s-control-plane-01-beijing
Name:                 etcd-wt-rd-k8s-control-plane-01-beijing
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 wt-rd-k8s-control-plane-01-beijing/10.2.3.141
Start Time:           Thu, 27 May 2021 07:19:25 +0000
Labels:               component=etcd
                      tier=control-plane
Annotations:          kubernetes.io/config.hash: 2c510faa262b7e6cc922f5c10917a5a4
                      kubernetes.io/config.mirror: 2c510faa262b7e6cc922f5c10917a5a4
                      kubernetes.io/config.seen: 2019-09-03T07:15:31.882345426Z
                      kubernetes.io/config.source: file
Status:               Running
IP:                   10.2.3.141
Containers:
  etcd:
    Container ID:  docker://7c0fece5de2b5ea89b5b648bebf2f076320d379500ee2f677dd0619963449bc5
    Image:         k8s.gcr.io/etcd:3.3.10
    Image ID:      docker://sha256:2c4adeb21b4ff8ed3309d0e42b6b4ae39872399f7b37e0856e673b13c4aba13d
    Port:          <none>
    Host Port:     <none>
    Command:
      etcd
      --advertise-client-urls=https://10.2.3.141:2379
      --cert-file=/etc/kubernetes/pki/etcd/server.crt
      --client-cert-auth=true
      --data-dir=/var/lib/etcd
      --initial-advertise-peer-urls=https://10.2.3.141:2380
      --initial-cluster=wt-rd-k8s-control-plane-01-beijing=https://10.2.3.141:2380
      --key-file=/etc/kubernetes/pki/etcd/server.key
      --listen-client-urls=https://127.0.0.1:2379,https://10.2.3.141:2379
      --listen-peer-urls=https://10.2.3.141:2380
      --name=wt-rd-k8s-control-plane-01-beijing
      --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
      --peer-client-cert-auth=true
      --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
      --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
      --snapshot-count=10000
      --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt

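2.3 Use kubectl to store the three certificate files in a Kubernetes Secret

  • As the output above shows, the certificates etcd uses all live in /etc/kubernetes/pki/etcd/ on the corresponding node. So first save the certificates we need into the cluster as a Secret object. Because etcd runs with --client-cert-auth=true, healthcheck-client.key is a credential etcd accepts, so anyone who can read this Secret can authenticate to etcd as that client: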
# kubectl -n monitoring create secret generic etcd-certs  \
--from-file=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
--from-file=/etc/kubernetes/pki/etcd/healthcheck-client.key \
--from-file=/etc/kubernetes/pki/etcd/ca.crt

2.4 Add the etcd-certs Secret to the Prometheus resource

# kubectl edit prometheus k8s -n monitoring

# Add the secrets property as follows:
  nodeSelector:
    kubernetes.io/os: linux
  podMonitorSelector: {}
  replicas: 2
  # Add the following two lines
  secrets:
  - etcd-certs
  
# Once the update is applied, the etcd certificate files created earlier are available inside the Prometheus pods. First look up the pod names
kubectl get po -n monitoring 
NAME                                  READY   STATUS    RESTARTS   AGE
...
prometheus-k8s-0                      3/3     Running   1          2m20s
prometheus-k8s-1                      3/3     Running   1          3m19s
...

# Enter the two containers and check the exact path of the certificates
kubectl exec -it prometheus-k8s-0 /bin/sh -n monitoring
Defaulting container name to prometheus.
Use 'kubectl describe pod/prometheus-k8s-0 -n monitoring' to see all of the containers in this pod.
/prometheus $ ls /etc/prometheus/secrets/etcd-certs/
ca.crt                  healthcheck-client.crt  healthcheck-client.key

2.5 Create the ServiceMonitor

MonitorEtcd# cat prometheus-serviceMonitorEtcd.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: etcd-k8s
  namespace: monitoring
  labels:
    k8s-app: etcd-k8s
spec:
  jobLabel: k8s-app
  endpoints:
  - port: port
    interval: 15s
    scheme: https
    tlsConfig:
      caFile: /etc/prometheus/secrets/etcd-certs/ca.crt
      certFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.crt
      keyFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.key
      # insecureSkipVerify is a tlsConfig field; true turns off verification of the etcd server certificate
      insecureSkipVerify: true
  selector:
    matchLabels:
      k8s-app: etcd
  namespaceSelector:
    matchNames:
    - kube-system
	
# kubectl apply -f prometheus-serviceMonitorEtcd.yaml 
	servicemonitor.monitoring.coreos.com/etcd-k8s created

2.6 Create the Service

  • The ServiceMonitor has been created; now a matching Service object is needed. The contents of prometheus-etcdService.yaml are as follows:
MonitorEtcd# cat prometheus-etcdService.yaml
apiVersion: v1
kind: Service
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
spec:
  type: ClusterIP
  clusterIP: None  # Set to None so that no Service IP is allocated
  ports:
  - name: port
    port: 2379
---
apiVersion: v1
kind: Endpoints
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
subsets:
- addresses:
  - ip: 10.2.3.141   # etcd node address; for a cluster, keep adding addresses below
  - ip: 10.2.3.179
  - ip: 10.2.4.121
  ports:
  - name: port
    port: 2379            # etcd port
    protocol: TCP
	
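# The etcd cluster is independent of the cluster, so an Endpoints object has to be defined. The metadata section of the Endpoints must match that of the Service, and the Service's clusterIP must be set to None.
# Fill in the etcd addresses in the subsets of the Endpoints; for a cluster, add multiple addresses under the addresses property.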

# kubectl apply -f prometheus-etcdService.yaml 
	service/etcd-k8s created
	endpoints/etcd-k8s created
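
The manifests in 2.5 and 2.6 only produce a scrape target when the namespace, labels, object names and port name line up. The following added example (not part of the original post) lints the three objects as parsed-YAML dicts and also flags insecureSkipVerify; the `lint` function and the sample dicts are constructed for illustration.

```python
def lint(sm, svc, eps):
    """Return findings for a ServiceMonitor/Service/Endpoints trio (parsed-YAML dicts)."""
    out = []
    # Prometheus only discovers Services in the namespaces the ServiceMonitor names.
    if svc["metadata"]["namespace"] not in sm["spec"]["namespaceSelector"]["matchNames"]:
        out.append("Service namespace is not in namespaceSelector.matchNames")
    # Every matchLabels pair must be present on the Service.
    labels = svc["metadata"].get("labels", {})
    if any(labels.get(k) != v for k, v in sm["spec"]["selector"]["matchLabels"].items()):
        out.append("Service labels do not satisfy selector.matchLabels")
    # A selector-less Service is backed by the Endpoints with the same name and namespace.
    for key in ("name", "namespace"):
        if svc["metadata"][key] != eps["metadata"][key]:
            out.append(f"Endpoints {key} differs from Service {key}")
    svc_ports = {p.get("name") for p in svc["spec"]["ports"]}
    eps_ports = {p.get("name") for s in eps["subsets"] for p in s["ports"]}
    for ep in sm["spec"]["endpoints"]:
        if ep.get("port") not in (svc_ports & eps_ports):
            out.append(f"port {ep.get('port')!r} is not named on both Service and Endpoints")
        if "insecureSkipVerify" in ep:  # only tlsConfig has this field
            out.append("insecureSkipVerify is set outside tlsConfig")
        if ep.get("tlsConfig", {}).get("insecureSkipVerify"):
            out.append("insecureSkipVerify=true: etcd server certificate is not verified")
    return out

# Constructed sample mirroring the manifests in sections 2.5 and 2.6.
META = {"name": "etcd-k8s", "namespace": "kube-system", "labels": {"k8s-app": "etcd"}}
PORT = {"name": "port", "port": 2379}
SERVICE = {"metadata": dict(META), "spec": {"clusterIP": "None", "ports": [dict(PORT)]}}
ENDPOINTS = {"metadata": dict(META), "subsets": [
    {"addresses": [{"ip": "10.2.3.141"}], "ports": [dict(PORT, protocol="TCP")]}]}
SERVICE_MONITOR = {"spec": {
    "endpoints": [{"port": "port", "scheme": "https", "tlsConfig": {
        "caFile": "/etc/prometheus/secrets/etcd-certs/ca.crt",
        "insecureSkipVerify": True}}],
    "selector": {"matchLabels": {"k8s-app": "etcd"}},
    "namespaceSelector": {"matchNames": ["kube-system"]}}}

if __name__ == "__main__":
    for finding in lint(SERVICE_MONITOR, SERVICE, ENDPOINTS):
        print("FINDING:", finding)
```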

3. View the Prometheus rules and import the etcd dashboard into Grafana

3.1 View the Prometheus rules


3.2 Import the etcd dashboard into Grafana
