Prometheus学习笔记之微服务kube-state-metrics报错
0x00 概述
在K8S集群部署kube-state-metrics微服务的时候,发现容器日志不停刷报错日志,主要报错日志如下:
E0824 13:09:36.768882 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list secrets at the cluster scope E0824 13:09:36.742450 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Job: jobs.batch is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list jobs.batch at the cluster scope E0824 13:09:36.743385 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1beta1.PodDisruptionBudget: poddisruptionbudgets.policy is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list poddisruptionbudgets.policy at the cluster scope E0824 13:09:36.568839 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list endpoints at the cluster scope E0824 13:09:36.379898 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list configmaps at the cluster scope E0824 13:09:36.317600 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v2beta1.HorizontalPodAutoscaler: horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list horizontalpodautoscalers.autoscaling at the cluster scope E0824 13:09:36.316554 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1beta1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list statefulsets.apps at the cluster scope E0824 13:09:36.318569 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list cronjobs.batch at the cluster scope E0824 13:09:35.768772 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list namespaces at the cluster scope E0824 13:09:36.168855 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.PersistentVolume: persistentvolumes is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list persistentvolumes at the cluster scope E0824 13:09:35.742782 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1beta1.PodDisruptionBudget: poddisruptionbudgets.policy is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list poddisruptionbudgets.policy at the cluster scope E0824 13:09:35.568827 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list secrets at the cluster scope E0824 13:09:35.741814 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Job: jobs.batch is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list jobs.batch at the cluster scope E0824 13:09:35.968853 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.PersistentVolumeClaim: persistentvolumeclaims is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list persistentvolumeclaims at the cluster scope E0824 13:09:35.318064 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1beta1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list cronjobs.batch at the cluster scope E0824 13:09:35.368786 1 reflector.go:205] k8s.io/kube-state-metrics/pkg/collectors/builder.go:508: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:monitoring:kube-state-metrics" cannot list endpoints at the cluster scope
发现是kube-state-metrics在集群权限不足;
在github上下载的yaml文件在执行clusterrolebing那一步,并没有给kube-state-metrics提供cluster层级的权限;
0x02 给kube-state-metrics赋权cluster-admin
执行如下命令,给system:serviceaccount:monitoring:kube-state-metrics做clusterrolebing
kubectl create clusterrolebinding kube-state-metrics-admin-binding \
--clusterrole=cluster-admin \
--user=system:serviceaccount:monitoring:kube-state-metrics
分类:
Prometheus监控学习笔记
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· Manus的开源复刻OpenManus初探
· AI 智能体引爆开源社区「GitHub 热点速览」
· 三行代码完成国际化适配,妙~啊~
· .NET Core 中如何实现缓存的预热?
2019-08-26 Prometheus监控学习笔记之Prometheus 2.x版本的常用变化