Prometheus监控神技--自动发现配置

作者：@skyflask
转载本文请注明出处：https://www.cnblogs.com/skyflask/p/11498834.html

---

目录

一、自动发现类型
1、Node
2、Service
3、Pod
4、endpoints
5、ingress
二、自动发现Pod配置
1、创建发现规则
2、创建对应的Secret对象
3、promethues添加资源对象
4、应用配置
5、添加权限

一、自动发现类型

在上一篇文中留了一个坑：

 

监控某个statefulset服务的时候，我在service文件中定义了个EP，然后把pod的ip写死在配置文件中，这样，当pod重启后，IP地址变化，就监控不到数据了，这肯定是不合理的。

如果在我们的 Kubernetes 集群中有了很多的 Service/Pod，那么我们都需要一个一个的去建立一个对应的 ServiceMonitor 对象来进行监控吗？这样岂不是也很麻烦么？

为解决上面的问题，Prometheus Operator 为我们提供了一个额外的抓取配置的来解决这个问题，我们可以通过额外的配置来获取k8s的资源监控（pod、service、node等）。

promethues支持多种文件发现。

 

 其中通过kubernetes_sd_configs，可以达到我们想要的目的，监控其各种资源。kubernetes SD 配置允许从kubernetes REST API接受搜集指标，且总是和集群保持同步状态，以下任何一种role类型都能够配置来发现我们想要的对象，来自官网翻译的。

1、Node

Node role发现每个集群中的目标是通过默认的kubelet的HTTP端口。目标地址默认是kubernetes如下地址中node的第一个地址（NodeInternalIP, NodeExternalIP,NodeLegacyHostIP, and NodeHostName.）

可用的meta标签有：

?

1 2 3 4 5 6

__meta_kubernetes_node_name: The name of the node object. __meta_kubernetes_node_label_<labelname>: Each label from the node object. __meta_kubernetes_node_labelpresent_<labelname>: true for each label from the node object. __meta_kubernetes_node_annotation_<annotationname>: Each annotation from the node object. __meta_kubernetes_node_annotationpresent_<annotationname>: true for each annotation from the node object. __meta_kubernetes_node_address_<address_type>: The first address for each node address type, if it exists.

此外，node的实例标签将会被设置成从API server传递过来的node的name。

2、Service

service角色会为每个服务发现一个服务端口。对于黑盒监控的服务，这个比较有用。address将会被设置成service的kubernetes DNS名称以及各自的服务端口。

Available meta labels:

?

1 2 3 4 5 6 7 8 9 10

__meta_kubernetes_namespace: The namespace of the service object. __meta_kubernetes_service_annotation_<annotationname>: Each annotation from the service object. __meta_kubernetes_service_annotationpresent_<annotationname>: "true" for each annotation of the service object. __meta_kubernetes_service_cluster_ip: The cluster IP address of the service. (Does not apply to services of type ExternalName) __meta_kubernetes_service_external_name: The DNS name of the service. (Applies to services of type ExternalName) __meta_kubernetes_service_label_<labelname>: Each label from the service object. __meta_kubernetes_service_labelpresent_<labelname>: true for each label of the service object. __meta_kubernetes_service_name: The name of the service object. __meta_kubernetes_service_port_name: Name of the service port for the target. __meta_kubernetes_service_port_protocol: Protocol of the service port for the target.

　　

3、Pod

Pod role会发现所有pods以及暴露的容器作为target。每个容器声明一个端口，一个单独的target就会生成。如果一个容器没有指定端口，通过relabel手动指定一个端口，一个port-free target容器将会生成。

Available meta labels:

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

__meta_kubernetes_namespace: The namespace of the pod object. __meta_kubernetes_pod_name: The name of the pod object. __meta_kubernetes_pod_ip: The pod IP of the pod object. __meta_kubernetes_pod_label_<labelname>: Each label from the pod object. __meta_kubernetes_pod_labelpresent_<labelname>: truefor each label from the pod object. __meta_kubernetes_pod_annotation_<annotationname>: Each annotation from the pod object. __meta_kubernetes_pod_annotationpresent_<annotationname>: true for each annotation from the pod object. __meta_kubernetes_pod_container_init: true if the container is an InitContainer __meta_kubernetes_pod_container_name: Name of the container the target address points to. __meta_kubernetes_pod_container_port_name: Name of the container port. __meta_kubernetes_pod_container_port_number: Number of the container port. __meta_kubernetes_pod_container_port_protocol: Protocol of the container port. __meta_kubernetes_pod_ready: Set to true or false for the pod's ready state. __meta_kubernetes_pod_phase: Set to Pending, Running, Succeeded, Failed or Unknown in the lifecycle. __meta_kubernetes_pod_node_name: The name of the node the pod is scheduled onto. __meta_kubernetes_pod_host_ip: The current host IP of the pod object. __meta_kubernetes_pod_uid: The UID of the pod object. __meta_kubernetes_pod_controller_kind: Object kind of the pod controller. __meta_kubernetes_pod_controller_name: Name of the pod controller.

　　

4、endpoints

endpoints role从每个服务监听的endpoints发现。每个endpoint都会发现一个port。如果endpoint是一个pod，所有包含的容器不被绑定到一个endpoint port，也会被targets被发现。

Available meta labels:

?

1 2 3 4 5 6 7 8 9 10 11 12

__meta_kubernetes_namespace: The namespace of the endpoints object. __meta_kubernetes_endpoints_name: The names of the endpoints object. For all targets discovered directly from the endpoints list (those not additionally inferred from underlying pods), the following labels are attached: __meta_kubernetes_endpoint_hostname: Hostname of the endpoint. __meta_kubernetes_endpoint_node_name: Name of the node hosting the endpoint. __meta_kubernetes_endpoint_ready: Set to true or false for the endpoint's ready state. __meta_kubernetes_endpoint_port_name: Name of the endpoint port. __meta_kubernetes_endpoint_port_protocol: Protocol of the endpoint port. __meta_kubernetes_endpoint_address_target_kind: Kind of the endpoint address target. __meta_kubernetes_endpoint_address_target_name: Name of the endpoint address target. If the endpoints belong to a service, all labels of the role: service discovery are attached. For all targets backed by a pod, all labels of the role: pod discovery are attached.

　　

5、ingress

ingress role将会发现每个ingress。ingress在黑盒监控上比较有用。address将会被设置成ingress指定的配置。

Available meta labels:

?

1 2 3 4 5 6 7 8

__meta_kubernetes_namespace: The namespace of the ingress object. __meta_kubernetes_ingress_name: The name of the ingress object. __meta_kubernetes_ingress_label_<labelname>: Each label from the ingress object. __meta_kubernetes_ingress_labelpresent_<labelname>: true for each label from the ingress object. __meta_kubernetes_ingress_annotation_<annotationname>: Each annotation from the ingress object. __meta_kubernetes_ingress_annotationpresent_<annotationname>: true for each annotation from the ingress object. __meta_kubernetes_ingress_scheme: Protocol scheme of ingress, https if TLS config is set. Defaults to http. __meta_kubernetes_ingress_path: Path from ingress spec. Defaults to /.

　　

二、自动发现Pod配置

比如业务上有一个微服务，类型为statefulset，启动后是2个pod的副本集，pod暴露的数据接口为http://pod_ip:7000/metrics。由于pod每次重启后，ip都会变化，所以只能通过自动发现的方式获取数据。

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69

apiVersion: apps/v1   kind: StatefulSet metadata:   labels:     run: jx3recipe   name: jx3recipe   annotations:     prometheus.io/scrape: "true" spec:   selector:     matchLabels:       app: jx3recipe   serviceName: jx3recipe-service   replicas: 2   template:     metadata:       labels:         app: jx3recipe         appCluster: jx3recipe-cluster     spec:       terminationGracePeriodSeconds: 20       containers:       - image: hub.kce.ooo.com/jx3pvp/jx3recipe:qa-latest         imagePullPolicy: Always         securityContext:           runAsUser: 1000         name: jx3recipe         lifecycle:           preStop:             exec:               command: ["kill","-s","SIGINT","1"]         volumeMounts:         - name: config-volume           mountPath: /data/conf.yml           subPath: conf.yml         resources:           requests:             cpu: "100m"             memory: "500Mi"         env:         - name: JX3PVP_ENV           value: "qa"         - name: JX3PVP_RUN_MODE           value: "k8s"         - name: JX3PVP_SERVICE_ID           valueFrom:             fieldRef:               fieldPath: metadata.name         - name: JX3PVP_LOCAL_IP           valueFrom:             fieldRef:               fieldPath: status.podIP         - name: JX3PVP_CONSUL_IP           value: $(CONSUL_AGENT_SERVICE_HOST)         ports:             - name: biz               containerPort: 8000               protocol: "TCP"             - name: admin               containerPort: 7000               protocol: "TCP"       volumes:         - name: config-volume           configMap:             name: app-configure-file-jx3recipe             items:             - key: jx3recipe.yml               path: conf.yml

　　

1、创建发现规则

设定发现pod规则：文件名为promethues-additional.yaml

• pod名称的label为jx3recipe
• pod的label_appCluster匹配为 jx3recipe-cluster
• pod的address为http://.*:7000/metrics格式

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

- job_name: 'kubernetes-service-pod'   kubernetes_sd_configs:   - role: pod   relabel_configs:   - source_labels: [__meta_kubernetes_pod_container_name]     action: replace     target_label: jx3recipe   - action: labelmap     regex: __meta_kubernetes_pod_label_(.+)   - source_labels:  ["__meta_kubernetes_pod_label_appCluster"]     regex: "jx3recipe-cluster"     action: keep   - source_labels: [__address__]     action: keep     regex: '(.*):7000'

　　

2、创建对应的Secret对象

?

1	kubectl create secret generic additional-configs --from-file=prometheus-additional.yaml -n monitoring

　

创建完成后，会将上面配置信息进行 base64 编码后作为 prometheus-additional.yaml 这个 key 对应的值存在：

?

1 2 3 4 5 6 7 8 9 10 11 12

apiVersion: v1 data:   prometheus-additional.yaml: LSBqb2JfbmFtZTogJ2t1YmVybmV0ZXMtc2VydmljZS1wb2QnCiAga3ViZXJuZXRlc19zZF9jb25maWdzOgogIC0gcm9sZTogcG9kCiAgcmVsYWJlbF9jb25maWdzOgogIC0gc291cmNlX2xhYmVsczogW19fbWV0YV9rdWJlcm5ldGVzX3BvZF9jb250YWluZXJfbmFtZV0KICAgIGFjdGlvbjogcmVwbGFjZQogICAgdGFyZ2V0X2xhYmVsOiBqeDNyZWNpcGUKICAtIGFjdGlvbjogbGFiZWxtYXAKICAgIHJlZ2V4OiBfX21ldGFfa3ViZXJuZXRlc19wb2RfbGFiZWxfKC4rKQogIC0gc291cmNlX2xhYmVsczogIFsiX19tZXRhX2t1YmVybmV0ZXNfcG9kX2xhYmVsX2FwcENsdXN0ZXIiXQogICAgcmVnZXg6ICJqeDNyZWNpcGUtY2x1c3RlciIKICAgIGFjdGlvbjoga2VlcAogIC0gc291cmNlX2xhYmVsczogW19fYWRkcmVzc19fXQogICAgYWN0aW9uOiBrZWVwCiAgICByZWdleDogJyguKik6NzAwMCcK kind: Secret metadata:   creationTimestamp: "2019-09-10T09:32:22Z"   name: additional-configs   namespace: monitoring   resourceVersion: "1004681"   selfLink: /api/v1/namespaces/monitoring/secrets/additional-configs   uid: e455d657-d3ad-11e9-95b4-fa163e3c10ff type: Opaque

　　然后我们只需要在声明 prometheus 的资源对象文件中添加上这个额外的配置：(prometheus-prometheus.yaml)

3、promethues添加资源对象

修改prometheus-prometheus.yaml文件

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

apiVersion: monitoring.coreos.com/v1 kind: Prometheus metadata:   labels:     prometheus: k8s   name: k8s   namespace: monitoring spec:   alerting:     alertmanagers:     - name: alertmanager-main       namespace: monitoring       port: web   baseImage: quay.io/prometheus/prometheus   nodeSelector:     beta.kubernetes.io/os: linux   replicas: 2   secrets:   - etcd-certs   resources:     requests:       memory: 400Mi   ruleSelector:     matchLabels:       prometheus: k8s       role: alert-rules   securityContext:     fsGroup: 2000     runAsNonRoot: true     runAsUser: 1000   additionalScrapeConfigs:     name: additional-configs     key: prometheus-additional.yaml   serviceAccountName: prometheus-k8s   serviceMonitorNamespaceSelector: {}   serviceMonitorSelector: {}   version: v2.5.0

　　增加了下面这一段：

?

1 2 3

additionalScrapeConfigs:     name: additional-configs     key: prometheus-additional.yaml

　　

4、应用配置

?

1	kubectl apply -f prometheus-prometheus.yaml

　　过一段时间，刷新promethues上的config，将会看到下面红色框框的配置。

 

 

5、添加权限

　在 Prometheus Dashboard 的配置页面下面我们可以看到已经有了对应的的配置信息了，但是我们切换到 targets 页面下面却并没有发现对应的监控任务，查看 Prometheus 的 Pod 日志：

 

 可以看到有很多错误日志出现，都是xxx is forbidden，这说明是 RBAC 权限的问题，通过 prometheus 资源对象的配置可以知道 Prometheus 绑定了一个名为 prometheus-k8s 的 ServiceAccount 对象，而这个对象绑定的是一个名为 prometheus-k8s 的 ClusterRole：（prometheus-clusterRole.yaml）

修改为：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:   name: prometheus-k8s rules: - apiGroups:   - ""   resources:   - nodes   - services   - endpoints   - pods   - nodes/proxy   verbs:   - get   - list   - watch - apiGroups:   - ""   resources:   - configmaps   - nodes/metrics   verbs:   - get - nonResourceURLs:   - /metrics   verbs:   - get

　　更新上面的 ClusterRole 这个资源对象，然后重建下 Prometheus 的所有 Pod，正常就可以看到 targets 页面下面有 kubernetes-service-pod这个监控任务了：

 至此，一个自动发现pod的配置就完成了，其他资源（service、endpoint、ingress、node同样也可以通过自动发现的方式实现。）