|NO.Z.00340|——————————|^^ Error ^^|——|KuberNetes&Ops.V57|——|Prometheus.v02|Auto-discovery.v02|Create ClusterRoleBinding|

I. Create a ClusterRoleBinding and check whether Prometheus is retrieving data correctly
### --- Symptom: resolving Failed to list *v1beta1.Ingress
~~~     Check the Prometheus logs for error messages

[root@k8s-master01 discovery]# kubectl get po -n monitoring
NAME                                   READY   STATUS    RESTARTS   AGE
prometheus-k8s-0                       3/3     Running   1          20h
~~~     It reports this error: Failed to list *v1beta1.Ingress
~~~     This is because Prometheus has no permission to view Ingresses in the k8s cluster

[root@k8s-master01 discovery]# kubectl logs -f prometheus-k8s-0 -n monitoring  prometheus
level=error ts=2021-05-29T06:19:00.719Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:317: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"ingresses\" in API group \"extensions\" at the cluster scope"
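II. Error analysis
### --- Error analysis:

~~~     # Error analysis: Failed to list *v1beta1.Ingress;
~~~     A ClusterRoleBinding needs to be added and bound to the ServiceAccount.
~~~     Note that ratel-resource-readonly carries fairly broad permissions
### --- View the permissions of ratel-namespace-readonly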

[root@k8s-master01 discovery]#  kubectl get clusterrole
NAME                                                                   CREATED AT
ratel-resource-readonly               2021-05-29T04:11:35Z
### --- View the permissions
~~~     The permissions include ingresses

[root@k8s-master01 discovery]#  kubectl get clusterrole ratel-resource-readonly -oyaml
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses  
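### --- Bind this ClusterRole to the prometheus-k8s ServiceAccount
~~~     # That is, to the Prometheus container

~~~     The container runs as this ServiceAccount,
~~~     which means the container has the permissions of the Prometheus ServiceAccount,
~~~     and therefore the permission to view Ingresses in the cluster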
[root@k8s-master01 discovery]# kubectl get po -n monitoring
NAME                                   READY   STATUS    RESTARTS   AGE
prometheus-k8s-0                       3/3     Running   1          20h
[root@k8s-master01 discovery]# kubectl get po -n monitoring -oyaml | grep prometheus-k8s
    hostname: prometheus-k8s-0
    serviceAccount: prometheus-k8s
    serviceAccountName: prometheus-k8s    
III. Solution
### --- Solution: create a ClusterRoleBinding

~~~     # Resolve the error described above
~~~     Bind the ClusterRole **name: ratel-resource-readonly**
~~~     to the ServiceAccount **name: prometheus-k8s**
[root@k8s-master01 discovery]# vim ingress-view.yaml
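apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped, so metadata takes no namespace
  name: prometheus-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly   # existing read-only ClusterRole that includes ingresses
subjects:
# ServiceAccount the Prometheus pod runs as
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: monitoring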
### --- Create the ClusterRoleBinding

[root@k8s-master01 discovery]# kubectl create -f ingress-view.yaml 
clusterrolebinding.rbac.authorization.k8s.io/prometheus-discovery created
### --- Check the logs
~~~     The Failed to list *v1beta1.Ingress error no longer appears

[root@k8s-master01 discovery]# kubectl logs -f prometheus-k8s-0 -n monitoring prometheus
level=error ts=2021-05-29T07:01:53.338Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:317: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"ingresses\" in API group \"extensions\" at the cluster scope"
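
Because ratel-resource-readonly carries fairly broad permissions, a narrower alternative is a dedicated ClusterRole that grants the prometheus-k8s ServiceAccount read access to Ingresses only. This is an added example, not part of the original post; the name prometheus-ingress-discovery is hypothetical, and the networking.k8s.io group is included on the assumption that the cluster may also serve Ingress from that group.

```yaml
# Added example (not from the original post): least-privilege RBAC for
# Prometheus Ingress discovery. "prometheus-ingress-discovery" is a
# hypothetical name chosen for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-ingress-discovery
rules:
- apiGroups:
  - extensions          # API group named in the error message on this page
  - networking.k8s.io   # assumption: group serving Ingress on newer clusters
  resources:
  - ingresses           # only the resource the error complains about
  verbs:                # read-only verbs used by list/watch-based discovery
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-ingress-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-ingress-discovery
subjects:
# Same ServiceAccount the Prometheus pod runs as (see the pod spec above)
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: monitoring
```

After applying it, `kubectl auth can-i list ingresses.extensions --as=system:serviceaccount:monitoring:prometheus-k8s` should answer `yes`.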

Posted by yanqi_vip
