采集集群外的k8s(prometheus监控)
1,创建token
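# 一定要cluster-admin角色
# 注意: cluster-admin 拥有整个集群的全部权限,这个 token 一旦泄露就等于交出集群的完全控制权。如果只是让 Prometheus 采集指标,通常只需要一个只读的 ClusterRole(对 nodes、nodes/metrics、nodes/proxy、services、endpoints、pods 的 get/list/watch,以及对非资源 URL /metrics 的 get)。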
#步骤一: 创建sa
[root@k8s-master01 ~]# kubectl create ns monitoring
namespace/monitoring created
[root@k8s-master01 ~]# kubectl create sa -n monitoring thanos
serviceaccount/thanos created
# 步骤二: 创建角色绑定
[root@k8s-master01 ~]# kubectl create clusterrolebinding thanos --clusterrole cluster-admin --serviceaccount=monitoring:thanos
clusterrolebinding.rbac.authorization.k8s.io/thanos created
[root@k8s-master01 ~]#
# 步骤三: 获取sa中的secret
[root@k8s-master01 ~]# kubectl get sa -n monitoring thanos -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2025-09-12T02:46:26Z"
  name: thanos
  namespace: monitoring
  resourceVersion: "5532775"
  uid: 683fb80a-de74-4ec2-9ec4-4a96c017369f
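# Since Kubernetes v1.24.0, creating a ServiceAccount no longer auto-generates
# a token Secret, so the Secret has to be created by hand.
# NOTE: a token issued through a kubernetes.io/service-account-token Secret
# does not expire; it stays valid until the Secret (or the ServiceAccount) is
# deleted. Where a time-bound token is acceptable, `kubectl create token`
# issues one instead.
#
# The manifest is written with one key per line and proper nesting; collapsed
# onto a single "metadata:" line it is not valid YAML and `kubectl apply`
# rejects it. The heredoc delimiter is quoted so the shell expands nothing
# inside the manifest.
cat > thanos-Secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: thanos
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: "thanos"
type: kubernetes.io/service-account-token
EOF
kubectl apply -f thanos-Secret.yaml
# List the Secrets in the namespace
kubectl -n monitoring get secrets
# Show the Secret's details.
# NOTE: `describe` prints the token in clear text; keep this output out of
# shared terminals, logs and tickets.
kubectl -n monitoring describe secrets thanos
# Print the decoded token.
# NOTE: this writes a bearer credential for the thanos ServiceAccount to
# stdout; if it is saved to a file, restrict the file to its owner.
kubectl -n monitoring get secrets thanos -o go-template --template '{{index .data "token"}}' | base64 --decode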
[root@k8s-master01 prometheus-k8s-token]# kubectl apply -f thanos-Secret.yaml
secret/thanos created
[root@k8s-master01 prometheus-k8s-token]#
[root@k8s-master01 prometheus-k8s-token]# kubectl -n monitoring get secrets
NAME TYPE DATA AGE
thanos kubernetes.io/service-account-token 3 11s
[root@k8s-master01 prometheus-k8s-token]# # 查看 Secret 详情
[root@k8s-master01 prometheus-k8s-token]# kubectl -n monitoring describe secrets thanos
Name: thanos
Namespace: monitoring
Labels: <none>
Annotations: kubernetes.io/service-account.name: thanos
             kubernetes.io/service-account.uid: 683fb80a-de74-4ec2-9ec4-4a96c017369f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1363 bytes
namespace: 10 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkRnWkpzRDNLelRvLVUtcFZ4dDFYLXdjT29oY3h1NjdsOWFydm1IeGhsajAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtb25pdG9yaW5nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoYW5vcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGFub3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2ODNmYjgwYS1kZTc0LTRlYzItOWVjNC00YTk2YzAxNzM2OWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bW9uaXRvcmluZzp0aGFub3MifQ.Gkp572wArTrJZPNL0aGbH7vTUEbu5lvdKeI2KwyHNwA_4HX7zKCaXmjVgOflfCmSpUlTLjbbLsakU_7qs7TgJ-T_dMeduo3BAnj5kBI9zCwzoLVE9D_LstDUJyJ6M7mlO4opJIVw7bTwA9kJubmMpqOvcJy3VhWNDKI64hU66D75KbbCuRdvp68ocVkqgH0PnxFxU_S4NEAMRyp8AXSXFJiVoGyHjpfo9YlC0-XiyXQr-_Mu-YljkVQYNcfjGnVziMLBlo7gtgbSLwU-3Jj9LWqB8I0TlxqLkAz-cQ63ixiVyVVKBX5rOSj8n8sH9qHslJjsGd5kCXS41lT8kM6xwg
[root@k8s-master01 prometheus-k8s-token]#
[root@k8s-master01 prometheus-k8s-token]# kubectl -n monitoring get secrets thanos -o go-template --template '{{index .data "token"}}' | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6IkRnWkpzRDNLelRvLVUtcFZ4dDFYLXdjT29oY3h1NjdsOWFydm1IeGhsajAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtb25pdG9yaW5nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoYW5vcyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGFub3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2ODNmYjgwYS1kZTc0LTRlYzItOWVjNC00YTk2YzAxNzM2OWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bW9uaXRvcmluZzp0aGFub3MifQ.Gkp572wArTrJZPNL0aGbH7vTUEbu5lvdKeI2KwyHNwA_4HX7zKCaXmjVgOflfCmSpUlTLjbbLsakU_7qs7TgJ-T_dMeduo3BAnj5kBI9zCwzoLVE9D_LstDUJyJ6M7mlO4opJIVw7bTwA9kJubmMpqOvcJy3VhWNDKI64hU66D75KbbCuRdvp68ocVkqgH0PnxFxU_S4NEAMRyp8AXSXFJiVoGyHjpfo9YlC0-XiyXQr-_Mu-YljkVQYNcfjGnVziMLBlo7gtgbSLwU-3Jj9LWqB8I0TlxqLkAz-cQ63ixiVyVVKBX5rOSj8n8sH9qHslJjsGd5kCXS41lT8kM6xwg
[root@devops02]# kubectl create sa -n monitoring thanos
serviceaccount/thanos created
[root@devops02]# kubectl get sa -n monitoring thanos -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-08-30T10:51:48Z"
  name: thanos
  namespace: monitoring
  resourceVersion: "412483591"
  selfLink: /api/v1/namespaces/monitoring/serviceaccounts/thanos
  uid: fd5390e9-103f-498f-8eaf-cc02ed79c9e6
secrets:
- name: thanos-token-mmkgh
步骤三: 获取token
[root@devops02]# kubectl describe secrets -n monitoring thanos-token-mmkgh
Name: thanos-token-mmkgh
Namespace: monitoring
Labels: <none>
Annotations: kubernetes.io/service-account.name: thanos
             kubernetes.io/service-account.uid: fd5390e9-103f-498f-8eaf-cc02ed79c9e6
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ4a3FFN20tdk5ObUwzTXdMbkZjVVBEV0lxRloyRmRUNjgyMWtFeDA2ak0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtb25pdG9yaW5nIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRoYW5vcy10b2tlbi1tbWtnaCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0aGFub3MiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmZDUzOTBlOS0xMDNmLTQ5OGYtOGVhZi1jYzAyZWQ3OWM5ZTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6bW9uaXRvcmluZzp0aGFub3MifQ.4URBz3HffPi0XOiGAoMfx24L56d65F2XkfnWdnAL3S8Z-mMpMjOedr2i_91_lcFRY4a-iroyrSdLuR7yQRVOkxCSZAhoQD0f3g3oGz_DvUPxIcMF55As7yk4vE4NuaseKYCpIlS24DcTll4a76q-ANBcvCOFM5NlhuKSIg8pUGSDgtnBVTqkYlk__TCjuJ3vBf9lbHTLWlvkv8p0wqUyGzPg_8FltNNsulFDu6L-6WybkQEZ6LIvgqIUvuGM3U5KjAGT0T6UHy-CnOoIBDVioEbu0B1xsq3qANmBmvvjIFnJcYyVyO50iVcH4hpmiNI9oY6ftWoa2fV_wXNRAfHXsw
ca.crt: 1066 bytes
namespace: 10 bytes
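# Since Kubernetes v1.24.0, creating a ServiceAccount no longer auto-generates
# a token Secret, so the Secret has to be created by hand.
# NOTE: a token issued through a kubernetes.io/service-account-token Secret
# does not expire; it stays valid until the Secret (or the ServiceAccount) is
# deleted. Where a time-bound token is acceptable, `kubectl create token`
# issues one instead.
#
# The manifest is written with one key per line and proper nesting; collapsed
# onto a single "metadata:" line it is not valid YAML and `kubectl apply`
# rejects it. The heredoc delimiter is quoted so the shell expands nothing
# inside the manifest.
cat > thanos-Secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: thanos
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: "thanos"
type: kubernetes.io/service-account-token
EOF
kubectl apply -f thanos-Secret.yaml
# List the Secrets in the namespace
kubectl -n monitoring get secrets
# Show the Secret's details.
# NOTE: `describe` prints the token in clear text; keep this output out of
# shared terminals, logs and tickets.
kubectl -n monitoring describe secrets thanos
# Print the decoded token.
# NOTE: this writes a bearer credential for the thanos ServiceAccount to
# stdout; if it is saved to a file, restrict the file to its owner.
kubectl -n monitoring get secrets thanos -o go-template --template '{{index .data "token"}}' | base64 --decode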
2,测试token
获取kube-apiserver数据
[root@devops02]# cat k8s/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ4a3FFN20tdk5ObUwzTXdMbkZjVVBEV0lxRloyRmRUNjgyMWtFeDA2ak0ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJwcm9tZXRoZXVzLXRva2VuLXNmZDVoIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InByb21ldGhldXMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzNmIwZjJiNi04MTQ3LTQ3NjgtOWI4YS01ZDYxY2I0NmZiMTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06cHJvbWV0aGV1cyJ9.aVdZ5wXVE7z3ofiWgqZIMSFYlNxFv86ylRvfKlxmu6vFMOFeznk5XGkiQttJY9OJ2Tu-OHbtmmaX-2pwPPipNURfn0G-9_ZF0S4u4PdndUIbeIuCthGI6nN8G5P-0DHKb76bocP9dquDFDnpijSqN-8GXarpJ39kCIO9gyzJZfcQ6FQZExjnOGX3UKJuBJvwCJ3peN_79Tp5KlcgcesoBMxJV4kN0r-n_qbgnVkX6V1ywdaj7GiYjvTJzdC6B0v_dEOo3lcLc8-uXU4TTfFsENuo0lV_y5efW6nGcLAcw8MXkVo2bvc8wYv5vHoviU8c_qFqKAswzqelMDDhDOElrQ
[root@devops02]# TOKEN=`cat k8s/token`
[root@devops02]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://10.50.4.158:6443/metrics
# 注意: --insecure 会跳过服务端证书校验,Bearer token 可能被发送给冒充的服务端。这里仅用于连通性测试;正式使用时应改用 --cacert 指定集群 CA 证书(即上面 Secret 中的 ca.crt)来校验服务端。
获取kubelet数据
[root@devops02]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://10.50.4.18:10250/metrics
获取node_exporter数据
[root@devops02]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://10.50.4.117:9100/metrics