
Kubernetes: Prometheus in GKE gets 403 Forbidden from the Kubernetes API


For the ClusterRole of the Prometheus deployment, I have

# ClusterRole for the deployment
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: prometheus
rules:
- apiGroups: [""]
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
The ServiceAccount and ClusterRoleBinding are also in place.

Below is the setup in prometheus.yml for the jobs that are getting the 403 error:

- job_name: 'kubernetes-cadvisor'

  scheme: https

  tls_config:
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

  kubernetes_sd_configs:
  - role: node

  relabel_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
    replacement: kubernetes.default.svc:443
  - source_labels: [__meta_kubernetes_node_name]
    regex: (.+)
    target_label: __metrics_path__
    replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor

- job_name: 'kubernetes-nodes'

  scheme: https

  tls_config:
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

  kubernetes_sd_configs:
  - role: node

  relabel_configs:
  - action: labelmap
    regex: __meta_kubernetes_node_label_(.+)
  - target_label: __address__
    replacement: kubernetes.default.svc:443
  - source_labels: [__meta_kubernetes_node_name]
    regex: (.+)
    target_label: __metrics_path__
    replacement: /api/v1/nodes/${1}/proxy/metrics

Even though the ServiceAccount and ClusterRole are bound together, I don't understand why I keep getting the 403 error.

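Make sure the /var/run/secrets/kubernetes.io/serviceaccount/token file contains the correct token. To do so, you can enter the Prometheus pod with:

kubectl exec -it -n <namespace> <prometheus-pod-name> -- bash

and cat the token file. Then exit the pod and run:

echo $(kubectl get secret -n <namespace> <secret-name> -o jsonpath='{.data.token}') | base64 --decode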


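If the tokens match, you can try querying the Kubernetes API server with Postman or Insomnia to see whether the rules you put in the ClusterRole are correct. I suggest you query the /proxy/metrics/cadvisor and /proxy/metrics URLs.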
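
The rule check suggested above can also be reasoned about offline. The following is an added example, not part of the original answer: a simplified model of how RBAC matches the question's scrape paths against its ClusterRole. The node name `node-1` and the helper names are assumptions, and the model handles only exact and `*` matches on cluster-scoped core-API paths.

```python
import re

# Rules copied from the ClusterRole in the question.
RULES = [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["nodes", "nodes/proxy", "nodes/metrics",
                   "services", "endpoints", "pods"]},
    {"apiGroups": ["extensions"], "verbs": ["get", "list", "watch"],
     "resources": ["ingresses"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
]

# /api/v1/<resource>[/<name>[/<subresource>[/...]]] (cluster-scoped core API only)
CORE = re.compile(r"^/api/v1/([^/]+)(?:/([^/]+)(?:/([^/]+))?)?")


def request_attributes(path):
    """Map the path of a GET request to the attributes RBAC evaluates."""
    m = CORE.match(path)
    if not m:
        return {"verb": "get", "nonResourceURL": path}
    resource, name, sub = m.groups()
    return {"verb": "get" if name else "list", "apiGroup": "",
            "resource": f"{resource}/{sub}" if sub else resource}


def _has(values, wanted):
    return wanted in values or "*" in values


def matching_rule(rules, attrs):
    """Return the index of the first rule that allows attrs, or None if none does."""
    for i, rule in enumerate(rules):
        if not _has(rule["verbs"], attrs["verb"]):
            continue
        if "nonResourceURL" in attrs:
            if _has(rule.get("nonResourceURLs", []), attrs["nonResourceURL"]):
                return i
        elif (_has(rule.get("apiGroups", []), attrs["apiGroup"])
              and _has(rule.get("resources", []), attrs["resource"])):
            return i
    return None


if __name__ == "__main__":
    # "node-1" is a constructed node name standing in for ${1} in the relabel rule.
    for path in ("/api/v1/nodes/node-1/proxy/metrics/cadvisor",
                 "/api/v1/nodes/node-1/proxy/metrics",
                 "/api/v1/nodes", "/metrics"):
        attrs = request_attributes(path)
        print(path, attrs, "rule", matching_rule(RULES, attrs))
```

Both scrape paths resolve to `get` on `nodes/proxy`, so that entry in the first rule is the one that authorizes them; `nodes/metrics` and the `/metrics` non-resource URL do not cover requests proxied through the API server.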

It turned out I had a GKE-specific problem; I think I'll ask about it in another question. Thanks a lot.