k8s集群授权prometheus（集群外部署）

一、前言

在集群外部prometheus想要调用k8s集群的apiserver获取监控数据需要通过token和ca验证，在集群内部部署的prometheus就不会有这个情况，因为集群内部部署prometheus pod的时候就已经注入了访问集群的token和ca文件，所以以下就针对k8s集群外部署的prometheus创建token和ca文件使得prometheus能够访问k8s集群的apiserver获取监控数据

二、k8s集群创建RBAC对象

vi prometheus-rabc.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - services
  - endpoints
  - pods
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
    - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - nodes/metrics
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: prometheus

创建命名空间

kubectl create namespace prometheus

创建rbac

kubectl create -f prometheus-rabc.yaml

在新版本的k8s中创建ServiceAccount不会默认创建secret，需要自己手动创建

vi prometheus-secret.yaml 

apiVersion: v1
kind: Secret
metadata:
  name: prometheus
  namespace: prometheus
  annotations:
    kubernetes.io/service-account.name: prometheus   #这里需要填写创建的ServiceAccount的名称
type: kubernetes.io/service-account-token

查看token

kubectl describe secret prometheus -n prometheus

 查看一下ServiceAccount

kubectl describe sa prometheus -n prometheus

 prometheus调用k8s集群接口获取监控数据，使用以上的token和集群ca证书即可

k8s集群的ca证书在以下目录中

ls /etc/kubenetes/pki