Comments (1)
Local monitoring
If, for example, there is an agent running on each node, this agent can simply fetch the local healthz port: http://localhost:10248/healthz.
e.g. with curl: curl -i http://localhost:10248/healthz
Remote monitoring
There are two ways to fetch endpoints (metrics, healthz...). Both methods use HTTPS and a token (1.) and are executed against the APISERVER or directly to the Kubelet on each node.
The first one is mostly used with Prometheus and Kubernetes discovery (https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). It allows one to automatically discover the nodes and hence avoid the task of defining monitoring for each node.
The second one can be used in more traditional monitoring where one must configure each node to be checked.
Configuration
1. Create service account and permissions
Create a Service Account (monitoring) with a secondary Token (monitoring-secret-token) associated. It is best practice not to use the default created Token; using a secondary token is easier for management. This Service Account can only fetch information about nodes and pods. The token will be used in HTTPS requests to authenticate against the APIserver.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring
  namespace: kube-system
secrets:
- name: monitoring-secret-token
---
# Secondary token bound to the monitoring ServiceAccount
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-secret-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: monitoring
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-clusterrole
  namespace: kube-system
rules:
# Read-only access to nodes, the node proxy subresource and pods
- apiGroups: [""]
  resources:
  - nodes
  - nodes/proxy
  - pods
  verbs: ["get", "list"]
# Metrics and health endpoints of the API server itself
- nonResourceURLs: ["/metrics", "/healthz", "/healthz/*"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: monitoring-clusterrole-binding
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: monitoring-clusterrole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: monitoring
  namespace: kube-system
e.g., how to export the token:
kubectl -n kube-system get secrets monitoring-secret-token -ojsonpath='{.data.token}' | base64 -d
This token can now be passed in headers in the form: "Authorization: Bearer $TOKEN"
2. Test token remotely
--> Choose a Kubernetes node
NODE="vm154162"
--> Get TOKEN with kubectl and APISERVER from configuration file
TOKEN=$(kubectl -n kube-system get secrets monitoring-secret-token -ojsonpath='{.data.token}' | base64 -d)
APISERVER=$(kubectl config view | grep server | cut -f 2- -d ":" | tr -d " ")
--> Fetch the Kubelet endpoints
curl -k $APISERVER/api/v1/nodes/$NODE/proxy/metrics --header "Authorization: Bearer $TOKEN"
curl -k $APISERVER/api/v1/nodes/$NODE/proxy/metrics/cadvisor --header "Authorization: Bearer $TOKEN"
curl -k $APISERVER/api/v1/nodes/$NODE/proxy/healthz --header "Authorization: Bearer $TOKEN"
--> Fetch the endpoints directly on Kubelet
curl -k https://$NODE:10250/metrics --header "Authorization: Bearer $TOKEN"
curl -k https://$NODE:10250/metrics/cadvisor --header "Authorization: Bearer $TOKEN"
curl -k https://$NODE:10250/healthz --header "Authorization: Bearer $TOKEN"
from doc-caasp.
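An added example, not part of the original comment: a POSIX sh check of the proxied healthz endpoint from step 2 that verifies the API server certificate against the cluster CA instead of using -k, and hands the token to curl on stdin rather than on the command line. The function names and the ca.crt file are assumptions, as is the API server certificate being signed by the CA stored in the token secret.

```shell
# Added example, not from the original comment. POSIX sh.
# Hypothetical names: classify_healthz, check_kubelet_healthz.
#
# Usage (assumes the CA stored next to the token in the same secret):
#   kubectl -n kube-system get secrets monitoring-secret-token \
#     -ojsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
#   check_kubelet_healthz "$APISERVER" "$NODE" "$TOKEN" ca.crt

# Map an HTTP status ($1) and body ($2) to a Nagios-style message and
# exit code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
classify_healthz() {
  case "$1" in
    200)
      if [ "$2" = "ok" ]; then echo "OK: kubelet healthy"; return 0; fi
      echo "WARNING: HTTP 200 but unexpected body"; return 1 ;;
    401|403)
      echo "UNKNOWN: token not accepted (HTTP $1), check the ClusterRoleBinding"
      return 3 ;;
    *)
      echo "CRITICAL: HTTP $1"; return 2 ;;
  esac
}

# Args: APISERVER NODE TOKEN CA_FILE.
# The body runs in a subshell so its variables do not leak to the caller.
check_kubelet_healthz() (
  rc=0
  # The Authorization header is fed to curl as a config line on stdin
  # (--config -), so the token never shows up in the process list.
  # --cacert replaces -k: the API server certificate is actually verified.
  out=$(printf 'header = "Authorization: Bearer %s"\n' "$3" |
        curl --silent --max-time 10 --cacert "$4" --config - \
             --write-out '\n%{http_code}' \
             "$1/api/v1/nodes/$2/proxy/healthz") || rc=$?
  # curl exit code 60: the server certificate could not be verified.
  if [ "$rc" -eq 60 ]; then
    echo "CRITICAL: TLS verification of $1 failed"
    exit 2
  fi
  code=$(printf '%s\n' "$out" | tail -n 1)   # last line is the status code
  body=$(printf '%s\n' "$out" | sed '$d')    # everything before it
  classify_healthz "$code" "$body"
)
```
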