Happywzy

enjoy coding...

0%

发表于 分类于

介绍

首先我们先来了解下 Prometheus-Operator的架构图:
Prometheus-Operator

上图是Prometheus-Operator官方提供的架构图,其中Operator是最核心的部分,作为一个控制器,他会去创建PrometheusServiceMonitorAlertManager以及PrometheusRule4个CRD资源对象,然后会一直监控并维持这4个资源对象的状态。

其中创建的prometheus这种资源对象就是作为Prometheus Server存在,而ServiceMonitor就是exporter的各种抽象,exporter前面我们已经学习了,是用来提供专门提供metrics数据接口的工具,Prometheus就是通过ServiceMonitor提供的metrics数据接口去 pull 数据的,当然alertmanager这种资源对象就是对应的AlertManager的抽象,而PrometheusRule是用来被Prometheus实例使用的报警规则文件。

这样我们要在集群中监控什么数据,就变成了直接去操作 Kubernetes 集群的资源对象了,是不是方便很多了。上图中的 Service ServiceMonitor 都是 Kubernetes 的资源,一个 ServiceMonitor 可以通过 labelSelector 的方式去匹配一类 ServicePrometheus 也可以通过 labelSelector 去匹配多个ServiceMonitor

查看stable/prometheus-operator的默认值

helm inspect values stable/prometheus-operator

将默认配置导出,备用

helm inspect values stable/prometheus-operator > prometheus-operator.yaml

提前将配置中涉及到的镜像下载好

#!/bin/sh
docker pull hub.deri.org.cn/k8s_monitor/alertmanager:v0.19.0
docker tag hub.deri.org.cn/k8s_monitor/alertmanager:v0.19.0 quay.io/prometheus/alertmanager:v0.19.0
docker rmi hub.deri.org.cn/k8s_monitor/alertmanager:v0.19.0
 
docker pull hub.deri.org.cn/k8s_monitor/ghostunnel:v1.4.1 
docker tag hub.deri.org.cn/k8s_monitor/ghostunnel:v1.4.1 squareup/ghostunnel:v1.4.1
docker rmi hub.deri.org.cn/k8s_monitor/ghostunnel:v1.4.1 
 
docker pull hub.deri.org.cn/k8s_monitor/kube-webhook-certgen:v1.0.0 
docker tag hub.deri.org.cn/k8s_monitor/kube-webhook-certgen:v1.0.0  jettech/kube-webhook-certgen:v1.0.0
docker rmi hub.deri.org.cn/k8s_monitor/kube-webhook-certgen:v1.0.0 
 
docker pull hub.deri.org.cn/k8s_monitor/prometheus-operator:v0.34.0
docker tag hub.deri.org.cn/k8s_monitor/prometheus-operator:v0.34.0 quay.io/coreos/prometheus-operator:v0.34.0
docker rmi hub.deri.org.cn/k8s_monitor/prometheus-operator:v0.34.0
 
docker pull hub.deri.org.cn/k8s_monitor/configmap-reload:v0.0.1
docker tag hub.deri.org.cn/k8s_monitor/configmap-reload:v0.0.1 quay.io/coreos/configmap-reload:v0.0.1
docker rmi pull hub.deri.org.cn/k8s_monitor/configmap-reload:v0.0.1
 
docker pull hub.deri.org.cn/k8s_monitor/prometheus-config-reloader:v0.34.0
docker tag hub.deri.org.cn/k8s_monitor/prometheus-config-reloader:v0.34.0 quay.io/coreos/prometheus-config-reloader:v0.34.0
docker rmi hub.deri.org.cn/k8s_monitor/prometheus-config-reloader:v0.34.0
 
docker pull hub.deri.org.cn/k8s_monitor/hyperkube:v1.12.1
docker tag hub.deri.org.cn/k8s_monitor/hyperkube:v1.12.1 k8s.gcr.io/hyperkube:v1.12.1
docker rmi  hub.deri.org.cn/k8s_monitor/hyperkube:v1.12.1
 
docker pull hub.deri.org.cn/k8s_monitor/prometheus:v2.13.1
docker tag hub.deri.org.cn/k8s_monitor/prometheus:v2.13.1 quay.io/prometheus/prometheus:v2.13.1
docker rmi hub.deri.org.cn/k8s_monitor/prometheus:v2.13.1
 
docker pull hub.deri.org.cn/k8s_monitor/kube-state-metrics:v1.8.0
docker tag hub.deri.org.cn/k8s_monitor/kube-state-metrics:v1.8.0 quay.io/coreos/kube-state-metrics:v1.8.0
docker rmi hub.deri.org.cn/k8s_monitor/kube-state-metrics:v1.8.0
 
docker pull hub.deri.org.cn/k8s_monitor/node-exporter:v0.18.1
docker tag hub.deri.org.cn/k8s_monitor/node-exporter:v0.18.1 quay.io/prometheus/node-exporter:v0.18.1
docker rmi hub.deri.org.cn/k8s_monitor/node-exporter:v0.18.1
 
docker pull hub.deri.org.cn/k8s_monitor/k8s-sidecar:0.1.20
docker tag hub.deri.org.cn/k8s_monitor/k8s-sidecar:0.1.20 kiwigrid/k8s-sidecar:0.1.20
docker rmi hub.deri.org.cn/k8s_monitor/k8s-sidecar:0.1.20
 
docker pull hub.deri.org.cn/k8s_monitor/grafana:6.4.2
docker tag hub.deri.org.cn/k8s_monitor/grafana:6.4.2 grafana/grafana:6.4.2
docker rmi hub.deri.org.cn/k8s_monitor/grafana:6.4.2

用默认配置安装,指定了name、namespace等信息

helm install stable/prometheus-operator  --name prometheus-operator --namespace monitoring -f prometheus-operator.yaml --set grafana.adminPassword=admin

查看pod运行情况

kubectl get pod -n monitoring

修改Grafana的service类型为NodePort,便于访问测试

kubectl edit svc prometheus-operator-grafana -n monitoring

通过下面命令,查看绑定宿主机的端口 ,访问测试密码安装时指定了admin/admin

kubectl get svc -n monitoring

卸载

helm delete prometheus-operator

helm delete --purge prometheus-operator

Prometheus-Operator安装时会去创建PrometheusServiceMonitorAlertManager以及PrometheusRule4个CRD资源对象,卸载时一并删掉

kubectl delete crd prometheuses.monitoring.coreos.com
kubectl delete crd prometheusrules.monitoring.coreos.com
kubectl delete crd servicemonitors.monitoring.coreos.com
kubectl delete crd podmonitors.monitoring.coreos.com
kubectl delete crd alertmanagers.monitoring.coreos.com

修改prometheus-operator.yaml,配置ingress

# 例如AlterManager配置,默认情况enabled: false修改成true,hosts: []填入alterManager的域名
alertmanager:
  ingress:
    enabled: true
    hosts: ["alert.deri.com"]

修改prometheus-operator.yaml,配置数据持久化

# 例如AlterManager,默认如下,是被注释掉的,取消注释,并填入你的storageClassName
    storage: {}
    # volumeClaimTemplate:
    #   spec:
    #     storageClassName: gluster
    #     accessModes: ["ReadWriteOnce"]
    #     resources:
    #       requests:
    #         storage: 50Gi
    #   selector: {}
 
alertmanager:
  alertmanagerSpec:
    storage: 
      volumeClaimTemplate:
        spec:
          storageClassName: nfs-client
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 5Gi
        selector: {}

其它配置可以在默认配置prometheus-operator.yaml中查看并修改。

问题

问题一:

【摘自https://github.com/helm/charts/tree/master/stable/prometheus-operator

KubeProxy【改完重启kubelet、docker服务】

The metrics bind address of kube-proxy is default to 127.0.0.1:10249 that prometheus instances cannot access to. You should expose metrics by changing metricsBindAddress field value to 0.0.0.0:10249 if you want to collect them.

Depending on the cluster, the relevant part config.conf will be in ConfigMap kube-system/kube-proxy or kube-system/kube-proxy-config. For example:

kubectl -n kube-system edit cm kube-proxy

apiVersion: v1
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    # ...
    # metricsBindAddress: 127.0.0.1:10249
    metricsBindAddress: 0.0.0.0:10249
    # ...
  kubeconfig.conf: |-
    # ...
kind: ConfigMap
metadata:
  labels:
    app: kube-proxy
  name: kube-proxy
  namespace: kube-system

问题二:

在不同环境安装时发现结果不一样,所有配置都一样,可能原因:

由于上述是通过helm安装的,首先通过命令helm repo list检查源是否一致;

通过helm search | grep prometheus查看 CHART VERSION    APP VERSION 是否一致;

如果不一致通过helm repo update更新一下就可以了。

参考链接

发表于 分类于

安装htpasswd

htpasswd不是centos7自带的命令,需要使用yum安装。

yum install httpd-tools

选项

  • -c: 创建一个新的密码文件
  • -b: 在命令行中一并输入用户名和密码而不是根据提示输入密码
  • -D: 删除指定的用户
  • -n: 不更新密码文件,只将加密后的用户名密码输出到屏幕上
  • -p: 不对密码进行加密,采用明文的方式
  • -m: 采用MD5算法对密码进行加密(默认的加密方式)
  • -d: 采用CRYPT算法对密码进行加密
  • -s: 采用SHA算法对密码进行加密
  • -B: 采用bcrypt算法对密码进行加密(非常安全)

参数

  • 用户名: 要创建或者更新的用户名
  • 密码: 用户的新密码

创建用户,设置密码

用下面的三个操作,创建 basic-auth 用户 foo,密码 123456,将用户信息提交到 kubernetes

$ htpasswd -c auth foo
$ kubectl -n demo-echo create secret generic basic-auth --from-file=auth

注意其中命名空间demo-echosecret 与目标服务echo在同一个 namespace 中。

为目标服务设置 ingress

注意其中的basic-auth改成你的

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-echo-with-auth-basic
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: auth-basic.echo.example
    http:
      paths:
      - path: /
        backend:
          serviceName: echo
          servicePort: 80

访问测试

ingress-nginx

原文链接

发表于 分类于

创建自签署证书

注意证书中的CN=tls.echo.example改成自己的域名地址。

echo "生成自签署的 ca 证书"
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=My Cert Authority'
 
echo "生成用上述 ca 签署的 server 证书"
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=tls.echo.example'
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

将 server 证书上传到 kubernetes

注意其中的命名空间demo-echo和secret名称tls-echo-exmaple-secret,改成自己的。

kubectl -n demo-echo create secret generic tls-echo-exmaple-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key

配置ingress

ignress 中的 host 一定要与证书的 CN 相同,在 tls 配置中引用前面创建的 secret

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-echo-with-tls
spec:
  rules:
  - host: tls.echo.example
    http:
      paths:
      - path: /
        backend:
          serviceName: echo
          servicePort: 80
  tls:
  - hosts:
    - tls.echo.example
    secretName: tls-echo-exmaple-secret

为多个域名配置证书

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-tls
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com
    # This secret must exist beforehand
    # The cert must also contain the subj-name foo.bar.com
    # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
    secretName: foobar
  - hosts:
    - bar.baz.com
    # This secret must exist beforehand
    # The cert must also contain the subj-name bar.baz.com
    # https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/PREREQUISITES.md#tls-certificates
    secretName: barbaz
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  - host: bar.baz.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        path: /

参考链接

发表于 分类于

前文:在所有节点安装nfs-utils并启动相关服务。

NFS服务端新建一个挂载目录

echo "/home/nfs *(rw,async,no_root_squash)" >> /etc/exports
exportfs -r
showmount -e localhost

安装nfs-client

helm install stable/nfs-client-provisioner --name test-storageclass --set nfs.server=192.168.1.210 --set nfs.path=/home/nfs

注意

可以先用命令helm inspect values stable/nfs-client-provisioner查看所有配置项,并提前下载好镜像。

replicaCount: 1
strategyType: Recreate
 
image:
  repository: quay.io/external_storage/nfs-client-provisioner
  tag: v3.1.0-k8s1.11
  pullPolicy: IfNotPresent
 
nfs:
  server:
  path: /ifs/kubernetes
  mountOptions:
 
# For creating the StorageClass automatically:
storageClass:
  create: true
 
  # Set a provisioner name. If unset, a name will be generated.
  # provisionerName:
 
  # Set StorageClass as the default StorageClass
  # Ignored if storageClass.create is false
  defaultClass: false
 
  # Set a StorageClass name
  # Ignored if storageClass.create is false
  name: nfs-client
 
  # Allow volume to be expanded dynamically
  allowVolumeExpansion: true
 
  # Method used to reclaim an obsoleted volume
  reclaimPolicy: Delete
 
  # When set to false your PVs will not be archived by the provisioner upon deletion of the PVC.
  archiveOnDelete: true
 
## For RBAC support:
rbac:
  # Specifies whether RBAC resources should be created
  create: true
 
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
  enabled: false
 
## Set pod priorityClassName
# priorityClassName: ""
 
serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
 
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
 
resources: {}
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

也可以修改下上面的yaml,直接通过nfs-client.yaml创建:

replicaCount: 1
strategyType: Recreate
 
image:
  repository: quay.io/external_storage/nfs-client-provisioner
  tag: v3.1.0-k8s1.11
  pullPolicy: IfNotPresent
 
nfs:
  server: 192.168.1.210
  path: /home/nfs
  mountOptions:
 
storageClass:
  create: true
  defaultClass: false
  name: nfs-client
  allowVolumeExpansion: true
  reclaimPolicy: Delete
  archiveOnDelete: true
 
rbac:
  create: true
 
podSecurityPolicy:
  enabled: false

执行安装命令:

helm install stable/nfs-client-provisioner -n test-storageclass -f nfs-client.yaml

创建PVC测试

创建test-pvc.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: testclaim
spec:
  storageClassName: "nfs-client"
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Mi

kubectl apply -f test-pvc.yaml

查看结果

[root@k8s-master home]# kubectl get sc
NAME         PROVISIONER                                              AGE
nfs-client   cluster.local/test-storageclass-nfs-client-provisioner   36m
[root@k8s-master home]# kubectl get pv,pvc
NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS        CLAIM                 STORAGECLASS    REASON   AGE
persistentvolume/pvc-d9bdfa45-6417-4ad9-bbf0-02301f928342   10Mi       RWX            Delete           Bound         default/testclaim     nfs-client               33m
 
NAME                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
persistentvolumeclaim/testclaim   Bound    pvc-d9bdfa45-6417-4ad9-bbf0-02301f928342   10Mi       RWX            nfs-client     34m

发表于 分类于

多条件模糊查询

select * from t_log where (LOCATE('wu', user_name) > 0 or  LOCATE('wu', params ) > 0)and  (method='POST' or method='GET');

查询id在列表中的所有结果

select * from t_user where tenant_id in (1,2,3);

发表于 分类于

k8s所有节点安装NFS

yum install nfs-utils
 
#所有节点,不论NFS服务端还是客户端
systemctl enable rpcbind
systemctl start rpcbind
 
#NFS服务端
systemctl enable nfs
systemctl start nfs

在NFS服务端配置挂载磁盘

  • 创建目录:mkdir /data
  • 修改权限:chmod 755 /data
  • 编辑NFS配置:vi /etc/exports
  • 添加:/data/ 192.168.0.0/24(rw,sync,no_root_squash,no_all_squash)
  • 重启:systemctl restart nfs
  • 或者执行exportfs -r生效
  • 检查:showmount -e localhost

K8s中创建PersistentVolume

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv0003
spec:
  capacity: #容量
     storage:5Gi
  volumeMode: Filesystem #存储卷模式
  accessModes: #访问模式
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle #持久化卷回收策略
  storageClassName: slow #存储类
  mountOptions: #挂接选项
   - hard
   - nfsvers=4.1
  nfs:
     path: /data
     server: 172.17.0.2

访问模式(Access Modes)

只要资源提供者支持,持久卷能够通过任何方式加载到主机上。每种存储都会有不同的能力,每个PV的访问模式也会被设置成为该卷所支持的特定模式。例如NFS能够支持多个读写客户端,但某个NFS PV可能会在服务器上以只读方式使用。每个PV都有自己的一系列的访问模式,这些访问模式取决于PV的能力。

访问模式的可选范围如下:

  • ReadWriteOnce:该卷能够以读写模式被加载到一个节点上。
  • ReadOnlyMany:该卷能够以只读模式加载到多个节点上。
  • ReadWriteMany:该卷能够以读写模式被多个节点同时加载。

类(Class)

在PV中可以指定存储类,通过设置storageClassName字段进行设置。如果设置了存储类,则此PV只能被绑定到也指定了此存储类的PVC。

回收策略

当前的回收策略可选值包括:

  • Retain-持久化卷被释放后,需要手工进行回收操作。
  • Recycle-基础擦除(rm-rf /thevolume/*
  • Delete-相关的存储资产,例如AWSEBS或GCE PD卷一并删除。
    目前,只有NFSHostPath支持Recycle策略,AWSEBS、GCE PD支持Delete策略。

K8s中创建PersistentVolumeClaim

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: myclaim
spec:
  accessModes: #访问模式
    - ReadWriteOnce
  volumeMode: Filesystem #存储卷模式
  resources: #资源
    requests:
      storage: 8Gi
  storageClassName: slow #存储类
  selector: #选择器
    matchLabels:
      release: "stable"
    matchExpressions: #匹配表达式
      - {key: environment, operator: In, values: [dev]}

选择器

在PVC中,可以通过标签选择器来进一步的过滤PV。仅仅与选择器匹配的PV才会被绑定到PVC中。选择器的组成如下:

  • matchLabels: 只有存在与此处的标签一样的PV才会被PVC选中;
  • matchExpressions :匹配表达式由键、值和操作符组成,操作符包括In, NotIn, ExistsDoesNotExist,只有符合表达式的PV才能被选择。
    如果同时设置了matchLabelsmatchExpressions,则会进行求与,即只有同时满足上述匹配要求的PV才会被选择。

存储类

如果PVC使用storageClassName字段指定一个存储类,那么只有指定了同样的存储类的PV才能被绑定到PVC上。对于PVC来说,存储类并不是必须的。依赖于安装方法,可以在安装过程中使用add-on管理器将默认的StorageClass部署至Kubernetes集群中。当PVC指定了选择器,并且指定了StorageClass,则在匹配PV时,取两者之间的与:即仅仅同时满足存储类和带有要求标签值的PV才能被匹配上。

Pod使用刚刚创建的持久化存储

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: myfrontend
    image: dockerfile/nginx
     volumeMounts: #挂接存储卷
     - mountPath: "/var/www/html" #POD内挂接的路径
       name: mypd #所要挂接的存储卷的名称
 volumes: #定义存储卷
 - name: mypd
   persistentVolumeClaim: #所使用的持久化存储卷声明
     claimName: myclaim