• Monitoring and Logging
  • Binary k8s kube-controller-manager server returned HTTP status 403 Forbidden


The kube-controller-manager and kube-schedule logs show no problems, but no data can be displayed.

11568134 changed the title to "Binary k8s kube-controller-manager server returned HTTP status 403 Forbidden"

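Check whether the service account that Prometheus uses (prometheus-k8s) is correct, and whether the permissions set on the clusterRole bound to that SA (kubesphere-prometheus-k8s) are correct, i.e. whether it includes the "/metrics" permission.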

    kevendeng I don't know where to find this, i.e. whether the "/metrics" permission is included.
    kubectl describe sa prometheus-k8s -n kubesphere-monitoring-system
    Name: prometheus-k8s
    Namespace: kubesphere-monitoring-system
    Labels: <none>
    Annotations:
    Image pull secrets: <none>
    Mountable secrets: prometheus-k8s-token-gkxkl
    Tokens: prometheus-k8s-token-gkxkl
    Events: <none>


    kubectl describe clusterrolebinding kubesphere-prometheus-k8s
    Name: kubesphere-prometheus-k8s
    Labels: <none>
    Annotations:
    Role:
      Kind: ClusterRole
      Name: kubesphere-prometheus-k8s
    Subjects:
      Kind            Name            Namespace
      ServiceAccount  prometheus-k8s  kubesphere-monitoring-system


    kubectl get clusterrole kubesphere-prometheus-k8s -n kubesphere-monitoring-system -o yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kubesphere-prometheus-k8s"},"rules":[{"apiGroups":[""],"resources":["nodes/metrics","nodes","services","endpoints","pods"],"verbs":["get","list","watch"]},{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}
      creationTimestamp: "2021-07-06T08:23:44Z"
      managedFields:
      - apiVersion: rbac.authorization.k8s.io/v1
        fieldsType: FieldsV1
        fieldsV1:
          f:metadata:
            f:annotations:
              .: {}
              f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:rules: {}
        manager: kubectl
        operation: Update
        time: "2021-07-06T08:23:44Z"
      name: kubesphere-prometheus-k8s
      resourceVersion: "3596238"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/kubesphere-prometheus-k8s
      uid: 94dd6989-2d07-4cf8-bd71-b1e03a56ff6c
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes/metrics
      - nodes
      - services
      - endpoints
      - pods
      verbs:
      - get
      - list
      - watch
    - nonResourceURLs:
      - /metrics
      verbs:
      - get

      11568134
      - nonResourceURLs:
        - /metrics
        verbs:
        - get

      The ClusterRole does include permission for this endpoint, so the access failure must have another cause.
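
An offline version of the check suggested in the thread, as an added example that is not part of any post: it evaluates the ClusterRole rules pasted above the way RBAC matches verbs and non-resource URLs. The function names are made up for this example, and resource matching is simplified (no `*/subresource` patterns).

```python
import json

# Rules copied from the last-applied-configuration annotation of the
# kubesphere-prometheus-k8s ClusterRole pasted in the thread.
CLUSTER_ROLE_JSON = """
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole",
 "metadata":{"annotations":{},"name":"kubesphere-prometheus-k8s"},
 "rules":[{"apiGroups":[""],
           "resources":["nodes/metrics","nodes","services","endpoints","pods"],
           "verbs":["get","list","watch"]},
          {"nonResourceURLs":["/metrics"],"verbs":["get"]}]}
"""

def verb_matches(rule, verb):
    verbs = rule.get("verbs", [])
    return "*" in verbs or verb in verbs

def url_matches(pattern, path):
    # RBAC non-resource URL matching: exact match, "*" for everything,
    # or a trailing "*" that matches any path with that prefix.
    if pattern == "*" or pattern == path:
        return True
    return pattern.endswith("*") and path.startswith(pattern[:-1])

def allows_non_resource(role, verb, path):
    """True if any rule in the ClusterRole grants `verb` on URL `path`."""
    return any(
        verb_matches(rule, verb)
        and any(url_matches(p, path) for p in rule.get("nonResourceURLs", []))
        for rule in role.get("rules", [])
    )

def allows_resource(role, verb, api_group, resource):
    """True if a rule grants `verb` on `resource` (no "*/subresource" patterns)."""
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (verb_matches(rule, verb)
                and ("*" in groups or api_group in groups)
                and ("*" in resources or resource in resources)):
            return True
    return False

ROLE = json.loads(CLUSTER_ROLE_JSON)

if __name__ == "__main__":
    for verb, path in [("get", "/metrics"), ("get", "/metrics/cadvisor")]:
        print(verb, path, allows_non_resource(ROLE, verb, path))
```

In a live cluster the same question can be asked with `kubectl auth can-i get /metrics --as=system:serviceaccount:kubesphere-monitoring-system:prometheus-k8s`. The evaluator above only inspects the role's rules; it does not tell you which component returned the 403.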