cert-exporter is a Prometheus exporter for monitoring x509 certificates. It parses the certificate files it is pointed at and produces the Prometheus metric ssl_certificate_expiry_seconds, the number of seconds until each certificate expires.
Usage:

```shell
# cert-exporter --path=<certificate directory>; several directories may be given, separated by commas
cert-exporter --path=/etc/kubernetes/ssl/,/etc/kubernetes/pki/
```
Generated metric:

| metric | value (seconds) |
|---|---|
| `ssl_certificate_expiry_seconds{alg="SHA256-RSA",controller_revision_hash="5cfdb89c8",hostname="k8s.master.1",instance="x.x.x.x:9117",issuer="CN=kubernetes",job="k8s-pods",k8s_app="k8s-cert-exporter",namespace="monitoring",nodename="k8s.master.1",path="/host/etc/kubernetes/pki/ca.crt",pod="k8s-cert-exporter-2vq5d",pod_template_generation="1",subject="CN=kubernetes",version="3"}` | 244188860.83742842 |
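The Go program below is an added example, not the cert-exporter code itself. It shows the work the exporter does behind the metric in the table: split the comma-separated `--path` value into directories, decode every `*.pem` and `*.crt` file in them (a file may hold a chain or a key next to the certificate, so only CERTIFICATE blocks count), and emit one `ssl_certificate_expiry_seconds` sample per certificate with the `alg`, `issuer`, `path`, `subject` and `version` labels seen above. The certificate it reads is a constructed self-signed CA written to a temporary directory, not a cluster certificate, and the type and function names (`CertMetric`, `expiryMetrics`, `writeSelfSignedCert`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// CertMetric is one ssl_certificate_expiry_seconds sample: its label set and value.
type CertMetric struct {
	Path, Subject, Issuer, Alg string
	Version                    int
	ExpirySeconds              float64
}

// expiryMetrics takes the --path value (directories separated by commas), reads every *.pem and
// *.crt file in them and returns seconds from now until each NotAfter (negative once expired).
func expiryMetrics(paths string, now time.Time) ([]CertMetric, error) {
	var out []CertMetric
	for _, dir := range strings.Split(paths, ",") {
		for _, pattern := range []string{"*.pem", "*.crt"} {
			files, _ := filepath.Glob(filepath.Join(strings.TrimSpace(dir), pattern)) // only fails on a bad pattern
			for _, f := range files {
				data, err := os.ReadFile(f)
				if err != nil {
					return nil, err
				}
				// A file may hold a chain or a key beside the certificate: every CERTIFICATE
				// block becomes a sample, other block types are skipped.
				for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
					if b.Type != "CERTIFICATE" {
						continue
					}
					c, err := x509.ParseCertificate(b.Bytes)
					if err != nil {
						return nil, fmt.Errorf("%s: %w", f, err)
					}
					out = append(out, CertMetric{Path: f, Subject: c.Subject.String(), Issuer: c.Issuer.String(),
						Alg: c.SignatureAlgorithm.String(), Version: c.Version, ExpirySeconds: c.NotAfter.Sub(now).Seconds()})
				}
			}
		}
	}
	return out, nil
}

// ExpositionLine renders the sample in the Prometheus text format; %q escapes quotes and
// backslashes in label values, and the value is printed as a plain decimal.
func (m CertMetric) ExpositionLine() string {
	return fmt.Sprintf(`ssl_certificate_expiry_seconds{alg=%q,issuer=%q,path=%q,subject=%q,version="%d"} %s`,
		m.Alg, m.Issuer, m.Path, m.Subject, m.Version, strconv.FormatFloat(m.ExpirySeconds, 'f', -1, 64))
}

// writeSelfSignedCert writes a constructed self-signed CA (not a real cluster certificate) to
// dir/name so the example can run without access to /etc/kubernetes/pki.
func writeSelfSignedCert(dir, name string, notBefore time.Time, ttl time.Duration) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, name), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "certs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	now := time.Now().Truncate(time.Second)
	// Constructed input: a CA that expires in 100 days, i.e. inside the 182-day window of the critical alert rule.
	if err = writeSelfSignedCert(dir, "ca.crt", now, 100*24*time.Hour); err != nil {
		panic(err)
	}
	metrics, err := expiryMetrics(dir, now) // same argument shape as --path
	if err != nil {
		panic(err)
	}
	for _, m := range metrics {
		fmt.Println(m.ExpositionLine()) // value/86400 is the "days left" the alert rules compare
	}
}
```

The exporter only needs to read the files, which is why the DaemonSet below mounts the host's /etc read-only; the alert rules divide the value by 86400 to turn seconds into days, and a value below zero means the certificate has already expired.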
The Kubernetes certificates live under /etc/kubernetes/pki on every master. It is enough to run one cert-exporter process on each master that watches the *.pem and *.crt files under /etc/kubernetes/pki.

Deploy a cert-monitor DaemonSet in the cluster with the nodeSelector `cert-monitor: "true"`; any node that is then labelled cert-monitor="true" automatically gets a cert-exporter installed.
cert-monitor-daemonset.yaml:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: k8s-cert-exporter
  namespace: monitoring
  labels:
    k8s-app: k8s-cert-exporter
spec:
  selector:
    matchLabels:
      k8s-app: k8s-cert-exporter
  template:
    metadata:
      labels:
        k8s-app: k8s-cert-exporter
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9117'
    spec:
      tolerations:
      - operator: Exists
        effect: NoSchedule
      nodeSelector:
        cert-monitor: "true"
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: k8s-cert-exporter
        image: registry.xxxx.io/prometheus/cert_exporter:v1.0
        args:
        - "--v=2"
        - "--logtostderr=true"
        - "--path=/host/etc/kubernetes/ssl/,/host/etc/kubernetes/pki/"
        imagePullPolicy: IfNotPresent
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        resources:
          limits:
            cpu: 250m
            memory: 256Mi
          requests:
            cpu: 100m
            memory: 128Mi
        volumeMounts:
        - mountPath: /host/etc
          name: etc
          readOnly: true
      volumes:
      - name: etc
        hostPath:
          path: /etc
          type: ""
```
Label the nodes that should be monitored:

```shell
# kx
kubectl label node k8s.master.1 cert-monitor="true"
kubectl label node k8s.master.2 cert-monitor="true"
kubectl label node k8s.master.3 cert-monitor="true"
```
Alert rules (a PrometheusRule for the Prometheus Operator), one warning at less than a year and one critical alert at less than half a year before expiry:

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  namespace: monitoring
  name: k8s-certs-rule
  labels:
    role: k8s-certs-rule
spec:
  groups:
  - name: k8sCertExpiringSoon
    rules:
    - alert: k8s集群证书过期不到1年了
      expr: ssl_certificate_expiry_seconds/86400 < 365
      for: 3m
      labels:
        # ordinary alert
        severity: warning
      annotations:
        message: '节点{{$labels.hostname}}的{{$labels.path}}证书还有 {{ $value }} 天过期 .'
    - alert: k8s集群证书过期不到半年了
      expr: ssl_certificate_expiry_seconds/86400 < 182
      for: 3m
      labels:
        # important alert
        severity: critical
      annotations:
        message: '节点{{$labels.hostname}}的{{$labels.path}}证书还有 {{ $value }} 天过期 .'
```