七点半的菜市场

large picture of the cover

使用Istio的错误日志

一、为使用 istio默认安装 Prometheus报错

思路先查看 istio默认配置的 Prometheus是如何

apiVersion: v1
kind: Service
metadata:
  labels:
    component: "server"
    app: prometheus
    release: prometheus
    chart: prometheus-14.6.1
    heritage: Helm
  name: prometheus
  namespace: istio-system
spec:
  ports:
    - name: http
      port: 9090
      protocol: TCP
      targetPort: 9090
  selector:
    component: "server"
    app: prometheus
    release: prometheus
  sessionAffinity: None
  type: "ClusterIP"

清晰明了,将 Prometheussvc修改为 nodeport(我本来就是)就好解决了,直接拿 endpoint对接宿主机 ipPrometheusnodeport即可

[root@k8s-master istio]# cat prometheus-istio.yaml 
apiVersion: v1
kind: Endpoints
metadata:
  name: prometheus
  namespace: istio-system
subsets:
  - addresses:
    - ip: 192.168.200.10
    ports:
      - port: 30080
---
apiVersion:  v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
spec:
  ports:
  - port: 9090

进入 kiali面板即可查看

image-20241024221653467

二、使用 Promethues监控 istio名称空间没有权限

使用 kube-Prometheus搭建

🍹 具体报错为:

level=error ts=2024-10-24T13:52:51.871Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:362: Failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"istio-system\""

我是使用ServiceMonitor来发现 istio具体配置如下

[root@k8s-master istio]# cat istio-SvcMonitor.yaml 
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: istio-monitor
  namespace: monitoring
  labels:
    app: istiod
spec:
  jobLabel: k8s-istio
  endpoints:
  - interval: 10s
    port: http-monitoring
    scheme: http
  selector:
    matchLabels:
      app: istiod
  namespaceSelector:
    matchNames:
    - istio-system

报错没有权限咱就加权限,在 kube-Prometheusmanifests中找到了关于 SpecificNamespace的配置,我直接复制了两个文件,一个是 SpecificNamespaceRole,还有一个是 SpecificNamespaceBind的配置分别如下

[root@k8s-master mall]# cat prometheus-istioNamespace.yaml 
apiVersion: rbac.authorization.k8s.io/v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: prometheus-k8s
    namespace: istio-system
  rules:
  - apiGroups:
    - ""
    resources:
    - services
    - endpoints
    - pods
    verbs:
    - get
    - list
    - watch
kind: RoleList

[root@k8s-master mall]# cat prometheus-roleBindingIstio.yaml 
apiVersion: rbac.authorization.k8s.io/v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: prometheus-k8s
    namespace: istio-system
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: prometheus-k8s
  subjects:
  - kind: ServiceAccount
    name: prometheus-k8s
    namespace: monitoring
kind: RoleBindingList

执行查看是否创建成功

[root@k8s-master mall]# kubectl  get -n istio-system  rolebindings.rbac.authorization.k8s.io prometheus-k8s 
NAME             ROLE                  AGE
prometheus-k8s   Role/prometheus-k8s   7m39s
[root@k8s-master mall]# kubectl  get -n istio-system  role prometheus-k8s 
NAME             CREATED AT
prometheus-k8s   2024-10-24T13:58:15Z

site logo

Hi,Friend

© 2024 七点半的菜市场