tags: addons, heapster
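Heapster obtains cAdvisor metrics by calling the kubelet's HTTP API.
Because the kubelet only accepts HTTPS requests on port 10250, the heapster deployment configuration has to be modified. The kube-system:heapster ServiceAccount must also be granted permission to call the kubelet API.
Note: unless otherwise stated, all operations in this document are performed on the m7-autocv-gpu01 node.
Download the latest version of heapster from the heapster release page: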
cd /opt/k8s/work
wget https://github.com/kubernetes/heapster/archive/v1.5.4.tar.gz
tar -xzvf v1.5.4.tar.gz
mv v1.5.4.tar.gz heapster-1.5.4.tar.gz
Official manifest directory: heapster-1.5.4/deploy/kube-config/influxdb
$ cd heapster-1.5.4/deploy/kube-config/influxdb
$ cp grafana.yaml{,.orig}
$ diff grafana.yaml.orig grafana.yaml
< # type: NodePort
> type: NodePort
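Review bot: uncommenting `type: NodePort` publishes the Grafana service on a port of every node, so the dashboard becomes reachable from any network that can reach the nodes. The diff shows no change to Grafana's authentication settings; confirm what grafana.yaml allows for unauthenticated users before exposing it, or leave the service as ClusterIP and reach it through the kube-apiserver or kubectl proxy paths.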
- Enable NodePort;
$ cp heapster.yaml{,.orig}
$ diff heapster.yaml.orig heapster.yaml
< - --source=kubernetes:https://kubernetes.default
> - --source=kubernetes:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250
- The kubelet only listens for HTTPS requests on 10250, so the corresponding parameters are added;
$ cd /opt/k8s/work/heapster-1.5.4/deploy/kube-config/influxdb
$ ls *.yaml
grafana.yaml heapster.yaml influxdb.yaml
$ kubectl create -f .
$ cd ../rbac/
$ cp heapster-rbac.yaml{,.orig}
$ diff heapster-rbac.yaml.orig heapster-rbac.yaml
> ---
> kind: ClusterRoleBinding
> apiVersion: rbac.authorization.k8s.io/v1beta1
> metadata:
> name: heapster-kubelet-api
> roleRef:
> apiGroup: rbac.authorization.k8s.io
> kind: ClusterRole
> name: system:kubelet-api-admin
> subjects:
> - kind: ServiceAccount
> name: heapster
> namespace: kube-system
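Review bot: the roleRef line `name: system:kubelet-api-admin` binds the heapster ServiceAccount to an administrative kubelet role, while the denial this page quotes for the unmodified setup names only verb=create on resource=nodes, subresource=stats. Consider binding heapster to a dedicated ClusterRole limited to the nodes/stats subresource instead, so that a compromised heapster pod cannot use the rest of the kubelet API.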
$ kubectl create -f heapster-rbac.yaml
- Bind the ServiceAccount kube-system:heapster to the ClusterRole system:kubelet-api-admin, granting it permission to call the kubelet API;
Without this change, the default ClusterRole system:heapster has insufficient permissions:
E1128 10:00:05.010716 1 manager.go:101] Error in scraping containers from kubelet: failed to get all container stats from Kubelet URL "": request failed - "403 Forbidden", response: "Forbidden (user=system:serviceaccount:kube-system:heapster, verb=create, resource=nodes, subresource=stats)"
E1128 10:00:05.018556 1 manager.go:101] Error in scraping containers from kubelet: failed to get all container stats from Kubelet URL "": request failed - "403 Forbidden", response: "Forbidden (user=system:serviceaccount:kube-system:heapster, verb=create, resource=nodes, subresource=stats)"
E1128 10:00:05.022664 1 manager.go:101] Error in scraping containers from kubelet: failed to get all container stats from Kubelet URL "": request failed - "403 Forbidden", response: "Forbidden (user=system:serviceaccount:kube-system:heapster, verb=create, resource=nodes, subresource=stats)"
W1128 10:00:25.000467 1 manager.go:152] Failed to get all responses in time (got 0/3)
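The denial lines above already state which permission heapster lacks. As an added example (not part of the original document or the heapster project), this Python script parses such kubelet 403 messages and emits a ClusterRole covering only the denied verbs and resources; the role name heapster-kubelet-stats and the shortened sample log are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the kubelet denials quoted above, with the message shortened.
SAMPLE_LOG = """\
E1128 10:00:05.010716 1 manager.go:101] Error in scraping containers from kubelet: request failed - "403 Forbidden", response: "Forbidden (user=system:serviceaccount:kube-system:heapster, verb=create, resource=nodes, subresource=stats)"
E1128 10:00:05.018556 1 manager.go:101] Error in scraping containers from kubelet: request failed - "403 Forbidden", response: "Forbidden (user=system:serviceaccount:kube-system:heapster, verb=create, resource=nodes, subresource=stats)"
W1128 10:00:25.000467 1 manager.go:152] Failed to get all responses in time (got 0/3)
"""

# Matches the kubelet authorizer's denial text; subresource is optional.
DENIAL = re.compile(
    r"Forbidden \(user=(?P<user>[^,]+), verb=(?P<verb>[^,]+), "
    r"resource=(?P<resource>[^,)]+)(?:, subresource=(?P<sub>[^,)]+))?\)"
)


def denied_rules(log_text):
    """Return {user: {"resource[/subresource]": [verbs]}} for every denial found."""
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIAL.finditer(log_text):
        resource = m["resource"] + (f"/{m['sub']}" if m["sub"] else "")
        found[m["user"]][resource].add(m["verb"])
    return {u: {r: sorted(v) for r, v in res.items()} for u, res in found.items()}


def cluster_role_yaml(name, resources):
    """Render a ClusterRole granting only the given core-group resources and verbs."""
    lines = [
        "kind: ClusterRole",
        "apiVersion: rbac.authorization.k8s.io/v1beta1",  # same version the page's binding uses
        "metadata:",
        f"  name: {name}",  # hypothetical role name
        "rules:",
    ]
    for resource, verbs in sorted(resources.items()):
        lines += [
            '- apiGroups: [""]',
            f"  resources: [{json.dumps(resource)}]",
            f"  verbs: [{', '.join(json.dumps(v) for v in verbs)}]",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for user, resources in denied_rules(SAMPLE_LOG).items():
        print(f"# denied for {user}")
        print(cluster_role_yaml("heapster-kubelet-stats", resources))
```

Denials only cover requests heapster has already attempted, so re-check the log after binding the narrower role in place of system:kubelet-api-admin.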
$ kubectl get pods -n kube-system | grep -E 'heapster|monitoring'
heapster-56c9dc749-j7hvz 1/1 Running 0 1m
monitoring-grafana-c797777db-lnwnc 1/1 Running 0 1m
monitoring-influxdb-cf9d95766-5wd28 1/1 Running 0 1m
Check the Kubernetes dashboard UI; it should correctly display statistics and charts such as CPU, memory, and load for each Node and Pod:
Access via kube-apiserver:
Get the monitoring-grafana service URL:
$ kubectl cluster-info
Kubernetes master is running at
Heapster is running at
CoreDNS is running at
kubernetes-dashboard is running at
monitoring-grafana is running at
monitoring-influxdb is running at
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
Open the URL in a browser:
For VirtualBox, where port mapping has been set up:
Access via kubectl proxy:
kubectl proxy --address='' --port=8086 --accept-hosts='^*$'
Starting to serve on
Open the URL in a browser:
For VirtualBox, where port mapping has been set up:
Access via NodePort:
$ kubectl get svc -n kube-system|grep -E 'monitoring|heapster'
heapster ClusterIP <none> 80/TCP 3m
monitoring-grafana NodePort <none> 80:31470/TCP 3m
monitoring-influxdb ClusterIP <none> 8086/TCP 3m
- Grafana listens on NodePort 31470;
Open the URL in a browser: