Kube-Prometheus-Stack 和保护外部节点导出器

Kube-Prometheus-Stack and securing external node-exporter

我想用 tls 和身份验证来保护我的外部节点导出器,这样在我的网络中,并不是每个人都能访问节点导出器公开的指标。

在普罗米修斯方面,我有服务、Servicemonitor 和端点:

apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
    prometheus.io/scrape: 'true'
  labels:
    app: node-exporter-vm-agent
    jobLabel: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  externalName: 192.168.1.72
  ports:
  - name: metrics
    port: 9100
    protocol: TCP
    targetPort: 9100
  selector:
    app: vm-agent
    release: prom00
  type: ExternalName

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
  labels:
    app: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  endpoints:
    - port: metrics
      scheme: https
      tlsConfig:
        insecureSkipVerify: true
  jobLabel: jobLabel
  selector:
    matchLabels:
      app: node-exporter-vm-agent
      release: prom00

apiVersion: v1
kind: Endpoints
metadata:
  labels:
    app: node-exporter-vm-agent
    jobLabel: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
subsets:
- addresses:
  - ip: 192.168.1.72
    nodeName: 192.168.1.72
  ports:
  - name: metrics
    port: 9100
    protocol: TCP

在外部节点导出器上,我有 web.yml 生成的 crt 和密钥文件以及使用 htpasswd 生成的密码。

tls_server_config:
  cert_file: node_exporter.crt
  key_file: node_exporter.key
  # basic_auth_users:
  # prometheus: y$V2RmZ2wKC7S8jhEz1OXRKOLkq1UHw4qlgpHT.hMg7B447dJQl7RqS

我可以通过使用 insecureSkipVerify: true 使用自行生成的证书。 如果我使用用户启用 basic_auth_users:prometheus 和密码,当我尝试访问节点导出器并输入 user/password.

时它会起作用

但是如何将 basic_auth 实施到 yaml 中以创建凭据/或者什么是正确的命令。? 如果使用 helm 部署 prometheus,是否有更好的方法来保护外部节点导出器?

感谢您的帮助!

要完成这个,请在​​本主题的注释下方:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
  labels:
    app: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  endpoints:
    - port: metrics
      scheme: https
      basicAuth:
        username:
          key: username
          name: basic-auth
        password:
          key: password
          name: basic-auth
      tlsConfig:
        insecureSkipVerify: true
  jobLabel: jobLabel
  selector:
    matchLabels:
      app: node-exporter-vm-agent
      release: prom00

秘密:我用以下方法创建了它: kubectl -n monitoring-dev create secret generic basic-auth --from-literal=username='prometheus' --from-literal=password='password'

在节点导出器上,我创建了一个 web-config.yml 文件:

tls_server_config: cert_file: ../cert/prom_node_exp.crt key_file: ../cert/prom_node_expnopass.key basic_auth_users: 普罗米修斯:$2y$10$W.nywLSnmQjagtmT6k4uLedGhk1sWMMG3Rspv2r6Z0CzGmLJUveFC

--> 用户密码创建方式:htpasswd -nBC 10 "" | tr -d ':\n'