Kube-Prometheus-Stack and securing external node-exporter
I want to protect my external node_exporter with TLS and authentication, so that not everyone in my network can read the metrics the node_exporter exposes.
On the Prometheus side I have the Service, ServiceMonitor and Endpoints:
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
    prometheus.io/scrape: 'true'
  labels:
    app: node-exporter-vm-agent
    jobLabel: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  externalName: 192.168.1.72
  ports:
  - name: metrics
    port: 9100
    protocol: TCP
    targetPort: 9100
  # an ExternalName Service gets no Endpoints from the endpoints controller,
  # so the Endpoints object below is what the Operator actually discovers
  selector:
    app: vm-agent
    release: prom00
  type: ExternalName
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
  labels:
    app: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  endpoints:
  - port: metrics
    scheme: https
    tlsConfig:
      insecureSkipVerify: true   # accepts any certificate; used because the cert is self-signed
  jobLabel: jobLabel
  selector:
    matchLabels:
      app: node-exporter-vm-agent
      release: prom00
---
apiVersion: v1
kind: Endpoints
metadata:
  labels:
    app: node-exporter-vm-agent
    jobLabel: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
subsets:
- addresses:
  - ip: 192.168.1.72
    nodeName: 192.168.1.72
  ports:
  - name: metrics
    port: 9100
    protocol: TCP
On the external node_exporter I have a web.yml with the generated crt and key files and a password generated with htpasswd:
tls_server_config:
  cert_file: node_exporter.crt
  key_file: node_exporter.key
# basic_auth_users:
#   prometheus: y$V2RmZ2wKC7S8jhEz1OXRKOLkq1UHw4qlgpHT.hMg7B447dJQl7RqS
With insecureSkipVerify: true I can use the self-generated certificate.
If I enable basic_auth_users with the user prometheus and the password, it works when I open the node_exporter and enter the user/password.
But how do I implement basic_auth in the YAML to create the credentials, or what is the correct command?
Is there a better way to secure an external node_exporter when Prometheus is deployed with Helm?
Thanks for your help!
To complete this, following the comments under this topic:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  annotations:
    meta.helm.sh/release-name: prom00
    meta.helm.sh/release-namespace: monitoring-dev
  labels:
    app: node-exporter-vm-agent
    release: prom00
  name: prom00-node-exporter-vm-agent
  namespace: monitoring-dev
spec:
  endpoints:
  - port: metrics
    scheme: https
    basicAuth:
      # both refs point at the Secret "basic-auth" in the ServiceMonitor's namespace
      username:
        key: username
        name: basic-auth
      password:
        key: password
        name: basic-auth
    tlsConfig:
      insecureSkipVerify: true
  jobLabel: jobLabel
  selector:
    matchLabels:
      app: node-exporter-vm-agent
      release: prom00
Secret: I created it with:
kubectl -n monitoring-dev create secret generic basic-auth --from-literal=username='prometheus' --from-literal=password='password'
On the node_exporter I created a web-config.yml file:
tls_server_config:
  cert_file: ../cert/prom_node_exp.crt
  key_file: ../cert/prom_node_expnopass.key
basic_auth_users:
  prometheus: $2y$10$W.nywLSnmQjagtmT6k4uLedGhk1sWMMG3Rspv2r6Z0CzGmLJUveFC
--> the user's password hash was created with: htpasswd -nBC 10 "" | tr -d ':\n'
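The scrape the answer's ServiceMonitor performs, as an added pre-flight check in Python (not code from the original post, node_exporter or kube-prometheus-stack): it pins the exporter's self-signed certificate as the CA instead of relying on insecureSkipVerify, sends the basic-auth credentials held in the `basic-auth` Secret, and says which side to fix when the scrape fails. The exporter address 192.168.1.72:9100 comes from this thread; the `ca.crt` path, the script name and the function names are assumptions.

```python
"""Pre-flight check for a node_exporter behind TLS + basic auth.

Added example for this thread (not code from the original post, node_exporter
or kube-prometheus-stack). It does what the ServiceMonitor will do, but with
the exporter's certificate pinned as the CA instead of insecureSkipVerify.
Assumptions: the exporter listens on https://192.168.1.72:9100 as in the
thread; ca.crt holds node_exporter.crt (or its issuing CA); user/password are
the values stored in the basic-auth Secret.
"""
import base64
import getpass
import ssl
import sys
import urllib.request
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError


def basic_auth_header(username: str, password: str) -> str:
    """The Authorization header Prometheus sends for endpoints[].basicAuth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def pinned_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Equivalent of tlsConfig.ca: the exporter's cert must chain to ca_file
    and its SAN must match the host we connect to (here the IP)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context() -> ssl.SSLContext:
    """What insecureSkipVerify: true really means: the scrape is encrypted but
    the peer is never authenticated, so anyone on the path can impersonate the
    exporter and collect the basic-auth credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Small, testable view of what a context enforces."""
    return {
        "verify": "required" if ctx.verify_mode == ssl.CERT_REQUIRED else "none",
        "check_hostname": bool(ctx.check_hostname),
    }


def scrape(url: str, username: str, password: str, ctx: ssl.SSLContext,
           timeout: float = 5.0) -> Tuple[int, List[str]]:
    """Fetch /metrics. Returns (status, first lines); status -1 = TLS/connect failure."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(username, password)})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, body.splitlines()[:5]
    except HTTPError as err:            # TLS succeeded; the exporter answered
        return err.code, [str(err.reason)]
    except URLError as err:             # handshake or connection failed
        return -1, [str(err.reason)]


def verdict(status: int) -> str:
    """Map the result to the side that needs fixing."""
    if status == 200:
        return "ok: certificate verified and basic auth accepted"
    if status == 401:
        return "tls ok, credentials rejected: the basic-auth Secret and basic_auth_users in web-config.yml disagree"
    if status == -1:
        return "tls/connect failure: ca.crt does not match node_exporter.crt, SAN does not cover the IP, or port 9100 is closed"
    return f"unexpected HTTP {status}"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_exporter.py https://192.168.1.72:9100/metrics ca.crt prometheus")
    url, ca, user = sys.argv[1:]
    pw = getpass.getpass(f"password for {user}: ")
    status, lines = scrape(url, user, pw, pinned_context(ca))
    print(verdict(status))
    for line in lines:
        print("  " + line)
```

Run it as `python3 check_exporter.py https://192.168.1.72:9100/metrics ca.crt prometheus`; it prompts for the password so the secret never lands in shell history. Once the pinned check passes, the ServiceMonitor equivalent is `tlsConfig.ca.secret` (the exporter's cert or its issuing CA stored in a Secret in monitoring-dev), plus `serverName` if the certificate's SAN does not cover the IP, in place of `insecureSkipVerify: true`, which only encrypts the scrape and never authenticates the exporter.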