15 Prometheus authentication feature

Official link: https://prometheus.io/docs/guides/basic-auth/

Preface:

At work we rely on a lot of monitoring software; here I use Prometheus as the example. Because we need to hand out separate Prometheus instances to colleagues in different business groups, we add authentication to raise the baseline security a little.

Suppose you want to require every user who accesses the Prometheus instance to provide a username and password. For this example, use admin as the username and choose any password you like.

First, generate a bcrypt hash of the password.

Let's install the bcrypt module by running apt install python3-bcrypt, assuming you are on a Debian-like distribution. There are other ways to generate the hashed password; for testing you can also use a bcrypt generator on the web.

15.1 Generating the password

Online web method for generating bcrypt: https://www.bejson.com/encrypt/bcrpyt_encode/

Python method:

In this example I use "test" as the password.

import getpass
import bcrypt

# Read the password without echoing it to the terminal
password = getpass.getpass("password: ")
# bcrypt with a random salt; the resulting string is what goes into web_config.yaml
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())

$ python3 gen-pass.py
password:
$2a$10$h4qTn3X5Z0VzNL2/zjdi2OoYet1.ZkLOpz/okpPPm2N.LaquPCgUe

15.2 Creating Prometheus

1 Create the Prometheus ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: monitoring
data:
  prometheus.yaml: |
    global:
      scrape_interval: 100s
      scrape_timeout: 100s                          # I lengthened these a bit here for the data scrape
    scrape_configs:
      # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
      - job_name: 'prometheus'
        # metrics_path defaults to '/metrics'
        # scheme defaults to 'http'.
        static_configs:
          - targets: ['localhost:9090']

2 Create the authentication file

apiVersion: v1
kind: ConfigMap
metadata:
  name: web-config-map
  namespace: monitoring
data:
  web_config.yaml: |
    basic_auth_users:
      "admin": "$2a$10$h4qTn3X5Z0VzNL2/zjdi2OoYet1.ZkLOpz/okpPPm2N.LaquPCgUe" # the bcrypt hash, never the plaintext password

3 The Prometheus data also needs to be persisted, so we also create a corresponding PV and PVC resource object:

# cat prom-pvc.yaml 
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: prometheus-data
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 20Gi
  storageClassName: local-storage
  local:
    path: /data/k8s/prometheus
  persistentVolumeReclaimPolicy: Retain
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - node-2  # here we pin the PV to the node-2 node
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: prometheus-data
  namespace: monitoring
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: local-storage

Install the local storage provisioner:

$ kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/deploy/local-path-storage.yaml

The StorageClass and the PVC can be seen to have been created successfully (the PVC binds to the statically created PV prometheus-data through storageClassName local-storage):

[10:53:49 root@master prom]#kubectl get storageclasses.storage.k8s.io 
NAME         PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
local-path   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  52s
[10:53:52 root@master prom]#kubectl get pvc -n monitoring 
NAME              STATUS   VOLUME            CAPACITY   ACCESS MODES   STORAGECLASS    AGE
prometheus-data   Bound    prometheus-data   20Gi       RWO            local-storage   3m34s

4 Create the Prometheus instance

# vim vm-prom-deploy.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
    spec:
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: prometheus-data
        - name: config-volume
          configMap:
            name: prometheus-config
        - name: web-config-volume
          configMap:
            name: web-config-map
      containers:
        - image: prom/prometheus:v2.35.0
          name: prometheus
          args:
            - "--config.file=/etc/prometheus/prometheus.yaml"
            - "--web.config.file=/etc/prometheus_web/web_config.yaml" # web config file that enables basic auth
            - "--storage.tsdb.path=/prometheus" # tsdb data path
            - "--storage.tsdb.retention.time=2d"
            - "--web.enable-lifecycle" # hot reload: a request to localhost:9090/-/reload takes effect immediately (also protected by the basic auth above)
          ports:
            - containerPort: 9090
              name: http
          securityContext:
            runAsUser: 0 # runs as root so it can write the host-local PV path; prefer fixing the directory ownership and dropping this
          volumeMounts:
            - mountPath: "/etc/prometheus"
              name: config-volume
            - mountPath: "/etc/prometheus_web"
              name: web-config-volume
            - mountPath: "/prometheus"
              name: data
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: monitoring
spec:
  selector:
    app: prometheus
  type: NodePort
  ports:
    - name: web
      port: 9090
      targetPort: http

15.3 Access verification

Check the svc:

[11:17:59 root@master prom]#kubectl get svc -n monitoring 
NAME         TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
prometheus   NodePort   172.30.0.225   <none>        9090:31000/TCP   24s

Open it in the browser. Here I used Chrome's incognito mode, and you can see that it succeeds.

Account: admin

Password: test
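A scripted version of the browser check in 15.3, added here as an example and not code from the original post: probe() requests /-/healthy once without and once with credentials and returns both status codes, so a correctly protected instance yields (401, 200). FakePrometheus and start_fake are a constructed stand-in (plaintext admin/test, no bcrypt) only so the check can run offline; in practice point probe() at the real NodePort address.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(base_url, user, password, path="/-/healthy"):
    """Return (status without credentials, status with credentials)."""
    def status(headers):
        req = urllib.request.Request(base_url + path, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # urllib raises on 401; the code is what we want
    # Same header a browser sends after the 401 challenge: base64("user:pass")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return status({}), status({"Authorization": "Basic " + token})

def is_protected(base_url, user, password):
    """True only if anonymous access is refused AND the credentials work."""
    anon, authed = probe(base_url, user, password)
    return anon == 401 and authed == 200

class FakePrometheus(BaseHTTPRequestHandler):
    """Constructed offline stand-in: admin/test, plaintext compare (real Prometheus checks bcrypt)."""
    users = {"admin": "test"}

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = self.users.get(user) == pw
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                pass
        if not ok:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Prometheus"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()

def start_fake():
    """Start the stand-in on a free port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakePrometheus)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Over plain http, as on the NodePort here, the Basic header is only base64-encoded in transit, so anyone on the path can read admin:test; the same web_config.yaml can carry a tls_server_config section to close that gap.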
