metrics-server介绍
Metrics Server是一个集群范围的资源使用情况的数据聚合器。作为一个应用部署在集群中。Metric server从每个节点上KubeletAPI收集指标,通过Kubernetes聚合器注册在Master APIServer中。为集群提供Node、Pods资源利用率指标。
就像Linux 系统一样有一个命令 top 能够实时显示当前系统的 CPU 和内存利用率,它是性能分析和调优的基本工具,非常有用。Kubernetes 也提供了类似的命令,就是 kubectl top,不过默认情况下这个命令不会生效,必须要安装一个插件 Metrics Server 才可以。Metrics Server 是一个专门用来收集 Kubernetes 核心资源指标(metrics)的工具,它定时从所有节点的 kubelet 里采集信息,但是对集群的整体性能影响极小,每个节点只大约会占用 1m 的 CPU 和 2MB 的内存,所以性价比非常高。
下面的这张图来自 Kubernetes 官网,你可以对 Metrics Server 的工作方式有个大概了解:它调用 kubelet 的 API 拿到节点和 Pod 的指标,再把这些信息交给 apiserver,这样 kubectl、HPA 就可以利用 apiserver 来读取指标了:
Metrics Server项目的地址github:https://github.com/kubernetes-sigs/metrics-server
metrics-server作用
功能
metrics-server 是 Kubernetes 的一个集群范围的资源使用数据聚合器。它从各个节点上的 kubelet 收集资源使用数据(如 CPU、内存),并通过 Kubernetes API 服务器公开这些数据。metrics-server 使得 Kubernetes 控制平面和其他组件能够访问这些资源使用数据.
为 Kubernetes 控制平面提供实时的资源使用数据,支持水平 Pod 自动扩展 (HPA)、
HorizontalPodAutoscaler 实现了应用的自动水平伸缩功能,它从 Metrics Server 获取应用的运行指标,再实时调整 Pod 数量,可以很好地应对突发流量。还有k8s 的Dashboard 中的资源使用图表等功能。通过 kubectl top 命令查看节点和 Pod 的资源使用情况。 安装了这个服务之后就可以使用kubectl top指令
[root@master ~]# kubectl top
Display Resource (CPU/Memory) usage.The top command allows you to see the resource consumption for nodes or pods.This command requires Metrics Server to be correctly configured and working on the server.Available Commands:node Display resource (CPU/memory) usage of nodespod Display resource (CPU/memory) usage of podsUsage:kubectl top [flags] [options]Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@master ~]# kubectl get apiservices | grep metrics.k8s.io
v1beta1.metrics.k8s.io kube-system/metrics-server True 37d
[root@master ~]# kubectl top node
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
master 258m 6% 5459Mi 71%
node1 308m 3% 12984Mi 84%
node2 105m 2% 5643Mi 74%
metrics-server安装
安装要求
Metrics Server 对集群和网络配置有特定的要求。这些要求并不是所有集群分布的默认要求。在使用 Metrics Server 之前,请确保您的集群分布支持这些要求:
1、kube-apiserver 必须启用聚合层。
api-server的配置: - --enable-aggregator-routing=true
2、Kubelet 证书需要由集群证书颁发机构签名;如果kubelet是有自己本地创建的证书,那么metrics-server需要配置args : "--kubelet-insecure-tls"
网上还有人提到: 节点必须启用 Webhook身份验证和授权。【没有找到配置的地方,可能是默认开启了】
安装资料准备
本次安装是: Release v0.7.2 · kubernetes-sigs/metrics-server · GitHub
安装的yaml文件:kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.7.2/components.yaml
修改镜像国内镜像地址:
apiVersion: v1
kind: ServiceAccount
metadata:labels:k8s-app: metrics-servername: metrics-servernamespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:labels:k8s-app: metrics-serverrbac.authorization.k8s.io/aggregate-to-admin: "true"rbac.authorization.k8s.io/aggregate-to-edit: "true"rbac.authorization.k8s.io/aggregate-to-view: "true"name: system:aggregated-metrics-reader
rules:
- apiGroups:- metrics.k8s.ioresources:- pods- nodesverbs:- get- list- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:labels:k8s-app: metrics-servername: system:metrics-server
rules:
- apiGroups:- ""resources:- nodes/metricsverbs:- get
- apiGroups:- ""resources:- pods- nodesverbs:- get- list- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:labels:k8s-app: metrics-servername: metrics-server-auth-readernamespace: kube-system
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccountname: metrics-servernamespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:labels:k8s-app: metrics-servername: metrics-server:system:auth-delegator
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:auth-delegator
subjects:
- kind: ServiceAccountname: metrics-servernamespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:labels:k8s-app: metrics-servername: system:metrics-server
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:metrics-server
subjects:
- kind: ServiceAccountname: metrics-servernamespace: kube-system
---
apiVersion: v1
kind: Service
metadata:labels:k8s-app: metrics-servername: metrics-servernamespace: kube-system
spec:ports:- name: httpsport: 443protocol: TCPtargetPort: httpsselector:k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:labels:k8s-app: metrics-servername: metrics-servernamespace: kube-system
spec:selector:matchLabels:k8s-app: metrics-serverstrategy:rollingUpdate:maxUnavailable: 0template:metadata:labels:k8s-app: metrics-serverspec:containers:- args:- --cert-dir=/tmp- --secure-port=10250- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname- --kubelet-insecure-tls 【后面添加的】- --kubelet-use-node-status-port- --metric-resolution=15simage: xxxxxxx/metrics-server/metrics-server:v0.7.2imagePullPolicy: IfNotPresentlivenessProbe:failureThreshold: 3httpGet:path: /livezport: httpsscheme: HTTPSperiodSeconds: 10name: metrics-serverports:- containerPort: 10250name: httpsprotocol: TCPreadinessProbe:failureThreshold: 3httpGet:path: /readyzport: httpsscheme: HTTPSinitialDelaySeconds: 20periodSeconds: 10resources:requests:cpu: 100mmemory: 200MisecurityContext:allowPrivilegeEscalation: falsecapabilities:drop:- ALLreadOnlyRootFilesystem: truerunAsNonRoot: truerunAsUser: 1000seccompProfile:type: RuntimeDefaultvolumeMounts:- mountPath: /tmpname: tmp-dirnodeSelector:kubernetes.io/os: linuxpriorityClassName: system-cluster-criticalserviceAccountName: metrics-servervolumes:- emptyDir: {}name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:labels:k8s-app: metrics-servername: v1beta1.metrics.k8s.io
spec:group: metrics.k8s.iogroupPriorityMinimum: 100insecureSkipTLSVerify: trueservice:name: metrics-servernamespace: kube-systemversion: v1beta1versionPriority: 100
执行部署
kubectl apply -f metrics-server_v0.7.2.yaml
查看metrics-server的pod运行状态
kubectl get pods -n kube-system
查看metrics-server是否部署成功
[root@master pki]# kubectl get apiservices | grep metrics
v1beta1.metrics.k8s.io kube-system/metrics-server False (MissingEndpoints) 78m
false表示没有获取到信息。
查看metrics-server pod日志:
E1201 08:25:10.784262 1 scraper.go:149] "Failed to scrape node" err="Get \"https://172.30.218.120:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 172.30.218.120 because it doesn't contain any IP SANs" node="node2"
E1201 08:25:10.793010 1 scraper.go:149] "Failed to scrape node" err="Get \"https://172.30.218.119:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 172.30.218.119 because it doesn't contain any IP SANs" node="master"
E1201 08:25:10.797384 1 scraper.go:149] "Failed to scrape node" err="Get \"https://172.30.218.118:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for 172.30.218.118 because it doesn't contain any IP SANs" node="node1"
I1201 08:25:11.514112 1 server.go:191] "Failed probe" probe="metric-storage-ready" err="no metrics to serve"日志上看是证书验证不通过,就是说metrics-server作为客户端去采集kubelet服务端的信息时,使用的时: https://172.30.218.120:10250/metrics/resource 地址,但是kubelet提供的证书中san信息是没有这个ip的,所以客户端验证服务端证书就认为这个证书不合法,因为证书里面没有这个ip信息,然后去看下kubelet服务端证书【【k8s】kubelet 的相关证书-CSDN博客】具体信息:
解决方法是:
1、用上面安装要求中的: --kubelet-insecure-tls
就是告诉metrics-server不验证 kubelet的证书。
2、 修改配置为:- --kubelet-preferred-address-types=Hostname,InternalIP,ExternalIP
首先为主机名,但是由于coredns没有配置hostname的ip映射,可以自己手动到coredns中添加。kubectl edit configmap coredns -n kube-system,具体怎么修改大家可以查查
查看监控信息
效果: 在k8s中的dashboard就有了监控信息
测试kubectl top命令的使用
kubectl top nodes
kubectl top pods -n kube-system
