Prerrequisites
- Kubernetes API Connectivity
The plugin must be able to reach API remotely in order to extract the information. - Permissions
To make requests through the API, the account used to authenticate during execution requires certain permissions.
Permission Assignment
The steps to follow to create a user with sufficient permissions to obtain the monitoring data are described below.
1. Creation of a readreading “"Cluster role” called “api-read-only”:role". A role.yaml willfile must be created thatwith grantsthe “get”,following “list”content and “watch” permissions to all resources of Kubernetes.:.
catapiVersion: <<EOFrbac.authorization.k8s.io/v1
|kind: kubectlClusterRole
applymetadata:
name: node-reader
rules:
-f apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
name: api-read-onlypod-reader
rules:
- apiGroups: - '*'[""]
resources: - '*'["pods"]
verbs: ["get", "list"]
---
getapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deployment-reader
rules:
- listapiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- watchapiGroups: ["metrics.k8s.io"]
resources: ["*"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: namespace-reader
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: component-status-reader
rules:
- apiGroups: [""]
resources: ["componentstatuses"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: node-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pod-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: deployment-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: deployment-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: metrics-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: namespace-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: namespace-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: component-status-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: component-status-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-reader
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
- nonResourceURLs: -["/healthz", '*'"/healthz/ping", "/healthz/log", "/healthz/etcd", "/healthz/poststarthook/crd-informer-synced", "/healthz/poststarthook/generic-apiserver-start-informers", "/healthz/poststarthook/start-apiextensions-controllers", "/healthz/poststarthook/start-apiextensions-informers"]
verbs: ["get"]
---
getapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: service-reader
rules:
- listapiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "watch"]
- watchnonResourceURLs: EOF["/api/v1/services"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: service-reader-binding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: service-reader
apiGroup: rbac.authorization.k8s.io2. CreationThe of a “Clustercluster role binding”must called “bind-api-read-only”: The role willthen be linked previously created to an already existing “service account”.applied:
kubectl create clusterrolebinding bind-api-read-only \apply --clusterrole=api-read-onlyf \
--serviceaccount=namespace:userfile.yaml- Install metrics server
To install the “metrics-server” addon, it will be necessary to download it in the Kubernetes environment. You can get it from their github project:
https://github.com/kubernetes-incubator/metrics-server
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yamlYou can verify that the deployment has been successful if when you launch the following command the status of your API appears as “true”:
kubectl get apiservices | grep metrics-server
v1beta1.metrics.k8s.io kube-system/metrics-server True 1mIf the deployment is successful, the metrics-server API should be accessible:
kubectl get --raw "/apis/metrics.k8s.io/v1beta1/"
{"kind":"APIResourceList","apiVersion":"v1","groupVersion":"metrics.k8s.io/v1beta1","res
ources":[{"name":"nodes","singularName":"","namespaced":false,"kind":"NodeMetrics
","verbs":["get","list"]},{"name":"pods","singularName":"","namespaced":true,"kind":"P
odMetrics","verbs":["get","list"]}]}Additionally, after a few seconds, you should be able to obtain CPU and memory usage data for containers and nodes:
$ kubectl top node
NAMECPU(cores) CPU%MEMORY(bytes)MEMORY%
kube93m968Mi56%4%
$ kubectl top pod
NAMECPU(cores)MEMORY(bytes)
pod10m3Mi
pod20m3Mi
pod30m2Mi
pod40m3Mi
pod50m1Mi