Prerequisites

  • Kubernetes API Connectivity
    The plugin must be able to reach the Kubernetes API remotely in order to extract the information.
  • Permissions
    To make requests through the API, the account used to authenticate during execution requires certain permissions.

Permission Assignment

The steps to follow to create a user with sufficient permissions to obtain the monitoring data are described below. 

1. Creation of a read-only "Cluster role". A role.yaml file must be created with the following content:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: component-status-reader
rules:
- apiGroups: [""]
  resources: ["componentstatuses"]
  verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: metrics-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: namespace-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: component-status-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: component-status-reader
  apiGroup: rbac.authorization.k8s.io
  
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
- nonResourceURLs: ["/healthz", "/healthz/ping", "/healthz/log", "/healthz/etcd", "/healthz/poststarthook/crd-informer-synced", "/healthz/poststarthook/generic-apiserver-start-informers", "/healthz/poststarthook/start-apiextensions-controllers", "/healthz/poststarthook/start-apiextensions-informers"]
  verbs: ["get"]
  
---
    
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: service-reader
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/api/v1/services"]
  verbs: ["get"]
  
---
  
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: service-reader-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: default  
roleRef:
  kind: ClusterRole
  name: service-reader
  apiGroup: rbac.authorization.k8s.io

2. The cluster role must then be applied:

kubectl apply -f file.yaml

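The bindings above target the "default" ServiceAccount of the "default" namespace, which every pod in that namespace uses unless it names another account, so it is worth confirming what that identity can actually do once the file is applied. The check below is an added example, not part of the plugin or its documentation; the function names and the denied probes (watching pods, reading secrets, creating pods, deleting deployments) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: check the effective permissions of the ServiceAccount bound above.
# Run with an admin kubeconfig: --as requires the "impersonate" permission.
SA="system:serviceaccount:default:default"  # subject of the ClusterRoleBindings

# can_i VERB TARGET: print "yes" or "no" for the impersonated ServiceAccount.
can_i() {
    # stdin is redirected so kubectl cannot consume the probe list in the loop
    if kubectl auth can-i "$1" "$2" --as="$SA" </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Expected answer, verb and target. The "yes" rows come from the roles on this
# page; the "no" rows are constructed probes that should stay denied.
EXPECTED='yes list nodes
yes list pods
yes list deployments.apps
yes list nodes.metrics.k8s.io
yes list namespaces
yes list componentstatuses
yes watch services
yes get /healthz
no watch pods
no get secrets
no create pods
no delete deployments.apps'

# check_plugin_rbac: return 0 when every probe matches, non-zero otherwise.
check_plugin_rbac() {
    failures=0
    while read -r want verb target; do
        got=$(can_i "$verb" "$target")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $verb $target -> $got (expected $want)"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$failures" -eq 0 ]
}
```

Source the file and call check_plugin_rbac with an administrator kubeconfig. A MISMATCH on a "no" row means the account holds rights granted by some other binding.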
  • Install metrics server

To install the “metrics-server” addon, it must first be downloaded into the Kubernetes environment. You can get it from its GitHub project:

https://github.com/kubernetes-incubator/metrics-server

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

The deployment has been successful if the following command shows the status of the API as “True”:

kubectl get apiservices | grep metrics-server
v1beta1.metrics.k8s.io    kube-system/metrics-server True 1m

If the deployment is successful, the metrics-server API should be accessible:

kubectl get --raw "/apis/metrics.k8s.io/v1beta1/"
{"kind":"APIResourceList","apiVersion":"v1","groupVersion":"metrics.k8s.io/v1beta1","resources":[{"name":"nodes","singularName":"","namespaced":false,"kind":"NodeMetrics","verbs":["get","list"]},{"name":"pods","singularName":"","namespaced":true,"kind":"PodMetrics","verbs":["get","list"]}]}

Additionally, after a few seconds, you should be able to obtain CPU and memory usage data for containers and nodes:

$ kubectl top node
NAME   CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
kube   93m          4%     968Mi           56%
$ kubectl top pod
NAME   CPU(cores)   MEMORY(bytes)
pod1   0m           3Mi
pod2   0m           3Mi
pod3   0m           2Mi
pod4   0m           3Mi
pod5   0m           1Mi
pod50m1Mi