I tried setting up Amazon Managed Service for Prometheus

Introduction

These are my notes from setting up Amazon Managed Service for Prometheus (AMP below).

Setup steps

1. Create an AMP workspace

This is done from the AWS Management Console with no fuss:
you only have to pick a workspace name.

2. Bind IAM roles and ServiceAccounts for AMP

I followed the steps described in the AWS documentation.

2-1. Create the IAM role for metric ingestion

Save the script from the AWS documentation above as createIRSA-AMPIngest.sh and run it.
CLUSTER_NAME and SERVICE_ACCOUNT_NAMESPACE must be changed to the EKS cluster name and the namespace Prometheus runs in, respectively.

ec2-user:~/environment $ chmod a+x createIRSA-AMPIngest.sh 
ec2-user:~/environment $ ./createIRSA-AMPIngest.sh 
arn:aws:iam::XXXXXXXXXXXX:role/amp-iamproxy-ingest-role
2021-12-28 10:15:05 [ℹ]  eksctl version 0.62.0
2021-12-28 10:15:05 [ℹ]  using region ap-northeast-1
2021-12-28 10:15:06 [ℹ]  will create IAM Open ID Connect provider for cluster "eks-work-cluster" in "ap-northeast-1"
2021-12-28 10:15:06 [ℹ]  created IAM Open ID Connect provider for cluster "eks-work-cluster" in "ap-northeast-1"

This creates the IAM role used for ingesting metrics into AMP.

    • Role name: amp-iamproxy-ingest-role

    • Policy name: AMPIngestPolicy

    Policy document:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "aps:RemoteWrite",
                    "aps:GetSeries",
                    "aps:GetLabels",
                    "aps:GetMetricMetadata"
                ],
                "Resource": "*"
            }
        ]
    }

2-2. Create the IAM role for querying

Save the script from the AWS documentation above as createIRSA-AMPQuery.sh and run it.
CLUSTER_NAME and SERVICE_ACCOUNT_NAMESPACE must be changed to the EKS cluster name and the namespace Prometheus runs in, respectively.

ec2-user:~/environment $ ./createIRSA-AMPQuery.sh 
arn:aws:iam::XXXXXXXXXXXX:role/amp-iamproxy-query-role
2021-12-28 10:38:20 [ℹ]  eksctl version 0.62.0
2021-12-28 10:38:20 [ℹ]  using region ap-northeast-1
2021-12-28 10:38:21 [ℹ]  IAM Open ID Connect provider is already associated with cluster "eks-work-cluster" in "ap-northeast-1"

This creates the IAM role used for querying metrics in AMP.

    • Role name: amp-iamproxy-query-role

    • Policy name: AMPQueryPolicy

    Policy document:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "aps:QueryMetrics",
                    "aps:GetSeries",
                    "aps:GetLabels",
                    "aps:GetMetricMetadata"
                ],
                "Resource": "*"
            }
        ]
    }

3. Install Prometheus and apply the AMP-specific configuration changes

3-1. Install Prometheus

First, install Prometheus with Helm.

ec2-user:~ $ helm install prometheus -n prometheus --create-namespace prometheus-community/prometheus
NAME: prometheus
LAST DEPLOYED: Wed Dec 29 05:44:17 2021
NAMESPACE: prometheus
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
prometheus-server.prometheus.svc.cluster.local


Get the Prometheus server URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9090


The Prometheus alertmanager can be accessed via port 80 on the following DNS name from within your cluster:
prometheus-alertmanager.prometheus.svc.cluster.local


Get the Alertmanager URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=alertmanager" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9093
#################################################################################
######   WARNING: Pod Security Policy has been moved to a global property.  #####
######            use .Values.podSecurityPolicy.enabled with pod-based      #####
######            annotations                                               #####
######            (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
#################################################################################


The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
prometheus-pushgateway.prometheus.svc.cluster.local


Get the PushGateway URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9091

For more information on running Prometheus, visit:
https://prometheus.io/

3-2. Download the Prometheus Helm chart

Download the Helm chart so that the AMP settings can be added to it.

ec2-user:~ $ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
"prometheus-community" already exists with the same configuration, skipping
ec2-user:~ $ helm pull prometheus-community/prometheus --untar
ec2-user:~ $ ll |  grep prometheus
drwxr-xr-x 4 ec2-user ec2-user      128 Dec 29 05:22 prometheus
ec2-user:~ $ ll prometheus/
total 80
-rw-r--r-- 1 ec2-user ec2-user   247 Dec 29 05:22 Chart.lock
drwxr-xr-x 3 ec2-user ec2-user    32 Dec 29 05:22 charts
-rw-r--r-- 1 ec2-user ec2-user   956 Dec 29 05:22 Chart.yaml
-rw-r--r-- 1 ec2-user ec2-user  9348 Dec 29 05:22 README.md
drwxr-xr-x 6 ec2-user ec2-user   117 Dec 29 05:22 templates
-rw-r--r-- 1 ec2-user ec2-user 57644 Dec 29 05:22 values.yaml

Add the AMP settings to the Helm values file

I added the following to the end of prometheus/values.yaml. The server ServiceAccount is annotated with the ingest role ARN from step 2-1 so that IRSA supplies the credentials, and remoteWrite is signed with SigV4 for the workspace's region.

serviceAccounts:
  server:
    name: "amp-iamproxy-ingest-service-account"
    annotations:
      eks.amazonaws.com/role-arn: "arn:aws:iam::XXXXXXXXXXXX:role/amp-iamproxy-ingest-role"
server:
  remoteWrite:
    - url: https://aps-workspaces.ap-northeast-1.amazonaws.com/workspaces/#{AMPのworkspace ID}/api/v1/remote_write
      sigv4:
        region: ap-northeast-1
      queue_config:
        max_samples_per_send: 1000
        max_shards: 200
        capacity: 2500

3-3. Apply the AMP configuration

Apply the AMP-related configuration to the Prometheus Kubernetes resources with helm upgrade.

ec2-user:~ $ helm upgrade prometheus prometheus-community/prometheus -n prometheus -f ./prometheus/values.yaml --version 15.0.1
Release "prometheus" has been upgraded. Happy Helming!
NAME: prometheus
LAST DEPLOYED: Wed Dec 29 06:25:44 2021
NAMESPACE: prometheus
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
prometheus-server.prometheus.svc.cluster.local


Get the Prometheus server URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9090


The Prometheus alertmanager can be accessed via port 80 on the following DNS name from within your cluster:
prometheus-alertmanager.prometheus.svc.cluster.local


Get the Alertmanager URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=alertmanager" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9093
#################################################################################
######   WARNING: Pod Security Policy has been moved to a global property.  #####
######            use .Values.podSecurityPolicy.enabled with pod-based      #####
######            annotations                                               #####
######            (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) #####
#################################################################################


The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
prometheus-pushgateway.prometheus.svc.cluster.local


Get the PushGateway URL by running these commands in the same shell:
  export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
  kubectl --namespace prometheus port-forward $POD_NAME 9091

For more information on running Prometheus, visit:
https://prometheus.io/
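Before running helm upgrade it is worth checking the pieces above against each other. The following is an added example, not code from the original post: it audits the two IAM policy documents from step 2 and the remoteWrite entry from values.yaml (embedded here as Python dicts; the workspace id ws-0000 and account 123456789012 are constructed samples), confirms the sigv4 region matches the endpoint, confirms write and query permissions stay on separate roles, and flags the wildcard Resource, suggesting the workspace ARN instead.

```python
import json
import re

# The two policies as created by the scripts on this page (ingest and query).
INGEST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": '
    '["aps:RemoteWrite", "aps:GetSeries", "aps:GetLabels", "aps:GetMetricMetadata"], "Resource": "*"}]}')
QUERY_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": '
    '["aps:QueryMetrics", "aps:GetSeries", "aps:GetLabels", "aps:GetMetricMetadata"], "Resource": "*"}]}')
# The remoteWrite entry from values.yaml as a dict; workspace id ws-0000 is a constructed sample.
REMOTE_WRITE = {
    "url": "https://aps-workspaces.ap-northeast-1.amazonaws.com/workspaces/ws-0000/api/v1/remote_write",
    "sigv4": {"region": "ap-northeast-1"},
}
URL_RE = re.compile(r"^https://aps-workspaces\.(?P<region>[a-z0-9-]+)\.amazonaws\.com"
                    r"/workspaces/(?P<ws>[^/]+)/api/v1/remote_write$")

def allowed_actions(policy: dict) -> set:
    """Every action granted by an Allow statement (Action may be a string or a list)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions

def audit(ingest: dict, query: dict, remote_write: dict, account: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = URL_RE.match(remote_write["url"])
    if not m:
        return ["remote_write URL is not an AMP workspace remote_write endpoint"]
    region, ws = m.group("region"), m.group("ws")
    if remote_write.get("sigv4", {}).get("region") != region:
        findings.append("sigv4.region does not match the region in the remote_write URL")
    if not ws.startswith("ws-"):
        findings.append(f"workspace id '{ws}' looks like an unfilled placeholder")
    ws_arn = f"arn:aws:aps:{region}:{account}:workspace/{ws}"  # ARN form of an AMP workspace
    # Separation of duties: the scraping role writes, the Grafana role reads, never both.
    ingest_acts, query_acts = allowed_actions(ingest), allowed_actions(query)
    if "aps:RemoteWrite" not in ingest_acts:
        findings.append("ingest policy lacks aps:RemoteWrite; remote_write will be rejected")
    if "aps:QueryMetrics" in ingest_acts:
        findings.append("ingest policy also grants aps:QueryMetrics; drop it from the scrape role")
    if "aps:RemoteWrite" in query_acts:
        findings.append("query policy also grants aps:RemoteWrite; drop it from the query role")
    for name, pol in (("ingest", ingest), ("query", query)):
        if any(s.get("Resource") == "*" for s in pol["Statement"]):
            findings.append(f"{name} policy uses Resource '*'; scope it to {ws_arn}")
    return findings
```

Run against the page's own policies, the only findings are the two wildcard Resource entries, which the suggested workspace ARN resolves.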

4. Create an Amazon Managed Grafana (AMG below) workspace

You must choose either AWS Single Sign-On (SSO) or SAML as the authentication method.

If you use SSO, one of the assigned users must be made an administrator! Otherwise, access is denied when AMP is later registered as a data source.


5. Log in to AMG


Select the AMP workspace in the AMG settings screen.

Metrics stored in AMP can now be viewed through AMG!
