CadolesKube/typhoon
7
0
Fork 0
mirror of https://github.com/puppetmaster/typhoon.git synced 2025-07-01 07:24:36 +02:00
Code Issues Packages Projects Releases Wiki Activity

Configure Prometheus to scrape Kubelets directly

Browse Source 
* Use Kubelet bearer token authn/authz to scrape metrics
* Drop RBAC permission from nodes/proxy to nodes/metrics
* Stop proxying kubelet scrapes through the apiserver, since
this required higher privilege (nodes/proxy) and can add
load to the apiserver on large clusters
This commit is contained in:
Dalton Hubble
2018-05-13 23:49:45 -07:00
parent 37981f9fb1
commit c2b719dc75
7 changed files with 40 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
google-cloud/container-linux/kubernetes/network.tf
View File

@ -121,7 +121,7 @@ resource "google_compute_firewall" "internal-node-exporter" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}
# kubelet API to allow kubectl exec and log
# kubelet API to allow apiserver exec and log or metrics scraping
resource "google_compute_firewall" "internal-kubelet" {
name = "${var.cluster_name}-internal-kubelet"
network = "${google_compute_network.network.name}"
@ -131,7 +131,7 @@ resource "google_compute_firewall" "internal-kubelet" {
ports = [10250]
}
source_tags = ["${var.cluster_name}-controller"]
source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}