一、前言

在集群外部prometheus想要调用k8s集群的apiserver获取监控数据需要通过token和ca验证，在集群内部部署的prometheus就不会有这个情况，因为集群内部部署prometheus pod的时候就已经注入了访问集群的token和ca文件，所以以下就针对k8s集群外部署的prometheus创建token和ca文件使得prometheus能够访问k8s集群的apiserver获取监控数据

二、k8s集群创建RBAC对象

vi prometheus-rabc.yaml

apiVersion: v1
kind: ServiceAccount
metadata:name: prometheusnamespace: prometheus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: prometheus
rules:
- apiGroups:- ""resources:- nodes- services- endpoints- pods- nodes/proxyverbs:- get- list- watch
- apiGroups:- "extensions"resources:- ingressesverbs:- get- list- watch
- apiGroups:- ""resources:- configmaps- nodes/metricsverbs:- get
- nonResourceURLs:- /metricsverbs:- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: prometheus
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: prometheus
subjects:
- kind: ServiceAccountname: prometheusnamespace: prometheus

创建命名空间

kubectl create namespace prometheus

创建rbac

kubectl create -f prometheus-rabc.yaml

在新版本的k8s中创建ServiceAccount不会默认创建secret，需要自己手动创建

vi prometheus-secret.yaml 

apiVersion: v1
kind: Secret
metadata:name: prometheusnamespace: prometheusannotations:kubernetes.io/service-account.name: prometheus   #这里需要填写创建的ServiceAccount的名称
type: kubernetes.io/service-account-token

查看token

kubectl describe secret prometheus -n prometheus

 查看一下ServiceAccount

kubectl describe sa prometheus -n prometheus

 prometheus调用k8s集群接口获取监控数据，使用以上的token和集群ca证书即可

k8s集群的ca证书在以下目录中

ls /etc/kubenetes/pki