一、找回密码
root@k8s-01:~# kubectl -n monitoring get pod | grep grafana
grafana-7ff454c477-l9x2k 1/1 Running 0 8d
root@k8s-01:~# kubectl -n monitoring exec -it grafana-7ff454c477-l9x2k -- sh
/usr/share/grafana $ grafana-cli admin reset-admin-password '33070595Abc'
Deprecation warning: The standalone 'grafana-cli' program is deprecated and will be removed in the future. Please update all uses of 'grafana-cli' to 'grafana cli'
INFO [01-29|12:45:37] Starting Grafana logger=settings version= commit= branch= compiled=1970-01-01T00:00:00Z
INFO [01-29|12:45:37] Config loaded from logger=settings file=/usr/share/grafana/conf/defaults.ini
INFO [01-29|12:45:37] Config overridden from Environment variable logger=settings var="GF_PATHS_DATA=/var/lib/grafana"
INFO [01-29|12:45:37] Config overridden from Environment variable logger=settings var="GF_PATHS_LOGS=/var/log/grafana"
INFO [01-29|12:45:37] Config overridden from Environment variable logger=settings var="GF_PATHS_PLUGINS=/var/lib/grafana/plugins"
INFO [01-29|12:45:37] Config overridden from Environment variable logger=settings var="GF_PATHS_PROVISIONING=/etc/grafana/provisioning"
INFO [01-29|12:45:37] Target logger=settings target=[all]
INFO [01-29|12:45:37] Path Home logger=settings path=/usr/share/grafana
INFO [01-29|12:45:37] Path Data logger=settings path=/var/lib/grafana
INFO [01-29|12:45:37] Path Logs logger=settings path=/var/log/grafana
INFO [01-29|12:45:37] Path Plugins logger=settings path=/var/lib/grafana/plugins
INFO [01-29|12:45:37] Path Provisioning logger=settings path=/etc/grafana/provisioning
INFO [01-29|12:45:37] App mode production logger=settings
INFO [01-29|12:45:37] FeatureToggles logger=featuremgmt recoveryThreshold=true panelMonitoring=true lokiQuerySplitting=true nestedFolders=true logsContextDatasourceUi=true cloudWatchNewLabelParsing=true logRowsPopoverMenu=true kubernetesPlaylists=true dataplaneFrontendFallback=true recordedQueriesMulti=true transformationsVariableSupport=true addFieldFromCalculationStatFunctions=true cloudWatchCrossAccountQuerying=true prometheusAzureOverrideAudience=true lokiQueryHints=true logsExploreTableVisualisation=true annotationPermissionUpdate=true lokiMetricDataplane=true prometheusMetricEncyclopedia=true lokiStructuredMetadata=true topnav=true alertingInsights=true exploreMetrics=true formatString=true ssoSettingsApi=true autoMigrateXYChartPanel=true tlsMemcached=true prometheusConfigOverhaulAuth=true logsInfiniteScrolling=true alertingSimplifiedRouting=true awsAsyncQueryCaching=true managedPluginsInstall=true cloudWatchRoundUpEndTime=true transformationsRedesign=true alertingNoDataErrorExecution=true dashgpt=true influxdbBackendMigration=true prometheusDataplane=true groupToNestedTableTransformation=true correlations=true publicDashboards=true angularDeprecationUI=true
INFO [01-29|12:45:37] Connecting to DB logger=sqlstore dbtype=sqlite3
INFO [01-29|12:45:37] Locking database logger=migrator
INFO [01-29|12:45:37] Starting DB migrations logger=migrator
INFO [01-29|12:45:37] migrations completed logger=migrator performed=0 skipped=594 duration=359.617µs
INFO [01-29|12:45:37] Unlocking database logger=migrator
INFO [01-29|12:45:37] Envelope encryption state logger=secrets enabled=true current provider=secretKey.v1
Admin password changed successfully ✔
/usr/share/grafana $ exit
root@k8s-01:~#
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-grafana
namespace: monitoring
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: grafana
app.kubernetes.io/name: grafana
app.kubernetes.io/part-of: kube-prometheus
policyTypes: ["Ingress"]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
ports:
- protocol: TCP
port: 3000
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-prometheus
namespace: monitoring
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: prometheus
app.kubernetes.io/instance: k8s
app.kubernetes.io/name: prometheus
app.kubernetes.io/part-of: kube-prometheus
policyTypes: ["Ingress"]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
ports:
- protocol: TCP
port: 9090
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-traefik-to-alertmanager
namespace: monitoring
spec:
podSelector:
matchLabels:
app.kubernetes.io/component: alert-router
app.kubernetes.io/instance: main
app.kubernetes.io/name: alertmanager
app.kubernetes.io/part-of: kube-prometheus
policyTypes: ["Ingress"]
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
ports:
- protocol: TCP
port: 9093
EOF
需要放行
monitoring 里原来的 NetworkPolicy 没放行 traefik → 导致 Traefik 转发到 grafana/prometheus/alertmanager 全部被丢包,最后表现成 504/超时。#添加节点 创建 additionalScrapeConfigs 的 Secret(把外部节点加进去)
#我这里用 job_name: node-exporter 是为了让你现成的 Node Exporter / Nodes 仪表盘直接复用(很多面板按 job 过滤)。
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: prometheus-additional-scrape-configs
namespace: monitoring
type: Opaque
stringData:
additional-scrape-configs.yaml: |
- job_name: node-exporter
static_configs:
- targets:
- 192.168.1.12:9100
- 192.168.1.15:9100
- 192.168.1.30:9100
labels:
origin: external
relabel_configs:
- source_labels: [__address__]
target_label: instance
regex: '([^:]+):\d+'
replacement: '$1'
EOF
#把 Secret 挂到 Prometheus(prometheus-k8s)
kubectl -n monitoring patch prometheus prometheus-k8s --type merge -p '
{
"spec": {
"additionalScrapeConfigs": {
"name": "prometheus-additional-scrape-configs",
"key": "additional-scrape-configs.yaml"
}
}
}'
#验证
kubectl -n monitoring port-forward svc/prometheus-k8s 9090:9090
评论 (0)