iptables monitoring with Grafana (Not Completed)

  • kkumtree

2024-09-29T13:35:13+09:00

kans
kind
iptables
kubernetes
grafana

Let's look at how to collect iptables data and display it in Grafana.

This post summarizes what I learned through the K8s Advanced Network Study (KANS) run by CloudNet@.

0. Environment setup (kind)

Due to time constraints while writing, I'm skipping the explanation of the featureGates, ConfigPatches and networking settings.

a. 1 Master, 3 Slave environment setup

cat <<EOT> kind-svc-1w.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  "InPlacePodVerticalScaling": true
  "MultiCIDRServiceAllocator": true
nodes:
- role: control-plane
  labels:
    mynode: control-plane
    topology.kubernetes.io/zone: ap-northeast-2a
  extraPortMappings:
  - containerPort: 30000
    hostPort: 30000
  - containerPort: 30001
    hostPort: 30001
  - containerPort: 30002
    hostPort: 30002
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        runtime-config: api/all=true
    controllerManager:
      extraArgs:
        bind-address: 0.0.0.0
    etcd:
      local:
        extraArgs:
          listen-metrics-urls: http://0.0.0.0:2381
    scheduler:
      extraArgs:
        bind-address: 0.0.0.0
  - |
    kind: KubeProxyConfiguration
    metricsBindAddress: 0.0.0.0
- role: worker
  labels:
    mynode: worker1
    topology.kubernetes.io/zone: ap-northeast-2a
- role: worker
  labels:
    mynode: worker2
    topology.kubernetes.io/zone: ap-northeast-2b
- role: worker
  labels:
    mynode: worker3
    topology.kubernetes.io/zone: ap-northeast-2c
networking:
  podSubnet: 10.10.0.0/16
  serviceSubnet: 10.200.1.0/24
EOT

kind create cluster --config kind-svc-1w.yaml --name myk8s --image kindest/node:v1.31.0

b. Install basic tools

docker exec -it myk8s-control-plane sh -c 'apt update && apt install tree psmisc lsof wget bsdmainutils bridge-utils net-tools ipset ipvsadm nfacct tcpdump ngrep iputils-ping arping git vim arp-scan -y'

1. Install the prometheus stack (helm)

a. Add and configure the repository

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts

cat <<EOT > monitor-values.yaml
prometheus:
  prometheusSpec:
    podMonitorSelectorNilUsesHelmValues: false
    serviceMonitorSelectorNilUsesHelmValues: false
    nodeSelector:
      mynode: control-plane
    tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Equal"
      effect: "NoSchedule"


grafana:
  defaultDashboardsTimezone: Asia/Tokyo
  adminPassword: kans7969

  service:
    type: NodePort
    nodePort: 30002
  nodeSelector:
    mynode: control-plane
  tolerations:
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Equal"
    effect: "NoSchedule"

defaultRules:
  create: false
alertmanager:
  enabled: false

EOT

b. Install

kubectl create ns monitoring
helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack --version 62.3.0 -f monitor-values.yaml --namespace monitoring

c. Access the prometheus console

Open a new terminal and connect via port-forwarding.

# New Terminal
# Prometheus listens on 9090; the chart exposes it as svc/kube-prometheus-stack-prometheus
# (the grafana service has no port 9090, so forwarding that one would fail)
kubectl port-forward svc/kube-prometheus-stack-prometheus -n monitoring 9090:9090

[Screenshot: prometheus-first-mapping]

You can see that even the troublesome etcd target is attached.

Honestly, I expected it to conflict right away, and was sort of hoping it would… oh well.

If it does conflict, the main issue is a mismatch with the port specified in the kind config at the top.
Refer to the following to fix it.

helm upgrade --install \
  --namespace monitoring --create-namespace \
  --repo https://prometheus-community.github.io/helm-charts \
  kube-prometheus-stack kube-prometheus-stack --values - <<EOF
kubeEtcd:
  service:
    targetPort: 2381
EOF

2. Check the Grafana dashboard

Let's access Grafana.

When kube-prometheus-stack is installed with defaults, node-exporter and grafana are installed along with it.

a. Check the login credentials

First, we need to know the ID and password to log in with.

kubectl get secret -n monitoring kube-prometheus-stack-grafana -o jsonpath="{.data.admin-user}" | base64 --decode ; echo
# admin
kubectl get secret -n monitoring kube-prometheus-stack-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
# kans7969

I'm impressed that everyone uses something this dangerous.

b. Check the port

Since Grafana was set to NodePort earlier, unlike Prometheus it needs no separate port-forwarding.

kubectl get svc -A -owide | grep NodePort
# monitoring    kube-prometheus-stack-grafana                    NodePort    10.200.1.25    <none>        80:30002/TCP                   101m   app.kubernetes.io/instance=kube-prometheus-stack,app.kubernetes.io/name=grafana

์œ„์˜ ๊ฒฝ์šฐ์—๋Š” kind๋ฅผ ๊ตฌ์„ฑํ•œ, ์ปดํ“จํ„ฐ์˜ ๋ธŒ๋ผ์šฐ์ €์—์„œ localhost:30002๋กœ ์ ‘์†ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.

c. Dashboard ํ™•์ธ

์Œ ์—ญ์‹œ. ๋ญ๊ฐ€ ๋งŽ์ด ๋ถ€์กฑํ•˜์ฃ ? ๊ฐ ๋…ธ๋“œ์˜ iptables rule๊ณผ io up/down์ด ํ™•์ธ์ด ์•ˆ๋˜๋„ค์š”.

[Screenshot: grafana-first-try]

Now this is what we have to do.

3. Configure the iptables exporter

a. The cause

It's simple. The description of that dashboard template points to a node-exporter that the template author forked and wrote separately. Wow!
Still, at least there is some guidance. Shall we take a look?

[Screenshot: leishi-commit-log]

I can see that some things have changed… I guess I'll have to cram it into the yaml somehow… it gets me thinking.

b. Let's think about it. About what?

Most helm users have no need to know this… and no time to learn it, but helm charts also have this thing, what's it called, dependencies.

According to the latest docs, as shown below, ah right, dependencies. You can see that dependencies are declared.

[Screenshot: dependencies]

Hmm, reading it only drags me deeper into the maze. The dependency name is prometheus-node-exporter … hmm, this is a problem.

c. Let's just keep looking anyway

The time spent so far would be wasted otherwise, so I keep going.

Let's look at which values the widgets missing from the dashboard are requesting.

  • increase(node_iptables_download_bytes_total{job=~"$job",instance=~"$instance"}[$__range])
  • increase(node_iptables_upload_bytes_total{job=~"$job",instance=~"$instance"}[$__range])
  • irate(node_v2ray_download_bytes_total{job=~"$job",instance=~"$instance",dimension=~"$dimension",target=~"$target"}[5m])
  • irate(node_v2ray_upload_bytes_total{job=~"$job",instance=~"$instance",dimension=~"$dimension",target=~"$target"}[5m])
  • irate(node_v2ray_download_bytes_total{job=~"$job",instance=~"$instance",dimension=~"$dimension",target=~"$target"}[5m])
  • irate(node_iptables_download_bytes_total{job=~"$job",instance=~"$instance",chain=~"$dimension",rule=~"$target"}[5m])

As expected, the missing widgets are all tied to the commit history. In particular, v2ray also has a separate GitHub repository of its own.

There seem to be few options left now.
Since it wasn't there when I checked the targets in p8s, if enabling it works, okay; if not… GG

  • Option A) Enable and use the existing node-exporter.
    Doesn't make sense. The original node-exporter never had anything like v2ray.
  • Option B) Modify the existing helm chart to use the node-exporter reference path.
    Doing something that rough doesn't seem like a good idea.
  • Option C) Through some mysterious and surprising Discussion, just keep digging…
    I'll go with… this one.

Looking at this, I start to sense the abyss. Run away, quickly

This horrifying cron one liner when set as a cron simulates an iptables exporter. At least on debian buster/stretch it does. It gives more or less the same output as the dedicated iptables exporter. It just uses awk to process the output of iptables-save -c into something prometheus can understand, and pops it in the folder the node exporter monitors.

SCRAPE_INTERVAL=15
OFFSET_INTERVAL=5
* * * * * root sleep $OFFSET_INTERVAL; for i in $(seq $SCRAPE_INTERVAL $SCRAPE_INTERVAL 60); do /usr/sbin/iptables-save -c | grep -v '^#' | grep -v 'COMMIT' | sed -e s'/\[//g;s/\]//g' | awk -F'[ :]' '{ if($0 ~ /\*/) { table=$0; gsub("^*","",table); } else if($0 ~ /^\:/){ print "iptables_rule_bytes_total{chain=\"" $2 "\",policy=\"" $3 "\",table=\"" table "\"} " $5 "\niptables_rule_packets_total{chain=\"" $2 "\",policy=\"" $3 "\",table=\"" table "\"} " $4; } else { rule=$5; for(i=6;i<=NF;i++){rule=rule" "$i} print "iptables_rule_bytes_total{chain=\"" $4 "\",rule=\"" rule "\",table=\"" table "\"} " $2 "\niptables_rule_packets_total{chain=\"" $4 "\",rule=\"" rule "\",table=\"" table "\"} " $1; } }' > /var/lib/prometheus/node-exporter/iptables.prom; echo "iptables_scrape_success $(date +\%s)" >> /var/lib/prometheus/node-exporter/iptables.prom; sleep $SCRAPE_INTERVAL; done

Since it only works on that guy's say-so, I just quickly look for something else. There's also a permissions thread along the lines of "if you use $(date +\%s), who's going to clean up that log, your ancestors?"

Actually, since permissions were mentioned in the discussion, I looked around: pypi/iptables-exporter came up too, and things looked messy for a while, but then I saw permissions spelled out clearly, so I decided to try that.
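
As an added example (not from this post or the discussion it quotes), here is the conversion that the cron one-liner performs, written in Python so it can be read: it parses `iptables-save -c` output into `iptables_rule_packets_total` / `iptables_rule_bytes_total` samples, escapes label values (a rule carrying `-m comment --comment "..."` would otherwise break the exposition format, which the awk version does not handle), and writes the file via rename so the textfile collector never reads a half-written file. The sample input, function names and output path are constructed for this example.

```python
import os
import re

# Constructed sample of `iptables-save -c` output (not captured from the lab nodes).
SAMPLE = """\
*filter
:INPUT ACCEPT [120:9600]
:KUBE-FORWARD - [0:0]
[15:1200] -A INPUT -p tcp -m tcp --dport 9455 -m comment --comment "kans lab" -j ACCEPT
[3:240] -A FORWARD -j KUBE-FORWARD
COMMIT
"""
COUNTER = re.compile(r"\[(\d+):(\d+)\]")  # the leading "[pkts:bytes]" counter pair

def escape_label(value: str) -> str:
    # Prometheus text format: backslash, double quote and newline must be escaped in label values.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def iptables_save_to_prom(text: str) -> list[str]:
    """Turn `iptables-save -c` output into iptables_rule_{packets,bytes}_total samples."""
    samples, table = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # "*filter": table header
            table = line[1:]
            continue
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, counters = line[1:].split(" ", 2)
            pkts, byts = COUNTER.match(counters).groups()
            labels = f'chain="{escape_label(chain)}",policy="{escape_label(policy)}"'
        else:                                         # "[pkts:bytes] -A CHAIN <rule spec>"
            m = COUNTER.match(line)
            parts = line[m.end():].strip().split(" ", 2) if m else []
            if len(parts) < 2:
                continue                              # not a counted rule line; skip it
            pkts, byts = m.groups()
            chain, rule = parts[1], (parts[2] if len(parts) > 2 else "")
            labels = f'chain="{escape_label(chain)}",rule="{escape_label(rule)}"'
        labels += f',table="{escape_label(table)}"'
        samples.append(f"iptables_rule_packets_total{{{labels}}} {pkts}")
        samples.append(f"iptables_rule_bytes_total{{{labels}}} {byts}")
    return samples

def write_textfile(samples: list[str], path: str) -> None:
    """Write via rename so node_exporter's textfile collector never reads a half-written file."""
    with open(f"{path}.tmp", "w") as fh:
        fh.write("\n".join(samples) + "\n")
    os.replace(f"{path}.tmp", path)
```

On a node you would feed it the real output of `iptables-save -c` and point `write_textfile` at the directory the textfile collector watches (the one-liner uses /var/lib/prometheus/node-exporter/iptables.prom).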

d. Do… It

Permissions

  • A total of 3 capabilities must be granted.
    • CAP_DAC_READ_SEARCH
    • CAP_NET_ADMIN
    • CAP_NET_RAW

Applying the permissions

  • retailnext/iptables_exporter
    • GitHub
    • Its first paragraph kindly says that the systemd options need to be reconfigured.

Unfortunately, iptables-save (which this exporter uses) doesn’t work without special permissions.

Including the following systemd [Service] options will allow this exporter to work without running it as root:

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
  • kbknapp/iptables_exporter
    • GitHub
    • Apart from the permissions part it's worth following, and it has the most recent commits, so I'll give it a try.
    • It being buggy probably can't be helped.

Install iptables_exporter

Come to think of it, I'm connecting as root anyway, so I'll just check whether it works at all.

The rust toolchain is unfamiliar to me, so I'll download the (x86_64) binary and use that.

docker exec -it myk8s-worker bash
root@myk8s-worker:/# echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root@myk8s-worker:/# cd /tmp
root@myk8s-worker:/tmp# curl https://github.com/kbknapp/iptables_exporter/releases/download/v0.4.0/iptables_exporter-v0.4.0-x86_64-linux-musl.tar.gz -o iptables_exporter-v0.4.0-x86_64-linux-musl.tar.gz -L
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 3114k  100 3114k    0     0   436k      0  0:00:07  0:00:07 --:--:--  641k
root@myk8s-worker:/tmp# tar -xvf iptables_exporter-v0.4.0-x86_64-linux-musl.tar.gz ./iptables_exporter
./iptables_exporter
root@myk8s-worker:/tmp# mv iptables_exporter /usr/bin
root@myk8s-worker:/tmp# iptables_exporter -V
iptables_exporter v0.4.0 (f8d6fca92a)
root@myk8s-worker:/tmp# rm *
root@myk8s-worker:/tmp# cd -
/
root@myk8s-worker:/#

Register with systemd

Now register it with systemd so it can run in the background.

root@myk8s-worker:/# cat <<EOT > /etc/systemd/system/iptables_exporter.service
[Unit]
Description=iptables_exporter
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/iptables_exporter
Restart=always
RestartSec=5
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

[Install]
WantedBy=multi-user.target
EOT

# permission
root@myk8s-worker:/# chmod a+x /etc/systemd/system/iptables_exporter.service

After reload, check the status

root@myk8s-worker:/# systemctl daemon-reload
root@myk8s-worker:/# service status iptables_exporter
status: unrecognized service
root@myk8s-worker:/# service iptables_exporter status
○ iptables_exporter.service - iptables_exporter
     Loaded: loaded (/etc/systemd/system/iptables_exporter.service; disabled; preset: enabled)
     Active: inactive (dead)
root@myk8s-worker:/# service iptables_exporter start
root@myk8s-worker:/# service iptables_exporter status
● iptables_exporter.service - iptables_exporter
     Loaded: loaded (/etc/systemd/system/iptables_exporter.service; disabled; preset: enabled)
     Active: active (running) since Sun 2024-09-29 17:06:54 UTC; 2s ago
   Main PID: 8697 (iptables_export)
      Tasks: 1 (limit: 5729)
     Memory: 1.3M
        CPU: 13ms
     CGroup: /system.slice/iptables_exporter.service
             └─8697 /usr/bin/iptables_exporter

Sep 29 17:06:54 myk8s-worker systemd[1]: Started iptables_exporter.service - iptables_exporter.
Sep 29 17:06:54 myk8s-worker iptables_exporter[8697]: 2024-09-29T17:06:54.686186Z  INFO iptables_exporter: Registering metrics...
Sep 29 17:06:54 myk8s-worker iptables_exporter[8697]: 2024-09-29T17:06:54.686280Z  INFO iptables_exporter: Spawning server...
Sep 29 17:06:54 myk8s-worker iptables_exporter[8697]: 2024-09-29T17:06:54.686338Z  INFO iptables_exporter: Collecting iptables metrics...
Sep 29 17:06:54 myk8s-worker iptables_exporter[8697]: 2024-09-29T17:06:54.687570Z  INFO iptables_exporter: Collecting iptables metrics...
root@myk8s-worker:/# exit

Configure scrape_config

Now modify the monitor-values.yaml used above.

cat <<EOT > monitor-values.yaml
prometheus:
  prometheusSpec:
    podMonitorSelectorNilUsesHelmValues: false
    serviceMonitorSelectorNilUsesHelmValues: false
    nodeSelector:
      mynode: control-plane
    tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Equal"
      effect: "NoSchedule"
    additionalScrapeConfigs: |
      - job_name: 'iptables'
        static_configs:
        - targets: ['localhost:9455', '172.18.0.3:9455']
        relabel_configs:
        - source_labels: [ '__address__' ]
          regex: '(.*):\d+'
          target_label: instance


grafana:
  defaultDashboardsTimezone: Asia/Tokyo
  adminPassword: kans7969

  service:
    type: NodePort
    nodePort: 30002
  nodeSelector:
    mynode: control-plane
  tolerations:
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Equal"
    effect: "NoSchedule"

defaultRules:
  create: false
alertmanager:
  enabled: false

EOT

helm upgrade --install \
  --namespace monitoring --create-namespace \
  --repo https://prometheus-community.github.io/helm-charts \
  kube-prometheus-stack kube-prometheus-stack --values monitor-values.yaml

Looking at it again.. there's an error, as expected.
It seems to be because the port isn't open, but for now I need to sleep.

[Screenshot: custom-target-error]

Reference

https://medium.com/@charled.breteche/kind-fix-missing-prometheus-operator-targets-1a1ff5d8c8ad
https://sbcode.net/prometheus/prometheus-node-exporter-2nd/
https://www.crybit.com/install-and-configure-node-exporter/
https://docs.redhat.com/ko/documentation/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files#sect-Managing_Services_with_systemd-Unit_File_Create

kkumtree

plumber for infra


© 2025 kkumtree and contributors. All rights reserved. Licensed under CC BY-NC-ND 4.0.