51工具盒子

依楼听风雨
Watching the clouds gather and scatter with a smile; observing the tides rise and fall with calm

SSL certificate monitoring with x509-certificate-exporter (already built in, no need to add it)

https://hub.docker.com/r/enix/x509-certificate-exporter/tags

Monitoring the certificates of Kubernetes cluster components with x509-certificate-exporter: link

1- Image: x509-certificate-exporter

nix/x509-certificate-exporter:3.12.0

2- Deploy:

3- Add alerting rules:

ssl_exporter_rules.yml

groups:
  - name: SSL证书监测
    rules:
      - alert: 证书还有30天过期
        # 30 days, expressed in seconds
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
        for: 5m
        labels:
          severity: 重要告警
        annotations:
          summary: "SSL证书即将过期 (instance {{ $labels.instance }})"
          description: "SSL证书即将30天内过期\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
      - alert: 证书已过期
        expr: probe_ssl_earliest_cert_expiry - time() <= 0
        for: 5m
        labels:
          severity: 严重告警
        annotations:
          summary: "SSL证书已经过期 (instance {{ $labels.instance }})"
          description: "SSL证书已经过期\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"

No data shows up here, which means x509-certificate-exporter did not collect anything: it has to be pointed at the certificate file paths.

So this approach is dropped here.

Instead, use the ready-made x509-certificate-exporter template directly.

1- Add the enix application repository

https://charts.enix.io

Open the application configuration page.

The configuration manifest has to be edited by hand to specify the paths of the certificate files.

daemonSets:
  master:
    nodeSelector:
      node-role.kubernetes.io/master: ''
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/apiserver.crt
      - /etc/kubernetes/pki/apiserver-kubelet-client.crt
      - /etc/kubernetes/pki/ca.crt
      - /etc/kubernetes/pki/front-proxy-ca.crt
      - /etc/kubernetes/pki/front-proxy-client.crt
    watchKubeconfFiles:
      - /etc/kubernetes/admin.conf
      - /etc/kubernetes/controller-manager.conf
      - /etc/kubernetes/scheduler.conf
  nodes:
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/ingress
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/ca.crt