https://hub.docker.com/r/enix/x509-certificate-exporter/tags
Monitoring the certificates of Kubernetes cluster components with x509-certificate-exporter
1- Image: x509-certificate-exporter
enix/x509-certificate-exporter:3.12.0
2- Deploy:
3- Add alerting rules:
ssl_exporter_rules.yml
groups:
  - name: SSL证书监测
    rules:
      # Warning: certificate expires within 30 days
      - alert: 证书还有30天过期
        # 86400 seconds per day * 30 days, matching the alert name
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
        for: 5m
        labels:
          severity: 重要告警
        annotations:
          summary: "SSL证书即将过期 (instance {{ $labels.instance }})"
          description: "SSL证书即将30天内过期 VALUE = {{ $value }}\n LABELS: {{ $labels }}"
      # Critical: certificate has already expired
      - alert: 证书已过期
        expr: probe_ssl_earliest_cert_expiry - time() <= 0
        for: 5m
        labels:
          severity: 严重告警
        annotations:
          summary: "SSL证书已经过期 (instance {{ $labels.instance }})"
          description: "SSL证书已经过期\n VALUE = {{ $value }}\n LABELS: {{ $labels }}"
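There is no data here, which means x509-certificate-exporter did not collect any data.
Because the certificate paths have to be specified, I gave up on this approach
and used the ready-made x509-certificate-exporter template directly.
1- Add the enix application repository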
https://charts.enix.io
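Go to the application configuration page.
The configuration manifest has to be edited by hand to specify the paths of the certificate files.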
daemonSets:
  master:
    nodeSelector:
      node-role.kubernetes.io/master: ''
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/apiserver.crt
      - /etc/kubernetes/pki/apiserver-kubelet-client.crt
      - /etc/kubernetes/pki/ca.crt
      - /etc/kubernetes/pki/front-proxy-ca.crt
      - /etc/kubernetes/pki/front-proxy-client.crt
    watchKubeconfFiles:
      - /etc/kubernetes/admin.conf
      - /etc/kubernetes/controller-manager.conf
      - /etc/kubernetes/scheduler.conf
  nodes:
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/ingress
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/ca.crt
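
Alert rules written against the metrics x509-certificate-exporter itself exposes, as an added example that is not part of the original post. It assumes the exporter's `x509_cert_not_after` (expiry as a Unix timestamp) and `x509_read_errors` metrics; `probe_ssl_earliest_cert_expiry`, used in the rules earlier, is the metric name exposed by blackbox_exporter. The group name, alert names and severity values are constructed for illustration.

```yaml
# Added example: rules for the files watched by the DaemonSets above.
# Group name, alert names and severity values are constructed.
groups:
  - name: x509-certificate-exporter
    rules:
      # Still valid, but inside the same 30-day window used earlier on this page.
      - alert: CertificateExpiresWithin30Days
        expr: >-
          (x509_cert_not_after - time() < 86400 * 30)
          and (x509_cert_not_after - time() > 0)
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Certificate expires within 30 days (instance {{ $labels.instance }})"
          description: "Seconds until expiry = {{ $value }}\n LABELS: {{ $labels }}"
      # notAfter is already in the past.
      - alert: CertificateExpired
        expr: x509_cert_not_after - time() <= 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Certificate has expired (instance {{ $labels.instance }})"
          description: "Seconds since expiry (negative) = {{ $value }}\n LABELS: {{ $labels }}"
      # A watched path that cannot be read or parsed yields no expiry series,
      # so the two rules above stay silent; alert on the error counter too.
      - alert: X509ExporterReadErrors
        expr: increase(x509_read_errors[15m]) > 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "x509-certificate-exporter failed to read a certificate (instance {{ $labels.instance }})"
          description: "Read errors in the last 15m = {{ $value }}\n LABELS: {{ $labels }}"
```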