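I created a Python script to load node resources. Running the following script fails with a Forbidden error. config.load_incluster_config() has already been called before the script is invoked.
Script: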
    from kubernetes import client

    def fetch_node_resource(cls, node_name: str) -> Resources:
        # config.load_kube_config()
        api_client = client.CoreV1Api()
        # Read the Node object by name
        node = api_client.read_node(node_name)
        # Fetch all node resources
        capacity: dict = node.status.capacity
        cpu_capacity = Maybe.from_optional(capacity.get("cpu", Nothing))
        memory_capacity = Maybe.from_optional(capacity.get("memory", Nothing))
        network_bandwidth_capacity = Maybe.from_optional(
            capacity.get("network_bandwidth", Nothing)
        )
        gpu_capacity = Maybe.from_optional(capacity.get("nvidia.com/gpu", Nothing))
        return Resources(
            cpu=cpu_capacity,
            gpu=gpu_capacity,
            memory=memory_capacity,
            net_bandwidth=network_bandwidth_capacity,
        )
Error:
"node-exporter-simulator-sbcqr\" is forbidden: User \"system:serviceaccount:monitoring:node-exporter-simulator-account\" cannot get resource \"nodes\" in API group
The service account is given a ClusterRole and bound to it. The script itself runs as a DaemonSet.
DaemonSet:
    {{- if .Values.nodeExporterSimulator.enabled }}
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: node-exporter-simulator
      namespace: {{ .Values.namespace }}
      labels:
        app: node-exporter-simulator
    spec:
      selector:
        matchLabels:
          app: node-exporter-simulator
      template:
        metadata:
          labels:
            app: node-exporter-simulator
        spec:
          serviceAccountName: node-exporter-simulator-account
          containers:
            - name: metrics-generator
              image: dev0guy/node-exporter-simulator:v0.0.5
              env:
                - name: PROMETHEUS_GATEWAY_URL
                  value: "pushgateway:9091"
                - name: PUSH_INTERVAL
                  value: {{ .Values.nodeExporterSimulator.interval }}
    {{- end }}
Roles:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: node-exporter-simulator-account
      namespace: {{ .Values.namespace }}
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: node-exporter-simulator-role
    rules:
      - apiGroups: [""]
        resources: ["nodes"]
        verbs: ["get", "list", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: node-exporter-simulator-binding
      namespace: {{ .Values.namespace }}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: node-exporter-simulator-role
    subjects:
      - kind: ServiceAccount
        name: node-exporter-simulator-account
        namespace: {{ .Values.namespace }}
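I have run the helm install command, but I always get a 403 Forbidden error. I have run kubectl describe on all of the resources, and they all seem to be correct.
Has anyone solved this problem before, or does anyone have a suggestion?
Edit:
The problem is fixed; there was a name error (the service account was not given the same name). But the problem is that I need to get the node name, not the pod name.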
1 Answer
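First, I was searching by node name, but it was actually the pod hostname. After fixing that, I passed the pod name and its namespace in the DaemonSet. However, I had not added pods to the cluster role.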
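An added example, not part of the original post or answer: one way for a DaemonSet pod to find the node it runs on. It assumes the DaemonSet injects the hypothetical environment variables NODE_NAME, POD_NAME and POD_NAMESPACE through the Downward API (fieldRef spec.nodeName, metadata.name, metadata.namespace); FakeCoreApi and the node name worker-1 are constructed so the code runs offline.

```python
import os
from types import SimpleNamespace
from typing import Any, Mapping, Optional


class NodeNameError(RuntimeError):
    """The node name could not be determined."""


def resolve_node_name(core_api: Any, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the node this pod runs on; core_api is a kubernetes CoreV1Api."""
    env = os.environ if env is None else env
    # 1) Downward API value (fieldRef spec.nodeName): no RBAC on pods needed.
    node_name = env.get("NODE_NAME", "").strip()
    if node_name:
        return node_name
    # 2) Fallback: read our own pod, which needs "get" on "pods" in the role.
    pod_name, namespace = env.get("POD_NAME", ""), env.get("POD_NAMESPACE", "")
    if not pod_name or not namespace:
        raise NodeNameError("set NODE_NAME, or both POD_NAME and POD_NAMESPACE")
    try:
        pod = core_api.read_namespaced_pod(pod_name, namespace)
    except Exception as exc:
        # kubernetes.client.ApiException exposes the HTTP code as .status
        if getattr(exc, "status", None) == 403:
            raise NodeNameError(f"RBAC denies get on pod {namespace}/{pod_name}") from exc
        raise
    if not pod.spec.node_name:
        raise NodeNameError(f"pod {namespace}/{pod_name} is not scheduled yet")
    return pod.spec.node_name


class FakeCoreApi:
    """Constructed stand-in for CoreV1Api so the example runs offline."""
    def __init__(self, node_name: Optional[str] = "worker-1", status: Optional[int] = None):
        self.node_name, self.status = node_name, status

    def read_namespaced_pod(self, name: str, namespace: str) -> Any:
        if self.status is not None:
            exc = RuntimeError("Forbidden")
            exc.status = self.status  # mimics ApiException.status
            raise exc
        return SimpleNamespace(spec=SimpleNamespace(node_name=self.node_name))


if __name__ == "__main__":
    env = {"POD_NAME": "node-exporter-simulator-sbcqr", "POD_NAMESPACE": "monitoring"}
    print(resolve_node_name(FakeCoreApi(), env))
```

Preferring NODE_NAME keeps the ClusterRole limited to nodes; the pod lookup only works once the role also grants get on pods.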