# 怎么在Kubernetes中手動方式部署Prometheus聯邦
## 前言
在現代云原生架構中,監控系統是確保應用可靠性和性能的關鍵組件。Prometheus作為CNCF畢業項目,已成為云原生監控的事實標準。但當監控規模擴展到多個集群或數據中心時,單一Prometheus實例可能面臨存儲和計算瓶頸。Prometheus聯邦架構通過分層聚合的方式解決了大規模監控的挑戰。
本文將深入探討在Kubernetes環境中手動部署Prometheus聯邦的完整流程,涵蓋架構設計、配置優化和實戰技巧,幫助您構建企業級監控解決方案。
## 第一部分:Prometheus聯邦基礎
### 1.1 聯邦架構核心概念
Prometheus聯邦采用分層數據收集模型:
Global Prometheus ↑ ┌───┴───┐ Region1 Region2 ↑ ↑ ClusterA ClusterB
**組件角色說明**:
- 葉子Prometheus(Level 1):直接抓取目標metrics
- 中間聚合層(Level 2):按區域/環境聚合
- 全局聚合層(Level 3):全集群視圖
### 1.2 聯邦 vs 其他方案對比
| 方案 | 優點 | 缺點 |
|-----------------|--------------------------|--------------------------|
| 單一Prometheus | 部署簡單 | 擴展性差 |
| 聯邦 | 天然分片,靈活聚合 | 配置復雜度高 |
| Thanos | 全局視圖,長期存儲 | 架構復雜,資源消耗大 |
| Cortex | 多租戶支持 | 運維復雜度高 |
### 1.3 適用場景分析
適合選擇聯邦架構的情況:
- 多Kubernetes集群監控
- 需要按地域/環境隔離數據
- 監控目標超過10萬+
- 已有Prometheus使用經驗
## 第二部分:Kubernetes部署準備
### 2.1 環境需求
**最低配置要求**:
- Kubernetes 1.16+
- 每個Prometheus實例:
- CPU: 2核
- 內存: 4GB
- 存儲: 50GB持久卷
- 網絡策略允許跨集群通信
### 2.2 命名空間規劃
建議的命名空間結構:
```yaml
apiVersion: v1
kind: Namespace
metadata:
name: monitoring
labels:
prometheus-tier: "federated"
示例StorageClass配置(AWS EBS):
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: prometheus-ebs
provisioner: kubernetes.io/aws-ebs
parameters:
type: gp3
fsType: ext4
reclaimPolicy: Retain
volumeBindingMode: WaitForFirstConsumer
ConfigMap配置示例:
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus-leaf-config
namespace: monitoring
data:
prometheus.yml: |
global:
scrape_interval: 15s
evaluation_interval: 15s
scrape_configs:
- job_name: 'kubernetes-nodes'
kubernetes_sd_configs:
- role: node
relabel_configs:
- source_labels: [__address__]
regex: '(.*):10250'
replacement: '${1}:9100'
target_label: __address__
關鍵參數說明:
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: prometheus-leaf
spec:
serviceName: "prometheus-leaf"
replicas: 2 # 建議至少2個實例實現HA
template:
spec:
containers:
- name: prometheus
args:
- "--config.file=/etc/prometheus/prometheus.yml"
- "--storage.tsdb.path=/prometheus"
- "--storage.tsdb.retention.time=15d" # 葉子節點保留周期較短
- "--web.enable-lifecycle" # 啟用配置熱加載
resources:
limits:
memory: 8Gi
cpu: 2
NodePort服務示例:
apiVersion: v1
kind: Service
metadata:
name: prometheus-leaf
spec:
type: NodePort
ports:
- name: web
port: 9090
targetPort: 9090
nodePort: 30900
selector:
app: prometheus-leaf
關鍵配置參數:
scrape_configs:
- job_name: 'federate-leaf'
scrape_interval: 30s
honor_labels: true
metrics_path: '/federate'
params:
'match[]':
- '{job=~".+"}' # 匹配所有指標
static_configs:
- targets:
- 'prometheus-leaf.monitoring.svc.cluster.local:9090'
Ingress配置示例:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: prometheus-federation
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
spec:
rules:
- host: federate.monitoring.example.com
http:
paths:
- path: /federate
pathType: Prefix
backend:
service:
name: prometheus-leaf
port:
number: 9090
優化聯邦查詢的匹配規則:
params:
'match[]':
- 'up{job="kubernetes-nodes"}'
- 'sum by (job)(rate(http_requests_total[5m]))'
ResourceQuota示例:
apiVersion: v1
kind: ResourceQuota
metadata:
name: prometheus-quota
spec:
hard:
requests.cpu: "8"
requests.memory: 16Gi
limits.cpu: "16"
limits.memory: 32Gi
分級保留策略配置:
# 葉子節點(15天)
--storage.tsdb.retention.time=360h
# 區域聚合層(30天)
--storage.tsdb.retention.time=720h
# 全局層(90天)
--storage.tsdb.retention.time=2160h
Pod反親和性示例:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values: ["prometheus-leaf"]
topologyKey: "kubernetes.io/hostname"
ServiceAccount配置:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus-federated
rules:
- apiGroups: [""]
resources: ["nodes", "services", "pods"]
verbs: ["get", "list", "watch"]
NetworkPolicy示例:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: prometheus-allow-federation
spec:
podSelector:
matchLabels:
app: prometheus-leaf
ingress:
- from:
- namespaceSelector:
matchLabels:
prometheus-tier: federated
ports:
- port: 9090
生成證書的示例命令:
openssl req -x509 -newkey rsa:4096 \
-keyout federate-key.pem -out federate-cert.pem \
-days 365 -nodes -subj "/CN=federate.monitoring.svc"
Readiness Probe示例:
readinessProbe:
httpGet:
path: /-/ready
port: 9090
initialDelaySeconds: 30
periodSeconds: 5
關鍵監控指標:
- prometheus_target_interval_length_seconds
- prometheus_tsdb_head_samples_appended_total
- process_resident_memory_bytes
聯邦特有告警規則:
groups:
- name: federation-rules
rules:
- alert: FederationScrapeFailure
expr: up{job="federate-leaf"} == 0
for: 10m
labels:
severity: critical
annotations:
summary: "Prometheus federation scrape failure"
問題1:聯邦數據延遲
- 檢查scrape_duration_seconds指標
- 調整scrape_interval和scrape_timeout
問題2:OOMKilled
- 增加內存限制
- 優化match[]參數減少數據量
檢查聯邦端點:
curl -G "http://prometheus-global:9090/federate" \
--data-urlencode 'match[]={job="kubernetes-nodes"}'
關鍵日志模式:
# 配置加載成功
level=info ts=2023-01-01T00:00:00Z msg="Loading configuration file" filename=/etc/prometheus/prometheus.yml
# 聯邦抓取錯誤
level=error ts=2023-01-01T00:00:00Z msg="Error scraping target" err="context deadline exceeded"
rule_files:
- /etc/prometheus/rules/*.yml
- job_name: 'federate-shard1'
params:
'match[]':
- '{__name__=~"node_.*", cluster="east"}'
JVM參數調整:
env:
- name: JAVA_OPTS
value: "-Xms4g -Xmx4g -XX:MaxRAMPercentage=80"
當監控目標超過50萬時:
- 每個葉子節點負責5-8個namespace
- 使用hashmod分片:
relabel_configs:
- source_labels: [__address__]
modulus: 4
target_label: __hash__
action: hashmod
聯邦架構升級路徑: 1. 保持現有聯邦結構 2. 添加Thanos Sidecar組件 3. 逐步遷移到對象存儲
基于namespace的隔離:
- job_name: 'tenant-a'
params:
'match[]':
- '{namespace="tenant-a"}'
使用Prometheus Operator自動發現:
additionalScrapeConfigs:
- job_name: 'auto-federate'
kubernetes_sd_configs:
- role: service
relabel_configs:
- source_labels: [__meta_kubernetes_service_label_prometheus_federate]
action: keep
regex: true
