Configuring sources
===================

Heapster can get data from multiple sources (although at the moment only one kind is supported: Kubernetes).
Sources are specified on the command line via the `--source` flag. The flag takes an argument of the form `PREFIX:CONFIG[?OPTIONS]`.
Options (optional!) are specified as URL query parameters, separated by `&` as normal.
This allows each source to have custom configuration passed to it without needing to
continually add new flags to Heapster as new sources are added. This also means
Heapster can capture metrics from multiple sources at once, potentially even multiple
Kubernetes clusters.

## Current sources
### Kubernetes
To use the Kubernetes source, add the following flag:

	--source=kubernetes:<KUBERNETES_MASTER>[?<KUBERNETES_OPTIONS>]

If you're running Heapster in a Kubernetes pod, you can use the following flag:

	--source=kubernetes

Heapster requires an authentication token to connect with the apiserver securely. By default, Heapster will use the inClusterConfig system to configure the secure connection. This requires Kubernetes version `v1.0.3` or higher and a couple of extra Kubernetes configuration steps:

1. For your apiserver, you must create an SSL certificate pair with a SAN that includes the ClusterIP of the Kubernetes service. Look [here](https://github.com/kubernetes/kubernetes/blob/e4fde6d2cae2d924a4eb72d1e3b2639f057bb8c1/cluster/gce/util.sh#L497-L559) for an example of how to properly generate certs.
2. Pass the `ca.crt` that you generated to the `--root-ca-file` option of the controller-manager. This will distribute the root CA to `/var/run/secrets/kubernetes.io/serviceaccount/` of all pods.

If you are using `ABAC` authorization (as opposed to `AllowAll`, which is the default), you will also need to give `system:serviceaccount:<namespace-of-heapster>:default` read-only access to the cluster (look [here](https://kubernetes.io/docs/admin/authorization/abac/#a-quick-note-on-service-accounts) for more info).

If you don't want to set up inClusterConfig, you can still use Heapster! To run without auth, use the following config:

	--source=kubernetes:http://<address-of-kubernetes-master>:<http-port>?inClusterConfig=false

This requires the apiserver to be set up completely without auth, which can be done by binding the insecure port to all interfaces (see the apiserver `--insecure-bind-address` option). *WARNING*: be aware of the security repercussions. Requests to the insecure port bypass authentication and authorization, so anyone who can reach it has full access to the cluster API. Only do this if you trust *EVERYONE* on your network.

*Note: Remove the "monitoring-token" volume from the Heapster controller config if you are running without auth.*

Alternatively, you can use a Heapster-only service account like this:

```shell
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
EOF
```

This will generate a token on the API server. You will then need to reference the service account in your Heapster pod spec like this:

```yaml
apiVersion: "v1"
kind: "ReplicationController"
metadata:
  labels:
    name: "heapster"
  name: "monitoring-heapster-controller"
spec:
  replicas: 1
  selector:
    name: "heapster"
  template:
    metadata:
      labels:
        name: "heapster"
    spec:
      serviceAccount: "heapster"
      containers:
        -
          image: "kubernetes/heapster:v0.13.0"
          name: "heapster"
          command:
            - "/heapster"
            - "--source=kubernetes:http://kubernetes-ro?inClusterConfig=false&useServiceAccount=true&auth="
            - "--sink=influxdb:http://monitoring-influxdb:80"
```

This will mount the generated token at `/var/run/secrets/kubernetes.io/serviceaccount/token` in the Heapster container.

The following options are available:
* `inClusterConfig` - Use kube config in service accounts associated with Heapster's namespace. (default: `true`)
* `kubeletPort` - kubelet port to use (default: `10255`)
* `kubeletHttps` - whether to use https to connect to kubelets (default: `false`)
* `insecure` - whether to trust Kubernetes certificates without verifying them (default: `false`)
* `auth` - client auth file to use. Set `auth` if the service accounts are not usable.
* `useServiceAccount` - whether to use the service account token if one is mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token` (default: `false`)

There is also a sub-source for metrics, `kubernetes.summary_api`, that uses a slightly different, memory-efficient API for passing data from Kubelet/cAdvisor to Heapster. It supports the same set of options as `kubernetes`. Sample usage:

```
 - --source=kubernetes.summary_api:''
```
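
As an added example (not part of the Heapster code base), the Go program below parses a `--source` value in the documented `PREFIX:CONFIG[?OPTIONS]` form and lists the settings from this page that weaken transport security or authentication, so that a deployment manifest can be reviewed before rollout. The function name `AuditSource`, the finding texts, and the reading of `insecure=true` as skipping certificate verification are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// AuditSource parses a --source value of the documented form
// PREFIX:CONFIG[?OPTIONS] and reports settings that weaken transport or
// authentication. Defaults mirror the option list on this page; the
// function name and finding texts are this example's own.
func AuditSource(src string) ([]string, error) {
	prefix, config, _ := strings.Cut(src, ":")
	if prefix != "kubernetes" && prefix != "kubernetes.summary_api" {
		return nil, fmt.Errorf("unknown source prefix %q", prefix)
	}
	u, err := url.Parse(config)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	boolOpt := func(name string, def bool) bool {
		if v, err := strconv.ParseBool(q.Get(name)); err == nil {
			return v
		}
		return def // option absent or unparsable: documented default
	}
	var findings []string
	if u.Scheme == "http" {
		findings = append(findings, "apiserver URL is plain http")
	}
	if !boolOpt("inClusterConfig", true) && !boolOpt("useServiceAccount", false) && q.Get("auth") == "" {
		findings = append(findings, "no credentials configured (unauthenticated apiserver access)")
	}
	if boolOpt("insecure", false) {
		findings = append(findings, "insecure=true: apiserver certificate not verified")
	}
	if !boolOpt("kubeletHttps", false) {
		findings = append(findings, "kubeletHttps=false: kubelet queried over http")
	}
	return findings, nil
}

func main() {
	// The flag value from the ReplicationController spec on this page.
	f, err := AuditSource("kubernetes:http://kubernetes-ro?inClusterConfig=false&useServiceAccount=true&auth=")
	fmt.Println(f, err)
}
```

Even the bare `--source=kubernetes` form yields one finding, because `kubeletHttps` defaults to `false`.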