I. Create the Prometheus workspace

1. Create the workspace

To write Prometheus data into AWS Managed Prometheus (AMP), first create a workspace in the AWS Prometheus console.

2. Save the workspace configuration

Click the AWS Prometheus workspace ID to open its details and save the configuration shown under "提取/收集" (Ingest/collect) as prometheus.yaml; it is used later when installing Prometheus. Before using it, check that the server service account it names, and the eks.amazonaws.com/role-arn annotation on that service account, match the ingest service account (amp-iamproxy-ingest-service-account) and the role ARN printed by the script in the next step.

3. Create the roles that let EKS ingest and query metrics

Create a file named createIRSA-AMPIngest.sh with the following content. Replace my_amazon_eks_clustername with the name of your cluster and my_prometheus_namespace with your Prometheus namespace.

```bash
#!/bin/bash -e
CLUSTER_NAME=my_amazon_eks_clustername
SERVICE_ACCOUNT_NAMESPACE=my_prometheus_namespace
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
OIDC_PROVIDER=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
SERVICE_ACCOUNT_AMP_INGEST_NAME=amp-iamproxy-ingest-service-account
SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE=amp-iamproxy-ingest-role
SERVICE_ACCOUNT_IAM_AMP_INGEST_POLICY=AMPIngestPolicy
#
# Set up a trust policy designed for a specific combination of K8s service account and namespace to sign in from a Kubernetes cluster which hosts the OIDC Idp.
#
cat <<EOF > TrustPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_AMP_INGEST_NAME}"
        }
      }
    }
  ]
}
EOF
#
# Set up the permission policy that grants ingest (remote write) permissions for all AMP workspaces
#
cat <<EOF > PermissionPolicyIngest.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aps:RemoteWrite",
        "aps:GetSeries",
        "aps:GetLabels",
        "aps:GetMetricMetadata"
      ],
      "Resource": "*"
    }
  ]
}
EOF

function getRoleArn() {
  OUTPUT=$(aws iam get-role --role-name $1 --query 'Role.Arn' --output text 2>&1)

  # Check for an expected exception
  if [[ $? -eq 0 ]]; then
    echo $OUTPUT
  elif [[ -n $(grep "NoSuchEntity" <<< $OUTPUT) ]]; then
    echo ""
  else
    >&2 echo $OUTPUT
    return 1
  fi
}

#
# Create the IAM Role for ingest with the above trust policy
#
SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN=$(getRoleArn $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE)
if [ "$SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN" = "" ];
then
  #
  # Create the IAM role for service account
  #
  SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN=$(aws iam create-role \
  --role-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE \
  --assume-role-policy-document file://TrustPolicy.json \
  --query "Role.Arn" --output text)
  #
  # Create an IAM permission policy
  #
  SERVICE_ACCOUNT_IAM_AMP_INGEST_ARN=$(aws iam create-policy --policy-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_POLICY \
  --policy-document file://PermissionPolicyIngest.json \
  --query 'Policy.Arn' --output text)
  #
  # Attach the required IAM policies to the IAM role created above
  #
  aws iam attach-role-policy \
  --role-name $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE \
  --policy-arn $SERVICE_ACCOUNT_IAM_AMP_INGEST_ARN
else
  echo "$SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN IAM role for ingest already exists"
fi
echo $SERVICE_ACCOUNT_IAM_AMP_INGEST_ROLE_ARN
#
# EKS cluster hosts an OIDC provider with a public discovery endpoint.
# Associate this IdP with AWS IAM so that the latter can validate and accept the OIDC tokens issued by Kubernetes to service accounts.
# Doing this with eksctl is the easier and best approach.
#
eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve
```

Run the script to create the ingest role:

```bash
bash createIRSA-AMPIngest.sh
```

Create a file named createIRSA-AMPQuery.sh with the following content. Replace my_amazon_eks_clustername with the name of your cluster and my_prometheus_namespace with your Prometheus namespace.

```bash
#!/bin/bash -e
CLUSTER_NAME=my_amazon_eks_clustername
SERVICE_ACCOUNT_NAMESPACE=my_prometheus_namespace
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
OIDC_PROVIDER=$(aws eks describe-cluster --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
SERVICE_ACCOUNT_AMP_QUERY_NAME=amp-iamproxy-query-service-account
SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE=amp-iamproxy-query-role
SERVICE_ACCOUNT_IAM_AMP_QUERY_POLICY=AMPQueryPolicy
#
# Setup a trust policy designed for a specific combination of K8s service account and namespace to sign in from a Kubernetes cluster which hosts the OIDC Idp.
#
cat <<EOF > TrustPolicy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_AMP_QUERY_NAME}"
        }
      }
    }
  ]
}
EOF
#
# Set up the permission policy that grants query permissions for all AMP workspaces
#
cat <<EOF > PermissionPolicyQuery.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aps:QueryMetrics",
        "aps:GetSeries",
        "aps:GetLabels",
        "aps:GetMetricMetadata"
      ],
      "Resource": "*"
    }
  ]
}
EOF

function getRoleArn() {
  OUTPUT=$(aws iam get-role --role-name $1 --query 'Role.Arn' --output text 2>&1)

  # Check for an expected exception
  if [[ $? -eq 0 ]]; then
    echo $OUTPUT
  elif [[ -n $(grep "NoSuchEntity" <<< $OUTPUT) ]]; then
    echo ""
  else
    >&2 echo $OUTPUT
    return 1
  fi
}

#
# Create the IAM Role for query with the above trust policy
#
SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN=$(getRoleArn $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE)
if [ "$SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN" = "" ];
then
  #
  # Create the IAM role for service account
  #
  SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN=$(aws iam create-role \
  --role-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE \
  --assume-role-policy-document file://TrustPolicy.json \
  --query "Role.Arn" --output text)
  #
  # Create an IAM permission policy
  #
  SERVICE_ACCOUNT_IAM_AMP_QUERY_ARN=$(aws iam create-policy --policy-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_POLICY \
  --policy-document file://PermissionPolicyQuery.json \
  --query 'Policy.Arn' --output text)
  #
  # Attach the required IAM policies to the IAM role created above
  #
  aws iam attach-role-policy \
  --role-name $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE \
  --policy-arn $SERVICE_ACCOUNT_IAM_AMP_QUERY_ARN
else
  echo "$SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN IAM role for query already exists"
fi
echo $SERVICE_ACCOUNT_IAM_AMP_QUERY_ROLE_ARN
#
# EKS cluster hosts an OIDC provider with a public discovery endpoint.
# Associate this IdP with AWS IAM so that the latter can validate and accept the OIDC tokens issued by Kubernetes to service accounts.
# Doing this with eksctl is the easier and best approach.
#
eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --approve
```

Run the script to create the query role:

```bash
bash createIRSA-AMPQuery.sh
```

What the two scripts set up, and what to check before using them beyond a test cluster:

- Both roles are IAM roles for service accounts (IRSA). The trust policy allows sts:AssumeRoleWithWebIdentity only from the cluster's own OIDC provider, and only when the token's sub claim is exactly system:serviceaccount:<namespace>:<service account>, so a pod running under any other service account cannot assume the role. AWS's recommended IRSA trust policy additionally pins the token audience with a "<OIDC_PROVIDER>:aud": "sts.amazonaws.com" condition; add it when you tighten these policies.
- Both permission policies use "Resource": "*", so the ingest role can remote-write to, and the query role can read from, every AMP workspace in the account. For production, replace the wildcard with the ARN of the one workspace, which has the form arn:aws:aps:<region>:<account-id>:workspace/<workspace-id>.
- The ingest role gets aps:RemoteWrite plus the read actions (GetSeries, GetLabels, GetMetricMetadata); the query role gets aps:QueryMetrics plus the same read actions. Keep them separate: Prometheus never needs to query the workspace, and Grafana never needs to write to it.
- Each script runs eksctl utils associate-iam-oidc-provider last. If IAM rejects the trust policy because the Federated principal does not exist yet, run that command against the cluster first and then re-run the script.

II. Deploy Prometheus

1. Add the Helm repositories

```bash
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add kube-state-metrics https://kubernetes.github.io/kube-state-metrics
helm repo update
```

2. Create the namespace for Prometheus

```bash
kubectl create namespace monitoring
```

3. Check the Amazon EBS CSI driver

If the EBS CSI add-on has no IAM role attached, PVC creation on EKS fails. Create a role in the IAM console with the AmazonEBSCSIDriverPolicy permission (the post created it with the trusted entity type "AWS account") and make sure it is associated with the add-on's controller service account, ebs-csi-controller-sa in kube-system; the add-on authenticates to AWS through the cluster's OIDC provider in the same way as the AMP roles above.

4. Create the StorageClass

```yaml
# cat sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ebs-sc
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
parameters:
  type: gp3
```

```bash
kubectl apply -f sc.yaml
```

5. Deploy Prometheus

The chart has to be referenced through the repository added in step 1 (prometheus-community/prometheus), using the prometheus.yaml saved from the workspace details:

```bash
helm install prometheus prometheus-community/prometheus -n monitoring -f prometheus.yaml
```

6. Check that Prometheus deployed successfully

```bash
kubectl get pods -n monitoring
```

7. Deploy Grafana

```yaml
# cat grafana.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472
        supplementalGroups:
          - 0
      containers:
        - name: grafana
          image: grafana/grafana:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-pv
      volumes:
        - name: grafana-pv
          persistentVolumeClaim:
            claimName: grafana-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  ports:
    - port: 3000
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
  sessionAffinity: None
  type: ClusterIP
```

```bash
kubectl apply -f grafana.yaml -n monitoring
```

The manifest pulls grafana/grafana:latest; for anything beyond a test cluster pin a specific version tag so an upgrade does not arrive unreviewed with the next pod restart.

III. Access Prometheus and Grafana

Once Prometheus and Grafana are deployed, change the Service type to NodePort and expose them through an ALB to reach them over the public internet. Grafana's default user and password are admin/admin. Change that password at first login (Grafana prompts for it), and do not leave a Grafana with the default credentials, or the Prometheus UI, which has no authentication of its own, reachable from the whole internet: restrict the ALB's security group or listener rules to trusted source addresses, or put authentication in front of it.
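The checks described above for the generated TrustPolicy.json and PermissionPolicy*.json files, as an added example that is not part of this post or of AWS's scripts: it audits a trust policy for a pinned subject and audience and a permission policy for a single-workspace Resource, and returns tightened copies. The account ID, OIDC issuer ID and workspace ID are constructed placeholders, and the workspace-ARN regex encodes the arn:aws:aps:<region>:<account>:workspace/<ws-id> form; load_policy reads the real files the scripts write.

```python
"""Audit and tighten the IRSA policy documents written by createIRSA-AMP*.sh.

Added example, not part of AWS's scripts. Two loosenesses are flagged and fixed:
  * trust policy: the token subject (namespace:serviceaccount) must be pinned
    without wildcards, and the audience must be pinned to sts.amazonaws.com;
  * permission policy: Resource "*" must become the single workspace ARN.
All identifiers below are constructed placeholders, not real resources.
"""
import copy
import json
import re

STS_AUDIENCE = "sts.amazonaws.com"
WORKSPACE_ARN_RE = re.compile(r"^arn:aws:aps:[a-z0-9-]+:\d{12}:workspace/ws-[0-9a-f-]+$")

# Constructed sample identifiers (placeholders).
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"
WORKSPACE_ARN = f"arn:aws:aps:us-east-1:{ACCOUNT_ID}:workspace/ws-11111111-2222-3333-4444-555555555555"
NAMESPACE, INGEST_SA = "monitoring", "amp-iamproxy-ingest-service-account"

# Same shape as the TrustPolicy.json the ingest script writes: :sub pinned, :aud absent.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{NAMESPACE}:{INGEST_SA}"}},
    }],
}
# Same shape as PermissionPolicyIngest.json: every workspace in the account.
PAGE_INGEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["aps:RemoteWrite", "aps:GetSeries",
                              "aps:GetLabels", "aps:GetMetricMetadata"]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def load_policy(path):
    with open(path) as fh:
        return json.load(fh)


def audit_trust_policy(doc, oidc_provider, namespace, service_account):
    """Findings for each AssumeRoleWithWebIdentity statement; [] means it is tight."""
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    sub_key, aud_key = f"{oidc_provider}:sub", f"{oidc_provider}:aud"
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            findings.append(f"principal {federated!r} is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # StringLike permits wildcards, so the subject may be pinned (loosely) there.
        subs = _as_list(equals.get(sub_key, like.get(sub_key, [])))
        if not subs:
            findings.append("no :sub condition: any service account in the cluster may assume the role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f":sub {sub!r} contains a wildcard")
            elif sub != expected_sub:
                findings.append(f":sub {sub!r} is not {expected_sub!r}")
        if STS_AUDIENCE not in _as_list(equals.get(aud_key, [])):
            findings.append(f"no :aud condition pinning the token audience to {STS_AUDIENCE}")
    return findings


def audit_permission_policy(doc):
    """Flag Allow statements whose Resource is not exactly one AMP workspace ARN."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append('Resource "*": the role reaches every AMP workspace in the account')
            elif not WORKSPACE_ARN_RE.match(res):
                findings.append(f"Resource {res!r} is not a single AMP workspace ARN")
    return findings


def harden_trust_policy(doc, oidc_provider):
    """Copy of doc with the :aud condition added to every web-identity statement."""
    out = copy.deepcopy(doc)
    for stmt in _as_list(out.get("Statement", [])):
        if "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action", [])):
            equals = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            equals[f"{oidc_provider}:aud"] = STS_AUDIENCE
    return out


def scope_permission_policy(doc, workspace_arn):
    """Copy of doc with a wildcard Resource replaced by the one workspace ARN."""
    out = copy.deepcopy(doc)
    for stmt in _as_list(out.get("Statement", [])):
        if "*" in _as_list(stmt.get("Resource", [])):
            stmt["Resource"] = workspace_arn
    return out


if __name__ == "__main__":
    hardened = harden_trust_policy(PAGE_TRUST_POLICY, OIDC_PROVIDER)
    scoped = scope_permission_policy(PAGE_INGEST_POLICY, WORKSPACE_ARN)
    print("trust as generated:", audit_trust_policy(PAGE_TRUST_POLICY, OIDC_PROVIDER, NAMESPACE, INGEST_SA) or "OK")
    print("trust hardened:    ", audit_trust_policy(hardened, OIDC_PROVIDER, NAMESPACE, INGEST_SA) or "OK")
    print("ingest as generated:", audit_permission_policy(PAGE_INGEST_POLICY) or "OK")
    print("ingest scoped:     ", audit_permission_policy(scoped) or "OK")
```

To audit the real files, call audit_trust_policy(load_policy("TrustPolicy.json"), ...) with the OIDC issuer host and the namespace/service-account pair the script used; feed the hardened documents back to aws iam update-assume-role-policy and aws iam create-policy-version rather than editing the JSON by hand.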