1. Join the domain
vim /etc/grafana/grafana.ini

    [server]
    root_url = %(protocol)s://{ip}:%(http_port)s/proxy/grafana/kubernetes-dev/
    serve_from_sub_path = true

    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    # LDAP users get a Grafana account created on first login
    allow_sign_up = true

    [smtp]
    enabled = true
    host = {smtp_ip}:{smtp_port}
    user = xxx@xxx
    password = xxx
    # skip_verify = true turns off verification of the SMTP server's TLS certificate
    skip_verify = true
    from_address = xx@xxx
    from_name = Grafana

    [emails]
    welcome_email_on_sign_up = true

vi /etc/grafana/ldap.toml

ldap.toml:

    # Grafana's documentation places the ldap:debug log filter in the [log] section of grafana.ini
    [log]
    mode = 'console'
    filters = 'ldap:debug'

    [[servers]]
    host = "{ldap_ip/domain_name}"
    # Port 389 with use_ssl and start_tls both false: the bind password and
    # user passwords cross the network unencrypted
    port = 389
    use_ssl = false
    start_tls = false
    ssl_skip_verify = false
    bind_dn = "xx@xxx"
    bind_password = "xxx"
    search_filter = "(sAMAccountName=%s)"
    search_base_dns = ["dc=xx,dc=org"]

    [servers.attributes]
    name = "givenName"
    surname = "sn"
    username = "sAMAccountName"
    member_of = "dn"
    email = "email"

    # group_dn = "*" matches every LDAP user: all of them become Viewer in org 2
    [[servers.group_mappings]]
    group_dn = "*"
    org_role = "Viewer"
    org_id = 2
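2. Restricting permissions per k8s project
Several projects are deployed in one cluster, one namespace per project. Permissions must be assigned per namespace, so that users can only view the monitoring of their own namespace.
Create an org for each namespace; Grafana uses orgs to separate permissions. Configure a Prometheus data source for each org and give users the View permission on that org. Copy the Grafana template into each org to create the dashboard.
Setting project permissions
In Settings - Variables, change namespace to a constant.
This restricts permissions to the project's namespace.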
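
A check for the step above, as an added example that is not part of the original notes: it audits an exported dashboard JSON to confirm that the namespace variable really is a constant with the expected value and that every panel query references it. The function names and the sample dashboards are constructed for illustration, and the usual export layout (templating.list, panels[].targets[].expr) is assumed.

```python
import re

# Matches $namespace, ${namespace} and ${namespace:fmt}, but not $namespace_x.
NS_REF = re.compile(r"\$(?:namespace\b|\{namespace(?::\w+)?\})")

# Constructed sample dashboards (not taken from a real deployment).
GOOD = {
    "templating": {"list": [{"name": "namespace", "type": "constant", "query": "project-a"}]},
    "panels": [{"title": "CPU", "targets": [{"expr":
        'sum(rate(container_cpu_usage_seconds_total{namespace="$namespace"}[5m]))'}]}],
}
BAD = {
    "templating": {"list": [{"name": "namespace", "type": "query",
                             "query": "label_values(kube_pod_info, namespace)"}]},
    "panels": [{"title": "Row", "type": "row", "panels": [
        {"title": "Memory", "targets": [{"expr": "sum(container_memory_working_set_bytes)"}]}]}],
}

def iter_panels(panels):
    """Yield every panel, descending into panels nested under rows."""
    for panel in panels or []:
        yield panel
        yield from iter_panels(panel.get("panels"))

def audit_dashboard(dashboard, expected_ns):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    variables = {v.get("name"): v for v in dashboard.get("templating", {}).get("list", [])}
    ns_var = variables.get("namespace")
    if ns_var is None:
        findings.append("no 'namespace' variable defined")
    elif ns_var.get("type") != "constant":
        findings.append(f"'namespace' variable has type {ns_var.get('type')!r}, not 'constant'")
    elif ns_var.get("query") != expected_ns:
        findings.append(f"'namespace' constant is {ns_var.get('query')!r}, expected {expected_ns!r}")
    for panel in iter_panels(dashboard.get("panels")):
        for target in panel.get("targets", []):
            expr = target.get("expr", "")
            if expr and not NS_REF.search(expr):
                findings.append(f"panel {panel.get('title')!r}: query ignores $namespace: {expr}")
    return findings

if __name__ == "__main__":
    for name, dash in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_dashboard(dash, "project-a") or "OK")
```

This checks the dashboard definition only. The org's Prometheus data source still answers whatever query Grafana sends it, so the constant variable is a dashboard-level restriction.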