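I have a 3-node Consul setup. I have bootstrapped the ACL system following their documentation. I want to monitor it with Datadog. The documentation for Datadog's Consul integration does not indicate that an ACL token is required, so the Datadog agent gets this error when it tries to access Consul: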
403 Client Error: Forbidden for url: http://localhost:8500/v1/agent/self
I created a policy with the following rules (readonly-policy.hcl):
agent "" {
  policy = "read"
}
key_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
I then created a token for that policy and added acl_token to the Datadog agent's Consul configuration, like this:
init_config:
  service: consul
instances:
    ## @param url - string - required
    ## Where your Consul HTTP server lives,
    ## point the URL at the leader to get metrics about your Consul cluster.
    ## Use HTTPS instead of HTTP if your Consul setup is configured to do so.
    #
  - url: http://localhost:8500
    acl_token: REDACTED
logs:
  - type: file
    path: /var/log/consul_server.log
    source: consul
    service: consul
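But I still get the error. If I set acl_token to the bootstrap management token I created, it does work (Datadog can collect data from Consul), but I would rather have Datadog use a more restricted token, just in case.
What rules am I missing?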
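# agent_prefix "" matches every agent name; agent "" only matches an agent named ""
agent_prefix "" {
  policy = "read"
}
# operator is a scalar rule in Consul; it has no *_prefix block form
operator = "read"
key_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
acl = "read"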
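The two policies above differ in `agent ""` (exact match) versus `agent_prefix ""` (prefix match). The following is an added example, not code from the original post or from Consul: a simplified Python model of exact-versus-prefix rule resolution showing why the first policy still returns 403 on `/v1/agent/self`. It assumes a default policy of deny, and the agent name `consul-server-1` is constructed.

```python
# Simplified model of Consul's exact-vs-prefix ACL rule resolution.
# This is an illustration, not Consul's implementation.
LEVELS = {"deny": 0, "read": 1, "write": 2}


def resolve(rules, resource, name, default="deny"):
    """Return the policy level that applies to `name` for `resource`.

    rules: list of (kind, segment, policy); kind is e.g. "agent" (exact
    match) or "agent_prefix" (prefix match). An exact rule wins over any
    prefix rule, the longest matching prefix wins among prefix rules,
    and the default (assumed "deny") applies when nothing matches.
    """
    exact = [p for k, seg, p in rules if k == resource and seg == name]
    if exact:
        return exact[0]
    prefixes = [(len(seg), p) for k, seg, p in rules
                if k == resource + "_prefix" and name.startswith(seg)]
    if prefixes:
        return max(prefixes)[1]
    return default


def allowed(rules, resource, name, wanted="read"):
    """True if the resolved level grants at least `wanted`."""
    return LEVELS[resolve(rules, resource, name)] >= LEVELS[wanted]


# Policy from the question: `agent ""` only matches an agent whose name is "".
QUESTION_POLICY = [
    ("agent", "", "read"),
    ("key_prefix", "", "read"),
    ("node_prefix", "", "read"),
    ("service_prefix", "", "read"),
]
# Agent rule from the answer: `agent_prefix ""` matches every agent name.
ANSWER_POLICY = [("agent_prefix", "", "read")] + QUESTION_POLICY[1:]

AGENT_NAME = "consul-server-1"  # constructed node name

if __name__ == "__main__":
    for label, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        ok = allowed(policy, "agent", AGENT_NAME)
        verdict = "allowed" if ok else "403 Forbidden"
        print(f"{label}: GET /v1/agent/self -> {verdict}")
```
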