Hi
I have been struggling with a RBAC issue and I cannot figure it out.
Help please!
I have node exporter running in my cluster.
As you know, it is a DaemonSet and there is a node_exporter pod running on
each node.
I also have a Prometheus server running in the same namespace as the
node_exporter DaemonSet, i.e. the default namespace.
The scrape job for node_exporter is using a SD configuration for pods as
follows:
- job_name: prometheus_node_exporter
  honor_timestamps: true
  scrape_interval: 15s
  scrape_timeout: 10s
  metrics_path: /metrics
  scheme: http
  kubernetes_sd_configs:
  - role: pod
  ...
If I set up my Prometheus Server to use a cluster role, the node_exporter
targets are properly discovered. So far so good!
Now if I try to reduce the Prometheus Server to use a role instead, then it
does not work.
As far as I know if the role includes listing any pods within the same
namespace of the Prometheus Server service account, then the API server
should grant access.
However, this is not the case. This is the log message I get from
Prometheus Server:
level=error ts=2020-03-25T13:57:53.652Z caller=klog.go:94
component=k8s_client_runtime func=ErrorDepth
msg="/app/discovery/kubernetes/kubernetes.go:385: Failed to list *v1.Pod:
pods is forbidden: User \"system:serviceaccount:default:prometheus-server\"
cannot list resource \"pods\" in API group \"\" at the cluster scope"
Below is the role I used for the Prometheus Server service account:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2020-03-25T13:40:13Z"
  labels:
    app: prometheus
    component: server
    heritage: Helm
    release: my-server
  name: prometheus-server
  namespace: default
  resourceVersion: "1943"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/prometheus-server
  uid: 28d3c869-894d-4797-9146-6137f60c7232
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  verbs:
  - get
  - list
  - watch
Below is the role binding I used for the Prometheus Server service account:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2020-03-25T13:40:13Z"
  labels:
    app: prometheus
    chart: prometheus-10.5.1-steve-server-12
    component: server
    heritage: Helm
    release: my-server
  name: prometheus-server
  namespace: default
  resourceVersion: "1946"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/prometheus-server
  uid: d581c497-52d6-4080-8ade-e33008c019fd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-server
subjects:
- kind: ServiceAccount
  name: prometheus-server
  namespace: default
Thank you!
Regards
Steve B
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/2b7bd5cf-4fb8-4b5c-991a-f755aaf86106%40googlegroups.com.
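An added example, not taken from the post above or from the Helm chart it mentions: the error says "at the cluster scope" because a pod SD job with no `namespaces` block lists pods across every namespace, and a namespaced Role can never satisfy that request. Restricting discovery to the Role's own namespace makes the existing Role and RoleBinding sufficient; the job name, namespace and service account come from the post, the other settings are assumed.

```yaml
# Added example: scrape job scoped to the namespace the Role lives in.
# Without `namespaces`, kubernetes_sd_configs issues a cluster-wide pod LIST,
# which only a ClusterRole + ClusterRoleBinding can authorize. With it, the
# client calls /api/v1/namespaces/default/pods, which the namespaced Role
# `prometheus-server` (get/list/watch on pods) is allowed to answer.
scrape_configs:
- job_name: prometheus_node_exporter
  honor_timestamps: true
  scrape_interval: 15s
  scrape_timeout: 10s
  metrics_path: /metrics
  scheme: http
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names:
      - default        # must equal the Role/RoleBinding namespace
      # Newer Prometheus releases also accept `own_namespace: true` here,
      # which reads the namespace from the pod's service-account mount.
  relabel_configs:
  # Assumed label selector: keep only the node_exporter pods. Adjust the
  # label key/value to whatever your DaemonSet actually carries.
  - source_labels: [__meta_kubernetes_pod_label_app]
    regex: node-exporter
    action: keep
```

Before restarting Prometheus, the scope mismatch can be confirmed from the command line: `kubectl auth can-i list pods -n default --as=system:serviceaccount:default:prometheus-server` should answer yes, while the same command with `--all-namespaces` instead of `-n default` should answer no.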