Have you found any solution to not have to run as root?

On Wednesday, 15 January 2020 at 14:45:10 (UTC+1), Louis Bougeard wrote:
>
> Hopefully this is useful to someone:
>
> I've raised a PR with the chart changes here: https://github.com/helm/charts/pull/20162.
>
> I was using version 0.6.0 of cloudwatch exporter (prom/cloudwatch-exporter:cloudwatch_exporter-0.6.0), however this doesn't contain a sufficiently up-to-date version of the AWS SDK. By upgrading to 0.7.0 it does contain the correct version of the SDK and thus can grab the credentials. There is however one big caveat for this, which is that I need to set securityContext.runAsUser to run as root to be able to access the token file. This obviously isn't ideal, but it does at least work, for now...
>
> If anyone has any thoughts on this, or better solutions, that would be much appreciated.
>
> On Wednesday, 15 January 2020 10:44:29 UTC, Louis Bougeard wrote:
>>
>> Some context I missed off...
>>
>> It seems to be recommended to run as nobody, not root:
>> https://github.com/helm/charts/blob/master/stable/prometheus-cloudwatch-exporter/values.yaml#L164
>>
>> A similar issue is referenced here:
>> https://github.com/aws/containers-roadmap/issues/23#issuecomment-535176333
>>
>> On Wednesday, 15 January 2020 10:36:12 UTC, Louis Bougeard wrote:
>>>
>>> I'm trying to use prometheus-cloudwatch-exporter in EKS, using serviceAccounts rather than Kube2IAM, with an OIDC IAM Role attached to the pod. This is the new-ish official Amazon way of doing things.
>>>
>>> I've fixed the Helm chart for this and will be raising a PR in the coming days to allow annotations on serviceAccounts and to add them to the deployments, to get the issuing of the AWS_WEB_IDENTITY_TOKEN_FILE.
>>>
>>> Where I'm now stuck is that the serviceAccount mounts a JWT in /var/run/secrets/eks.amazonaws.com/serviceaccount in a file called token by default. This is owned by root and I can't see how to change this in the official documentation (https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/).
>>>
>>> The issue is that the user in the container doesn't appear to have permissions to read the JWT to exchange for an AWS secret and token, and I don't want to be running as root in the container or have to roll my own.
>>>
>>> The logs show the following:
>>>
>>> WARNING: CloudWatch scrape failed
>>> com.amazonaws.services.cloudwatch.model.AmazonCloudWatchException: User: arn:aws:sts::123456789:assumed-role/aaa202001010000000000000000/i-abcdefghijklmnop is not authorized to perform: cloudwatch:ListMetrics (Service: AmazonCloudWatch; Status Code: 403; Error Code: AccessDenied; Request ID: XXXX
>>>
>>> I've checked the POM and the version of the AWS SDK used (1.11.658) is modern enough to pick up the token file credentials provider in the default credentials chain.
>>>
>>> Has anyone worked out a way to by default change the owner of the mount without having to manually mount the secret etc.?
-- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/547a5c7b-63e8-4b05-9b99-8b2f1261eca7%40googlegroups.com.
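An added example, not from the thread or from the Helm chart: the relevant part of a Deployment that keeps the exporter as the non-root user the chart's values.yaml recommends (UID 65534, nobody) and instead sets the pod-level securityContext.fsGroup, which makes the kubelet apply that group to the projected service-account token volume so the token is group-readable rather than root-only. Assumptions: the service account is annotated with the IAM role ARN so the EKS pod identity webhook injects the token volume and AWS_* environment variables, the 0.7.0 image tag follows the 0.6.0 naming quoted above, and the chart's config volume and ports are omitted here.

```yaml
# Added example (not the chart's own template): run prometheus-cloudwatch-exporter
# as "nobody" and still read the IRSA web identity token via fsGroup.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-cloudwatch-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus-cloudwatch-exporter
  template:
    metadata:
      labels:
        app: prometheus-cloudwatch-exporter
    spec:
      # Assumed to carry the eks.amazonaws.com/role-arn annotation (the PR above).
      serviceAccountName: prometheus-cloudwatch-exporter
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534      # nobody, as values.yaml recommends; no runAsUser: 0
        # The key setting: kubelet chowns the projected token volume to this group
        # and grants group read, so the token is no longer readable only by root.
        fsGroup: 65534
      containers:
        - name: exporter
          # Tag assumed from the 0.6.0 naming scheme; 0.7.0 ships an AWS SDK that
          # includes the web identity token credentials provider.
          image: prom/cloudwatch-exporter:cloudwatch_exporter-0.7.0
          securityContext:
            allowPrivilegeEscalation: false
          # The webhook also injects AWS_ROLE_ARN and
          # AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token,
          # so no explicit env or volumeMounts are needed for the token.
          # Verify inside the pod that the token is readable by the exporter's user:
          #   kubectl exec <pod> -- ls -lL /var/run/secrets/eks.amazonaws.com/serviceaccount/token
          # Expect group 65534 with group read permission, and the scrape 403 to disappear.
```

If the token is still unreadable after this, check the webhook version and the kubelet's handling of fsGroup for projected volumes on the cluster, since both must cooperate for the group ownership to be applied.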

