You can make do with a RoleBinding - but you need a ClusterRole, correct. If you don't need to scrape /metrics on pods (e.g. because you expose it as a service on the ones you need to), then AFAIK you could do away with nonResourceURLs and hence only need a Role.

On Friday, May 29, 2020 at 09:38:34 UTC+2, [email protected] wrote:

> Able to solve the issue. There is a configuration error in one config file
> where namespaces were not added. Also, if we add the node role, then
> clusterrole and clusterrolebinding are needed, as the node resource is cluster
> scoped.
>
> Thanks n Regards,
> Chalapathi
>
> On Tue, May 26, 2020 at 10:31 PM Venkata Bhagavatula <[email protected]>
> wrote:
>
>> Hi All,
>>
>> Currently Prometheus needs ClusterRole and ClusterRoleBinding for
>> scraping the metrics on Kubernetes. We want to restrict Prometheus to
>> a particular namespace.
>> So we changed RBAC to use Role and RoleBinding, and in the
>> Prometheus configuration we added namespaces to the kubernetes_sd_configs
>> section. We see that we are able to scrape metrics
>> from the configured namespace, but we are continuously seeing errors saying
>> access forbidden to *v1.Pod etc. Currently my cluster is down. Will share
>> the exact error once it is available.
>>
>> Following is the Prometheus configuration:
>> - job_name: 'kubernetes-apiservers'
>>
>>   kubernetes_sd_configs:
>>   - role: endpoints
>>     namespaces:
>>       names: ['admin']
>>
>> Please let me know whether we can do with Role and RoleBinding?
>>
>> Thanks n Regards,
>> Chalapathi.
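
A namespace-scoped RBAC setup matching the thread's configuration, as an added example that is not part of the original messages. The `admin` namespace comes from the posted `kubernetes_sd_configs`; the service account name `prometheus`, its namespace `monitoring`, and the object name `prometheus-sd` are assumptions.

```yaml
# Added example, not from the thread. Assumed names: service account
# "prometheus" in namespace "monitoring", objects called "prometheus-sd".
# "admin" is the namespace listed under kubernetes_sd_configs in the thread.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-sd
  namespace: admin
rules:
  # Discovery with "role: endpoints" also lists and watches services and
  # pods in the same namespace, so all three resources are granted here.
  - apiGroups: [""]
    resources: ["endpoints", "services", "pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-sd
  namespace: admin
subjects:
  # The service account may live in a different namespace than the binding.
  - kind: ServiceAccount
    name: prometheus
    namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-sd
# Not expressible in a Role:
#   - the cluster-scoped "nodes" resource (needed for "role: node" discovery)
#   - nonResourceURLs rules such as /metrics
# Both require a ClusterRole bound with a ClusterRoleBinding. A RoleBinding
# may reference a ClusterRole instead of a Role, but it then grants only the
# namespaced resource rules, and only inside the binding's namespace.
```

The grant can be checked with `kubectl auth can-i list pods -n admin --as=system:serviceaccount:monitoring:prometheus`, which should answer `yes`, while the same query against any other namespace should answer `no`.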

