Open justinclayton opened 6 years ago
same problem
Problem solved. Just add some rules to prometheus-operator:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-operator
  # ClusterRole is cluster-scoped, so this namespace field has no effect
  namespace: monitoring
rules:
- apiGroups:
  - extensions
  resources:
  - thirdpartyresources
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - alertmanagers
  - prometheuses
  - servicemonitors
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - watch
  - list
  - delete
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  verbs:
  - get
  - list
  - create
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
```
This is not working in AWS EKS, it still throws a forbidden error.
clusterroles.rbac.authorization.k8s.io "prometheus-operator" is forbidden: attempt to grant extra privileges: [PolicyRule{NonResourceURLs:["/metrics"], Verbs:["get"]}] user=&{user heptio-authenticator-aws:399104057037:AIDAJOJSTM3M7JM55CYHE [system:authenticated] map[]} ownerrules=[PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]} PolicyRule{APIGroups:["authorization.k8s.io"], Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/openapi" "/openapi/*" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version" "/version/"], Verbs:["get"]} PolicyRule{APIGroups:["*"], Resources:["*"], Verbs:["*"]}] ruleResolutionErrors=[]
Even I am getting the same error
apiserver targets return a 403, presumably because EKS doesn't expose a `/metrics` endpoint. Should be called out if this workshop is being adapted for EKS.
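The "attempt to grant extra privileges" error quoted above is the API server's RBAC escalation check: a user may only create a role whose every permission they already hold, and resource rules (even `*`/`*`/`*`) never cover `nonResourceURLs`. The following is an added example, not code from this thread or from Kubernetes: a simplified Python model of that check (function names are hypothetical) run against the `ownerrules` from the error and three rules from the posted ClusterRole.

```python
# Added example: simplified model of the RBAC escalation check; names are hypothetical.
def _in(allowed, value):
    """A '*' entry matches anything; otherwise the value must be listed."""
    return "*" in allowed or value in allowed

def _url_in(patterns, url):
    """nonResourceURLs match exactly, via '*', or via a trailing-'*' prefix (/api/*)."""
    return any(p == "*" or p == url or (p.endswith("*") and url.startswith(p[:-1]))
               for p in patterns)

def uncovered(owner_rules, rule):
    """Return (target, verb) pairs in `rule` that no single owner rule grants."""
    missing = []
    for verb in rule["verbs"]:
        for url in rule.get("nonResourceURLs", []):
            if not any(_in(o["verbs"], verb) and _url_in(o.get("nonResourceURLs", []), url)
                       for o in owner_rules):
                missing.append((url, verb))
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                if not any(_in(o["verbs"], verb) and _in(o.get("apiGroups", []), group)
                           and _in(o.get("resources", []), res) for o in owner_rules):
                    missing.append((f"{group}/{res}", verb))
    return missing

def escalations(owner_rules, requested):
    """Collect every permission in `requested` that the owner does not already hold."""
    return [pair for rule in requested for pair in uncovered(owner_rules, rule)]

# ownerrules transcribed from the error message in the thread (duplicate rule omitted).
OWNER_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["authorization.k8s.io"],
     "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"], "verbs": ["create"]},
    {"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi",
                         "/openapi/*", "/swagger-2.0.0.pb-v1", "/swagger.json",
                         "/swaggerapi", "/swaggerapi/*", "/version", "/version/"],
     "verbs": ["get"]},
]
# Three rules taken from the ClusterRole posted in the thread.
REQUESTED = [
    {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["nodes/metrics"], "verbs": ["get"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
]

if __name__ == "__main__":
    print(escalations(OWNER_RULES, REQUESTED))  # [('/metrics', 'get')]
```

The only uncovered permission is `get` on `/metrics`, matching the single `PolicyRule` named in the error; an owner that also holds a `nonResourceURLs: ["*"]` rule, as the built-in `cluster-admin` ClusterRole does, passes the same check.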