influxdata / tick-charts

A repository for Helm Charts for the full TICK Stack
Apache License 2.0

/stats/summary returned HTTP status 401 Unauthorized #77

Open casertap opened 5 years ago

casertap commented 5 years ago

Using this config in telegraf-ds

[[inputs.kubernetes]]
  bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token"
  insecure_skip_verify = true
  url = "https://$HOSTIP:10250"

I get this error:

Jan 18 15:40:10 hosts-telegraf-ds-wsnbp hosts-telegraf-ds Error E! [inputs.kubernetes]: Error in plugin: https://172.23.47.179:10250/stats/summary returned HTTP status 401 Unauthorized

It seems that I am missing the serviceaccount token for telegraf to query the kubernetes endpoint.

I find it weird that the tick-charts did not create this serviceaccount automatically.

What am I missing? How can I make the inputs.kubernetes work?

jackzampolin commented 5 years ago

@casertap when I wrote these charts serviceaccounts weren't a thing yet. You may need to add one to this chart.

rawkode commented 5 years ago

@casertap I don't suppose you're running this on GKE?

casertap commented 5 years ago

@rawkode no I built my own kube cluster on aws using kops

rawkode commented 5 years ago

@casertap Please ensure you have Webhook authentication enabled in your Kubelet configuration:

--authentication-token-webhook

niklasember commented 5 years ago

@rawkode I'm having this issue while running on GKE, any ideas?

Tried with --authentication-token-webhook on kubelet and have created a serviceaccount. Same config works on non-gke setup.

rawkode commented 5 years ago

@niklasember GKE doesn't allow access to the Kubelet on the host; you need to go through the API server:

- kubernetes:
        url: "http://kubernetes.default.svc.cluster.local/v1/nodes/${HOSTIP}/proxy/metrics"
        bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token"

florianrusch commented 5 years ago

@jackzampolin do you have an example how to configure the role for the service account?

florianrusch commented 5 years ago

I've found a solution that works for me:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tick-stack

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-scanner-kubelet-api-admin
subjects:
- kind: ServiceAccount
  name: tick-stack
  namespace: tick
roleRef:
  kind: ClusterRole
  name: system:kubelet-api-admin
  apiGroup: rbac.authorization.k8s.io

florianrusch commented 5 years ago

We should update the telegraf-ds chart to also create this service-account automatically.

rawkode commented 5 years ago

@florianrusch I agree. We're working on cleaning up our Helm charts and will be supporting / endorsing the charts in the official Helm repository very soon

pbaderia01 commented 5 years ago

@florianrusch Would it be possible for you to list out the steps that you followed to get the service account working for you?

florianrusch commented 5 years ago

@piyush-insider I didn't test it again. But I took the resources I published before and just applied them to the cluster/namespace.

You can put the resources in a YAML file and apply it with kubectl apply, or you can run this command:

$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tick-stack

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-scanner-kubelet-api-admin
subjects:
- kind: ServiceAccount
  name: tick-stack
  namespace: tick
roleRef:
  kind: ClusterRole
  name: system:kubelet-api-admin
  apiGroup: rbac.authorization.k8s.io
EOF

stanislav-zaprudskiy commented 5 years ago

Apart from the service account specification (which also requires #105), you'll need to provide an adequate ClusterRole and ClusterRoleBinding.

For the kubernetes plugin to work, assigning the service account to the system:kubelet-api-admin role (referenced above) is too much. In my case, something like the following was enough:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: telegraf
  namespace: monitoring
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metrics-reader
rules:
- apiGroups: [""]
  resources: ["nodes/stats"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: telegraf-metrics-reader
subjects:
- kind: ServiceAccount
  name: telegraf
  namespace: monitoring
roleRef:
  kind: ClusterRole
  name: metrics-reader
  apiGroup: rbac.authorization.k8s.io
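To make the least-privilege point of the last two comments concrete, here is an added example (not code from the tick-charts project or from any commenter): a small evaluator for Kubernetes RBAC PolicyRules that checks which requests the broad system:kubelet-api-admin binding permits compared with the narrow metrics-reader ClusterRole above. The matching logic follows upstream RBAC semantics ("*" matches anything, "nodes/*" matches any nodes subresource, "*/stats" matches the stats subresource of any resource); the kubelet-api-admin rules are an approximation of the upstream bootstrap policy written out here for illustration, and the probe requests are constructed.

```python
"""
Added example: compare two ClusterRoles against what inputs.kubernetes
actually needs (GET on the kubelet summary API, exposed by the API server
as the nodes/stats subresource) and report any permissions beyond that.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple  # "" is the core API group
    resources: tuple   # e.g. "nodes", "nodes/stats", "nodes/*"
    verbs: tuple


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str       # e.g. "nodes/stats"
    api_group: str = ""


def _resource_matches(rule_res: str, requested: str) -> bool:
    """Upstream RBAC resource matching, including the foo/* and */bar forms."""
    if rule_res == "*" or rule_res == requested:
        return True
    if "/" not in requested:
        return False
    parent, sub = requested.split("/", 1)
    return rule_res == parent + "/*" or rule_res == "*/" + sub


def rule_allows(rule: Rule, req: Request) -> bool:
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    res_ok = any(_resource_matches(r, req.resource) for r in rule.resources)
    return verb_ok and group_ok and res_ok


def role_allows(rules, req: Request) -> bool:
    """A role permits a request if any single rule permits it."""
    return any(rule_allows(r, req) for r in rules)


# Approximation of the upstream system:kubelet-api-admin bootstrap ClusterRole
# (written out here for illustration; check your cluster with kubectl get clusterrole).
KUBELET_API_ADMIN = (
    Rule(("",), ("nodes",), ("get", "list", "watch")),
    Rule(("",), ("nodes",), ("proxy",)),
    Rule(("",), ("nodes/proxy", "nodes/metrics", "nodes/spec", "nodes/stats", "nodes/log"), ("*",)),
)

# The metrics-reader ClusterRole from the comment above.
METRICS_READER = (
    Rule(("",), ("nodes/stats",), ("get",)),
)

# What the telegraf kubernetes input needs.
NEEDED = (Request("get", "nodes/stats"),)

# Constructed probe requests a metrics collector has no reason to make.
EXCESS_PROBES = (
    Request("create", "nodes/proxy"),
    Request("get", "nodes/log"),
    Request("proxy", "nodes"),
)


def covers_needed(rules, needed=NEEDED) -> bool:
    """True if the role grants every request the plugin requires."""
    return all(role_allows(rules, r) for r in needed)


def excess_permissions(rules, needed=NEEDED, probes=EXCESS_PROBES):
    """Return the probe requests the role allows although they are not needed."""
    return [p for p in probes if p not in needed and role_allows(rules, p)]


if __name__ == "__main__":
    for name, rules in (("system:kubelet-api-admin", KUBELET_API_ADMIN),
                        ("metrics-reader", METRICS_READER)):
        print(name, "covers telegraf needs:", covers_needed(rules),
              "excess:", [(p.verb, p.resource) for p in excess_permissions(rules)])
```

Both roles cover the single request the plugin makes, but only metrics-reader returns an empty excess list; the admin role also permits writes to nodes/proxy and reads of nodes/log, which is why the scoped ClusterRole is the better binding for a monitoring agent. On a live cluster the same check is `kubectl auth can-i get nodes/stats --as=system:serviceaccount:monitoring:telegraf` (and `kubectl auth can-i create nodes/proxy ...`, which should answer no).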