nginxinc / nginx-ingress-helm-operator

NGINX Ingress Operator for NGINX and NGINX Plus Ingress Controllers. Based on the Helm chart for NGINX Ingress Controller - https://github.com/nginxinc/helm-charts
Apache License 2.0

Access to Prometheus service monitor fails #369

Open jnewfield opened 4 weeks ago

jnewfield commented 4 weeks ago

After deploying NGINX Ingress Operator and an NginxIngress CRD with parameter spec.prometheus.serviceMonitor.create.true, the NGINX Ingress Controller pod fails to get created. An error similar to the following message is reported from the NginxIngress resource:

failed to install release: Unable to continue with install: could not get information about the resource ServiceMonitor "nginxingress-sample-nginx-ingress-controller" in namespace "nginx-ingress": servicemonitors.monitoring.coreos.com "nginxingress-sample-nginx-ingress-controller" is forbidden: User "system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "nginx-ingress"

Workaround: Add appropriate RBAC rules for NGINX Ingress Operator to access the Prometheus service monitor.

Edit the NGINX Ingress Operator manager cluster role:

kubectl edit clusterroles.rbac.authorization.k8s.io nginx-ingress-operator-manager-role

Add the following api group rule just before the very last api group rule in the file:

- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - '*'

Fix: Incorporate permissions to api group monitoring.coreos.com
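
A narrower alternative to the `'*'` verb rule in the workaround above, as an added example that is not part of the original issue or the operator's own manifests. It grants the access in a separate ClusterRole bound to the service account named in the error message; the role and binding names are hypothetical, and the verb list is an assumption about what a Helm-based operator needs to install, reconcile and remove a release's ServiceMonitor.

```yaml
# Added example, not from the issue or the operator's manifests.
# Service account and its namespace are taken from the error message above.
# Assumption: the verbs below cover what the operator needs for a
# ServiceMonitor (look up, create, reconcile, delete, and watch for drift).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-operator-servicemonitor   # hypothetical name
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors        # only this resource, not the whole API group
  verbs:                   # explicit verbs instead of '*'
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-operator-servicemonitor   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-operator-servicemonitor
subjects:
- kind: ServiceAccount
  name: nginx-ingress-operator-controller-manager
  namespace: nginx-ingress-operator-system
```

After applying it, `kubectl auth can-i get servicemonitors.monitoring.coreos.com -n nginx-ingress --as=system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager` should answer `yes`.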

AlexFenlon commented 2 weeks ago

Hi @jnewfield, we are looking into this.