NGINX Ingress Operator for NGINX and NGINX Plus Ingress Controllers. Based on the Helm chart for NGINX Ingress Controller - https://github.com/nginxinc/helm-charts
After deploying NGINX Ingress Operator and an NginxIngress crd with parameter spec.prometheus.serviceMonitor.create.true, the NGINX Ingress Controller pod fails to get created. An error similar to the following message is reported from the NginxIngress resource:
failed to install release: Unable to continue with install: could not get information about the resource ServiceMonitor "nginxingress-sample-nginx-ingress-controller" in namespace "nginx-ingress": servicemonitors.monitoring.coreos.com "nginxingress-sample-nginx-ingress-controller" is forbidden: User "system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "nginx-ingress"
Workaround:
Add appropriate rbac rules for NGINX Ingress Operator to access the Prometheus service monitor
Edit the NGINX Ingress Operator manager cluster role
kubectl edit clusterroles.rbac.authorization.k8s.io nginx-ingress-operator-manager-role
Add the following api group rule just before the very last api group rule in the file
After deploying NGINX Ingress Operator and an NginxIngress crd with parameter spec.prometheus.serviceMonitor.create.true, the NGINX Ingress Controller pod fails to get created. An error similar to the following message is reported from the NginxIngress resource:
failed to install release: Unable to continue with install: could not get information about the resource ServiceMonitor "nginxingress-sample-nginx-ingress-controller" in namespace "nginx-ingress": servicemonitors.monitoring.coreos.com "nginxingress-sample-nginx-ingress-controller" is forbidden: User "system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "nginx-ingress"
Workaround: Add appropriate rbac rules for NGINX Ingress Operator to access the Prometheus service monitor Edit the NGINX Ingress Operator manager cluster role
kubectl edit clusterroles.rbac.authorization.k8s.io nginx-ingress-operator-manager-role
Add the following api group rule just before the very last api group rule in the fileFix: Incorporate permissions to api group monitoring.coreos.com