openfaas / faas-netes

Serverless Functions For Kubernetes
https://www.openfaas.com
MIT License

Feature Request - toggle for Prometheus scraping as ClusterRole #717

Open dplusic opened 3 years ago

dplusic commented 3 years ago

Expected Behaviour

Helm Chart should not create ClusterRole when clusterRole=false.

Current Behaviour

It creates ClusterRole even if clusterRole=false.

Possible Solution

It should create Role instead of ClusterRole.

Steps to Reproduce (for bugs)

  1. Prepare a service account without permission to create a ClusterRole
  2. Run helm install openfaas openfaas/openfaas --set clusterRole=false --set createCRDs=false
  3. Error message: Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: clusterroles.rbac.authorization.k8s.io "openfaas-prometheus" is forbidden: User "system:serviceaccount:default:default" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

Context

I want namespaced installation of openfaas.

Your Environment

alexellis commented 3 years ago

This is expected: Prometheus needs to scrape in more than one namespace. The cluster role flag that you mention is only for the OpenFaaS Operator and does not configure the RBAC for Prometheus.

Happy for you to send a PR, otherwise you'll need to wait for this to be prioritized. Premium Subscription customers get priority.

alexellis commented 3 years ago

/set title: Feature Request - toggle for Prometheus scraping as ClusterRole

alexellis commented 3 years ago

I took a look into this today to refresh my memory. You should read the notes on this PR:

https://github.com/openfaas/faas-netes/commit/71edafae6e2073de7d81d5aec6f9bab637dc74eb#diff-48d9710e441cfca34edd16570dabeda39dc6ecfae662e42f4e9bab7813290aa7

And if converted to two Roles and RoleBindings to the Prometheus SA, the following error is given by Prometheus which fails to work:

level=error ts=2020-11-29T16:33:17.946Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:283: Failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:openfaas:openfaas-prometheus\" cannot list resource \"pods\" in API group \"\" in the namespace \"openfaas-fn\": RBAC: role.rbac.authorization.k8s.io \"openfaas-prometheus\" not found"

With:

alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get sa -n openfaas
NAME                  SECRETS   AGE
default               1         4m55s
openfaas-prometheus   1         4m48s
openfaas-controller   1         4m48s
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get sa -n openfaas-fn
NAME      SECRETS   AGE
default   1         4m56s
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get role -n openfaas
NAME                  CREATED AT
openfaas-prometheus   2020-11-29T16:29:47Z
openfaas-profiles     2020-11-29T16:29:47Z
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get role -n openfaas-fn
NAME                  CREATED AT
openfaas-controller   2020-11-29T16:29:47Z
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get rolebinding -n openfaas
NAME                  ROLE                       AGE
openfaas-prometheus   Role/openfaas-prometheus   5m3s
openfaas-profiles     Role/openfaas-profiles     5m3s
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ kubectl get rolebinding -n openfaas-fn
NAME                  ROLE                       AGE
openfaas-prometheus   Role/openfaas-prometheus   5m4s
openfaas-controller   Role/openfaas-controller   5m4s
alex@alex-nuc8:~/go/src/github.com/openfaas/faas-netes$ 

We would welcome your suggestions @dplusic
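Added example, not part of the original thread or the OpenFaaS code base: a RoleBinding whose roleRef has kind Role is resolved in the RoleBinding's own namespace, so this check cross-references the `kubectl get role` and `kubectl get rolebinding` listings pasted above and reports bindings that point at a Role missing from their namespace. The function names `rows` and `dangling_bindings` are hypothetical; the table text is copied from the comment above.

```python
"""Find RoleBindings whose namespaced Role does not exist (added example)."""

# kubectl listings copied from the comment above, keyed by namespace.
ROLES = {
    "openfaas": """\
NAME                  CREATED AT
openfaas-prometheus   2020-11-29T16:29:47Z
openfaas-profiles     2020-11-29T16:29:47Z
""",
    "openfaas-fn": """\
NAME                  CREATED AT
openfaas-controller   2020-11-29T16:29:47Z
""",
}
ROLEBINDINGS = {
    "openfaas": """\
NAME                  ROLE                       AGE
openfaas-prometheus   Role/openfaas-prometheus   5m3s
openfaas-profiles     Role/openfaas-profiles     5m3s
""",
    "openfaas-fn": """\
NAME                  ROLE                       AGE
openfaas-prometheus   Role/openfaas-prometheus   5m4s
openfaas-controller   Role/openfaas-controller   5m4s
""",
}

def rows(table):
    """Yield whitespace-split data rows of a kubectl table, skipping the header."""
    lines = [line for line in table.splitlines() if line.strip()]
    for line in lines[1:]:
        yield line.split()

def dangling_bindings(roles, rolebindings):
    """Return sorted (namespace, binding, role) for bindings whose Role is missing.

    A roleRef of kind Role is looked up in the RoleBinding's own namespace;
    ClusterRole references are cluster-scoped and are skipped here.
    """
    existing = {(ns, r[0]) for ns, table in roles.items() for r in rows(table)}
    missing = []
    for ns, table in rolebindings.items():
        for name, ref, *_ in rows(table):
            kind, _, role = ref.partition("/")
            if kind == "Role" and (ns, role) not in existing:
                missing.append((ns, name, role))
    return sorted(missing)

if __name__ == "__main__":
    for ns, binding, role in dangling_bindings(ROLES, ROLEBINDINGS):
        print(f"{ns}: RoleBinding {binding} -> Role {role} not found in {ns}")
```

On the listings above it flags the `openfaas-prometheus` RoleBinding in `openfaas-fn`, which is the same Role the Prometheus error reports as not found.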