prometheus-community / helm-charts

Prometheus community Helm charts
Apache License 2.0

[kube-state-metrics] does not create ClusterRole #1264

Closed mozai closed 2 years ago

mozai commented 2 years ago

Describe the bug a clear and concise description of what the bug is.

Installing with default settings, no extra values.yaml, I see it creates ClusterRoleBinding with roleRef.name "kube-state-metrics", but there is no such ClusterRole.

Error messages in the Pod are:

Failed to watch v1.ReplicaSet: failed to list v1.ReplicaSet: replicasets.apps is forbidden: User "system:serviceaccount:ogi:kube-state-metrics" cannot list resource "replicasets" in API group "apps" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "kube-state-metrics" not found

What's your helm version?

version.BuildInfo{Version:"v3.3.0", GitCommit:"8a4aeec08d67a7b84472007529e8097ec3742105", GitTreeState:"dirty", GoVersion:"go1.14.7"}

What's your kubectl version?

Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.12", GitCommit:"5ec472285121eb6c451e515bc0a7201413872fa3", GitTreeState:"clean", BuildDate:"2020-09-16T13:39:51Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.20-eks-8c579e", GitCommit:"8c579edfc914f013ff48b2a2b2c1308fdcacc53f", GitTreeState:"clean", BuildDate:"2021-07-31T01:34:13Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}

Which chart?

kube-state-metrics

What's the chart version?

3.4.2

What happened?

Installing with default settings, no extra values.yaml, I see it creates ClusterRoleBinding with roleRef.name "kube-state-metrics", but there is no such ClusterRole.

Error messages in the Pod are:

Failed to watch v1.ReplicaSet: failed to list v1.ReplicaSet: replicasets.apps is forbidden: User "system:serviceaccount:ogi:kube-state-metrics" cannot list resource "replicasets" in API group "apps" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "kube-state-metrics" not found

What you expected to happen?

kube-state-metrics installed, answers requests with useful information gleaned from the Kubernetes API

How to reproduce it?

helm install -n prommy prometheus-community/kube-state-metrics

Enter the changed values of values.yaml?

n/a

Enter the command that you execute and failing/misfunctioning.

kubectl -n prommy logs -c kube-state-metrics --tail 100

Anything else we need to know?

I can see in the templates/role.yaml these lines:

{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}}
{{- range (split "," .Values.namespaces) }}

rbac.create is true by default, and rbac.useExistingRole is commented out. namespaces is an empty string, which I believe {{range }} will iterate zero times over... thus creating zero ClusterRoles. I could put a junk string in namespaces but that will screw up the rolebinding and deployment templates.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

mozai commented 2 years ago

So I have to keep adding noise/junk to this bug report every two weeks until it's resolved?

monotek commented 2 years ago

Can't reproduce with 3.5.0.

kind create cluster
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.21.1) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌 
 ✓ Installing StorageClass 💾 
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Thanks for using kind! 😊
helm install kube-state-metrics prometheus-community/kube-state-metrics
NAME: kube-state-metrics
LAST DEPLOYED: Tue Sep 21 20:06:00 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
The exposed metrics can be found here:
https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics

The metrics are exported on the HTTP endpoint /metrics on the listening port.
In your case, kube-state-metrics.default.svc.cluster.local:8080/metrics

They are served either as plaintext or protobuf depending on the Accept header.
They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
k get po
NAME                                  READY   STATUS    RESTARTS   AGE
kube-state-metrics-869ddbd945-vr46r   1/1     Running   0          107s
k describe clusterrole kube-state-metrics
Name:         kube-state-metrics
Labels:       app.kubernetes.io/instance=kube-state-metrics
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=kube-state-metrics
              helm.sh/chart=kube-state-metrics-3.5.0
Annotations:  meta.helm.sh/release-name: kube-state-metrics
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources                                                     Non-Resource URLs  Resource Names  Verbs
  ---------                                                     -----------------  --------------  -----
  configmaps                                                    []                 []              [list watch]
  endpoints                                                     []                 []              [list watch]
  limitranges                                                   []                 []              [list watch]
  namespaces                                                    []                 []              [list watch]
  nodes                                                         []                 []              [list watch]
  persistentvolumeclaims                                        []                 []              [list watch]
  persistentvolumes                                             []                 []              [list watch]
  pods                                                          []                 []              [list watch]
  replicationcontrollers                                        []                 []              [list watch]
  resourcequotas                                                []                 []              [list watch]
  secrets                                                       []                 []              [list watch]
  services                                                      []                 []              [list watch]
  mutatingwebhookconfigurations.admissionregistration.k8s.io    []                 []              [list watch]
  validatingwebhookconfigurations.admissionregistration.k8s.io  []                 []              [list watch]
  daemonsets.apps                                               []                 []              [list watch]
  deployments.apps                                              []                 []              [list watch]
  replicasets.apps                                              []                 []              [list watch]
  statefulsets.apps                                             []                 []              [list watch]
  horizontalpodautoscalers.autoscaling                          []                 []              [list watch]
  cronjobs.batch                                                []                 []              [list watch]
  jobs.batch                                                    []                 []              [list watch]
  certificatesigningrequests.certificates.k8s.io                []                 []              [list watch]
  daemonsets.extensions                                         []                 []              [list watch]
  deployments.extensions                                        []                 []              [list watch]
  ingresses.extensions                                          []                 []              [list watch]
  replicasets.extensions                                        []                 []              [list watch]
  ingresses.networking.k8s.io                                   []                 []              [list watch]
  networkpolicies.networking.k8s.io                             []                 []              [list watch]
  poddisruptionbudgets.policy                                   []                 []              [list watch]
  storageclasses.storage.k8s.io                                 []                 []              [list watch]
  volumeattachments.storage.k8s.io                              []                 []              [list watch]

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] commented 2 years ago

This issue is being automatically closed due to inactivity.