Comments (13)
I experienced the same issue; after I added that line it is working perfectly.
from kube-metrics-adapter.
Sorry, I'd submit a pull request, but that would require a lengthy approval process from my employer.
from kube-metrics-adapter.
Hi @bentrombley there should be a default role in the cluster called: extension-apiserver-authentication-reader
This we bind to here: kube-metrics-adapter/docs/rbac.yaml, line 116 in 97ec13d
Does your cluster not have this role as default? From what I can see it should also be in v1.15.7
from kube-metrics-adapter.
Same here, adding this section to the `clusterrole/custom-metrics-resource-collector` made the metrics work on my k8s (1.18.3).
What confuses me is that I installed a cluster a month ago (1.18.2), without that part, and it works... 🤔
from kube-metrics-adapter.
Hello, I came up with this fix also, but I'm still getting the following logs.
```
I0624 19:40:42.941182 1 serving.go:306] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
W0624 19:40:43.437556 1 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" due to: configmap "extension-apiserver-authentication" not found
W0624 19:40:43.437629 1 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" due to: configmap "extension-apiserver-authentication" not found
```
In debug mode I can see the configmap being read, though.
from kube-metrics-adapter.
Can you check if you have the role `extension-apiserver-authentication-reader` in your cluster?
I have just created a new cluster based on v1.18.6 and it's there by default:
```
kubectl --namespace kube-system get role extension-apiserver-authentication-reader
NAME                                        CREATED AT
extension-apiserver-authentication-reader   2020-07-21T19:14:01Z
```
Or could it be that you're not deploying the kube-metrics-adapter to the `kube-system` namespace but to another namespace?
@prageethw, @edsonmarquezani, @bentrombley
from kube-metrics-adapter.
@mikkeloscar yes, the default role exists in the `kube-system` namespace; it seems the issue is with `custom-metrics-resource-reader` and `custom-metrics-resource-collector`, which get created in the namespace I install the adapter in, it seems.
from kube-metrics-adapter.
@prageethw Is installing to `kube-system` an option for you? Then we could change the docs to include the namespace for all resources. If not, then we need to adapt it for users not installing to kube-system, where the `extension-apiserver-authentication-reader` is not available. But this also means the configmap is not available, and thus I would expect some things to not work, as the configMap includes the CA of the apiserver.
from kube-metrics-adapter.
@mikkeloscar Thanks for the reply. Yeah, installing in `kube-system` is always an option, though I'm not sure whether that will be the best practice. Generally, I like to keep `kube-system` untouched, though I guess everyone is different. What stops us from giving enough access rights to `custom-metrics-resource-reader` and `custom-metrics-resource-collector` instead of forcing users to install to `kube-system`?
from kube-metrics-adapter.
> What stops us from giving enough access rights to `custom-metrics-resource-reader` and `custom-metrics-resource-collector` instead of forcing users to install to `kube-system`?
What I want to avoid is that we document more access than is needed. With the change suggested in this thread and in #181 the kube-metrics-adapter would get access to ALL configmaps instead of just a single one as intended.
from kube-metrics-adapter.
@mikkeloscar fair point. I think, TBH, that is an extreme measure: if someone can access `custom-metrics-resource-collector` and `custom-metrics-resource-reader`, most likely he is already inside the cluster.
from kube-metrics-adapter.
> @mikkeloscar fair point. I think, TBH, that is an extreme measure: if someone can access `custom-metrics-resource-collector` and `custom-metrics-resource-reader`, most likely he is already inside the cluster.

I want to document the best practice, which is the least amount of permissions. If users need something custom or more relaxed, they're free to use a custom role setup. I'm also fine documenting that if we clearly state the reason (e.g. not deploying in `kube-system`). However, considering that the original issue clearly states a problem when the service account is in `kube-system`, and that we also only document `kube-system` as the default setup right now, I suspect something else is wrong if it doesn't work for folks without these extra changes.
Does anyone in this thread deploy to `kube-system` and still have the problem with the default RBAC roles we have documented?
from kube-metrics-adapter.
I prefer to have all monitoring related stuff in the monitoring namespace. I have moved the adapter for now though because it seems the only way to get this to work is have it in kube-system since even giving it the right RBAC would mean it needs a clusterwide priv instead of a single cm priv as documented here.
from kube-metrics-adapter.
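The least-privilege trade-off discussed in this thread, as an added example (not from the kube-metrics-adapter docs or from any commenter): a cluster-wide ConfigMap rule next to a `RoleBinding` in `kube-system` that gives a ServiceAccount from another namespace the built-in `extension-apiserver-authentication-reader` role only. The ServiceAccount name `custom-metrics-apiserver`, the `monitoring` namespace, and both `metadata.name` values are assumptions.

```yaml
# Added example; every value marked "assumed" is illustrative, not from the thread.
#
# Broad variant (the kind of rule the thread warns about): once bound with a
# ClusterRoleBinding, the subject can read every ConfigMap in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-reader-too-broad          # assumed name, shown for contrast only
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
# Narrow variant: the RoleBinding is created in kube-system, next to the Role
# and the ConfigMap, while the subject is a ServiceAccount in another namespace.
# The built-in Role is restricted by name to the single ConfigMap
# "extension-apiserver-authentication".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: custom-metrics-auth-reader          # assumed name
  namespace: kube-system                    # namespace of the Role and the ConfigMap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: custom-metrics-apiserver            # assumed ServiceAccount name
  namespace: monitoring                     # assumed namespace where the adapter runs
```

To check the resulting scope, `kubectl auth can-i get configmap/extension-apiserver-authentication --namespace kube-system --as system:serviceaccount:monitoring:custom-metrics-apiserver` should answer `yes` with the narrow binding, while the same query for any other ConfigMap name should answer `no`.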