Add dedicated serviceaccount for blackbox-exporter #5543
Merged
gardener-robot added the area/monitoring, area/security, kind/bug and size/XS labels on Mar 9, 2022
/priority 2
gardener-robot added the needs/cherry-pick and priority/2 labels on Mar 9, 2022
rfranzke approved these changes on Mar 9, 2022
/lgtm
/milestone v1.42
krgostev approved these changes on Mar 9, 2022
/lgtm
krgostev pushed a commit to krgostev/gardener that referenced this pull request on Apr 21, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request on Jul 5, 2022
How to categorize this PR?
/area security monitoring
/kind bug
What this PR does / why we need it:
Before, blackbox-exporter in the shoot was not specifying any serviceAccountName and was hence using the kube-system/default service account.
With #5422, the kube-system/default service account specifies automountServiceAccountToken=false and because the grm projected token volume webhook does not mount the default service account, blackbox-exporter runs without any service account token mount.
This causes the probe to fail with errors like this:
Hence, the API server availability from the shoot perspective was always displayed as "down".
This PR introduces a dedicated serviceaccount for blackbox-exporter, which is then mounted as a projected volume and used to authenticate against the API server.
With this, probes are working again.
Which issue(s) this PR fixes:
Part of #4878
Special notes for your reviewer:
/invite @rfranzke @kris94
Release note:
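
The failure mode described in this PR, as an added example that is not part of the PR or of Gardener's code: a small Python model that predicts, from a pod manifest and its ServiceAccount, whether the pod ends up with a token. The manifests are constructed, the dedicated account name `blackbox-exporter` is an assumption, and the webhook rule is simplified to what the description states.

```python
# Added example: model of which pods end up with a service account token.
DEFAULT_SA = "default"


def effective_automount(pod_spec, service_account):
    """Kubernetes precedence: the pod-level field overrides the ServiceAccount's
    field; when neither is set, the token is automounted."""
    for value in (pod_spec.get("automountServiceAccountToken"),
                  service_account.get("automountServiceAccountToken")):
        if value is not None:
            return value
    return True


def token_source(pod, service_accounts):
    """Return 'automount', 'projected' or 'none' for one pod manifest."""
    spec = pod["spec"]
    sa_name = spec.get("serviceAccountName") or DEFAULT_SA
    sa = service_accounts[(pod["metadata"]["namespace"], sa_name)]
    if effective_automount(spec, sa):
        return "automount"
    # Simplified from the PR text: the projected token volume webhook skips
    # the default service account and serves dedicated ones (assumption: no
    # other webhook preconditions are modeled here).
    if sa_name != DEFAULT_SA:
        return "projected"
    return "none"


def pods_without_token(pods, service_accounts):
    """Names of pods that would reach the API server unauthenticated."""
    return [p["metadata"]["name"] for p in pods
            if token_source(p, service_accounts) == "none"]


# Constructed manifests; the dedicated account name is hypothetical.
SERVICE_ACCOUNTS = {
    ("kube-system", "default"): {"automountServiceAccountToken": False},
    ("kube-system", "blackbox-exporter"): {"automountServiceAccountToken": False},
}
POD_BEFORE = {"metadata": {"name": "blackbox-exporter-before", "namespace": "kube-system"},
              "spec": {"containers": [{"name": "blackbox-exporter"}]}}
POD_AFTER = {"metadata": {"name": "blackbox-exporter-after", "namespace": "kube-system"},
             "spec": {"serviceAccountName": "blackbox-exporter",
                      "containers": [{"name": "blackbox-exporter"}]}}

if __name__ == "__main__":
    for pod in (POD_BEFORE, POD_AFTER):
        print(pod["metadata"]["name"], "->", token_source(pod, SERVICE_ACCOUNTS))
```

Running `pods_without_token` over the manifests in a namespace flags every workload that still relies on the default service account after its automount is disabled.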