What is required api rights for prometheus plugin? #39
Comments
@yolossn Can you reply to this one?
Hey @feym78 The plugin identifies the prometheus pod using the
We are working on making the prometheus url configurable so that the user can configure the prometheus endpoint to fetch the metrics from.
@yolossn Hi, thx for reply
@yolossn Hi! Any thoughts on this?
Hey sorry, I missed this message. I think the reason why the read-only setup is not working is that the plugin creates a proxy to the prometheus plugin for fetching the metrics data. Can you share the output of this command with the "read-only" grant.
Strange thing - with admin role I get "yes" to these commands, but if I try them even with full scope for cluster role as:
So in order to get prometheus plugin working you need to grant SA get/list to all namespaces and pods (so plugin could find prometheus pod) and scope above for pods/proxy. As offtop: now it would be nice to make chart time range customizable, not hardcoded 10 minutes :)
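The permission set the comment above arrives at, checked offline, as an added example that is not part of the thread or of Headlamp's code: it models how Kubernetes RBAC matches a rule's `resources` against a request, where a grant on `pods` does not cover the `pods/proxy` subresource. The `get` verb on `pods/proxy` is an assumption based on the GET request that returned 403; both sample rule sets are constructed.

```python
# Added example: offline model of Kubernetes RBAC PolicyRule matching.
# REQUIRED follows the thread (get/list pods, plus pods/proxy); the "get"
# verb on pods/proxy is an assumption taken from the failing GET request.
REQUIRED = [
    ("get", "", "pods"),
    ("list", "", "pods"),
    ("get", "", "pods/proxy"),
]

def resource_matches(rule_resources, resource):
    """'*' matches everything, an exact name matches itself, and '*/sub'
    matches that subresource of any resource. 'pods' never matches 'pods/proxy'."""
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    for entry in rule_resources:
        if entry == "*" or entry == resource:
            return True
        if sub and entry == "*/" + sub:
            return True
    return False

def rule_allows(rule, verb, group, resource):
    """True when a single PolicyRule (dict form) permits the request."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])
    return (("*" in verbs or verb in verbs)
            and ("*" in groups or group in groups)
            and resource_matches(rule.get("resources", []), resource))

def missing_permissions(rules, required=REQUIRED):
    """Return the required (verb, apiGroup, resource) tuples no rule grants."""
    return [req for req in required
            if not any(rule_allows(rule, *req) for rule in rules)]

# Constructed rule sets (not taken from the thread).
PODS_FULL_SCOPE = [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch", "create",
                              "update", "patch", "delete"]}]
PLUGIN_MINIMAL = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/proxy"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for name, rules in (("pods, full scope", PODS_FULL_SCOPE),
                        ("plugin minimal", PLUGIN_MINIMAL)):
        print(name, "-> missing:", missing_permissions(rules))
```
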
Hi. I'm running in-cluster installation of headlamp 0.23.1.
When I use the cluster-admin or edit cluster role, the prometheus chart works fine for pods, but if I use the view role or a custom set of privileges, the chart is not shown and I get the error "Error fetching prometheus Info".
I managed to understand that the plugin is trying to search all namespaces to see if there is a prometheus pod, so I added privileges to get pods in all namespaces. The error message disappeared, but the chart is still not showing; in the browser console I see the error "GET generated url with prometheus pod 403 (Forbidden)".
I can't understand which api right is missing. I tried to grant all api resources in the "" group, the "apps" group, etc. with full scope ("get", "list", "watch", "create", "update", "patch", "delete") clusterwide, but still no result.
My idea is that I don't want to give the team full access to the cluster, or even the edit role clusterwide. I want to give the token as little api scope as possible, but still provide the necessary metrics and tools.