Prometheus scrape metrics #427

Open
blezoray opened this issue May 2, 2024 · 2 comments
Labels
bug Something isn't working

Comments


blezoray commented May 2, 2024

Hello,

I deployed kube-green with OLM on an OpenShift platform and I would like to configure my local Prometheus to scrape its metrics.
But when I try to configure it, queries return "server returned HTTP status 400 Bad Request" on both ports 8443 and 9443.

After some investigation, it appears that /metrics is exposed only on the localhost:

    spec:
      containers:
      - args:
        - --health-probe-bind-address=:8081
        - --metrics-bind-address=127.0.0.1:8080
        - --leader-elect
        command:
        - /manager

There is also a service named kube-green-controller-manager-metrics-service on port 8443. But it is protected by the sidecar kube-rbac-proxy and a query returns 401 Unauthorized.

What is the solution to bypass the kube-rbac-proxy?

Rgds.

davidebianchi added the bug label May 19, 2024

davidebianchi (Member) commented May 19, 2024

Hi @blezoray! We should address it.

I link this issue which could help in the resolution of this issue.

On the same page, there is some documentation on how to give the Prometheus operator the permissions to scrape the metrics: https://book.kubebuilder.io/reference/metrics#exporting-metrics-for-prometheus

blezoray (Author) commented

Thanks.
If I understand correctly, the Prometheus ServiceAccount should have permissions to /metrics, like in this example: https://github.com/brancz/kube-rbac-proxy/blob/master/examples/non-resource-url/client-rbac.yaml#L1-L7
But this permission must be configured in a ClusterRole, and in my case, with OpenShift namespace isolation, each project has its own Prometheus with a simple Role, and I can't add this rule (nonResourceURLs).
So, it is not applicable.
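
The permission discussed in the comments above, written out as an added example (not part of the issue thread or of kube-green's own manifests): a ClusterRole granting `get` on `/metrics`, its binding to the Prometheus ServiceAccount, and a ServiceMonitor that presents that account's token to kube-rbac-proxy. All object names, namespaces, the Service label and the port name are assumptions.

```yaml
# Added example; every name below is an assumption, not taken from kube-green.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-metrics-reader        # assumed name
rules:
# nonResourceURLs is only honoured in a ClusterRole bound by a
# ClusterRoleBinding; a namespaced Role cannot grant it.
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-green-metrics-reader        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-green-metrics-reader
subjects:
- kind: ServiceAccount
  name: prometheus-k8s                   # assumed Prometheus ServiceAccount
  namespace: monitoring                  # assumed Prometheus namespace
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kube-green-controller-manager    # assumed name
  namespace: kube-green                  # assumed install namespace
spec:
  selector:
    matchLabels:
      control-plane: controller-manager  # assumed label on the metrics Service
  endpoints:
  - port: https                          # assumed name of the 8443 Service port
    scheme: https
    path: /metrics
    # Prometheus presents its own ServiceAccount token; kube-rbac-proxy
    # validates it and checks the "get /metrics" permission above.
    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    tlsConfig:
      # Assumes the proxy serves a self-signed certificate. Where a CA is
      # available, set `ca` and `serverName` instead of skipping verification.
      insecureSkipVerify: true
```

With this in place, a 401 from the proxy points to a missing or invalid token, while a 403 points to a token whose ServiceAccount lacks the `/metrics` rule.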
