RBAC Deny when requesting metrics #40
Comments
Looks like your RBAC setup is messed up -- look at the messages like
It seems I need to dig deeper because I just bootstrapped a fresh cluster, the cluster role exists but it still doesn’t work. Will share my experience here as it unfolds.
So, I think I have narrowed it down to two sets of issues.
Issue 1:
Issue 2
This seems odd, because I can make calls to the API Server using the Pod Service Account Token just fine.
Here are the relevant roles and bindings which are reported as not found in original post
@piosz @DirectXMan12 Any pointers will be very appreciated
So, I found the solution to my issue. First issue got resolved when I configured the following flags correctly. --requestheader-client-ca-file= My second issue was unique to my setup and occurred because I was deploying the metrics pod "before" I set up the pod routes on master. My master nodes do not schedule pods and do not know how to get to pods. Hopefully it helps someone else as well.
I am facing the same issue after setting below certificate and configuration for metrics server
complete logs after deployment of metrics server (kube8 version 1.9)
@rahulmishra any help appreciated
temporary solution for above issue is set below mentioned flag-
Your certificates have the wrong CN. You've either set up your certificates incorrectly, or passed the wrong certificate somewhere --
@yashubh Sorry for the delay. You need to generate the requestheader-client-ca file and use the CA to sign the aggregator's cert. You also need to include a flag in your API server configuration. At least, that's the way I have made it work.
I also get error about permissions:
I use admin certificate generated by kubespray:
We can temporarily fix it by allowing system:anonymous to access metrics:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-metrics
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view-metrics
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous
```
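To see what a binding like the one above exposes, and to find similar bindings left behind after troubleshooting, this added example (not part of the thread or of metrics-server) walks saved `kubectl get clusterrolebindings -o json` and `kubectl get clusterroles -o json` output and lists every rule granted to unauthenticated subjects. The sample objects are constructed, and the `view-metrics-admin` binding is hypothetical.

```python
"""Added example: list what a cluster grants to unauthenticated callers."""
import json
import sys

# Identities the API server assigns to requests that carry no valid credential.
UNAUTHENTICATED = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

def anonymous_grants(bindings, roles):
    """Return (binding, subject, apiGroup, target, verbs) tuples for every rule
    reachable through a ClusterRoleBinding to an unauthenticated subject."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules") or [] for r in roles["items"]}
    findings = []
    for b in bindings["items"]:
        hits = [s["name"] for s in b.get("subjects") or []
                if (s.get("kind"), s.get("name")) in UNAUTHENTICATED]
        if not hits:
            continue
        for rule in rules_by_role.get(b["roleRef"]["name"], []):
            targets = rule.get("resources") or rule.get("nonResourceURLs") or []
            for group in rule.get("apiGroups") or [""]:
                for target in targets:
                    for subject in hits:
                        findings.append((b["metadata"]["name"], subject, group,
                                         target, tuple(sorted(rule.get("verbs") or []))))
    return findings

# Constructed sample input: the view-metrics objects from the comment above plus
# a hypothetical binding of the same role to the named user "admin".
SAMPLE_ROLES = {"items": [{
    "metadata": {"name": "view-metrics"},
    "rules": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
               "verbs": ["get", "list", "watch"]}]}]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "view-metrics"},
     "roleRef": {"kind": "ClusterRole", "name": "view-metrics"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"metadata": {"name": "view-metrics-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "view-metrics"},
     "subjects": [{"kind": "User", "name": "admin"}]}]}

if __name__ == "__main__":
    # Optional arguments: bindings.json roles.json (saved `kubectl get ... -o json` output)
    data = [json.load(open(p)) for p in sys.argv[1:3]]
    bindings, roles = data if len(data) == 2 else (SAMPLE_BINDINGS, SAMPLE_ROLES)
    for name, subject, group, target, verbs in anonymous_grants(bindings, roles):
        print(f"{name}: {subject} may {'/'.join(verbs)} {target} in {group or 'core'}")
```

On the sample it reports the `view-metrics` binding for both `pods` and `nodes` and skips the binding to the named user.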
@Paxa Thanks, solved my problem!
Same problem and inspired by @rahulmishra I solved it
Add config to kubelet
Great!
Solved my problem: I am missing the configuration: --proxy-client-cert-file and --proxy-client-key-file
Yes, you are right! This has successfully resolved my problem! Thanks a lot.
Hello,
I have a 3 node cluster on Virtual Machines (Kubernetes Version 1.9.0)
I added the following flags to the Kube API Server to enable aggregation
Since this is a non-production setup, I am using the same CA and certs which I use for Kube API Server.
Then i deployed the manifests located at https://github.com/kubernetes-incubator/metrics-server/tree/master/deploy
When running
On Metrics Server Pod
On Kube API Server:
kubectl just responds with
Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "kubernetes" cannot list nodes.metrics.k8s.io at the cluster scope.
I don't know where the user "kubernetes" is picked up from; my admin has a CN named admin, the certificate is signed by an issuer with CN(kubernetes)
I thought the deployment manifests of metrics server would address its RBAC requirements, what other permissions does the metric server need?