Non cluster-admin cannot request metrics #90

Closed
benjaminapetersen opened this issue Jul 24, 2018 · 12 comments

@benjaminapetersen

I have the Deploy 1.8 YAML files deployed on an OpenShift cluster @ v3.11.0-alpha.0+3af079d-343.

If I run the following:

```
oc get --raw /apis/metrics.k8s.io/v1beta1/namespaces/<my-namespace>/pods/<my-happy-pod>
```

I will receive the response:

```
Error from server (Forbidden): pods.metrics.k8s.io "<my-happy-pod>" is forbidden:
User "<me>" cannot get pods.metrics.k8s.io in the namespace "<my-namespace>":
User "<me>" cannot get pods.metrics.k8s.io in project "<my-namespace>"
```

I believe a non-cluster-admin user must be able to get metrics for the metrics service to be most useful.

@DirectXMan12

fyi @spadgett

@DirectXMan12
Contributor

We might need to move this to the Kubernetes repo, since it's a question of default policy, but we might also just be able to aggregate up to one of the default cluster roles. I'll need to take a look.

@DirectXMan12
Contributor

DirectXMan12 commented Jul 24, 2018

I think we can add an `rbac.authorization.k8s.io/aggregate-to-view: true` label on a role here and fix this, but it's probably better to just fix the default cluster policy in Kubernetes.

@DirectXMan12
Contributor

Talked to the sig-auth folks -- we probably just want to have aggregate-to-view here.

@seh

seh commented Aug 8, 2018

Which roles should be labeled as such, @DirectXMan12? We define the "metrics-server-auth-reader" Role and the "system:metrics-server" ClusterRole per the 1.8+ deployment advice.

@seh

seh commented Aug 9, 2018

Reading kubernetes/kubernetes#66579 again this morning, I now assume that you meant that we'll define the new "system:namespaced-metrics-reader" ClusterRole in this project, and aggregate it via label.

@DirectXMan12
Contributor

yes, correct.

@seh

seh commented Aug 13, 2018

How does one make use of all the permissions granted in the "custom.metrics.k8s.io" group, such as "jobs.batch?"

@DirectXMan12
Contributor

What do you mean? Are you asking what URLs those translate to? The resource "jobs.batch" in the API group "custom.metrics.k8s.io" corresponds to the URL `/apis/custom.metrics.k8s.io/v1beta1/namespaces/<ns>/jobs.batch/<name-or-star>/<metric>`, and grants permission to fetch any metric (subresource) on jobs.batch (although there's a typo and they should have subresources of * attached).

@seh

seh commented Aug 13, 2018

> Are you asking what URLs those translate to?

Yes, that's what I'm asking. I tried several of my guesses, and couldn't find any to which the API server responded positively.

> there's a typo and they should have subresources of * attached

I'll add that subresource tomorrow morning and try a few URLs again.

More broadly, though, does this imply that the metrics server is collecting metrics on all of these resources today, or is it that if there were such metrics in the future, this is how we'd read them?

Does the "<metric>" placeholder in your URL template have any valid values today?

@DirectXMan12
Contributor

Those ones aren't actually related to metrics-server -- they're related to custom metrics adapters. They can be removed from the metrics-server version of the PR -- they were in the original PR since I figured I'd handle both "safe" metrics APIs in one go.

@seh

seh commented Aug 14, 2018

Given that, I can whittle my ClusterRole down to granting "get" and "list" against the "pods" resource within the "metrics.k8s.io" group.

What's a good source for learning about these custom metrics adapters?

@DirectXMan12
Contributor

@seh take a look at the documentation in kubernetes-sigs/custom-metrics-apiserver#24
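
The narrowed ClusterRole discussed in the thread, written out as an added example (it is not part of the issue or the project's own manifests). The role name, the `aggregate-to-view` label and the "get"/"list" on "pods" in "metrics.k8s.io" come from the comments above; the `aggregate-to-edit` and `aggregate-to-admin` labels are an assumption added here.

```yaml
# Added example, not the project's manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:namespaced-metrics-reader
  labels:
    # Label values are strings. Quote "true": an unquoted true is parsed as a
    # YAML boolean and the object fails to decode.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    # Assumption (not named in the thread): the analogous labels for the other
    # default user-facing roles, so holders of edit/admin get the same rule.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  # Read-only access to pod metrics. The custom.metrics.k8s.io resources
  # belong to custom metrics adapters, not metrics-server, so they are left out.
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "list"]
# This role needs no binding of its own: its rules are aggregated into the
# default "view" ClusterRole, so a user who holds "view" through a RoleBinding
# in a namespace can read pod metrics in that namespace only.
#
# Verify as the affected user (placeholders as in the issue):
#   kubectl auth can-i get pods.metrics.k8s.io -n <my-namespace> --as <me>
# Verify the aggregation took effect:
#   kubectl get clusterrole view -o yaml   # a metrics.k8s.io rule should be listed
```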
