
K8s SD: Namespace discovery should use namespace from serviceaccount folder #4191

Open
ramato-procon opened this Issue May 24, 2018 · 5 comments

@ramato-procon

ramato-procon commented May 24, 2018

Proposal

Currently the CA cert and token for the Kubernetes API are read from the service account mounted in the container at the folder /var/run/secrets/kubernetes.io/serviceaccount.
Unfortunately the namespace file /var/run/secrets/kubernetes.io/serviceaccount/namespace is not used. Therefore all queries run in cluster context, not in the namespace. If the service account is restricted to the namespace, an error will occur.
Setting the namespace in the prometheus.yml for each namespace is not handy.

@brancz

brancz commented May 24, 2018

While I agree with this from a security perspective, this would be a breaking change to the Kubernetes service discovery, that would break the majority of configurations. The majority of people want to start by monitoring their entire cluster, and the current way is the expected behavior by most users.

In your case, I agree that this takes some effort, but it's just a matter of configuring the namespace in one place in your Prometheus Kubernetes SD configuration. This shouldn't be much of an issue, as you must be specifying the namespace you're deploying Prometheus to in some way as well, so you should be able to template the configuration in the same way.

@ramato-procon

ramato-procon commented May 28, 2018

I don't know how most users monitor their applications in a Kubernetes cluster, but we have a large cluster with hundreds of projects. Each project is responsible for collecting its own metrics with its own prometheus pod (it can be aggregated to a central prometheus server).
And of course each project has access to their namespace only.
I assume this is the basic approach in large clusters.

Currently I'm replacing the namespace in my docker run script:

# Read the namespace the pod's service account is mounted with
KUBERNETES_NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
# Substitute the placeholder in the config (expression quoted so the shell does not word-split it)
sed -i "s/KUBERNETES_NAMESPACE/${KUBERNETES_NAMESPACE}/g" /var/prometheus/config/prometheus.yml

prometheus.yml:

kubernetes_sd_configs:
  - role: endpoints
    namespaces:
      names:
        - KUBERNETES_NAMESPACE

I can live with that, but in my opinion it would be better to have an option like "use_project_namespace:true" which reads the namespace from the serviceaccount folder.
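An added example, not code from the issue or from Prometheus, of a POSIX entrypoint that does the same substitution as the script above but validates the namespace read from the service account mount against the DNS-1123 label rules and fails the pod when the file is missing, malformed, or the placeholder is not found, so a misconfiguration cannot silently fall back to a cluster-wide query the restricted service account is not allowed to make. Function names and the `render` argument are assumptions; the paths default to the ones in the issue and can be overridden via SA_NS_FILE and PROM_CONFIG.

```shell
#!/bin/sh
# Added example (not part of the issue): namespace-scoped templating of prometheus.yml.
# Paths are assumptions, defaulting to the ones used in the issue.
SA_NS_FILE="${SA_NS_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/namespace}"
PROM_CONFIG="${PROM_CONFIG:-/var/prometheus/config/prometheus.yml}"

# Kubernetes namespaces are DNS-1123 labels: lowercase alphanumerics and '-',
# 1 to 63 characters, starting and ending with an alphanumeric.
valid_namespace() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the namespace stored in file $1; return 1 if the file is unreadable,
# empty, or does not hold a valid namespace name.
read_namespace() {
  [ -r "$1" ] || return 1
  ns=$(tr -d '\n' < "$1")
  valid_namespace "$ns" || return 1
  printf '%s' "$ns"
}

# Replace every KUBERNETES_NAMESPACE placeholder in config $2 with namespace $1.
# The value is already validated, so it cannot contain the '|' delimiter or a newline.
# Return 1 if the placeholder is absent (nothing to scope) or survives the rewrite.
render_config() {
  ns="$1"; cfg="$2"
  grep -q 'KUBERNETES_NAMESPACE' "$cfg" || return 1
  tmp="$cfg.tmp.$$"
  sed "s|KUBERNETES_NAMESPACE|${ns}|g" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  ! grep -q 'KUBERNETES_NAMESPACE' "$cfg"
}

main() {
  ns=$(read_namespace "$SA_NS_FILE") || {
    echo "refusing to start: no valid namespace in $SA_NS_FILE" >&2; return 1; }
  render_config "$ns" "$PROM_CONFIG" || {
    echo "refusing to start: could not scope $PROM_CONFIG to $ns" >&2; return 1; }
  echo "prometheus.yml scoped to namespace $ns"
}

# Invoke as: sh entrypoint.sh render && exec prometheus --config.file="$PROM_CONFIG"
if [ "${1:-}" = "render" ]; then
  main || exit 1
fi
```

Because the script exits non-zero on a bad namespace file, the container fails at startup instead of running with an unscoped discovery config, which is the visible signal you want when a service account is restricted to one namespace.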

@brian-brazil

brian-brazil commented Jun 12, 2018

I agree with @brancz here. This is something to be handled via configuration management.

@brancz

brancz commented Jun 12, 2018

As a side note, the Prometheus Operator does exactly what you're asking for here by default.

@ramato-procon

ramato-procon commented Jun 13, 2018

@brancz Thank you. I didn't know that. Looks promising.
