Kube-prometheus: "Failed to list" errors logged using default ClusterRole "prometheus-k8s"

Created on 6 Apr 2020  路  2Comments  路  Source: prometheus-operator/kube-prometheus

Prometheus is spamming our logs with messages about it not having permissions to list the resources services, endpoints and pods in our cluster. The error messages look like this:

level=error ts=2020-04-06T11:17:49.793Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:264: Failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"fluentd\""
level=error ts=2020-04-06T11:17:49.756Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:263: Failed to list *v1.Endpoints: endpoints is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"endpoints\" in API group \"\" in the namespace \"fluentd\""
level=error ts=2020-04-06T11:17:49.753Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:265: Failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:monitoring:prometheus-k8s\" cannot list resource \"pods\" in API group \"\" in the namespace \"nginx-ingress\""

Amending the included ClusterRole to include the resources and the list verb stops the errors. However, I notice that in all of the releases in this repo, none of them have these permissions included on the ClusterRole:

Looking at the Prometheus docs, their ClusterRole does include these permissions in their docs.

What am I missing? I notice that in this issue the same errors are reported, but the answer is that they should be using the release-0.1 branch.

We're running Kubernetes 1.16.5 with the release-0.3 branch of kube-prometheus.

Thanks in advance!

Most helpful comment

I updated the ClusterRole to include the extra roles by adding this to my base jsonnet file

local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local extra_cluster_role_resources = policyRule.new() +
                                     policyRule.withApiGroups(['']) +
                                     policyRule.withResources(['services','pods','endpoints']) +
                                     policyRule.withVerbs(['get','list','watch']);

local kp =
  (import 'kube-prometheus/kube-prometheus.libsonnet') +
  {
    prometheus+:: {
      clusterRole+: {
        rules+: [extra_cluster_role_resources],
      },
    },
  };

These changes resulted in my ClusterRole looking like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-k8s
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  - pods
  - endpoints
  verbs:
  - get
  - list
  - watch

All 2 comments

The reason for this, it seems, is that those resources and verbs are granted on a per-namespace basis, not as part of the ClusterRole.

You can therefore update the array of namespaces which these permissions should be extended to, or amend the ClusterRole to add in those permissions. I'm going to do the latter, and I'll add a comment to this to demonstrate how I did it

I updated the ClusterRole to include the extra roles by adding this to my base jsonnet file

local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local clusterRole = k.rbac.v1.clusterRole;
local policyRule = clusterRole.rulesType;
local extra_cluster_role_resources = policyRule.new() +
                                     policyRule.withApiGroups(['']) +
                                     policyRule.withResources(['services','pods','endpoints']) +
                                     policyRule.withVerbs(['get','list','watch']);

local kp =
  (import 'kube-prometheus/kube-prometheus.libsonnet') +
  {
    prometheus+:: {
      clusterRole+: {
        rules+: [extra_cluster_role_resources],
      },
    },
  };

These changes resulted in my ClusterRole looking like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-k8s
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  - pods
  - endpoints
  verbs:
  - get
  - list
  - watch
Was this page helpful?
0 / 5 - 0 ratings

Related issues

chiefy picture chiefy  路  6Comments

rupadhya1 picture rupadhya1  路  3Comments

kmurthyms picture kmurthyms  路  4Comments

DimitrijeManic picture DimitrijeManic  路  3Comments

arpita-hub picture arpita-hub  路  3Comments