Kubeadm: Heapster default deployment does not support RBAC in v1.6.0 setup

it is an RBAC issue.
Working manifest at:
https://github.com/luxas/kubeadm-workshop/blob/master/demos/monitoring/heapster.yaml

but we need to have the default manifest updated and documented...

cc @luxas

Another option is adding a clusterrolebinding for the heapster account to have the cluster-admin role. This should only be used in a test environment since it grants permission to the entire kube-system namespace.

kubectl create clusterrolebinding add-on-cluster-admin \
    --clusterrole=cluster-admin \
    --serviceaccount=kube-system:default

Sorry @carlosedp, but that will give all kube-system Pods root access to the cluster which is nearly as turning of RBAC completely which is _extremely_ discouraged.

cc @liggitt @jbeda

The real fix for this problem is to create a ServiceAccount for heapster and grant the system:heapster ClusterRole to that ServiceAccount with a ClusterRoleBinding.

Please see: https://github.com/kubernetes/heapster/issues/1612

Added a comment to my original one regarding this. This solution was added to the RBAC documentation as a temporary fix while migrating to RBAC.

@sebgoa I fixed the heapster manifests: https://github.com/kubernetes/heapster/issues/1612

@carlosedp Thanks for editing the comment to say "test env only". The problem is that dev/test methods are sometimes likely to slip into production, therefore my relatively strong statement.

I hope you understand, I know the RBAC change is hard and kind of disruptive for apps since we're basically going from allow-all to deny-all. Please bear with us in this change towards a more Kubernetes.

Actually official one has below ClusterRoleBinding created
https://raw.githubusercontent.com/luxas/heapster/1308dd71f0ba343895456b46d1bbf3238800b6f3/deploy/kube-config/rbac/heapster-rbac.yaml
why not put in one yaml? Thanks
~
your version was working as it had ClusterRoleBinding, the official fix still complains
~
k8s.io/heapster/metrics/processors/namespace_based_enricher.go:84: Failed to list *v1.Namespace: User "system:serviceaccount:kube-system:heapster" cannot list namespaces at the cluster scope. (get namespaces)

@zhuroy It's expected that you apply both heapster.yaml and heapster-rbac.yaml if you use RBAC

Hello,

using the suggested heapster.yaml file fixes the data collection in the dashboard, but it's not working with the horizontal pod autoscaler.
When I'm checking the HPA resource I'm getting this:

Events:
  FirstSeen LastSeen    Count   From                SubObjectPath   Type        Reason              Message
  --------- --------    -----   ----                -------------   --------    ------              -------
  34m       7s      70  horizontal-pod-autoscaler           Warning     FailedGetResourceMetric     missing request for cpu on container ghost in pod default/ghost-2663835528-169fs
  34m       7s      70  horizontal-pod-autoscaler           Warning     FailedComputeMetricsReplicas    failed to get cpu utilization: missing request for cpu on container ghost in pod default/ghost-2663835528-169fs

Is this also an RBAC issue?

Thank you!
Laszlo

Hi all,
Any updates to this issue, I still have this error in both version of 1.8.8 and 1.9.3.

E0514 07:51:32.974038       1 reflector.go:190] k8s.io/heapster/metrics/util/util.go:30: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:heapster" cannot list nodes at the cluster scope
E0514 07:51:32.980050       1 reflector.go:190] k8s.io/heapster/metrics/util/util.go:30: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:heapster" cannot list nodes at the cluster scope
E0514 07:51:32.981074       1 reflector.go:190] k8s.io/heapster/metrics/heapster.go:328: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:heapster" cannot list pods at the cluster scope
E0514 07:51:32.982340       1 reflector.go:190] k8s.io/heapster/metrics/util/util.go:30: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:heapster" cannot list nodes at the cluster scope
E0514 07:51:32.983079       1 reflector.go:190] k8s.io/heapster/metrics/processors/namespace_based_enricher.go:89: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:heapster" cannot list namespaces at the cluster scope
I0514 07:52:05.076147       1 influxdb.go:274] Created database "k8s" on influxDB server at "monitoring-influxdb.kube-system.svc:8086"

And HPA does not work neither.

Conditions:
  Type           Status  Reason                   Message
  ----           ------  ------                   -------
  AbleToScale    True    SucceededGetScale        the HPA controller was able to get the target's current scale
  ScalingActive  False   FailedGetResourceMetric  the HPA was unable to compute the replica count: unable to get metrics for resource cpu: unable to fetch metrics from API: the server could not find the requested resource (get pods.metrics.k8s.io)
Events:
  Type     Reason                   Age                From                       Message
  ----     ------                   ----               ----                       -------
  Warning  FailedGetResourceMetric  3m (x301 over 2h)  horizontal-pod-autoscaler  unable to get metrics for resource cpu: unable to fetch metrics from API: the server could not find the requested resource (get pods.metrics.k8s.io)

the system:heapster role includes the permissions required by heapster:

https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L747-L775

whatever deploys heapster is responsible for binding that role to the heapster service account. for example:

https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/cluster-monitoring/heapster-rbac.yaml#L1-L15