What roles are required for PodMonitor to list pods?

Question


I have this repo terraform1#prometheus-operator; I got it working previously with normal Prometheus (without the operator), and now I am testing prometheus-operator so that if the pod is scaled horizontally, it can still correctly scrape all metrics from all pods, not just from one pod.

This article shows step by step how to run minikube and terraform.

After deployed, it shows properly:

k get pods -n pf1ns -w
NAME                                               READY   STATUS    RESTARTS   AGE
keda-admission-webhooks-76cd6c4b59-6b59r           1/1     Running   0          20h
keda-operator-5bb494667b-bb2bl                     1/1     Running   0          20h
keda-operator-metrics-apiserver-68d9f78869-d65vj   1/1     Running   0          20h
prometheus-pf1prom-0                               2/2     Running   0          3m9s
promfiberdeploy-868697d555-2jfgv                   1/1     Running   0          20h

but there's error on prometheus-pf1prom-0:

ts=2023-07-04T17:23:40.085Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:pf1ns:pf1promsvcacc\" cannot list resource \"pods\" in API group \"\" in the namespace \"pf1ns\""

What roles are required to list pods?
There is already a pod permission:

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints", "pods"]
    verbs      = ["get", "list", "watch"]
  }

Answer 1

Score: 1
Make sure you attach the created Role to the ServiceAccount using a RoleBinding.
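As an added example (not code from the question's repo or from the answerer), here is the complete namespace-scoped trio for Terraform's hashicorp/kubernetes provider: the ServiceAccount, the Role carrying the question's rule, and the RoleBinding that actually grants it. The namespace pf1ns and the service account pf1promsvcacc come from the error message; the Terraform resource labels and the names pf1prom-role and pf1prom-rolebinding are assumed.

```hcl
# ServiceAccount that the Prometheus pod runs as
# (name and namespace taken from the "pods is forbidden" error).
resource "kubernetes_service_account" "pf1promsvcacc" {
  metadata {
    name      = "pf1promsvcacc"
    namespace = "pf1ns"
  }
}

# Namespace-scoped Role: only the verbs Prometheus needs for service
# discovery, and only in pf1ns. A Role by itself grants nothing.
resource "kubernetes_role" "pf1prom" {
  metadata {
    name      = "pf1prom-role" # assumed name
    namespace = "pf1ns"
  }

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints", "pods"]
    verbs      = ["get", "list", "watch"]
  }
}

# The missing piece: the RoleBinding ties the Role to the ServiceAccount.
# Without it, RBAC still denies "list pods" for the service account.
resource "kubernetes_role_binding" "pf1prom" {
  metadata {
    name      = "pf1prom-rolebinding" # assumed name
    namespace = "pf1ns"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.pf1prom.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.pf1promsvcacc.metadata[0].name
    namespace = "pf1ns"
  }
}
```

After `terraform apply`, `kubectl auth can-i list pods -n pf1ns --as=system:serviceaccount:pf1ns:pf1promsvcacc` should answer `yes`; if it still says `no`, the binding's subject does not match the service account the pod actually uses.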

huangapple
  • Posted on 5 July 2023, 01:27:14
  • Original link: https://go.coder-hub.com/76614778.html