What roles are required for PodMonitor to list pods?
Question
I have this repo, terraform1#prometheus-operator. I got it working previously with normal Prometheus (without the operator), and I am now testing prometheus-operator so that if the pod is scaled horizontally, it can still correctly scrape all metrics from all pods, not just from 1 pod.
This article shows step by step how to run minikube and Terraform.
After being deployed, it shows properly:
k get pods -n pf1ns -w 1 ↵
NAME READY STATUS RESTARTS AGE
keda-admission-webhooks-76cd6c4b59-6b59r 1/1 Running 0 20h
keda-operator-5bb494667b-bb2bl 1/1 Running 0 20h
keda-operator-metrics-apiserver-68d9f78869-d65vj 1/1 Running 0 20h
prometheus-pf1prom-0 2/2 Running 0 3m9s
promfiberdeploy-868697d555-2jfgv 1/1 Running 0 20h
But there's an error on prometheus-pf1prom-0:
ts=2023-07-04T17:23:40.085Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:pf1ns:pf1promsvcacc\" cannot list resource \"pods\" in API group \"\" in the namespace \"pf1ns\""
What roles are required to list pods?
There's already a pod permission:
rule {
  api_groups = [""]
  resources = ["services", "endpoints", "pods"]
  verbs = ["get", "list", "watch"]
}
Answer 1
Score: 1
Make sure you attach the created Role to the ServiceAccount using a RoleBinding.
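The binding described in the answer, written out for the Terraform Kubernetes provider as an added example (not code from the question's repo or from the answerer). The namespace `pf1ns` and service account `pf1promsvcacc` come from the error message; the resource labels and the Role/RoleBinding name `pf1prom-discovery` are hypothetical, and the example assumes the posted `rule` block lives in a namespaced Role.

```hcl
# Added example: only the namespace and service account name are taken
# from the error message; every other name here is hypothetical.

resource "kubernetes_service_account" "prom" {
  metadata {
    name      = "pf1promsvcacc"
    namespace = "pf1ns"
  }
}

# The Role only describes what may be done; on its own it grants nothing.
resource "kubernetes_role" "prom_discovery" {
  metadata {
    name      = "pf1prom-discovery" # hypothetical name
    namespace = "pf1ns"
  }

  # Read-only verbs on exactly the resources used for target discovery.
  rule {
    api_groups = [""]
    resources  = ["services", "endpoints", "pods"]
    verbs      = ["get", "list", "watch"]
  }
}

# The RoleBinding is what grants the Role's rules to the service account.
resource "kubernetes_role_binding" "prom_discovery" {
  metadata {
    name      = "pf1prom-discovery" # hypothetical name
    namespace = "pf1ns"             # must be the namespace whose pods are listed
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.prom_discovery.metadata[0].name
  }

  # The subject must match the identity in the "forbidden" message:
  # system:serviceaccount:<namespace>:<name>
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.prom.metadata[0].name
    namespace = kubernetes_service_account.prom.metadata[0].namespace
  }
}
```

After applying, `kubectl auth can-i list pods -n pf1ns --as=system:serviceaccount:pf1ns:pf1promsvcacc` should answer `yes`; a `no` means the binding's subject or namespace does not match the identity in the log line.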