Kubernetes API server with Prometheus (kube-state-metrics) shows "forbidden: User \"system:anonymous\" cannot get path \"/metrics\""

Time: 2019-10-29 15:42:10

Tags: kubernetes prometheus kubectl

I am new to k8s and Prometheus. I am trying to use Prometheus to collect metrics for each pod, but I cannot collect the metrics because of an error: API ERROR

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

2 answers:

Answer 0 (score: 1)

system:anonymous means that an unauthenticated user is trying to get resources from your cluster, which is forbidden. You will need to create a service account, then grant that service account some permissions through RBAC, and then have that service account fetch the metrics. All of this is documented.

As a workaround, you can do the following:

kubectl create clusterrolebinding prometheus-admin --clusterrole cluster-admin --user system:anonymous

Now, be aware that unless you are using kubernetes, this is a terrible idea. With this permission you grant every unauthenticated user total power over the cluster.

Answer 1 (score: 0)

Create the following manifests:

ServiceAccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
    labels:
        app.kubernetes.io/name: kube-state-metrics
    name: kube-state-metrics
    namespace: grafana

ClusterRole.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
    labels:
        app.kubernetes.io/name: kube-state-metrics
    name: kube-state-metrics
rules:
    - apiGroups:
        - ""
      resources:
          - configmaps
          - secrets
          - nodes
          - pods
          - services
          - resourcequotas
          - replicationcontrollers
          - limitranges
          - persistentvolumeclaims
          - persistentvolumes
          - namespaces
          - endpoints
      verbs:
          - list
          - watch
    - apiGroups:
        - extensions
      resources:
          - daemonsets
          - deployments
          - replicasets
          - ingresses
      verbs:
          - list
          - watch
    - apiGroups:
        - apps
      resources:
          - statefulsets
          - daemonsets
          - deployments
          - replicasets
      verbs:
          - list
          - watch
    - apiGroups:
        - batch
      resources:
          - cronjobs
          - jobs
      verbs:
          - list
          - watch
    - apiGroups:
        - autoscaling
      resources:
          - horizontalpodautoscalers
      verbs:
          - list
          - watch
    - apiGroups:
        - authentication.k8s.io
      resources:
          - tokenreviews
      verbs:
        - create
    - apiGroups:
        - authorization.k8s.io
      resources:
          - subjectaccessreviews
      verbs:
          - create
    - apiGroups:
        - policy
      resources:
          - poddisruptionbudgets
      verbs:
          - list
          - watch
    - apiGroups:
        - certificates.k8s.io
      resources:
          - certificatesigningrequests
      verbs:
          - list
          - watch
    - apiGroups:
        - storage.k8s.io
      resources:
          - storageclasses
      verbs:
          - list
          - watch
    - nonResourceURLs:
          - "/metrics"
      verbs:
          - get

ClusterRoleBinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
    labels:
        app.kubernetes.io/name: kube-state-metrics
    name: kube-state-metrics
roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: kube-state-metrics
subjects:
    - kind: ServiceAccount
      name: kube-state-metrics
      namespace: grafana

and tell your kube-state-metrics Deployment to use the new ServiceAccount by adding the following to the pod template spec: serviceAccountName: kube-state-metrics
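The two answers above grant access in opposite ways: answer 0 binds cluster-admin to system:anonymous, answer 1 binds a purpose-built ClusterRole to a ServiceAccount. The following is an added example, not code from the question or from either answer: a small offline model of how the Kubernetes RBAC authorizer matches a request (subject match on the ClusterRoleBinding, verb match, exact-or-prefix match on nonResourceURLs, apiGroup/resource match for resource requests). It is fed constructed copies of the two bindings, a reduced version of the ClusterRole from answer 1 (only the rules exercised here are kept; the manifests are written as Python dicts so no YAML library is needed), and a wildcard rule set standing in for the built-in cluster-admin role. Running it shows why the 403 in the question disappears with answer 1 (the nonResourceURLs rule for /metrics), why anonymous callers stay denied, and exactly how much the answer 0 workaround hands to anyone who can reach the API server.

```python
"""Offline RBAC model for the manifests in the two answers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    """Identity the API server attaches to a request: user name plus groups."""
    name: str
    groups: frozenset


def service_account(namespace: str, name: str) -> UserInfo:
    """User name and groups a ServiceAccount token is authenticated as."""
    return UserInfo(
        f"system:serviceaccount:{namespace}:{name}",
        frozenset({"system:serviceaccounts",
                   f"system:serviceaccounts:{namespace}",
                   "system:authenticated"}),
    )


# Requests without credentials are attributed to this identity.
ANONYMOUS = UserInfo("system:anonymous", frozenset({"system:unauthenticated"}))


def subject_matches(subject: dict, user: UserInfo) -> bool:
    """Does one binding subject (ServiceAccount/User/Group) cover this user?"""
    kind = subject["kind"]
    if kind == "ServiceAccount":
        return user.name == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if kind == "User":
        return user.name == subject["name"]
    if kind == "Group":
        return subject["name"] in user.groups
    return False


def verb_matches(rule: dict, verb: str) -> bool:
    return "*" in rule.get("verbs", []) or verb in rule.get("verbs", [])


def non_resource_url_matches(rule: dict, path: str) -> bool:
    """Exact match, '*', or a trailing '*' that matches any path with that prefix."""
    for url in rule.get("nonResourceURLs", []):
        if url == "*" or url == path:
            return True
        if url.endswith("*") and path.startswith(url[:-1]):
            return True
    return False


def resource_matches(rule: dict, api_group: str, resource: str) -> bool:
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    return ("*" in groups or api_group in groups) and ("*" in resources or resource in resources)


def rule_allows(rule, verb, *, path=None, api_group=None, resource=None):
    """A rule applies either to non-resource paths or to API resources, never both."""
    if not verb_matches(rule, verb):
        return False
    if path is not None:
        return non_resource_url_matches(rule, path)
    return resource_matches(rule, api_group, resource)


def authorize(user, verb, roles, bindings, **request):
    """True if a binding covering `user` references a role with a rule allowing the request."""
    for binding in bindings:
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        role = roles.get(binding["roleRef"]["name"])
        if role and any(rule_allows(r, verb, **request) for r in role["rules"]):
            return True
    return False


def anonymous_grants(bindings):
    """Names of bindings an unauthenticated caller can use (the audit answer 0 warns about)."""
    return sorted(b["name"] for b in bindings
                  if any(subject_matches(s, ANONYMOUS) for s in b["subjects"]))


# Constructed data: the answer 1 ClusterRole reduced to the rules used below, and a
# wildcard rule set standing in for the built-in cluster-admin ClusterRole.
ROLES = {
    "kube-state-metrics": {"rules": [
        {"apiGroups": [""], "resources": ["configmaps", "secrets", "nodes", "pods"],
         "verbs": ["list", "watch"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
    ]},
    "cluster-admin": {"rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ]},
}
# The ClusterRoleBinding from answer 1.
KSM_BINDING = {"name": "kube-state-metrics", "roleRef": {"name": "kube-state-metrics"},
               "subjects": [{"kind": "ServiceAccount", "name": "kube-state-metrics",
                             "namespace": "grafana"}]}
# The `kubectl create clusterrolebinding prometheus-admin ...` workaround from answer 0.
WORKAROUND_BINDING = {"name": "prometheus-admin", "roleRef": {"name": "cluster-admin"},
                      "subjects": [{"kind": "User", "name": "system:anonymous"}]}
KSM_SA = service_account("grafana", "kube-state-metrics")

if __name__ == "__main__":
    print("SA get /metrics:", authorize(KSM_SA, "get", ROLES, [KSM_BINDING], path="/metrics"))
    print("anon get /metrics:", authorize(ANONYMOUS, "get", ROLES, [KSM_BINDING], path="/metrics"))
    print("anon delete secrets with workaround:", authorize(
        ANONYMOUS, "delete", ROLES, [KSM_BINDING, WORKAROUND_BINDING], api_group="", resource="secrets"))
    print("bindings usable anonymously:", anonymous_grants([KSM_BINDING, WORKAROUND_BINDING]))
```

Two points worth keeping in mind when applying this to a real cluster. First, the in-cluster equivalent of the checks above is `kubectl auth can-i get /metrics --as=system:anonymous` and `kubectl auth can-i get /metrics --as=system:serviceaccount:grafana:kube-state-metrics`; running both before and after applying the manifests confirms that only the ServiceAccount gained access. Second, the answer 1 ClusterRole includes list and watch on secrets cluster-wide, which means the kube-state-metrics pod can read every Secret's contents; that is what the role asks for, but treat the ServiceAccount token it runs with as a sensitive credential accordingly.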