From mhild at redhat.com Thu Feb 15 13:05:00 2018
From: mhild at redhat.com (Marcel Hild)
Date: Thu, 15 Feb 2018 13:05:00 +0000
Subject: [Strimzi] prometheus without clusterrole

Hi,
I'm experimenting with prometheus monitoring kafka.
In your setup you need admin access to the cluster to read which pods to scrape from (I guess)

    oc login -u system:admin
    oc create sa prometheus-server
    oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:${NAMESPACE}:prometheus-server

Is there a way to deploy this in a setting where I don't have admin access to the cluster?

thanks
marcel


From asherkho at redhat.com Thu Feb 15 13:36:53 2018
From: asherkho at redhat.com (Anton Sherkhonov)
Date: Thu, 15 Feb 2018 08:36:53 -0500
Subject: [Strimzi] prometheus without clusterrole

I think it's oauth-proxy that actually wants this permission to create tokenreviews.

    # oc policy who-can create tokenreviews.authentication.k8s.io

^^ will give you list of users who can.

On Thu, Feb 15, 2018 at 8:05 AM, Marcel Hild wrote:
> Hi,
> I'm experimenting with prometheus monitoring kafka.
> In your setup you need admin access to the cluster to read which pods to
> scrape from (I guess)
>
> oc login -u system:admin
> oc create sa prometheus-server
> oc adm policy add-cluster-role-to-user cluster-reader
> system:serviceaccount:${NAMESPACE}:prometheus-server
>
> Is there a way to deploy this in a setting, where I don't have admin access
> to the cluster?
>
> thanks
> marcel
>
> _______________________________________________
> Strimzi mailing list
> Strimzi at redhat.com
> https://www.redhat.com/mailman/listinfo/strimzi
From mhild at redhat.com Thu Feb 15 13:46:55 2018
From: mhild at redhat.com (Marcel Hild)
Date: Thu, 15 Feb 2018 13:46:55 +0000
Subject: [Strimzi] prometheus without clusterrole

I think it's this config in prometheus (see below) that wants to scrape all pods with a certain label. But I'm not really experienced with service discovery in kubernetes. I would like to restrict that discovery to e.g. the current namespace or namespaces that my service account has access to. E.g. I don't want to scrape other users' kafka clusters...

    scrape_configs:
      - job_name: 'kafka_job'
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_container_port_name]
            action: keep
            regex: kafkametrics.*
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: kubernetes_pod_name

On Thu, Feb 15, 2018 at 2:36 PM Anton Sherkhonov wrote:
> I think it's oauth-proxy that actually wants this permission to create
> tokenreviews.
>
> # oc policy who-can create tokenreviews.authentication.k8s.io
> ^^ will give you list of users who can.
>
> On Thu, Feb 15, 2018 at 8:05 AM, Marcel Hild wrote:
>
>> Hi,
>> I'm experimenting with prometheus monitoring kafka.
>> In your setup you need admin access to the cluster to read which pods to
>> scrape from (I guess)
>>
>> oc login -u system:admin
>> oc create sa prometheus-server
>> oc adm policy add-cluster-role-to-user cluster-reader
>> system:serviceaccount:${NAMESPACE}:prometheus-server
>>
>> Is there a way to deploy this in a setting, where I don't have admin
>> access to the cluster?
>>
>> thanks
>> marcel
From jakub at scholz.cz Thu Feb 15 16:49:21 2018
From: jakub at scholz.cz (Jakub Scholz)
Date: Thu, 15 Feb 2018 17:49:21 +0100
Subject: [Strimzi] prometheus without clusterrole

Hi Marcel,

As you said, the configuration we use is reading the pods to find the metrics endpoints. That is why it needs the cluster-reader role (which, as long as you are fine with staying in a single namespace, doesn't have to be a cluster role - a role would be sufficient). And to bind the role to the service account you need the admin rights.

The Prometheus deployment is more or less only an example to play with. I'm afraid we are not really the right Prometheus experts to suggest the best configuration of Prometheus itself. So it is possible that it can be done in a better way. But I have no clue.

Thanks & Regards
Jakub

On Thu, Feb 15, 2018 at 2:05 PM, Marcel Hild wrote:
> Hi,
> I'm experimenting with prometheus monitoring kafka.
> In your setup you need admin access to the cluster to read which pods to
> scrape from (I guess)
>
> oc login -u system:admin
> oc create sa prometheus-server
> oc adm policy add-cluster-role-to-user cluster-reader
> system:serviceaccount:${NAMESPACE}:prometheus-server
>
> Is there a way to deploy this in a setting, where I don't have admin access
> to the cluster?
>
> thanks
> marcel
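An added example, not from the Strimzi project or from anyone in this thread, of the namespace-scoped variant Marcel asks for and Jakub describes: the same pod discovery limited to one namespace via the `namespaces.names` field of `kubernetes_sd_configs`, plus a namespaced Role and RoleBinding (Kubernetes RBAC v1 manifests) that grant the service account only get/list/watch on pods in that namespace, so no cluster-reader binding is needed. The namespace name `my-kafka` is an assumption; the service account name `prometheus-server` is the one created in the thread, and the three YAML documents are meant as separate files.

```yaml
# --- file: prometheus.yml (assumed name) ---
# Pod discovery restricted to the namespace my-kafka (assumed); pods in other
# namespaces are never listed, so other users' Kafka clusters are not scraped.
scrape_configs:
  - job_name: 'kafka_job'
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names:
            - my-kafka
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_container_port_name]
        action: keep
        regex: kafkametrics.*
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: kubernetes_pod_name
---
# --- file: prometheus-rbac.yaml (assumed name) ---
# Namespaced Role with only what pod discovery needs, instead of cluster-reader.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-pod-reader
  namespace: my-kafka
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Binds that Role to the service account created with `oc create sa prometheus-server`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-pod-reader
  namespace: my-kafka
subjects:
  - kind: ServiceAccount
    name: prometheus-server
    namespace: my-kafka
roleRef:
  kind: Role
  name: prometheus-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Creating this RoleBinding requires admin rights in the my-kafka project only, not on the whole cluster, and the service account can still not list pods anywhere else.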