This repository has been archived by the owner on Feb 9, 2022. It is now read-only.

clusterrole/prometheus is not allowed to list ingresses.networking.k8s.io #1035

floek opened this issue Jan 4, 2021 · 0 comments

floek commented Jan 4, 2021

Hi,

I get the following error in my prometheus logs:

```
level=error ts=2021-01-04T11:38:22.372Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:429: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:kubeprod:prometheus\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
level=error ts=2021-01-04T11:38:23.658Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:429: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:kubeprod:prometheus\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
level=error ts=2021-01-04T11:38:26.084Z caller=klog.go:94 component=k8s_client_runtime func=ErrorDepth msg="/app/discovery/kubernetes/kubernetes.go:429: Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:kubeprod:prometheus\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
```

I had to change the clusterrole/prometheus as follows and add networking.k8s.io:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubecfg.ksonnet.io/garbage-collect-tag: kube_prod_runtime
  labels:
    kubecfg.ksonnet.io/garbage-collect-tag: kube_prod_runtime
    name: prometheus
  name: prometheus
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  - services
  - endpoints
  - pods
  - ingresses
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
```

Now the error disappeared.
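An added example (not part of the issue and not the project's code): a Python check that pulls the denied user, verb, resource and API group out of log lines like the ones above and tests whether a set of ClusterRole rules grants exactly that permission. The sample log lines are constructed from the issue's log, and `RULES_BEFORE` is an assumption that the role previously listed only the `extensions` group.

```python
import re

# RBAC denial text as it appears inside klog msg="..." (inner quotes are
# backslash-escaped in the log line, so the backslash is optional here).
DENIED = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: at the cluster scope| in the namespace \\?"(?P<ns>[^"\\]+)\\?")'
)

def missing_permissions(log_lines):
    """Return distinct (user, group, resource, verb, namespace) denials, in order."""
    seen = []
    for line in log_lines:
        m = DENIED.search(line)
        if m:
            item = (m["user"], m["group"], m["resource"], m["verb"], m["ns"])
            if item not in seen:  # repeated retries log the same denial
                seen.append(item)
    return seen

def rule_allows(rules, group, resource, verb):
    """True if any rule grants verb on resource in group ('*' is a wildcard)."""
    def has(values, wanted):
        return "*" in values or wanted in values
    return any(has(r.get("apiGroups", []), group)
               and has(r.get("resources", []), resource)
               and has(r.get("verbs", []), verb) for r in rules)

# Constructed sample: shortened copies of the issue's log lines plus one unrelated line.
_MSG = (r'msg="Failed to list *v1beta1.Ingress: ingresses.networking.k8s.io is forbidden: '
        r'User \"system:serviceaccount:kubeprod:prometheus\" cannot list resource '
        r'\"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"')
SAMPLE_LOG = [
    "level=error ts=2021-01-04T11:38:22.372Z caller=klog.go:94 " + _MSG,
    "level=error ts=2021-01-04T11:38:23.658Z caller=klog.go:94 " + _MSG,
    'level=info ts=2021-01-04T11:38:24.000Z msg="unrelated constructed line"',
]
RES, VERBS = ["ingresses", "ingresses/status"], ["get", "list", "watch"]
# Assumption: the role before the change listed only the "extensions" group.
RULES_BEFORE = [{"apiGroups": ["extensions"], "resources": RES, "verbs": VERBS}]
# The ingress rule as posted in the issue.
RULES_AFTER = [{"apiGroups": ["extensions", "networking.k8s.io"],
                "resources": RES, "verbs": VERBS}]

if __name__ == "__main__":
    for user, group, resource, verb, ns in missing_permissions(SAMPLE_LOG):
        print(user, group, resource, verb, ns or "cluster scope",
              "before:", rule_allows(RULES_BEFORE, group, resource, verb),
              "after:", rule_allows(RULES_AFTER, group, resource, verb))
```

Checking each denial against the rules this way shows which single API group, resource and verb is missing, so the role can be extended by that rule alone rather than with wildcards.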
