Restricting Prometheus to a particular Namespace


Venkata Bhagavatula

May 26, 2020, 1:01:57 PM
to Prometheus Users, Prometheus Developers
Hi All,

Currently Prometheus needs ClusterRole and ClusterRoleBinding for scraping the metrics on Kubernetes. We want to restrict Prometheus to a particular namespace.
So we changed RBAC to use Role and RoleBinding, and in the Prometheus configuration we added namespaces to the kubernetes_sd_configs section. We see that we are able to scrape metrics from the configured namespace, but we continuously see errors saying access forbidden to *v1.Pod etc. Currently my cluster is down. I will share the exact error once it is available.

Following is the Prometheus configuration:
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names: ['admin']

Please let me know whether we can do this with Role and RoleBinding.

Thanks n Regards,
Chalapathi.
cpro-rbac.zip

Venkata Bhagavatula

May 29, 2020, 3:38:34 AM
to Prometheus Users, Prometheus Developers
Able to solve the issue. There was a configuration error in one config file where namespaces were not added. Also, if we add the node role, then ClusterRole and ClusterRoleBinding are needed, as the node resource is cluster scoped.

Thanks n Regards,
Chalapathi

klavs....@gmail.com

Aug 17, 2020, 7:01:00 AM
to Prometheus Users
You can make do with RoleBinding - but you need a ClusterRole correct.
If you don't need to scrape /metrics on pods (e.g. because you expose it as a service on the ones you need to) - then AFAIK you could do away with nonResourceURLs and hence only need Role.

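The namespace-scoped setup discussed in this thread, written out as an added example (not taken from any poster's files or the attached zip). The ServiceAccount `prometheus`, its namespace `monitoring`, the object name `prometheus-scrape` and the second scrape job are assumptions; the `admin` namespace and the `kubernetes-apiservers` job come from the first post.

```yaml
# Added example; assumed names are marked in the comments.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-scrape        # assumed name
  namespace: admin               # permissions apply only inside this namespace
rules:
  - apiGroups: [""]
    # The endpoints role also looks up the Services and Pods behind each endpoint.
    resources: ["endpoints", "services", "pods"]
    verbs: ["get", "list", "watch"]
  # No "nodes" resource and no nonResourceURLs here: both are cluster-scoped
  # and can only be granted through a ClusterRole.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-scrape        # assumed name
  namespace: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-scrape
subjects:
  - kind: ServiceAccount
    name: prometheus             # assumed ServiceAccount
    namespace: monitoring        # assumed namespace where Prometheus runs
---
# prometheus.yml fragment (a separate file, not applied with kubectl):
# every kubernetes_sd_configs entry needs its own namespaces list, otherwise
# that job lists and watches cluster-wide and the API server answers "forbidden".
scrape_configs:
  - job_name: 'kubernetes-apiservers'
    kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names: ['admin']
  - job_name: 'kubernetes-pods'  # assumed second job, shown to illustrate the rule
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names: ['admin']
```

With these assumed names, `kubectl auth can-i list pods -n admin --as=system:serviceaccount:monitoring:prometheus` should answer yes, while the same check with `--all-namespaces` instead of `-n admin` should answer no.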