Running prometheus to monitor ONLY specific namespaces?

[Klavs Klavsen]

Hi,

I want to setup Prometheus, for monitoring my application in kubernetes only (a few namespaces).

I have found that scrape config has a namespaces setting to limit what it tries to scrape, and so does kube-state-metrics.

I was trying to use stable/prometheus helm chart with helm 3, but it fails horribly with:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: clusterrolebindings.rbac.authorization.k8s.io "prometheus-1592479936-kube-state-metrics" is forbidden: User "XXX" cannot get clusterrolebindings.rbac.authorization.k8s.io at the cluster scope: no RBAC policy matched

I can't seem to find any guides on how to do it :(

My account don't have cluster-admin - so I need to specify what I need setup, for me to be able to run Prometheus to monitor my own application namespaces.

I have access to the namespaces, and can see pods with k9s (or kubectl :) just fine.

Any hints appreciated.

[Klavs Klavsen]

can't I create a Role, Rolebinding and ServiceAccount in each namespace I want to monitor - and then prometheus can access those, from its own namespace?

[Klavs Klavsen]

I was thinking along these lines:

https://medium.com/faun/kubernetes-rbac-use-one-role-in-multiple-namespaces-d1d08bb08286

and then instead of using ClusterRole as in the example - simply define the role in each namespace (as I do not have privs to create a ClusterRole)

[Klavs Klavsen]

for kube-state-metrics it works with a Role and Rolebinding it seems (its accepted).

I had to get admins to do a ClusterRole - since prometheus needs access to nonResourceUrl /metrics..

but rolebindings work fine per namespace.