Using prometheus in restricted openshift project (namespace)
215 views
Skip to first unread message
thibaut....@gmail.com
Dec 6, 2017, 4:46:06 AM12/6/17
to Prometheus Users
Hello,
I m using prometheus into openshift infrastructure with limited rights to my project (namespace). I can't make auto discovery work despite the fact that this functionality (using a unique namespace) seems to be working since prometheus1.7 (i'm using last 2.0 version). Could you help me ? How can I make this auto discovery work ?
Thanks in advance
I m using prometheus into openshift infrastructure with limited rights to my project (namespace). I can't make auto discovery work despite the fact that this functionality (using a unique namespace) seems to be working since prometheus1.7 (i'm using last 2.0 version). Could you help me ? How can I make this auto discovery work ?
Thanks in advance
Message has been deleted
thibaut....@gmail.com
Dec 7, 2017, 4:20:38 AM12/7/17
to Prometheus Users
Configuration of prometheus.yml:
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- prom-expe
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+)(?::\d+);(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
Answer from openshift:
level=warn ts=2017-12-07T09:12:22.0364455Z caller=main.go:377 msg="Received SIGTERM, exiting gracefully..."
Thanks @jordi for his previous answer but I already used the parameter namespace and this is not enough. Someone has an idea on how making this work (discover services from my project in openshift) ?
- job_name: 'kubernetes-service-endpoints'
kubernetes_sd_configs:
- role: endpoints
namespaces:
names:
- prom-expe
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+)(?::\d+);(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
Answer from openshift:
| level=error ts=2017-12-07T09:12:21.95257536Z caller=main.go:211 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:178: Failed to list *v1.Service: User \"system:serviceaccount:prom-expe:prometheus-sa\" cannot list services in project \"prom-expe\"" |
Thanks @jordi for his previous answer but I already used the parameter namespace and this is not enough. Someone has an idea on how making this work (discover services from my project in openshift) ?
Simon Pasquier
Dec 7, 2017, 4:59:17 AM12/7/17
to thibaut....@gmail.com, Prometheus Users
Hi,
You need to grant appropriate permissions to the Prometheus service account (eg read permissions on the namespace/project).
See [1] for an example.
HTH
Simon
--
You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-users+unsubscribe@googlegroups.com.
To post to this group, send email to prometheus-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/7e002f58-9029-49a8-85f0-fe4480425b29%40googlegroups.com.
thibaut....@gmail.com
Dec 7, 2017, 5:38:43 AM12/7/17
to Prometheus Users
Thanks for this quick answer but the thing is : I can't create any role, clusterrole... due to these restricted rights. That is why I don't know how to make auto discovery work without configuring a proper cluster role/role with my service account.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
To post to this group, send email to promethe...@googlegroups.com.
thibaut....@gmail.com
Dec 7, 2017, 5:52:57 AM12/7/17
to Prometheus Users
My bad...
I simply needed to force the namespace in yaml file.
apiVersion: v1
kind: RoleBinding
metadata:
name: prometheus-sa
namespace: prom-expe
Thanks !
I simply needed to force the namespace in yaml file.
apiVersion: v1
kind: RoleBinding
metadata:
name: prometheus-sa
namespace: prom-expe
Thanks !
Le jeudi 7 décembre 2017 10:59:17 UTC+1, Simon Pasquier a écrit :
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
To post to this group, send email to promethe...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages