/stats/summary returned HTTP status 401 Unauthorized about tick-charts HOT 13 OPEN

Apart from service account specification (which also requires #105) you'll need to provide adequate ClusterRole and ClusterRoleBinding.

For kubernetes plugin to work, assigning service account to system:kubelet-api-admin role (referenced above) is too much. In my case what was enough is something like below:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: telegraf
  namespace: monitoring
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metrics-reader
rules:
- apiGroups: [""]
  resources: ["nodes/stats"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: telegraf-metrics-reader
subjects:
- kind: ServiceAccount
  name: telegraf
  namespace: monitoring
roleRef:
  kind: ClusterRole
  name: metrics-reader
  apiGroup: rbac.authorization.k8s.io

from tick-charts.

@florianrusch I agree. We're working on cleaning up our Helm charts and will be supporting / endorsing the charts in the official Helm repository very soon

from tick-charts.

@piyush-insider I didn't test it again. But I've took the resources I've published before and just applied them to the cluster/namespace.

You can put the resources in a yaml-file and kubectl apply this file, or you can run this command:

$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tick-stack

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-scanner-kubelet-api-admin
subjects:
- kind: ServiceAccount
  name: tick-stack
  namespace: tick
roleRef:
  kind: ClusterRole
  name: system:kubelet-api-admin
  apiGroup: rbac.authorization.k8s.io
EOF

from tick-charts.

@casertap when I wrote these charts serviceaccounts weren't a thing yet. You may need to add one to this chart.

from tick-charts.

@casertap I don't suppose you're running this on GKE?

from tick-charts.

@rawkode no I built my own kube cluster on aws using kops

from tick-charts.

@casertap Please ensure you have Webhook authentication enabled in your Kubelet configuration:

--authentication-token-webhook

from tick-charts.

@rawkode I'm having this issue while running on GKE, any ideas?

Tried with --authentication-token-webhook on kubelet and have created a serviceaccount. Same config works on non-gke setup.

from tick-charts.

@niklasember GKE doesn't allow access to Kubelet on the host, you need to go through API Server

- kubernetes:
        url: "http://kubernetes.default.svc.cluster.local/v1/nodes/${HOSTIP}/proxy/metrics"
        bearer_token: "/var/run/secrets/kubernetes.io/serviceaccount/token"

from tick-charts.

@jackzampolin do you have an example how to configure the role for the service account?

from tick-charts.

I've found a solution that works for me:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tick-stack

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metric-scanner-kubelet-api-admin
subjects:
- kind: ServiceAccount
  name: tick-stack
  namespace: tick
roleRef:
  kind: ClusterRole
  name: system:kubelet-api-admin
  apiGroup: rbac.authorization.k8s.io

from tick-charts.

We should update the telegraf-ds chart to also create this service-account automatically.

from tick-charts.

@florianrusch Would it be possible for you to list out the steps that you followed to get the service account working for you?

from tick-charts.