Problem with auth scopes in metrics-server #16

crassirostris · 2017-09-15T13:30:56Z

There's something wrong with the permissions (RBAC maybe?). Example errors:

github.com/kubernetes-incubator/metrics-server/metrics/processors/namespace_based_enricher.go:85: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list namespaces at the cluster scope
github.com/kubernetes-incubator/metrics-server/metrics/processors/namespace_based_enricher.go:85: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list namespaces at the cluster scope

Kubernetes 1.8 from HEAD on GCE

/cc @piosz

The text was updated successfully, but these errors were encountered:

piosz · 2017-09-15T13:41:13Z

I can't reproduce in my cluster ;/

crassirostris · 2017-09-15T20:13:53Z

@piosz I start the cluster using kubetest -up from the kubernetes directory

$ kubectl logs --namespace kube-system --tail 10 metrics-server-5dcccdfb48-xccx6                                                                                          
E0915 20:12:39.313997       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/heapster.go:254: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list pods at the cluster scope
E0915 20:12:39.315342       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:39.315898       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:39.317000       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:39.318000       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/processors/namespace_based_enricher.go:85: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list namespaces at the cluster scope
E0915 20:12:40.316749       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/heapster.go:254: Failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list pods at the cluster scope
E0915 20:12:40.317359       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:40.317623       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:40.318744       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/util/util.go:52: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list nodes at the cluster scope
E0915 20:12:40.320135       1 reflector.go:199] github.com/kubernetes-incubator/metrics-server/metrics/processors/namespace_based_enricher.go:85: Failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:metrics-server" cannot list namespaces at the cluster scope

piosz · 2017-09-18T19:33:35Z

Oh. You did it in test env.

Looks like a problem with misconfigured RBAC in test env. I'll take a look once writing e2e test.

charlesakalugwu · 2017-10-01T10:45:23Z

i'm seeing the same on a fresh 1.8.0 install in my vagrant environment.

Automatic merge from submit-queue (batch tested with PRs 53280, 53330). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add permisions for Metrics Server to read resources on cluster level **What this PR does / why we need it**: Add permisions for Metrics Server to read resources on cluster level. **Which issue this PR fixes**: fixes kubernetes-sigs/metrics-server#16 **Release note**: ```release-note Fix permissions for Metrics Server. ```

MON-3301: Sync metrics-server with upstream v0.6.4

piosz self-assigned this Sep 15, 2017

piosz assigned kawych Oct 2, 2017

piosz changed the title ~~Log spam in Kubernetes 1.8~~ Problem with auth scopes in metrics-server Oct 2, 2017

piosz closed this as completed in #20 Oct 3, 2017

piosz mentioned this issue Oct 3, 2017

README is missing #18

Closed

slashpai pushed a commit to slashpai/metrics-server that referenced this issue Aug 16, 2023

Merge pull request kubernetes-sigs#16 from slashpai/merge-0.6.4

82de70c

MON-3301: Sync metrics-server with upstream v0.6.4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Problem with auth scopes in metrics-server #16

Problem with auth scopes in metrics-server #16

crassirostris commented Sep 15, 2017 •

edited

Loading

piosz commented Sep 15, 2017

crassirostris commented Sep 15, 2017

piosz commented Sep 18, 2017

charlesakalugwu commented Oct 1, 2017

Problem with auth scopes in metrics-server #16

Problem with auth scopes in metrics-server #16

Comments

crassirostris commented Sep 15, 2017 • edited Loading

piosz commented Sep 15, 2017

crassirostris commented Sep 15, 2017

piosz commented Sep 18, 2017

charlesakalugwu commented Oct 1, 2017

crassirostris commented Sep 15, 2017 •

edited

Loading