Add documentation for kubernetesSDConfigs usage to scrape node targets #6517
Comments
You would need to create service account token secret example if prometheus service account name is
Also create secret for TLS config and use secret selector to select the configs Example
Ok, it'll probably work, however, it's not the way described in the docs.
ya adding Referring to https://github.com/slashpai/prometheus-operator-examples/tree/main/scrape_config/kubernetes_sd may be helpful for some examples for time being.
Thanks @slashpai for the hint with the API token Secrets! We tried to switch the Strimzi additional scrape config example to the new ScrapeConfig CR. In addition to the bearer token, we also used the

One of the resulting ScrapeConfigs looks now like this:

```yaml
apiVersion: monitoring.coreos.com/v1alpha1
kind: ScrapeConfig
metadata:
  name: kubernetes-cadvisor
  labels:
    prometheus: prometheus
spec:
  ...
  authorization:
    credentials:
      name: prometheus-secret
      key: token
  ...
  tlsConfig:
    ca:
      secret:
        name: prometheus-secret
        key: ca.crt
  relabelings:
    ...
  metricRelabelings:
    ...
```

Since we want to avoid long-living API tokens, we decided to introduce a Kyverno CleanupPolicy, which removes the token based on a schedule:

```yaml
apiVersion: kyverno.io/v2beta1
kind: CleanupPolicy
metadata:
  name: remove-api-token
spec:
  match:
    any:
      - resources:
          kinds:
            - Secret
          names:
            - prometheus-secret
  schedule: "<cron schedule>"
```

Our ArgoCD will recreate the Secret afterwards.
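The comments above rely on a Secret that holds both `token` and `ca.crt`; a Secret of type `kubernetes.io/service-account-token` is one way to get exactly those two keys. This manifest is an added example, not taken from the thread or the project; the namespace `monitoring` and the service account name `prometheus-k8s` are assumptions, while the Secret name and keys match the ScrapeConfig shown above.

```yaml
# Added example. Namespace and service account name are assumptions;
# the Secret name and key names are the ones the ScrapeConfig references.
apiVersion: v1
kind: Secret
metadata:
  name: prometheus-secret
  namespace: monitoring                                   # assumption
  annotations:
    # Ties the Secret to the ServiceAccount whose RBAC permissions the token carries.
    kubernetes.io/service-account.name: prometheus-k8s    # assumption
type: kubernetes.io/service-account-token
# No data section is written by hand. The control plane fills in:
#   token     -> used by spec.authorization.credentials (key: token)
#   ca.crt    -> used by spec.tlsConfig.ca.secret       (key: ca.crt)
#   namespace
# A token issued this way has no expiry of its own: it stays valid until
# the Secret or the ServiceAccount is deleted, which is why the thread
# pairs it with a scheduled deletion and recreation of the Secret.
```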
Is there an existing issue for this?
What happened?
Description
When I configure ScrapeConfig to scrape nodes or cadvisor metrics, the target returns a 403 error.
Steps to Reproduce
Use manifests attached to the issue
Expected Result
According to the documentation, prometheus should use the default in-cluster token and ca to communicate with the API
Actual Result
server returned HTTP status 403 Forbidden
Prometheus Operator Version
Kubernetes Version
v1.28.7-eks-b9c9ed7
Kubernetes Cluster Type
EKS
How did you deploy Prometheus-Operator?
prometheus-operator/kube-prometheus
Manifests
prometheus-operator log output
Anything else?
Before operator, I configure scrape to use SA token and CA directly with
So I can't do it with the operator b/c no such options for the scrape configs.