ksm doesn't report any metrics at all if it lacks rights for just 1 subject namespace #1413
Comments
|
Hello 👋 Is this the kube-state-metrics in OpenShift you are talking about or are you deploying one manually? If manually can you share the deployments manifests and which one you used? FYI the manifests in this repo are just examples so you have to customize them if you need something specific. |
|
Hi, Lili! Manifests are really irrelevant here, because they don't even specify which custom ServiceAccount to use, so the default one The only part that may be relevant here is I deploy it to |
|
Yes seems like a bug with the multlistwatcher, do you want to take up fixing it? |
|
Sorry, I'm not fluent in Golang enough as to fix it. |
lilic
added
the
help wanted
|
No worries! I added the help wanted label, as we had folks interested in contributing more, otherwise will have a look if no one else picks it up. Thanks for reporting! @brancz would be great to replace the custom listwatch with something else, maybe importing it from Prometheus operator what do you think? |
The multiListerWatcher is a composite object encapsulating multiple ListerWatchers and implements the ListerWatcher interface. When calling the List method on the multiListerWatcher, if an individual Lister call fails, the outcome is treated as an error and the entire call fails. This leads to KSM not exporting any metrics when it does not have the necessary permissions for resources in one more more namespaces. This commit modifies the multiListerWatcher List function to log errors from individual ListerWatchers and continue with execution. As a result, when KSM does not have permissions to list resources from a namespace, it will still export metrics from namespaces it has permissions to. Fixes kubernetes#1413 Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
…er errors The multiListerWatcher is a composite object encapsulating multiple ListerWatchers and implements the ListerWatcher interface. When calling the List method on the multiListerWatcher, if an individual Lister call fails, the outcome is treated as an error and the entire call fails. This leads to KSM not exporting any metrics when it does not have the necessary permissions for resources in one more more namespaces. This commit modifies the multiListerWatcher List function to log errors from individual ListerWatchers and continue with execution. As a result, when KSM does not have permissions to list resources from a namespace, it will still export metrics from namespaces it has permissions to. Fixes kubernetes#1413 Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
… errors The multiListerWatcher is a composite object encapsulating multiple ListerWatchers and implements the ListerWatcher interface. When calling the List method on the multiListerWatcher, if an individual Lister call fails, the outcome is treated as an error and the entire call fails. This leads to KSM not exporting any metrics when it does not have the necessary permissions for resources in one more more namespaces. This commit modifies the multiListerWatcher List function to log errors from individual ListerWatchers and continue with execution. As a result, when KSM does not have permissions to list resources from a namespace, it will still export metrics from namespaces it has permissions to. Fixes kubernetes#1413 Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
The multiListerWatcher is a composite object encapsulating multiple ListerWatchers and implements the ListerWatcher interface. When calling the List method on the multiListerWatcher, if an individual Lister call fails, the outcome is treated as an error and the entire call fails. This leads to KSM not exporting any metrics when it does not have the necessary permissions for resources in one more more namespaces. This commit modifies the multiListerWatcher List function to log errors from individual ListerWatchers and continue with execution. As a result, when KSM does not have permissions to list resources from a namespace, it will still export metrics from namespaces it has permissions to. Fixes kubernetes#1413 Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
The multiListerWatcher is a composite object encapsulating multiple ListerWatchers and implements the ListerWatcher interface. When calling the List method on the multiListerWatcher, if an individual Lister call fails, the outcome is treated as an error and the entire call fails. This leads to KSM not exporting any metrics when it does not have the necessary permissions for resources in one more more namespaces. This commit modifies the multiListerWatcher List function to log errors from individual ListerWatchers and continue with execution. As a result, when KSM does not have permissions to list resources from a namespace, it will still export metrics from namespaces it has permissions to. Fixes kubernetes#1413 Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
|
I would like to look at this problem |
k8s-ci-robot
removed
the
lifecycle/stale
What happened: ksm doesn't report any metrics at all if just 1 namespace from the list of specified ones is not available.
What you expected to happen: ksm should return metrics for the k8s objects from other namespaces (where it has access to).
How to reproduce it (as minimally and precisely as possible): have arg '--namespaces=project1,project2' but give access only to ksm's ServiceAccount 'view' rights only in project1.
ksm will produce NO metrics, because its ServiceAccount lacks 'view' rights in project2, although it could return metrics from project1.
Anything else we need to know?: no
Environment:
kubectl version): 1.18.3+002a51fThe text was updated successfully, but these errors were encountered: