
When using limited privilege environment (roles) empty metrics endpoint #2400

Open · SennaSemakula opened this issue May 24, 2024 · 3 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug.), triage/accepted (Indicates an issue or PR is ready to be actively worked on.)

Comments


SennaSemakula commented May 24, 2024

What happened:
I ran kube-state-metrics using Roles and RoleBindings following: https://github.com/kubernetes/kube-state-metrics?tab=readme-ov-file#limited-privileges-environment but I did not pass in --namespaces as it should default to all namespaces including the current one. When I navigate to localhost:8080/metrics the endpoint is blank.

[Screenshot 2024-05-24 at 15:48:02]

What you expected to happen:
When using limited privileges (Roles and not ClusterRoles) it should have metrics on the current namespace. Note that this works if you do pass in --namespaces, but it should work regardless, as the default value monitors all namespaces based on: https://github.com/kubernetes/kube-state-metrics/blob/main/pkg/options/options.go#L146

How to reproduce it (as minimally and precisely as possible):

  1. Follow the steps, but make sure you do not specify --namespaces, as it should default to all namespaces
  2. Navigate to localhost:8080/metrics and you should see no metrics

Anything else we need to know?:
I'm working on deploying kube-state-metrics in a tenanted environment that is using: https://github.com/kubernetes-sigs/hierarchical-namespaces.

Environment:

  • kube-state-metrics version: 2.12.0
  • Kubernetes version (use kubectl version): v1.27.12-gke.1115000
  • Cloud provider or hardware configuration: GKE
  • Other info:
@SennaSemakula SennaSemakula added the kind/bug Categorizes issue or PR as related to a bug. label May 24, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label May 24, 2024
@thunderbird86

Have the same issue, but I didn't set up any limited privileges environment; it worked fine for some time and now it has the same empty response.

@Serializator · Contributor

The problem originates from the use of v1.NamespaceAll, where KSM assumes it can list and watch resources at the cluster scope. This is a wrong assumption in a limited privilege environment.

```
W0623 13:07:43.643600  104637 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kube-state-metrics" cannot list resource "pods" in API group "" at the cluster scope
```

https://github.com/kubernetes/kube-state-metrics/blob/main/internal/store/builder.go#L514-L524

The thing is though, without the permission to list namespaces, KSM can't determine what namespaces we have access to either. The minimal requirement in a limited privilege environment for something like this to work is a cluster role (binding) to allow the listing of namespaces across the cluster.
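To make the two points above concrete (NamespaceAll must be expanded into explicit namespaces before any list/watch, and that expansion itself needs a ClusterRole), here is an added illustration in Go. It is not KSM's builder.go code; `ResolveNamespaces`, `ListPerNamespace`, the function-typed stand-ins for client-go calls and the `team-a`/`team-b` namespaces are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// NamespaceAll mirrors client-go's empty-string sentinel: "" means every namespace.
const NamespaceAll = ""
// errForbidden is a constructed stand-in for the 403 in the reflector log above.
var errForbidden = errors.New("forbidden: cannot list resource at the cluster scope")

// ResolveNamespaces expands --namespaces into concrete namespaces so the caller can issue
// per-namespace list/watch calls; listNamespaces stands for a client-go call that needs a ClusterRole.
func ResolveNamespaces(configured []string, listNamespaces func() ([]string, error)) ([]string, error) {
	if len(configured) > 0 && !(len(configured) == 1 && configured[0] == NamespaceAll) {
		return configured, nil // explicit namespaces: no cluster-scope access needed
	}
	nss, err := listNamespaces()
	if err != nil { // fail loudly instead of serving an empty /metrics endpoint
		return nil, fmt.Errorf("cannot expand NamespaceAll without listing namespaces: %w", err)
	}
	return nss, nil
}

// ListPerNamespace fans a namespaced list call out over nss and reports which namespaces the
// Role does not cover, rather than failing everything on one cluster-scoped list.
func ListPerNamespace(nss []string, listIn func(ns string) ([]string, error)) (items, forbidden []string) {
	for _, ns := range nss {
		got, err := listIn(ns)
		if err != nil {
			forbidden = append(forbidden, ns)
			continue
		}
		items = append(items, got...)
	}
	return items, forbidden
}

func main() { // constructed environment: a Role in "team-a" only, no ClusterRole
	_, err := ResolveNamespaces([]string{NamespaceAll}, func() ([]string, error) { return nil, errForbidden })
	fmt.Println("NamespaceAll:", err)
	items, forbidden := ListPerNamespace([]string{"team-a", "team-b"}, func(ns string) ([]string, error) {
		if ns != "team-a" {
			return nil, errForbidden
		}
		return []string{ns + "/pod-0"}, nil
	})
	fmt.Println("items:", items, "forbidden:", forbidden)
}
```

With `kubectl auth can-i list namespaces --as=system:serviceaccount:<ns>:<sa>` you can check the ClusterRole prerequisite before deploying, and a surfaced error instead of a blank `/metrics` is what a monitoring alert on scrape emptiness would otherwise have to catch.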

@dgrisonnet · Member

/assign @mrueg
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 8, 2024