From d96ccedced40f9d746d7be8c62d9669b2d893c59 Mon Sep 17 00:00:00 2001
From: Chris Mark
Date: Tue, 7 Jul 2020 15:20:44 +0300
Subject: [PATCH] Add clusterRole note for apiserver (#19328) (#19695)

(cherry picked from commit b4a506723eccd07ad8f8a298af4a50bf42d861f6)
---
 deploy/kubernetes/metricbeat-kubernetes.yaml | 12 ++++++++++++
 .../metricbeat/metricbeat-deployment-configmap.yaml | 8 ++++++++
 deploy/kubernetes/metricbeat/metricbeat-role.yaml | 4 ++++
 metricbeat/docs/modules/kubernetes.asciidoc | 10 ++++++++++
 metricbeat/module/kubernetes/_meta/docs.asciidoc | 10 ++++++++++
 5 files changed, 44 insertions(+)

diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml
index 8f37467def4e..4896c9c98f31 100644
--- a/deploy/kubernetes/metricbeat-kubernetes.yaml
+++ b/deploy/kubernetes/metricbeat-kubernetes.yaml
@@ -239,6 +239,14 @@ data:
 period: 10s
 host: ${NODE_NAME}
 hosts: ["kube-state-metrics:8080"]
+ #- module: kubernetes
+ # metricsets:
+ # - apiserver
+ # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"]
+ # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ # ssl.certificate_authorities:
+ # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ # period: 30s
 ---
 # Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics
 apiVersion: apps/v1
@@ -353,6 +361,10 @@ rules:
 - nodes/stats
 verbs:
 - get
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml
index 4a3cf4e2f7d5..b7760db71699 100644
--- a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml
+++ b/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml
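Review bot: The `nonResourceURLs: ["/metrics"]` / `get` rule added to the ClusterRole in deploy/kubernetes/metricbeat-kubernetes.yaml is granted unconditionally, while the apiserver metricset that needs it ships commented out in the same manifest, so a default install carries a permission it does not use. The API server's `/metrics` endpoint exposes cluster-internal telemetry, and if this ClusterRole is bound to a service account shared by the per-node pods as well as the singleton Deployment (the binding is outside the hunk, so this is an assumption to confirm), every node's Metricbeat token would be able to read it. I would either ship the rule commented out alongside the metricset, or keep it and add a comment above it such as `# Needed only by the apiserver metricset; remove this rule if that metricset stays disabled`. The same rule is added in deploy/kubernetes/metricbeat/metricbeat-role.yaml and the same point applies there.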
@@ -48,3 +48,11 @@ data: period: 10s host: ${NODE_NAME} hosts: ["kube-state-metrics:8080"] + #- module: kubernetes + # metricsets: + # - apiserver + # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] + # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + # ssl.certificate_authorities: + # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # period: 30s diff --git a/deploy/kubernetes/metricbeat/metricbeat-role.yaml b/deploy/kubernetes/metricbeat/metricbeat-role.yaml index 2b58efa30d60..79987a8f6799 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-role.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-role.yaml @@ -28,3 +28,7 @@ rules: - nodes/stats verbs: - get +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/metricbeat/docs/modules/kubernetes.asciidoc b/metricbeat/docs/modules/kubernetes.asciidoc index 3f8597c21bd6..de25089fa14c 100644 --- a/metricbeat/docs/modules/kubernetes.asciidoc +++ b/metricbeat/docs/modules/kubernetes.asciidoc @@ -45,6 +45,16 @@ Note: Kube-state-metrics is not deployed by default in Kubernetes. For these cas The apiserver metricset requires access to the Kubernetes API, which should be easily available in all Kubernetes environments. Depending on the Kubernetes configuration, the API access might require SSL (`https`) and token based authentication. +In order to access the `/metrics` path of the API service, some Kubernetes environments might require the following permission to be added to a ClusterRole. + +```yaml +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +``` + [float] ==== proxy diff --git a/metricbeat/module/kubernetes/_meta/docs.asciidoc b/metricbeat/module/kubernetes/_meta/docs.asciidoc index 4d4bd40a8e78..dca36e95e674 100644 --- a/metricbeat/module/kubernetes/_meta/docs.asciidoc +++ b/metricbeat/module/kubernetes/_meta/docs.asciidoc 
@@ -38,6 +38,16 @@ Note: Kube-state-metrics is not deployed by default in Kubernetes. For these cas The apiserver metricset requires access to the Kubernetes API, which should be easily available in all Kubernetes environments. Depending on the Kubernetes configuration, the API access might require SSL (`https`) and token based authentication. +In order to access the `/metrics` path of the API service, some Kubernetes environments might require the following permission to be added to a ClusterRole. + +```yaml +rules: +- nonResourceURLs: + - /metrics + verbs: + - get +``` + [float] ==== proxy