Upgrading metrics-server to v0.3.2 #600

Closed
wants to merge 2 commits into from

Conversation

@junaid-ali
Author

@ktsakalozos

@@ -99,51 +99,22 @@ spec:
serviceAccountName: metrics-server
containers:
- name: metrics-server
image: k8s.gcr.io/metrics-server-$ARCH:v0.2.1
image: k8s.gcr.io/metrics-server-$ARCH:v0.3.3
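
Review bot: The new image line pins metrics-server-$ARCH at v0.3.3, and because the image name is built from $ARCH the tag has to exist for every architecture that value can take, not only the one that was tested. Confirm that each k8s.gcr.io/metrics-server-$ARCH:v0.3.3 image is published before merging, or pin a version that is available for all of them; a tag missing for one architecture leaves the add-on unable to pull its image there.
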
Author

I tested it on amd64, so didn't realize this. Let me change this to v0.3.2 please

@@ -219,7 +181,7 @@ metadata:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
resources: ["pods"]
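
Review bot: On the resources line, dropping "nodes" from the metrics.k8s.io rule narrows this role, and since the role carries the rbac.authorization.k8s.io/aggregate-to-admin label the narrowing carries over into the aggregated admin role. Node metrics would then be denied to those users once RBAC is enforced, so either keep resources: ["pods", "nodes"] or test node metrics as a non-admin user with RBAC enabled before removing it.
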
Member

We got this part 11 days ago from @giner: 8920c10

@junaid-ali, @giner do we need the "nodes" here?

Author

For me microk8s.kubectl top nodes is working:

$ microk8s.kubectl top nodes
NAME                               CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%   
junaid-hp-z240-tower-workstation   828m         20%    20263Mi         63%

Here are the cluster roles:

$ microk8s.kubectl -n kube-system get clusterrole system:aggregated-metrics-reader -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"rbac.authorization.k8s.io/aggregate-to-admin":"true","rbac.authorization.k8s.io/aggregate-to-edit":"true","rbac.authorization.k8s.io/aggregate-to-view":"true"},"name":"system:aggregated-metrics-reader"},"rules":[{"apiGroups":["metrics.k8s.io"],"resources":["pods"],"verbs":["get","list","watch"]}]}
  creationTimestamp: "2019-08-16T14:27:53Z"
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
  resourceVersion: "3115824"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Aaggregated-metrics-reader
  uid: 25e0931b-1543-432a-802d-cc3465e84304
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

$ microk8s.kubectl -n kube-system get clusterrole system:metrics-server -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","kubernetes.io/cluster-service":"true"},"name":"system:metrics-server"},"rules":[{"apiGroups":[""],"resources":["pods","nodes","nodes/stats"],"verbs":["get","list","watch"]}]}
  creationTimestamp: "2019-08-16T14:27:53Z"
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
  name: system:metrics-server
  resourceVersion: "3115821"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Ametrics-server
  uid: d7b0d0bb-f68a-41eb-ac6c-7685c4d1af2e
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  verbs:
  - get
  - list
  - watch

Contributor

Yes, these are different.

system:metrics-server role is used to access kubernetes API by metrics-server

system:aggregated-metrics-reader is used to access metrics-server API itself

Contributor

Is rbac enabled?

Author

Thanks, will add nodes in resources again

Author

> Is rbac enabled?

Wow, it was disabled.

@giner
Contributor

giner commented Aug 19, 2019

Yes, we do kubernetes-sigs/metrics-server#297

@junaid-ali changed the title from "Upgrading metrics-server to v0.3.3" to "Upgrading metrics-server to v0.3.2" on Aug 19, 2019
@ktsakalozos
Member

We need to also handle the upgrade case of MicroK8s. When this PR gets merged the new metrics-server.yaml manifest will reach all users. Since the updated manifest changes the names of the deployments there will be no way for the already existing MicroK8s installations that have the v0.2.1 metrics server deployed to microk8s.disable metrics-server (the old v0.2.1 will remain deployed). We have had the same situation when we moved from kube-dns to coredns (https://github.com/ubuntu/microk8s/pull/491/files#diff-6fd127854f535085554c48b8215245f1). What we did for the coredns transition is to keep both old and new manifests and when we disable the add-on we first check which version we have deployed and use the respective manifest in kubectl delete. We should be doing the same here.

Also, upgraded MicroK8s deployments will need to get the kubelet arguments updated and the service restarted. The script that runs during an upgrade is the configure one found in https://github.com/ubuntu/microk8s/blob/master/snap/hooks/configure. We will need an if statement saying "if the new arguments are missing from kubelet, then add them", similar to this one https://github.com/ubuntu/microk8s/blob/master/snap/hooks/configure#L135

Thank you for being on top of this PR @junaid-ali.

@junaid-ali
Author

@ktsakalozos apologies, couldn't follow the PR for a few days. I have started testing it again. When we enable rbac, I caught a few missing things (we have to add flags to apiserver for API aggregation, https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/#enable-kubernetes-apiserver-flags). Also there is one issue still left, kubectl logs command is failing with an error Error from server (Forbidden): Forbidden (user=127.0.0.1, verb=get, resource=nodes, subresource=proxy) ( pods/log nginx-7bb7cd8db5-rtw9q), the user 127.0.0.1 is, I assume, coming from kubernetes ca cert (/var/snap/microk8s/<743>/certs/ca.crt).

@giner
Contributor

giner commented Aug 27, 2019

@junaid-ali, enabling aggregation layer is merged to master and will be in the snap with version 1.15.3.

@stephenstubbs

Is there any way to get this merged? 0.2.1 is quite old now and newer dashboards in Grafana are not working for me. I've tried installing it via the helm chart instead of enabling it via microk8s but that does not seem to work.

@junaid-ali
Author

I just realized I never finished this PR 😅 Hopefully I will work on this over the weekend to wrap this up if no one else is working on it

@stephenstubbs

That would be great. Let me know if and how I can help with this. Everything is working well with microk8s so far except this in my setup.

@junaid-ali
Author

I have this issue where as soon as I enable authorization-mode=Webhook to kubelet, I start seeing errors for kubectl logs, exec commands:

Error from server (Forbidden): Forbidden (user=127.0.0.1, verb=get, resource=nodes, subresource=proxy) ( pods/log nginx)

@junaid-ali
Author

The following error in api server logs (--v=6):

$ journalctl -u snap.microk8s.daemon-apiserver.service -f | grep -B 30 RBAC | grep -B 30 127.0.0.1
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.400291   19805 handler.go:153] kube-apiserver: GET "/openapi/v2" satisfied by nonGoRestful
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.400825   19805 pathrecorder.go:240] kube-apiserver: "/openapi/v2" satisfied by exact match
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.401365   19805 handler.go:153] apiextensions-apiserver: GET "/openapi/v2" satisfied by nonGoRestful
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.401583   19805 pathrecorder.go:240] apiextensions-apiserver: "/openapi/v2" satisfied by exact match
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.449943   19805 handler.go:153] kube-aggregator: GET "/api/v1/namespaces/default/pods/nginx" satisfied by nonGoRestful
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.450428   19805 pathrecorder.go:247] kube-aggregator: "/api/v1/namespaces/default/pods/nginx" satisfied by prefix /api/
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.450851   19805 handler.go:143] kube-apiserver: GET "/api/v1/namespaces/default/pods/nginx" satisfied by gorestful with webservice /api/v1
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.453591   19805 httplog.go:90] verb="GET" URI="/api/v1/namespaces/default/pods/nginx" latency=3.747778ms resp=200 UserAgent="kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" srcIP="127.0.0.1:49050":
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.471626   19805 handler.go:153] kube-aggregator: GET "/api/v1/namespaces/default/pods/nginx/log" satisfied by nonGoRestful
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.472040   19805 pathrecorder.go:247] kube-aggregator: "/api/v1/namespaces/default/pods/nginx/log" satisfied by prefix /api/
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.472409   19805 handler.go:143] kube-apiserver: GET "/api/v1/namespaces/default/pods/nginx/log" satisfied by gorestful with webservice /api/v1
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.486561   19805 rbac.go:119] RBAC DENY: user "system:node:microk8s-vm" groups ["system:nodes" "system:authenticated"] cannot "create" resource "subjectaccessreviews.authorization.k8s.io" cluster-wide
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.486949   19805 handler.go:153] kube-aggregator: POST "/apis/authorization.k8s.io/v1/subjectaccessreviews" satisfied by nonGoRestful
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.487202   19805 pathrecorder.go:247] kube-aggregator: "/apis/authorization.k8s.io/v1/subjectaccessreviews" satisfied by prefix /apis/authorization.k8s.io/v1/
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.487532   19805 handler.go:143] kube-apiserver: POST "/apis/authorization.k8s.io/v1/subjectaccessreviews" satisfied by gorestful with webservice /apis/authorization.k8s.io/v1
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.488770   19805 rbac.go:119] RBAC DENY: user "127.0.0.1" groups ["Canonical" "system:authenticated"] cannot "get" resource "nodes/proxy" named "microk8s-vm" cluster-wide
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.489157   19805 httplog.go:90] verb="POST" URI="/apis/authorization.k8s.io/v1/subjectaccessreviews" latency=2.84676ms resp=201 UserAgent="kubelet/v1.18.0 (linux/amd64) kubernetes/9e99141" srcIP="127.0.0.1:45710":
Apr 07 15:23:47 microk8s-vm microk8s.daemon-apiserver[19805]: I0407 15:23:47.495266   19805 httplog.go:90] verb="GET" URI="/api/v1/namespaces/default/pods/nginx/log" latency=23.679994ms resp=403 UserAgent="kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" srcIP="127.0.0.1:49050":

@junaid-ali
Author

junaid-ali commented Apr 7, 2020

The following error on kubelet:

$ journalctl -u snap.microk8s.daemon-kubelet.service -f
Apr 07 15:23:47 microk8s-vm microk8s.daemon-kubelet[19692]: I0407 15:23:47.485369   19692 auth.go:112] Node request attributes: user=&user.DefaultInfo{Name:"127.0.0.1", UID:"", Groups:[]string{"Canonical", "system:authenticated"}, Extra:map[string][]string(nil)} attrs=authorizer.AttributesRecord{User:(*user.DefaultInfo)(0xc000c4d940), Verb:"get", Namespace:"", APIGroup:"", APIVersion:"v1", Resource:"nodes", Subresource:"proxy", Name:"microk8s-vm", ResourceRequest:true, Path:"/containerLogs/default/nginx/nginx"}
Apr 07 15:23:47 microk8s-vm microk8s.daemon-kubelet[19692]: I0407 15:23:47.490139   19692 server.go:275] Forbidden (user=127.0.0.1, verb=get, resource=nodes, subresource=proxy)
Apr 07 15:23:47 microk8s-vm microk8s.daemon-kubelet[19692]: I0407 15:23:47.490227   19692 httplog.go:90] verb="GET" URI="/containerLogs/default/nginx/nginx" latency=5.072321ms resp=403 UserAgent="Go-http-client/1.1" srcIP="127.0.0.1:50358":
Apr 07 15:23:47 microk8s-vm microk8s.daemon-kubelet[19692]: logging error output: "Forbidden (user=127.0.0.1, verb=get, resource=nodes, subresource=proxy)"

@junaid-ali
Author

@ktsakalozos any idea why this error could happen?

@junaid-ali
Author

Although, metrics server is running fine:

$ k -n kube-system top po
NAME                                    CPU(cores)   MEMORY(bytes)   
coredns-588fd544bf-zbhvv                7m           14Mi            
hostpath-provisioner-75fdc8fccd-4gpvb   1m           12Mi            
metrics-server-v0.3.2-94f47fb9c-ll588   1m           21M

@ktsakalozos
Member

ktsakalozos commented Apr 9, 2020

@junaid-ali there is an RBAC denial in the logs you pasted.

Is this PR ready for a second review round?
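
The RBAC denials referred to here can be pulled out of the API server log and grouped by subject, which shows at a glance which identity lacks which permission. This is an added example, not code from the thread or from MicroK8s: the function names are hypothetical, the sample log is constructed from the two RBAC DENY messages quoted above, and the `in namespace "..."` scope form is an assumption (the thread only shows `cluster-wide`).

```python
import re
from collections import defaultdict

# Constructed sample in the klog layout of the API server output quoted above
# (journald prefix dropped; the two RBAC DENY messages are those from the thread).
SAMPLE_LOG = """\
I0407 15:23:47.472409   19805 handler.go:143] kube-apiserver: GET "/api/v1/namespaces/default/pods/nginx/log" satisfied by gorestful with webservice /api/v1
I0407 15:23:47.486561   19805 rbac.go:119] RBAC DENY: user "system:node:microk8s-vm" groups ["system:nodes" "system:authenticated"] cannot "create" resource "subjectaccessreviews.authorization.k8s.io" cluster-wide
I0407 15:23:47.488770   19805 rbac.go:119] RBAC DENY: user "127.0.0.1" groups ["Canonical" "system:authenticated"] cannot "get" resource "nodes/proxy" named "microk8s-vm" cluster-wide
"""

# Matches the resource form of the message; the namespace scope is assumed.
DENY_RE = re.compile(
    r'RBAC DENY: user "(?P<user>[^"]*)" groups \[(?P<groups>[^\]]*)\] '
    r'cannot "(?P<verb>[^"]+)" resource "(?P<resource>[^"]+)"'
    r'(?: named "(?P<name>[^"]+)")?'
    r' (?P<scope>cluster-wide|in namespace "[^"]*")'
)


def parse_denials(text):
    """Return one dict per RBAC DENY line found in text."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        # The resource field reads "resource.group/subresource":
        # split the subresource off first, then the API group.
        res, _, sub = m.group("resource").partition("/")
        res, _, group = res.partition(".")
        denials.append({
            "user": m.group("user"),
            "groups": re.findall(r'"([^"]*)"', m.group("groups")),
            "verb": m.group("verb"),
            "api_group": group,          # "" is the core API group
            "resource": res,
            "subresource": sub,
            "name": m.group("name"),     # None when the request named no object
            "scope": m.group("scope"),
        })
    return denials


def missing_by_subject(denials):
    """Group denied (verb, apiGroup, resource[/subresource]) tuples by user."""
    out = defaultdict(set)
    for d in denials:
        full = d["resource"] + ("/" + d["subresource"] if d["subresource"] else "")
        out[d["user"]].add((d["verb"], d["api_group"], full))
    return {user: sorted(perms) for user, perms in out.items()}


if __name__ == "__main__":
    for user, perms in missing_by_subject(parse_denials(SAMPLE_LOG)).items():
        for verb, group, resource in perms:
            print(f'{user}: denied {verb} on {resource} (apiGroup "{group}")')
```

On the sample it reports two distinct subjects: the node identity denied `create` on `subjectaccessreviews`, and the user `127.0.0.1` denied `get` on `nodes/proxy`.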

@drewboswell

The addition of the authentication-token-webhook and authorization-mode flags is also needed for prometheus kubelet metrics retrieval. It would really help to get this merged as soon as possible.

@junaid-ali
Author

> @junaid-ali there is an RBAC denial in the logs you pasted.
>
> Is this PR ready for a second review round?

I still need to address your comment at #600 (comment)

@junaid-ali
Author

@drewboswell enabling authentication webhook causes kubectl logs and exec commands to throw this error:

Error from server (Forbidden): Forbidden (user=127.0.0.1, verb=get, resource=nodes, subresource=proxy)

Still need to debug from where this user=127.0.0.1 is coming from

@stephenstubbs

Do you have any idea when this pr will be done or do you suggest I try to get the helm chart working instead?

@balchua
Collaborator

balchua commented May 16, 2020

@junaid-ali I'm sorry, I also did a PR on upgrading metrics server. Didn't realize that there is one.

@junaid-ali
Author

@balchua I couldn't really work on it due to other commitments. Please go ahead with your PR, check the comments here if that can help you in any way.

@balchua
Collaborator

balchua commented May 16, 2020

@junaid-ali Thanks for letting me know. In that case, will be closing this PR in favor of this #1201

@balchua balchua closed this May 16, 2020