Description of problem:
# oc -n openshift-monitoring logs prometheus-adapter-587687f4c-g4dt7
I0515 03:53:37.363903 1 adapter.go:94] successfully using in-cluster auth
I0515 03:53:38.139376 1 dynamic_cafile_content.go:166] Starting request-header::/etc/tls/private/requestheader-client-ca-file
I0515 03:53:38.139414 1 dynamic_cafile_content.go:166] Starting client-ca-bundle::/etc/tls/private/client-ca-file
I0515 03:53:38.139626 1 dynamic_serving_content.go:129] Starting serving-cert::/etc/tls/private/tls.crt::/etc/tls/private/tls.key
I0515 03:53:38.140412 1 secure_serving.go:178] Serving securely on [::]:6443
I0515 03:53:38.140485 1 tlsconfig.go:219] Starting DynamicServingCertificateController
E0515 03:54:31.943916 1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 03:54:31.944026 1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:02:40.311308 1 webhook.go:197] Failed to make webhook authorizer request: subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:02:40.311412 1 errors.go:77] subjectaccessreviews.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot create resource "subjectaccessreviews" in API group "authorization.k8s.io" at the cluster scope
E0515 04:20:42.250215 1 reflector.go:307] k8s.io/client-go/informers/factory.go:135: Failed to watch *v1.Node: unknown (get nodes)
E0515 04:20:43.251510 1 reflector.go:153] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:openshift-monitoring:prometheus-adapter" cannot list resource "nodes" in API group "" at the cluster scope
# token=`oc sa get-token prometheus-adapter -n openshift-monitoring`
# oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://prometheus-k8s.openshift-monitoring.svc:9091/api/v1/query?query=kube_node_info' | jq | head
{
"status": "success",
"data": {
"resultType": "vector",
"result": [
{
"metric": {
"__name__": "kube_node_info",
"container_runtime_version": "cri-o://1.18.0-17.dev.rhaos4.5.gitdea34b9.el8",
"endpoint": "https-main",
# oc api-resources | grep subjectaccessreviews
subjectaccessreviews authorization.k8s.io false SubjectAccessReview
subjectaccessreviews authorization.openshift.io false SubjectAccessReview
Version-Release number of selected component (if applicable):
4.5.0-0.nightly-2020-05-14-190315
How reproducible:
recently
Steps to Reproduce:
1. See the description
2.
3.
Actual results:
Expected results:
Additional info: