Bug 1626520 - Prometheus with default serviceaccount cannot list all nodes in the cluster
Status: CLOSED NOTABUG
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.10.z
Assignee: Paul Gier
QA Contact: Junqi Zhao
Reported: 2018-09-07 14:17 UTC by Mauricio Magnani
Modified: 2023-09-15 00:12 UTC
Last Closed: 2018-11-07 15:50:05 UTC
Description Mauricio Magnani 2018-09-07 14:17:17 UTC
### Description of problem ###

I'm not sure if this is a bug.

By default, the Prometheus serviceaccount gets the view clusterrole, which is not able to view/list/watch nodes in the cluster. However, Prometheus tries to acquire node objects in the cluster and creates the following error messages:
~~~
 k8s.io/kube-state-metrics/collectors/node.go:130: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:openshift-metrics:default" cannot list nodes at the cluster scope: User "system:serviceaccount:openshift-metrics:default" cannot list all nodes in the cluster
~~~

After adding a cluster role with the right to view nodes, the mistake is gone.

If Prometheus is deployed with Ansible, it's a permanent mistake, because Prometheus (with the default serviceaccount) continuously tries to view nodes.

### Version-Release number ###

 openshift-ansible-3.10.21-1.git.0.6446011.el7.noarch

Comment 1 Frederic Branczyk 2018-09-07 14:24:11 UTC
Assigning to Paul Gier. This should be a simple change in the ClusterRole adding this permission.
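
An added example, not part of the bug report or of openshift-ansible: it parses the denial quoted in the description and derives a ClusterRole and ClusterRoleBinding that grant only the denied verbs to that one serviceaccount. The role name `metrics-node-reader`, the constructed `watch` line, and the core API group for `nodes` are assumptions.

```python
import json
import re
from collections import defaultdict

# Denial text in the shape of the log line quoted in the report.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^:"]+)" '
    r'cannot (?P<verb>\w+) (?P<resource>[\w.]+) at the cluster scope')

def denied_access(log_lines):
    """Return {(namespace, serviceaccount): {resource: {verbs}}} for denied calls."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = DENIAL.search(line)
        if m:
            found[(m["ns"], m["sa"])][m["resource"]].add(m["verb"])
    return found

def minimal_rbac(ns, sa, resources, role_name):
    """ClusterRole with only the denied verbs, bound to a single serviceaccount."""
    api = "rbac.authorization.k8s.io"
    # Assumption: resources are in the core API group (""), as nodes are;
    # the log line does not carry the group.
    rules = [{"apiGroups": [""], "resources": [res], "verbs": sorted(verbs)}
             for res, verbs in sorted(resources.items())]
    role = {"apiVersion": api + "/v1", "kind": "ClusterRole",
            "metadata": {"name": role_name}, "rules": rules}
    binding = {"apiVersion": api + "/v1", "kind": "ClusterRoleBinding",
               "metadata": {"name": role_name},
               "roleRef": {"apiGroup": api, "kind": "ClusterRole", "name": role_name},
               "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}
    return role, binding

SA = 'User "system:serviceaccount:openshift-metrics:default"'
LOG = [
    # From the report (the repeated second half of the message is dropped).
    'k8s.io/kube-state-metrics/collectors/node.go:130: Failed to list *v1.Node: '
    'nodes is forbidden: ' + SA + ' cannot list nodes at the cluster scope',
    # Constructed: the matching denial for the watch verb.
    'nodes is forbidden: ' + SA + ' cannot watch nodes at the cluster scope',
]

if __name__ == "__main__":
    for (ns, sa), resources in denied_access(LOG).items():
        # "metrics-node-reader" is a hypothetical role name.
        for obj in minimal_rbac(ns, sa, resources, "metrics-node-reader"):
            print(json.dumps(obj, indent=2))
```

The printed JSON can be reviewed before it is applied; a broader built-in role such as `cluster-reader` would also silence the error but grants far more than the collector asked for.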

Comment 4 Red Hat Bugzilla 2023-09-15 00:12:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
