kubernetes-sigs/metrics-server

Non cluster-admin cannot request metrics

Closed this issue · 12 comments

I have the Deploy 1.8 YAML files deployed on an OpenShift cluster @ v3.11.0-alpha.0+3af079d-343.

If I run the following:
oc get --raw /apis/metrics.k8s.io/v1beta1/namespaces/<my-namespace>/pods/<my-happy-pod>

I will receive the response:

Error from server (Forbidden): pods.metrics.k8s.io "<my-happy-pod>" is forbidden: 
User "<me>" cannot get pods.metrics.k8s.io in the namespace "<my-namespace>": 
User "<me>" cannot get pods.metrics.k8s.io in project "<my-namespace>"

I believe a non-cluster-admin user must be able to get metrics for the metrics service to be most useful.

@DirectXMan12

fyi @spadgett

We might need to move this to the Kubernetes repo, since it's a question of default policy, but we might also just be able to aggregate up to one of the default cluster roles. I'll need to take a look.

I think we can add an rbac.authorization.k8s.io/aggregate-to-view: true label on a role here and fix this, but it's probably better to just fix the default cluster policy in Kubernetes.

Talked to the sig-auth folks -- we probably just want to have aggregate-to-view here.

seh commented

Which roles should be labeled as such, @DirectXMan12? We define the "metrics-server-auth-reader" Role and the "system:metrics-server" ClusterRole per the 1.8+ deployment advice.

seh commented

Reading kubernetes/kubernetes#66579 again this morning, I now assume that you meant that we'll define the new "system:namespaced-metrics-reader" ClusterRole in this project, and aggregate it via label.

Yes, correct.

seh commented

How does one make use of all the permissions granted in the "custom.metrics.k8s.io" group, such as "jobs.batch"?

What do you mean? Are you asking what URLs those translate to? The resource "jobs.batch" in the API group "custom.metrics.k8s.io" corresponds to the URL /apis/custom.metrics.k8s.io/v1beta1/namespaces/<ns>/jobs.batch/<name-or-star>/<metric>, and grants permission to fetch any metric (subresource) on jobs.batch (although there's a typo and they should have subresources of * attached).
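The mechanism the thread settles on (a ClusterRole carrying the aggregate-to-view label that the built-in view role absorbs) and the URL-to-RBAC mapping in the comment just above, as an added example: this is a toy Python model written for this page, not metrics-server or Kubernetes code. The ClusterRoles are dicts that mirror the YAML fields; the role name system:aggregated-metrics-reader, the user alice, namespace app, pod web-0, job etl-1 and metric queue_length are constructed; only RoleBindings that reference ClusterRoles are modelled; and treating a "*" name segment in the custom-metrics path as a list is an assumption of the toy. Resource matching reproduces the upstream RBAC helper's forms ("*", an exact "resource" or "resource/subresource", or "*/subresource"), which is enough to show why a rule naming only jobs.batch never matches a metric request.

```python
"""Toy model of RBAC aggregation and metrics-API authorization (added example,
not metrics-server/Kubernetes code; names below are constructed)."""
import re

AGG_TO_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"

# ClusterRoles as dicts mirroring the YAML fields. METRICS_READER is the shape
# the thread converges on: get/list on pods in metrics.k8s.io, labelled so the
# built-in "view" role absorbs it. The role name is an assumption.
METRICS_READER = {
    "name": "system:aggregated-metrics-reader",
    "labels": {AGG_TO_VIEW: "true"},          # label values are strings
    "rules": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
               "verbs": ["get", "list"]}],
}
VIEW_ROLE = {  # the real "view" role grants far more; one core rule suffices here
    "name": "view",
    "aggregationRule": {"matchLabels": {AGG_TO_VIEW: "true"}},
    "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
               "verbs": ["get", "list", "watch"]}],
}


def aggregate(role, cluster_roles):
    """Effective rules of `role`: its own plus those of every other ClusterRole
    whose labels satisfy its aggregationRule selector (what the
    clusterrole-aggregation controller writes back into the role)."""
    rules = list(role.get("rules", []))
    selector = role.get("aggregationRule", {}).get("matchLabels", {})
    for cr in cluster_roles:
        if selector and cr is not role and all(
                cr.get("labels", {}).get(k) == v for k, v in selector.items()):
            rules.extend(cr.get("rules", []))
    return rules


# /apis/<group>/<version>/namespaces/<ns>/<resource>[/<name>[/<subresource>]]
_PATH = re.compile(r"^/apis/(?P<group>[^/]+)/(?P<version>[^/]+)/namespaces/"
                   r"(?P<ns>[^/]+)/(?P<resource>[^/]+)"
                   r"(?:/(?P<name>[^/]+)(?:/(?P<sub>.+))?)?$")


def request_attributes(method, path):
    """Map a GET on a namespaced API path to the attributes RBAC evaluates.
    No name means "list"; a name means "get" (a "*" name, the custom-metrics
    collection form, is treated as "list" - an assumption of this toy).
    Everything after the name is the subresource, so
    /namespaces/<ns>/jobs.batch/<name>/<metric> gives resource "jobs.batch"
    with subresource "<metric>"."""
    if method != "GET":
        raise ValueError("only GET is modelled")
    m = _PATH.match(path)
    if not m:
        raise ValueError("not a namespaced resource path: " + path)
    name = m.group("name") or ""
    return {"verb": "get" if name and name != "*" else "list",
            "apiGroup": m.group("group"), "resource": m.group("resource"),
            "subresource": m.group("sub") or "", "namespace": m.group("ns"),
            "name": name}


def rule_allows(rule, attrs):
    """One PolicyRule vs. one request, following upstream RBAC matching: verb
    and apiGroup must be listed (or "*"); a resources entry matches if it is
    "*", equals "resource" / "resource/subresource" exactly, or has the
    "*/subresource" form. A bare "jobs.batch" therefore never covers
    "jobs.batch/<metric>"; the subresource has to be spelled out."""
    if "*" not in rule["verbs"] and attrs["verb"] not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and attrs["apiGroup"] not in rule["apiGroups"]:
        return False
    sub = attrs["subresource"]
    combined = attrs["resource"] + ("/" + sub if sub else "")
    return any(r == "*" or r == combined or (sub and r == "*/" + sub)
               for r in rule["resources"])


def can_i(user, attrs, bindings, cluster_roles):
    """Namespaced check: a RoleBinding in the request's namespace naming `user`
    and referencing a ClusterRole grants that role's aggregated rules there.
    Returns (allowed, message) using the apiserver's Forbidden wording."""
    by_name = {cr["name"]: cr for cr in cluster_roles}
    for b in bindings:
        if b["namespace"] == attrs["namespace"] and user in b["subjects"]:
            role = by_name[b["roleRef"]]
            if any(rule_allows(r, attrs) for r in aggregate(role, cluster_roles)):
                return True, ""
    kind = attrs["resource"] + "." + attrs["apiGroup"]
    return False, '%s "%s" is forbidden: User "%s" cannot %s %s in the namespace "%s"' % (
        kind, attrs["name"], user, attrs["verb"], kind, attrs["namespace"])


def metrics_demo():
    """alice holds "view" in namespace app (constructed). Without the labelled
    role she gets the Forbidden from the issue; once it exists, aggregation
    makes the identical request succeed."""
    attrs = request_attributes(
        "GET", "/apis/metrics.k8s.io/v1beta1/namespaces/app/pods/web-0")
    bindings = [{"namespace": "app", "subjects": ["alice"], "roleRef": "view"}]
    before = can_i("alice", attrs, bindings, [VIEW_ROLE])
    after = can_i("alice", attrs, bindings, [VIEW_ROLE, METRICS_READER])
    return before, after


def custom_metrics_demo():
    """custom.metrics.k8s.io form: a rule naming only "jobs.batch" misses,
    one naming the metric as a subresource hits."""
    attrs = request_attributes("GET", "/apis/custom.metrics.k8s.io/v1beta1/"
                               "namespaces/app/jobs.batch/etl-1/queue_length")
    bare = {"apiGroups": ["custom.metrics.k8s.io"], "resources": ["jobs.batch"],
            "verbs": ["get"]}
    with_sub = dict(bare, resources=["jobs.batch/queue_length"])
    return rule_allows(bare, attrs), rule_allows(with_sub, attrs)


if __name__ == "__main__":
    print(metrics_demo())
    print(custom_metrics_demo())
```

On a real cluster the equivalent before/after check is `kubectl auth can-i get pods.metrics.k8s.io --as=<user> -n <namespace>` (or `oc auth can-i` on OpenShift), run once before and once after applying the labelled ClusterRole. One caveat when writing the manifest: label values are strings, so the YAML must quote it as `rbac.authorization.k8s.io/aggregate-to-view: "true"`; an unquoted `true` parses as a YAML boolean and the object is rejected.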

seh commented

Are you asking what URLs those translate to?

Yes, that's what I'm asking. I tried several of my guesses, and couldn't find any to which the API server responded positively.

there's a typo and they should have subresources of * attached

I'll add that subresource tomorrow morning and try a few URLs again.

More broadly, though, does this imply that the metrics server is collecting metrics on all of these resources today, or is it that if there were such metrics in the future, this is how we'd read them?

Does the "<metric>" placeholder in your URL template have any valid values today?

Those ones aren't actually related to metrics-server -- they're related to custom metrics adapters. They can be removed from the metrics-server version of the PR -- they were in the original PR since I figured I'd handle both "safe" metrics APIs in one go.

seh commented

Given that, I can whittle my ClusterRole down to granting "get" and "list" against the "pods" resource within the "metrics.k8s.io" group.

What's a good source for learning about these custom metrics adapters?

@seh take a look at the documentation in kubernetes-sigs/custom-metrics-apiserver#24