-
Notifications
You must be signed in to change notification settings - Fork 475
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request - toggle for Prometheus scraping as ClusterRole #717
Comments
This is expected, Prometheus needs to scrape in more than one namespace. The cluster role flag that you mention is only for the OpenFaaS Operator and does not configure the RBAC for Prometheus. Happy for you to send a PR, otherwise you'll need to wait for this to be prioritized. Premium Subscription customers get priority. |
/set title: Feature Request - toggle for Prometheus scraping as ClusterRole |
I took a look into this today to refresh my memory, you should read the notes on this PR: 71edafa#diff-48d9710e441cfca34edd16570dabeda39dc6ecfae662e42f4e9bab7813290aa7 And if converted to two Roles and RoleBindings to the Prometheus SA, the following error is given by Prometheus which fails to work:
With:
We would welcome your suggestions @dplusic |
A user was confused about the intent of the ClusterRole flag in the faas-netes chart. This should resolve any future ambiguity. Ref: #717 Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
Unless clusterRole is specified, the Prometheus role will be restricted to scraping from only a single namespace. This fixes issue: #717 where I user complained that they did not want to create a ClusterRole in their cluster. It has been tested with k3d and K8s 1.19 with and without the --set clusterRole=true flag passed into the faas-netes helm chart. The second Role and RoleBinding needed a different name to the ones in the primary namespace in order for the RBAC error to go away in Prometheus. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
Unless clusterRole is specified, the Prometheus role will be restricted to scraping from only a single namespace. This fixes issue: #717 where I user complained that they did not want to create a ClusterRole in their cluster. It has been tested with k3d and K8s 1.19 with and without the --set clusterRole=true flag passed into the faas-netes helm chart. The second Role and RoleBinding needed a different name to the ones in the primary namespace in order for the RBAC error to go away in Prometheus. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
Expected Behaviour
Helm Chart should not create
ClusterRole
whenclusterRole=false
.Current Behaviour
It creates
ClusterRole
even ifclusterRole=false
.Possible Solution
It should create
Role
instead ofClusterRole
.Steps to Reproduce (for bugs)
ClusterRole
helm install openfaas openfaas/openfaas --set clusterRole=false --set createCRDs=false
Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: clusterroles.rbac.authorization.k8s.io "openfaas-prometheus" is forbidden: User "system:serviceaccount:default:default" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Context
I want namespaced installation of openfaas.
Your Environment
FaaS-CLI version ( Full output from:
faas-cli version
): -Docker version
docker version
(e.g. Docker 17.0.05 ): -What version and distriubtion of Kubernetes are you using?
kubectl version
Operating System and version (e.g. Linux, Windows, MacOS):
Ubuntu 18.04 on WSL
Link to your project or a code example to reproduce issue: -
What network driver are you using and what CIDR? i.e. Weave net / Flannel: -
The text was updated successfully, but these errors were encountered: