K
Q

Prometheus unauthorized access to Azure Kubernetes API

9/21/2018

I'm trying to setup a Prometheus monitoring on a dedicated Linux VM to get Kubernetes cluster metrics.

Whatever I try, I'm always blocked with the nice message Unauthorized...

This is my scrape config for pods:

- job_name: 'Kubernetes'
scheme: https
tls_config:
  insecure_skip_verify: true
bearer_token: %VeryLongLine%
kubernetes_sd_configs:
- api_server: https://%ClusterName%.hcp.westeurope.azmk8s.io
  tls_config:
    insecure_skip_verify: true
  role: node
  namespaces:
    names: [default]

The token is the correct one because a Invoke-WebRequest from PowerShell works just fine.

Does anyone have an idea?

Thank you

-- KAMI
kubernetes
prometheus

Similar Questions

curl: (7) Failed connect to xx.xx.xx.xx:80; Connection refused
Apache Camel with Kubernetes
rancher 2.x thru ingress controller returns 404
Configure Kubernetes cpu memory request and limit for a jenkins slaves created with jenkinsci kubernetes-plugin
AWS Elastic Kubernetes (EKS) not autoscaling
Cannot find 'fake' package from k8s.io/client-go

2 Answers

9/25/2018
- job_name: 'Kubernetes'
  scheme: https
  tls_config:
   insecure_skip_verify: true
  kubernetes_sd_configs:
  - api_server: https://%ClusterName%.hcp.westeurope.azmk8s.io
    bearer_token: %VeryLongLine%
    role: node
    namespaces:
      names: [default]

Bearer token at the right place, so in the kubernetes config and not the job

-- KAMI
Source: StackOverflow
9/21/2018

Looks like you are missing the CA for your service account:

- job_name: 'Kubernetes'
  scheme: https
  tls_config:
    insecure_skip_verify: true
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
  bearer_token: %VeryLongLine%
  kubernetes_sd_configs:
  - api_server: https://%ClusterName%.hcp.westeurope.azmk8s.io
    role: node
    namespaces:
      names: [default]

Hope it helps!

-- Rico
Source: StackOverflow