k3s: permissions necessary to access metrics server?

8/8/2021

I'd like to grant a service account the ability to access the metrics exposed by the metrics-server service (https://metrics-server.kube-system/metrics). If I create a serviceaccount...

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader
  namespace: prometheus

...and then grant it cluster-admin privileges...

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-reader-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: metrics-reader
  namespace: prometheus

...it works! I can use the account token to access the metrics server:

curl -k --header "Authorization: Bearer $token" https://metrics-server.kube-system/metrics

But I don't want to require cluster-admin access just to read metrics. I tried to use the view cluster role instead of cluster-admin, but that fails.

Is there an existing role that would grant the appropriate access? If not, what are the specific permissions necessary to grant read-only access to the metrics-server /metrics endpoint?

-- larsks
authorization
kubernetes
metrics

1 Answer

8/9/2021

Interesting question. I've found some info for you; however, I'm not sure it's 100% helpful. It needs more research and reproducing.

  1. Check RBAC Deny when requesting metrics. Something like below?

apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-reader
  namespace: prometheus

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: view-metrics
rules:
- apiGroups:
    - metrics.k8s.io
  resources:
    - pods
    - nodes
  verbs:
    - get
    - list
    - watch

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view-metrics
subjects:
- kind: ServiceAccount
  name: metrics-reader
  namespace: prometheus

  2. It seems there is an aggregated-metrics-reader clusterrole (or there was).

Aggregated ClusterRoles are documented in: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles. The purpose of the system:aggregated-metrics-reader ClusterRole is to aggregate the rules that grant permission to get the pod and node metrics to the view, edit and admin roles.

However, I wasn't able to find any reference to the aggregated-metrics-reader clusterrole in the current version of that doc.

You can find a huge example of using this clusterrole in "Metrics server unable to scrape".

In addition, check the GitHub PR "This adds the aggregated-metrics-reader ClusterRole which was missing":

What this PR does / why we need it: This adds the aggregated-metrics-reader ClusterRole which was missing, and seems to be required for k8s 1.8+ per the metrics-server documentation and default deploy manifests

Unfortunately, the link in that PR directs to nowhere. I'm starting to think this is obsolete info for 1.8 clusters. I will update the answer in case I find anything more relevant.

-- Vit
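The question's curl hits a raw path (https://metrics-server.kube-system/metrics), while the answer's view-metrics ClusterRole grants resource rules on the metrics.k8s.io API group. In Kubernetes RBAC those are two separate kinds of rule: resource rules (apiGroups/resources/verbs) and non-resource rules (nonResourceURLs/verbs), and one kind never satisfies the other kind of request. The Python below is an added example, not code from the thread or from metrics-server, that models that matching logic and evaluates the answer's role next to a hypothetical least-privilege role with a nonResourceURLs rule. Whether metrics-server actually authorizes /metrics as a non-resource GET (via delegated authorization to the API server) is an assumption stated in the code; verify it on your cluster with `kubectl auth can-i get /metrics --as=system:serviceaccount:prometheus:metrics-reader` before relying on it.

```python
"""Minimal model of Kubernetes RBAC PolicyRule matching (added example, not from the thread).

Two kinds of rule exist in rbac.authorization.k8s.io/v1:
  * resource rules:     apiGroups + resources + verbs (+ optional resourceNames)
  * non-resource rules: nonResourceURLs + verbs
A request is either a resource request or a non-resource request, and each is
matched only by its own kind of rule.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PolicyRule:
    verbs: List[str]
    api_groups: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    resource_names: List[str] = field(default_factory=list)
    non_resource_urls: List[str] = field(default_factory=list)


@dataclass
class ResourceRequest:
    verb: str
    api_group: str          # "" is the core group
    resource: str           # e.g. "pods" or "pods/log"
    name: Optional[str] = None


@dataclass
class NonResourceRequest:
    verb: str               # lower-cased HTTP method, e.g. "get"
    path: str               # e.g. "/metrics"


def _verb_matches(rule: PolicyRule, verb: str) -> bool:
    return "*" in rule.verbs or verb in rule.verbs


def _group_matches(rule: PolicyRule, group: str) -> bool:
    return "*" in rule.api_groups or group in rule.api_groups


def _resource_matches(rule: PolicyRule, resource: str) -> bool:
    if "*" in rule.resources or resource in rule.resources:
        return True
    # "pods/*" matches any subresource of pods, e.g. "pods/log"
    if "/" in resource:
        parent = resource.split("/", 1)[0]
        return parent + "/*" in rule.resources
    return False


def _name_matches(rule: PolicyRule, name: Optional[str]) -> bool:
    # An empty resourceNames list means "any name"
    return not rule.resource_names or (name is not None and name in rule.resource_names)


def _url_matches(rule: PolicyRule, path: str) -> bool:
    for pattern in rule.non_resource_urls:
        if pattern == "*" or pattern == path:
            return True
        # A trailing "*" matches a path prefix, e.g. "/api/*"
        if pattern.endswith("*") and path.startswith(pattern[:-1]):
            return True
    return False


def rule_allows(rule: PolicyRule, request) -> bool:
    if not _verb_matches(rule, request.verb):
        return False
    if isinstance(request, NonResourceRequest):
        # Resource rules never authorize non-resource paths
        return bool(rule.non_resource_urls) and _url_matches(rule, request.path)
    # ...and non-resource rules never authorize API resources
    return (bool(rule.resources)
            and _group_matches(rule, request.api_group)
            and _resource_matches(rule, request.resource)
            and _name_matches(rule, request.name))


def role_allows(rules: List[PolicyRule], request) -> bool:
    """True if any rule of the (Cluster)Role authorizes the request."""
    return any(rule_allows(r, request) for r in rules)


# The answer's view-metrics ClusterRole, transcribed from its YAML
VIEW_METRICS = [
    PolicyRule(verbs=["get", "list", "watch"],
               api_groups=["metrics.k8s.io"], resources=["pods", "nodes"]),
]

# Hypothetical least-privilege role for the raw /metrics path. Assumption:
# metrics-server authorizes that path as a non-resource GET via delegated authz.
METRICS_ENDPOINT_READER = [
    PolicyRule(verbs=["get"], non_resource_urls=["/metrics"]),
]

API_REQUEST = ResourceRequest(verb="get", api_group="metrics.k8s.io", resource="pods")
SCRAPE_REQUEST = NonResourceRequest(verb="get", path="/metrics")


def evaluate() -> dict:
    """Which role authorizes which request (constructed sample requests above)."""
    return {
        "view-metrics allows get pods.metrics.k8s.io": role_allows(VIEW_METRICS, API_REQUEST),
        "view-metrics allows GET /metrics": role_allows(VIEW_METRICS, SCRAPE_REQUEST),
        "metrics-endpoint-reader allows GET /metrics": role_allows(METRICS_ENDPOINT_READER, SCRAPE_REQUEST),
        "metrics-endpoint-reader allows get pods.metrics.k8s.io": role_allows(METRICS_ENDPOINT_READER, API_REQUEST),
    }


if __name__ == "__main__":
    for check, ok in evaluate().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

The point the model makes explicit is why cluster-admin "works" (its rules are `*` on both kinds) while the view role and the answer's view-metrics role do not: neither carries a nonResourceURLs rule, so a scrape of the raw path is denied regardless of how many metrics.k8s.io resources they grant. The converse also holds: a role that only lists `/metrics` cannot read pod metrics through the aggregated API, so pick the rule kind that matches how your client actually talks to metrics-server.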
Source: StackOverflow