Tags: kubernetes, terraform, prometheus, rbac, prometheus-operator

What roles required for PodMonitor to list pods?


I have this repo terraform1#prometheus-operator. I got it working previously with normal Prometheus (without the operator); now I'm testing it with prometheus-operator so that if the pod is scaled horizontally, it can still scrape all metrics correctly from all pods, not just from one pod.

This article shows step by step how to run minikube and terraform.

After deployed, it shows properly:

k get pods -n pf1ns -w
NAME                                               READY   STATUS    RESTARTS   AGE
keda-admission-webhooks-76cd6c4b59-6b59r           1/1     Running   0          20h
keda-operator-5bb494667b-bb2bl                     1/1     Running   0          20h
keda-operator-metrics-apiserver-68d9f78869-d65vj   1/1     Running   0          20h
prometheus-pf1prom-0                               2/2     Running   0          3m9s
promfiberdeploy-868697d555-2jfgv                   1/1     Running   0          20h

but there's an error on prometheus-pf1prom-0:

ts=2023-07-04T17:23:40.085Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:pf1ns:pf1promsvcacc\" cannot list resource \"pods\" in API group \"\" in the namespace \"pf1ns\""

What roles are required to list pods? There's already a pod permission:

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints", "pods"]
    verbs      = ["get", "list", "watch"]
  }

Solution

  • Make sure you attach the created Role to the ServiceAccount using a RoleBinding.
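As an added example (not code from the question's repo), here is the complete namespaced Role from the question together with the RoleBinding that was missing, written for the Terraform kubernetes provider. The resource names `prometheus` and the object names `pf1prom-role` / `pf1prom-rolebinding` are my assumptions; the namespace `pf1ns` and the ServiceAccount `pf1promsvcacc` come from the error message in the question.

```hcl
# Namespaced Role: the permissions alone do nothing until a subject is bound to them.
# A Role (not a ClusterRole) keeps the grant limited to pf1ns, which is all the
# PodMonitor needs to discover pods in that namespace.
resource "kubernetes_role" "prometheus" {
  metadata {
    name      = "pf1prom-role"      # assumed name
    namespace = "pf1ns"
  }

  rule {
    api_groups = [""]
    resources  = ["services", "endpoints", "pods"]
    verbs      = ["get", "list", "watch"]
  }
}

# RoleBinding: this is the piece that attaches the Role above to the
# ServiceAccount the Prometheus pod runs as. Without it the API server answers
# "pods is forbidden" even though the Role exists.
resource "kubernetes_role_binding" "prometheus" {
  metadata {
    name      = "pf1prom-rolebinding"  # assumed name
    namespace = "pf1ns"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.prometheus.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = "pf1promsvcacc"   # from the forbidden error in the question
    namespace = "pf1ns"
  }
}
```

After `terraform apply`, `kubectl auth can-i list pods -n pf1ns --as=system:serviceaccount:pf1ns:pf1promsvcacc` should answer `yes`; if it still says `no`, the binding's subject or namespace does not match the account in the error message.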