kube-prometheus
k3s - HTTP status 401 Unauthorized
What did you do?
We've deployed kube-prometheus to our k3s cluster using the Quickstart Guide.
Did you expect to see something different?
All targets healthy and not reported as down in prometheus. The problem is probably related to RBAC.
Prometheus Targets
monitoring/kube-state-metrics/0 (0/1 up)
https://10.42.0.11:8443/metrics
server returned HTTP status 401 Unauthorized
monitoring/kube-state-metrics/1 (0/1 up)
server returned HTTP status 401 Unauthorized
https://10.42.0.11:9443/metrics
monitoring/node-exporter/0 (0/1 up)
https://159.65.aaa.bbb:9100/metrics
server returned HTTP status 401 Unauthorized
Environment
K3s 0.8.1
K8s v1.14.6
Kube-prometheus 0.2
Log output.
kube-rbac-proxy-main
E0921 12:14:01.518665 1 webhook.go:106] Failed to make webhook authenticator request: the server could not find the requested resource
E0921 12:14:01.518704 1 proxy.go:67] Unable to authenticate the request due to an error: the server could not find the requested resource
kube-rbac-proxy-self
E0921 12:15:19.846455 1 webhook.go:106] Failed to make webhook authenticator request: the server could not find the requested resource
E0921 12:15:19.846494 1 proxy.go:67] Unable to authenticate the request due to an error: the server could not find the requested resource
Found the cause of the issue.
I found my issue with k8s audit: kube-rbac-proxy uses authentication.k8s.io/v1beta1 to authenticate the token, but k3s removed v1beta1 in favor of v1.
https://github.com/carlosedp/cluster-monitoring/issues/13
Cannot be easily fixed until kubernetes api server migrates to v1 in https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go#L36
Maybe I'm totally misunderstanding, but doesn't that just mean we need to update kube-rbac-proxy to use the v1 API?
Yes, that's exactly what needs to be done and I started doing that. However, there is a transient dependency on v1beta1 coming from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go#L36
I see. Maybe worth asking in kubernetes slack if this is a leftover, and just needs to be done.
Asked. This change is not planned yet.
Just checking in on this. k3s no longer supports rbac v1beta1.
Any updates? Somehow this is causing kube-rbac-proxy to throttle.

This issue has been automatically marked as stale because it has not had any activity in the last 60 days. Thank you for your contributions.
This issue was closed because it has not had any activity in the last 120 days. Please reopen if you feel this is still valid.
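
A check for the cause identified in this thread, added here as an example (not code from kube-prometheus, kube-rbac-proxy or any commenter): it reads `kubectl api-versions` output and reports which review API versions the cluster does not serve, defaulting to authentication.k8s.io/v1beta1. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which required API group/versions a cluster does not serve.
# stdin: output of `kubectl api-versions` (one group/version per line).
# args : group/versions the proxy needs; defaults to the one named in this thread.
# Prints the missing group/versions and returns 1, or returns 0 if all are served.

missing_review_apis() {
    [ "$#" -gt 0 ] || set -- "authentication.k8s.io/v1beta1"
    served=$(cat)
    missing=""
    for gv in "$@"; do
        # -x matches the whole line and -F treats the name as a fixed string,
        # so "authentication.k8s.io/v1" does not satisfy a check for ".../v1beta1".
        if ! printf '%s\n' "$served" | grep -qxF -- "$gv"; then
            missing="${missing}${missing:+ }${gv}"
        fi
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: a cluster that serves only v1 of the review APIs,
# the situation described above for k3s.
SAMPLE_V1_ONLY='apps/v1
authentication.k8s.io/v1
authorization.k8s.io/v1
rbac.authorization.k8s.io/v1
v1'

# Constructed sample: a cluster that still serves authentication.k8s.io/v1beta1.
SAMPLE_WITH_BETA='apps/v1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
v1'

# Live use (requires cluster access):
#   kubectl api-versions | missing_review_apis
```

A non-empty result alongside the "Failed to make webhook authenticator request: the server could not find the requested resource" log line points to the API version mismatch rather than to a missing RBAC binding.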