From bc750aec335aa48a24a6129097ac8e5cb39ad1a7 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Thu, 18 Oct 2018 20:39:30 -0700 Subject: [PATCH] Configure Heapster to source metrics from Kubelet authenticated API * Heapster can now get nodes (i.e. kubelets) from the apiserver and source metrics from the Kubelet authenticated API (10250) instead of the Kubelet HTTP read-only API (10255) * https://github.com/kubernetes/heapster/blob/master/docs/source-configuration.md * Use the heapster service account token via Kubelet bearer token authn/authz. * Permit Heapster to skip CA verification. The CA cert does not contain IP SANs and cannot since nodes get random IPs that aren't known upfront. Heapster obtains the node list from the apiserver, so the risk of spoofing a node is limited. For the same reason, Prometheus scrapes must skip CA verification for scraping Kubelet's provided by the apiserver. * https://github.com/poseidon/typhoon/blob/v1.12.1/addons/prometheus/config.yaml#L68 * Create a heapster ClusterRole to work around the default Kubernetes `system:heapster` ClusterRole lacking the proper GET `nodes/stats` access. See https://github.com/kubernetes/heapster/issues/1936 --- CHANGES.md | 4 +++ addons/heapster/cluster-role-binding.yaml | 2 +- addons/heapster/cluster-role.yaml | 30 +++++++++++++++++++++++ addons/heapster/deployment.yaml | 2 +- 4 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 addons/heapster/cluster-role.yaml diff --git a/CHANGES.md b/CHANGES.md index 64b7f17c..a2eba4c4 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -10,6 +10,10 @@ Notable changes between versions. * Add `disk_iops` variable for EBS volume IOPS ([#314](https://github.com/poseidon/typhoon/pull/314)) +#### Addons + +* Configure Heapster to scrape Kubelets with bearer token auth ([#323](https://github.com/poseidon/typhoon/pull/323)) + ## v1.12.1 * Kubernetes [v1.12.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md#v1121) diff --git a/addons/heapster/cluster-role-binding.yaml b/addons/heapster/cluster-role-binding.yaml index 9ae16e6d..6a36f080 100644 --- a/addons/heapster/cluster-role-binding.yaml +++ b/addons/heapster/cluster-role-binding.yaml @@ -5,7 +5,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:heapster + name: heapster subjects: - kind: ServiceAccount name: heapster diff --git a/addons/heapster/cluster-role.yaml b/addons/heapster/cluster-role.yaml new file mode 100644 index 00000000..7f4ac13f --- /dev/null +++ b/addons/heapster/cluster-role.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: heapster +rules: +- apiGroups: + - "" + resources: + - events + - namespaces + - nodes + - pods + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get diff --git a/addons/heapster/deployment.yaml b/addons/heapster/deployment.yaml index 82adcd08..3e1424d3 100644 --- a/addons/heapster/deployment.yaml +++ b/addons/heapster/deployment.yaml @@ -23,7 +23,7 @@ spec: image: k8s.gcr.io/heapster-amd64:v1.5.4 command: - /heapster - - --source=kubernetes.summary_api:'' + - --source=kubernetes.summary_api:''?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250&insecure=true livenessProbe: httpGet: path: /healthz