Hi,
I'm trying to monitor k8s cluster A from my Zabbix instance (installed in k8s cluster Z). I followed the steps indicated at https://www.zabbix.com/integrations/kubernetes and set values for:
- {$KUBE.API.URL} = https://$IP_OR_DNSNAME_OF_A_CONTROL_PLANE:6443/api
- {$KUBE.STATE.ENDPOINT.NAME} = zabbix-agent-kube-state-metrics
- {$KUBE.API.TOKEN} --> obtained doing:
Code:
kubectl -n zabbix get secret -o jsonpath={.data.token} zabbix-service-account | base64 -d
for the hosts created to set the templates Kubernetes cluster state by HTTP and Kubernetes nodes by HTTP
but I get this error:
Code:
250:20240124:172134.576 [ Kubernetes ] ERROR: Request failed with status code 403: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"v1 \"nodes\" is forbidden: User \"system:serviceaccount:zabbix:zabbix-service-account\" cannot get resource \"v1\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"name":"nodes","kind":"v1"},"code":403}
I know TOKEN is right because:
Code:
$ curl -X GET https://$IP_OR_DNSNAME_OF_A_CONTROL_PLANE:6443/api --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "$IP:6443"
    }
  ]
}
Code:
curl -X GET https://$IP_OR_DNSNAME_OF_A_CONTROL_PLANE:6443/endpoints --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:zabbix:zabbix-service-account\" cannot get path \"/endpoints\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
My guess is that some grants are missing for the service account system:serviceaccount:zabbix:zabbix-service-account, but even when I tried to grant admin permissions I got the same result.
Any idea what I am missing here?
Thanks!
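A small parser for the two 403 bodies quoted above, added here as an example (not part of the original post, nor Zabbix or Kubernetes code): it extracts the subject, verb, resource or path, and scope that the API server refused, which is what an RBAC rule has to match. The function name `parse_forbidden`, the `suspect_path` heuristic and the rejoined sample strings are assumptions of this example.

```python
import json
import re

# Constructed samples: the two 403 bodies from the post, rejoined onto one line and closed.
SA = r'system:serviceaccount:zabbix:zabbix-service-account'
RESOURCE_403 = (r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
                r'"message":"v1 \"nodes\" is forbidden: User \"' + SA + r'\" cannot get '
                r'resource \"v1\" in API group \"\" at the cluster scope",'
                r'"reason":"Forbidden","details":{"name":"nodes","kind":"v1"},"code":403}')
PATH_403 = (r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
            r'"message":"forbidden: User \"' + SA + r'\" cannot get path \"/endpoints\"",'
            r'"reason":"Forbidden","details":{},"code":403}')

RESOURCE_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]*)"'
                         r' in API group "(?P<group>[^"]*)"'
                         r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]*)")')
PATH_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) path "(?P<path>[^"]*)"')
VERSION_RE = re.compile(r'^v\d+(?:(?:alpha|beta)\d+)?$')


def parse_forbidden(body):
    """Turn an API-server 403 Status body into the request that authorization denied."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    msg = status.get("message", "")
    m, kind = RESOURCE_RE.search(msg), "resource"
    if m is None:
        m, kind = PATH_RE.search(msg), "non-resource"
    if m is None:
        raise ValueError("unrecognised Forbidden message: " + msg)
    out = dict(m.groupdict(), type=kind)
    parts = out["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        out["sa_namespace"], out["sa_name"] = parts[2], parts[3]
    if kind == "resource":
        out["scope"] = "namespace" if out["namespace"] else "cluster"
        out["name"] = status.get("details", {}).get("name")
        # Heuristic (assumption of this example): resources are plurals such as "nodes";
        # a version string in this slot suggests the request URL had an extra path segment.
        out["suspect_path"] = bool(VERSION_RE.match(out["resource"]))
    return out


if __name__ == "__main__":
    for body in (RESOURCE_403, PATH_403):
        print(parse_forbidden(body))
```

For the first body it reports a cluster-scoped `get` on resource `v1` with name `nodes`; for the second, a non-resource `get` on the path `/endpoints`.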