Description
Is your feature request related to a problem?
I use kubeRBACproxy to make the metrics endpoint HTTPS, and I install node-exporter in a different cluster from Prometheus. I use a serviceaccount token for auth, but the error that always appears is Forbidden when trying to curl the HTTPS metrics from a different cluster.
Describe the solution you'd like.
When the node-exporter installation is finished, there is a note like this:
    kube-rbac-proxy endpoint protections is enabled:
    - Metrics endpoints is now HTTPS
    - Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions:
    rules:
      - apiGroups: [ "" ]
        resources: ["services/prometheus-node-exporter"]
        verbs:
          - get
So as a temporary solution, I need to manually add that rule to the node-exporter clusterrole to allow the serviceaccount token to work well.
Possible solution: Add permissions for CustomResources' apiGroups in Role/ClusterRole. Should be used in conjunction with Custom Resource Node Exporter configuration.
Describe alternatives you've considered.
Add extraRules: [] to the rbac section
Additional context.
Here's the situation when encountering this issue:
Creating a secret token, then restarting the node-exporter pods and trying to curl with that secret token. The result is forbidden:
Trying to add an extra rule to the clusterrole and then restarting the node-exporter pods again.
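
One way to grant the rule from the chart's note to a dedicated scraping identity instead of editing the node-exporter ClusterRole by hand (an added example, not part of the original issue or the chart's own manifests). The namespace `monitoring` and the names `remote-scraper` and `node-exporter-metrics-reader` are assumptions; the service name `prometheus-node-exporter` is taken from the note above.

```yaml
# Added example: apply in the cluster that runs node-exporter, because
# kube-rbac-proxy validates bearer tokens against that cluster's API server.
# "monitoring" and "remote-scraper" are assumed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: remote-scraper
  namespace: monitoring
---
# Long-lived token for the service account above; the remote Prometheus
# presents it as its bearer token when scraping.
apiVersion: v1
kind: Secret
metadata:
  name: remote-scraper-token
  namespace: monitoring
  annotations:
    kubernetes.io/service-account.name: remote-scraper
type: kubernetes.io/service-account-token
---
# Only the permission named in the chart's note, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-exporter-metrics-reader
rules:
  - apiGroups: [""]
    resources: ["services/prometheus-node-exporter"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-exporter-metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-exporter-metrics-reader
subjects:
  - kind: ServiceAccount
    name: remote-scraper
    namespace: monitoring
# Check that the rule is granted before scraping:
#   kubectl auth can-i get services --subresource=prometheus-node-exporter \
#     --as=system:serviceaccount:monitoring:remote-scraper -n monitoring
```

A token issued by the Prometheus cluster will not pass authentication here, however the rules are set, because the service account has to exist in the cluster whose API server kube-rbac-proxy queries.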