Issue:-
Metric server is unable to load the configmap "extension-apiserver-authentication" and giving forbidden due to which metricserver does show load with kubectl top command.
Error:-
panic: unable to load configmap based request-header-client-ca-file: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:kubernetes-infra:metrics-server" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
Effect:-
Metric server doesn't work and kubectl top command fails
Error from server (ServiceUnavailable): the server is currently unable to handle the request (get nodes.metrics.k8s.io)
Resolution:-
Replace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
WITH
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: metrics-server
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- nodes/metrics
verbs:
- get
- apiGroups:
- ""
resources:
- pods
- nodes
- nodes/stats
- namespaces
- configmaps
Explanation:-
In the latest version of the metricserver , the yaml has reduced resources on which metrics server can authorise. So we need to add the nodes/stats , namespaces and configmaps which are used by the metric server for working. Because of the above missing resource when it tries to contact configmaps it getting an error after the resources in the yaml it as it able to successfully connect to the configmaps and run the top command.
0 comments:
Post a Comment