Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ws-man-bridge] Add cluster role binding to scrape metrics #10034

Merged
merged 1 commit into from
May 16, 2022
Merged

[ws-man-bridge] Add cluster role binding to scrape metrics #10034

merged 1 commit into from
May 16, 2022

Conversation

easyCZ
Copy link
Member

@easyCZ easyCZ commented May 16, 2022
edited
Loading

Description

ws-manager-bridge is not being scraped correctly due to missing cluster role binding, logs show:

E0513 13:49:49.791452       1 webhook.go:111] Failed to make webhook authenticator request: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:default:ws-manager-bridge" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope
E0513 13:49:49.791513       1 proxy.go:73] Unable to authenticate the request due to an error: tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:default:ws-manager-bridge" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope

This change adds the necessary role binding so that the kube-rbac-proxy sidecar can be scraped. This is the same as we do for other components, such as server.

Related Issue(s)

None

How to test

None

Release Notes

[ws-manager-bridge] Fix cluster role binding to scrape metrics

Documentation

NONE

@easyCZ easyCZ requested a review from a team May 16, 2022 08:33
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label May 16, 2022
andrew-farries
andrew-farries reviewed May 16, 2022
View reviewed changes
install/installer/pkg/components/ws-manager-bridge/rolebinding.go
Comment on lines +27 to +35
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace),
APIGroup: "rbac.authorization.k8s.io",
},
Subjects: []rbacv1.Subject{{
Kind: "ServiceAccount",
Name: Component,
Namespace: ctx.Namespace,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we want to bind the ws-manager-bridge to the kube-rbac-proxy cluster role? Given the role's name, I'd assume that it is intended to have the only the kube-rbac-proxy service account bound to it.

@roboquat roboquat merged commit 6913b4f into main May 16, 2022
@roboquat roboquat deleted the mp/ws-man-bridge-fix-metrics branch May 16, 2022 08:48
@easyCZ
Copy link
Member Author

easyCZ commented May 16, 2022

We can test this once it lands in staging. https://grafana.gitpod-staging.com/explore?orgId=1&left=%7B%22datasource%22:%22VictoriaMetrics%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22instant%22:true,%22range%22:true,%22exemplar%22:false,%22expr%22:%22gitpod_ws_manager_bridge_stale_prebuild_events_total%22%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D should show data

@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels May 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrew-farries andrew-farries andrew-farries approved these changes

Assignees
No one assigned
Labels
deployed: webapp Meta team change is running in production deployed Change is completely running in production release-note size/S team: webapp Issue belongs to the WebApp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@easyCZ @andrew-farries @roboquat