wait-for-endpoints init-containers fails to load with k8s 1.6.0 about prometheus HOT 8 OPEN

For reference, I was able to resolve the new 1.6 RBAC reqirements by giving it "god" mode

kubectl create clusterrolebinding add-on-cluster-admin-monitoring --clusterrole=cluster-admin --serviceaccount=monitoring:default

This is not a long term solution but it will work as a hack for now. Could you please provide a better "read-only" RBAC for 1.6?

from prometheus.

that command is new in kubectl 1.6.0

from prometheus.

FYI I also believe this issue is related to #48

from prometheus.

strange - I am getting:

Error: unknown flag: --clusterrole

from prometheus.

Boom - that was it. gcloud components update is your friend. ;)

from prometheus.

we're also running into this. been debugging for 2 hours now. to me it seems it's just an issue with fish?

because this works

curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --header \"Authorization: Bearer \"(cat /var/run/secrets/kubernetes.io/serviceaccount/token) https://kubernetes.default.svc/api/v1/namespaces/monitoring/endpoints/grafana

but when i do:

set endpoints (curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --header \"Authorization: Bearer \"(cat /var/run/secrets/kubernetes.io/serviceaccount/token) https://kubernetes.default.svc/api/v1/namespaces/monitoring/endpoints/grafana); echo $endpoints;

then $endpoints is always empty.

never used fish before, any ideas?

from prometheus.

@chapati23 Try this command:

curl -sX GET -H "Authorization:bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" -k https://kubernetes.default/api/v1/namespaces/monitoring/endpoints/grafana

Change it in manifests-all.yaml to

"command": ["fish", "-c", "echo \"waiting for endpoints...\"; while true; set endpoints (curl -sX GET -H \"Authorization:bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`\" -k https://kubernetes.default/api/v1/namespaces/monitoring/endpoints/grafana); echo $endpoints | jq \".\"; if test (echo $endpoints | jq -r \".subsets[]?.addresses // [] | length\") -gt 0; exit 0; end; echo \"waiting...\";sleep 1; end"],

There is no need to set ca.crt and if you do that will make an error.

from prometheus.

I wouldn't recommend getting in the habit of using -k in actual checked-in manifests... skipping TLS verification at the same time you're sending a bearer token opens you to MITM attacks

from prometheus.