Prometheus kubelet metrics server returned HTTP status 403 Forbidden
I have recently been working a lot with Kubernetes and needed to install some monitoring to better profile the cluster and its components. I settled on prometheus-operator and installed it using their deploy script. It all looked good: no errors, and all the pods and services were running. I then launched the Prometheus web interface and saw a bunch of errors; it was not able to access the kubelet metrics.
Setup
I first cloned the project for prometheus-operator
git clone git@github.com:coreos/prometheus-operator.git
After that I then ran the deployment for cluster monitoring.
$ cd prometheus-operator/
$ contrib/kube-prometheus/hack/cluster-monitoring/deploy
After everything was installed, I created my own ingress resources. We're running ingress-nginx, so I wrote a few quick Ingress definitions and applied them to the cluster so I could reach the UIs remotely. Keep in mind what this publishes: Prometheus and Alertmanager have no authentication of their own, so anyone who can reach these hostnames can query every metric and silence alerts. Put authentication in front of them at the ingress (ingress-nginx supports basic auth and source-IP whitelisting through annotations) or keep the hostnames on an internal network.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: alertmanager-ingress
  namespace: monitoring
  labels:
    app: alertmanager-main
spec:
  rules:
  - host: alert.example.com
    http:
      paths:
      - backend:
          serviceName: alertmanager-main
          servicePort: 9093
        path: /
  tls:
  - hosts:
    - alert.example.com
    secretName: example-com-tls
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: monitoring
  labels:
    app: grafana
spec:
  rules:
  - host: gra.example.com
    http:
      paths:
      - backend:
          serviceName: grafana
          servicePort: 3000
        path: /
  tls:
  - hosts:
    - gra.example.com
    secretName: example-com-tls
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus-ingress
  namespace: monitoring
  labels:
    app: prometheus-operated
spec:
  rules:
  - host: prom.example.com
    http:
      paths:
      - backend:
          serviceName: prometheus-operated
          servicePort: 9090
        path: /
  tls:
  - hosts:
    - prom.example.com
    secretName: example-com-tls
You can save that as prometheus-ingress.yaml (the three documents are separated by `---` lines), then apply it.
$ kubectl apply -f prometheus-ingress.yaml
Now that you've got Prometheus running and ingress routing set up, we can do a test. Launch a web browser and go to
https://prom.example.com/targets
Once that opens, check whether any of the targets show errors. Everything should look good except for the kubelet section; that is where every one of my kubelet scrapes failed. The error I had was
HTTP status 403 Forbidden
After some research I found that, on a cluster built with kubeadm, the pod installation is not the end of it: kube-prometheus documents an additional setup step for kubeadm clusters.
Following those instructions, you need to modify some configuration files on your master node. The kubelet change applies to every node Prometheus scrapes, so repeat it on your worker nodes as well.
First, update the kubelet service to enable webhook token authentication and restart it. This is the actual cause of the 403: the kubelet was started with --authorization-mode=Webhook but without --authentication-token-webhook=true, so it never asks the API server to validate the service account bearer token Prometheus sends. The scrape is treated as an anonymous request, and the webhook authorizer denies it. Two things to know about the script below: it only inserts the new flag if --authorization-mode=Webhook is already present in the drop-in, so grep the file afterwards to confirm the flag actually landed; and it deletes kubeadm's --cadvisor-port=0 setting, which re-enables the kubelet's standalone cAdvisor port (4194 by default), an endpoint that serves container metrics with no authentication, so firewall it to your Prometheus pods if you leave it on.
KUBEADM_SYSTEMD_CONF=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
sed -e "/cadvisor-port=0/d" -i "$KUBEADM_SYSTEMD_CONF"
if ! grep -q "authentication-token-webhook=true" "$KUBEADM_SYSTEMD_CONF"; then
  sed -e "s/--authorization-mode=Webhook/--authentication-token-webhook=true --authorization-mode=Webhook/" -i "$KUBEADM_SYSTEMD_CONF"
fi
systemctl daemon-reload
systemctl restart kubelet
Next, modify the kube-controller-manager and kube-scheduler static pod manifests so they listen on all interfaces instead of loopback; Prometheus scrapes them over the pod network, which never reaches 127.0.0.1. Be aware of what this opens up: at the time, --address controlled the insecure HTTP port of each component (10252 for the controller manager, 10251 for the scheduler), which serves /metrics and /healthz without TLS or authentication. Binding it to 0.0.0.0 exposes it on every interface of the master, so restrict those ports with a host firewall or security group to the addresses your Prometheus pods scrape from.
sed -e "s/- --address=127.0.0.1/- --address=0.0.0.0/" -i /etc/kubernetes/manifests/kube-controller-manager.yaml
sed -e "s/- --address=127.0.0.1/- --address=0.0.0.0/" -i /etc/kubernetes/manifests/kube-scheduler.yaml
These are static pods, so the kubelet notices the edited manifests and recreates them on its own after about a minute; no manual restart is needed.
Once you have made these changes, go back to your Prometheus targets page. After a minute or so the kubelet, controller manager and scheduler targets should all turn green and the error messages should be gone.
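As an added example (not code from the original post or from kube-prometheus), the script below wraps the kubelet drop-in edit from the procedure above in a function that reports what it did, including the case the post's sed silently ignores (no --authorization-mode=Webhook in the file), runs it first against a constructed copy so the change can be reviewed before touching the live file, and adds a curl check of the kubelet's /metrics endpoint that should go from 403 to 200 once the kubelet is restarted. It assumes GNU sed (for -i without a suffix), curl, and a kubeadm-style drop-in; the sample drop-in content, the node name, port 10250 and the token argument are placeholders, not values from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from kube-prometheus.
# Assumes GNU sed and curl. Sample drop-in below is constructed and modelled
# on the kubeadm layout of that era; point the functions at your real file.
set -euo pipefail

# Constructed sample of a kubeadm kubelet drop-in (not taken from a real node).
SAMPLE_CONF='[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS'

# enable_kubelet_webhook_auth FILE
# Same edit as the post's script, with a return code you can act on:
#   0  file changed (run systemctl daemon-reload && systemctl restart kubelet)
#   1  already had token webhook auth and no cadvisor-port=0; nothing to do
#   2  --authorization-mode=Webhook not found; the post's sed would do nothing
#      and Prometheus would keep getting 403, so edit the drop-in by hand
enable_kubelet_webhook_auth() {
  local f="$1" before
  grep -q -e '--authorization-mode=Webhook' "$f" || return 2
  before=$(cat "$f")
  # Drop kubeadm's --cadvisor-port=0; this re-enables cAdvisor on port 4194,
  # which has no authentication, so firewall it if you keep it.
  sed -e '/cadvisor-port=0/d' -i "$f"
  # Make the kubelet validate bearer tokens against the API server, once.
  if ! grep -q 'authentication-token-webhook=true' "$f"; then
    sed -e 's/--authorization-mode=Webhook/--authentication-token-webhook=true --authorization-mode=Webhook/' -i "$f"
  fi
  [ "$before" != "$(cat "$f")" ]
}

# kubelet_conf_ok FILE: 0 if FILE enables token webhook auth and no longer
# disables the cAdvisor port, i.e. the state the post's fix leaves behind.
kubelet_conf_ok() {
  grep -q 'authentication-token-webhook=true' "$1" && ! grep -q 'cadvisor-port=0' "$1"
}

# kubelet_scrape_status NODE TOKEN
# Prints the HTTP status the kubelet returns for an authenticated scrape of
# /metrics: 403 before the fix, 200 after. TOKEN is the bearer token of the
# service account Prometheus runs as (placeholder; obtain it with kubectl).
# -k because the kubelet serving cert is usually not signed by a CA curl trusts.
kubelet_scrape_status() {
  local node="$1" token="$2"
  curl -sk -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $token" "https://$node:10250/metrics"
}

# Dry run against a copy of the constructed sample. On a real node, point
# enable_kubelet_webhook_auth at /etc/systemd/system/kubelet.service.d/10-kubeadm.conf.
demo() {
  local work rc=0
  work=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$work"
  enable_kubelet_webhook_auth "$work" || rc=$?
  case "$rc" in
    0) echo "drop-in would change as follows:"
       printf '%s\n' "$SAMPLE_CONF" | diff - "$work" || true ;;
    1) echo "drop-in already configured" ;;
    2) echo "no --authorization-mode=Webhook in drop-in; edit it by hand" ;;
  esac
  rm -f "$work"
}
demo
```

Run it once as a dry run, then call enable_kubelet_webhook_auth on the real drop-in, restart the kubelet, and compare kubelet_scrape_status before and after; a persistent 403 after the restart means the flag did not land (return code 2 above) or Prometheus's service account lacks the nodes/metrics and nodes/proxy permissions that kube-prometheus's RBAC grants.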