This repository has been archived by the owner on Oct 24, 2023. It is now read-only.
Add anonymous etcd metrics endpoints so that prometheus can scrape etcd metrics without requiring root permissions #2171
Labels
enhancement
New feature or request
Comments
ericsuhong changed the title from "Add anonymous etcd metrics endpoints when starting etcd for etcd metrics support" to "Add anonymous etcd metrics endpoints for prometheus so that it does not require root permission" on Oct 16, 2019
ericsuhong changed the title from "Add anonymous etcd metrics endpoints for prometheus so that it does not require root permission" to "Add anonymous etcd metrics endpoints so that prometheus can scrape etcd metrics without requiring root permissions" on Oct 16, 2019
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@jackfrancis it looks like this was closed by automation. Can you please keep it open until it is implemented?
+1 we really need this one.. @jackfrancis @ritazh
Thanks for opening the issue and the proposed solution! PRs are welcome!
Thanks @ritazh ! We will contribute for sure 👍
Right now, the etcd /metrics endpoint is exposed via a cert-protected endpoint: 127.0.0.1:2379.
This requires prometheus to run as root to access the /etc/kubernetes/certs/etcd* certificates in order to talk to the etcd /metrics endpoint.
etcd added support for running the /metrics endpoint on a separate port anonymously, by simply adding the following argument at startup (etcd-io/etcd#8060):
--listen-metrics-urls=http://[masterIP]:9379
(9379 is a default port allocated by prometheus for etcd exporters: https://github.com/prometheus/prometheus/wiki/Default-port-allocations).
This will allow prometheus to scrape etcd metrics anonymously without requiring root access.
I verified that manually adding this argument allowed prometheus to scrape metrics anonymously.
This also doesn't break backward compatibility as it keeps the old metrics endpoint as well.
Explain why AKS Engine needs it
This will allow prometheus to scrape etcd metrics without requiring root access or access to certificates.
Describe the solution you'd like
Add --listen-metrics-urls=http://[masterIP]:9379 as an argument at etcd startup.
Describe alternatives you've considered
Run prometheus-server on master nodes as root, with the /etc/kubernetes/certs folder mounted to grab the etcd CA/client certs.
Then, I used the following scrape rule to scrape etcd metrics:
This requires prometheus-server to run as root, which is BAD!
Additional context
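An added example, not part of the original issue or of AKS Engine's code: a small Python check that reads an etcd command line and reports where each --listen-metrics-urls listener binds and whether it is served over plain HTTP, which is what makes the scrape work without certificates. The command line, the address 10.0.0.4 and the function names are constructed for illustration.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

FLAG = "--listen-metrics-urls"  # etcd flag discussed in the issue


def metrics_urls(cmdline):
    """Return every URL passed to --listen-metrics-urls ('=' or space form)."""
    args = shlex.split(cmdline)
    urls = []
    for i, arg in enumerate(args):
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(args):
            value = args[i + 1]
        else:
            continue
        # etcd accepts a comma-separated list of URLs for this flag.
        urls.extend(u.strip() for u in value.split(",") if u.strip())
    return urls


def classify(url):
    """Describe who can reach one metrics listener and how it is served."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        scope = ("all-interfaces" if ip.is_unspecified
                 else "loopback" if ip.is_loopback
                 else "single-address")
    except ValueError:
        scope = "hostname"  # not an IP literal; resolution decides the scope
    # Plain HTTP means no TLS, so no client certificate is ever requested.
    return {"url": url, "port": parts.port, "scope": scope,
            "plaintext_http": parts.scheme == "http"}


def audit(cmdline):
    return [classify(u) for u in metrics_urls(cmdline)]


if __name__ == "__main__":
    # Constructed sample: cert-protected client port plus the proposed listener.
    sample = ("etcd --name master-0 --listen-client-urls https://127.0.0.1:2379 "
              "--listen-metrics-urls=http://10.0.0.4:9379")
    for finding in audit(sample):
        print(finding)
```

A listener reported as plaintext_http with scope all-interfaces or single-address is readable by anything that can route to that address, so access to port 9379 has to be limited at the network layer.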