Operator metrics are protected by kube-auth-proxy. You must grant permissions to a Prometheus server before it can scrape the protected metrics.
You can create a ClusterRole and bind it with ClusterRoleBinding to the service account that your Prometheus server uses.
If you have not configured this cluster role and cluster role binding, you can use the following configuration:
Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cbcontainers-metrics-reader
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
Cluster Role Binding
kubectl create clusterrolebinding metrics --clusterrole=cbcontainers-metrics-reader --serviceaccount=<prometheus-namespace>:<prometheus-service-account-name>
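To confirm the grant before pointing Prometheus at the endpoint, the following added example (not part of the original page or the product's tooling) impersonates the service account with kubectl auth can-i and checks that the binding references the expected role. The function names and the KUBECTL override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). KUBECTL is a hypothetical override
# so the checks can be pointed at a wrapper; it defaults to the real kubectl.

# Username that Kubernetes assigns to a service account.
sa_user() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Succeeds when the user in $1 may GET the /metrics non-resource URL.
can_get_metrics() {
  "${KUBECTL:-kubectl}" auth can-i get /metrics --as="$1" >/dev/null 2>&1
}

# Succeeds when the binding named on this page points at the expected ClusterRole.
binding_uses_role() {
  role=$("${KUBECTL:-kubectl}" get clusterrolebinding metrics \
    -o jsonpath='{.roleRef.name}' 2>/dev/null) || return 1
  [ "$role" = "cbcontainers-metrics-reader" ]
}

# Run all checks for namespace $1 and service account $2; one line per check.
check_metrics_rbac() {
  rc=0
  if binding_uses_role; then echo "PASS binding -> cbcontainers-metrics-reader"
  else echo "FAIL binding 'metrics' missing or bound to another role"; rc=1; fi
  if can_get_metrics "$(sa_user "$1" "$2")"; then echo "PASS $1/$2 may GET /metrics"
  else echo "FAIL $1/$2 may not GET /metrics"; rc=1; fi
  # Least privilege: unauthenticated callers must not hold the same grant.
  if can_get_metrics system:anonymous; then echo "FAIL system:anonymous may GET /metrics"; rc=1
  else echo "PASS system:anonymous is denied"; fi
  return "$rc"
}

# Usage: sh check.sh <prometheus-namespace> <prometheus-service-account-name>
if [ "$#" -eq 2 ]; then check_metrics_rbac "$1" "$2"; fi
```

Impersonation with --as requires that the identity running the script is itself allowed to impersonate users.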
Use the following ServiceMonitor to scrape metrics from the Carbon Black Container Operator. Your Prometheus custom resource service monitor selectors must match this configuration.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: operator
  name: cbcontainers-operator-metrics-monitor
  namespace: cbcontainers-dataplane
spec:
  endpoints:
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    path: /metrics
    port: https
    scheme: https
    tlsConfig:
      insecureSkipVerify: true
  selector:
    matchLabels:
      control-plane: operator