
Question:

Why do users have to have the RBAC permission to create services/proxy in order to view metrics via Lens?

Recently I created an aws-auth entry mapping readOnly developers to the default 'view' group, which gives all permissions listed in the default 'view' clusterrole: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles. When connecting to the cluster via Lens, users were unable to view metrics and got the error below in the UI.

Error:

"Metrics are not available due to missing or invalid Prometheus configuration."

Additional information

AWS EKS Cluster Version: v1.20.11-eks-f17b81
Kubectl version: 1.20.15

Solution:

To find the solution I followed this comment on the lensapp git: https://github.com/lensapp/lens/issues/3698#issuecomment-968616099

Changes made:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-lens-metrics
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - ""
  resources:
  - "services/proxy"
  verbs:
  - create
Cian

0 Answers
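Added example (not part of the original post and not Lens or Kubernetes code): a small Python model of how the aggregate-to-view label on the ClusterRole above folds its rule into the default view role, and of why a rule on services does not cover services/proxy. The base-view role and the helper names aggregate and allows are hypothetical, all role data is constructed, and the matcher handles only exact and "*" matches.

```python
# Added example: a small model of ClusterRole aggregation and RBAC rule matching.
# All role data is constructed; "base-view" is a hypothetical, trimmed stand-in
# for the rules that the built-in "view" role normally aggregates.
AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-view"

VIEW = {"metadata": {"name": "view"},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]}}

BASE_VIEW = {"metadata": {"name": "base-view", "labels": {AGG_LABEL: "true"}},
             "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                        "verbs": ["get", "list", "watch"]}]}

# The ClusterRole from the post above.
LENS_METRICS = {"metadata": {"name": "read-only-lens-metrics", "labels": {AGG_LABEL: "true"}},
                "rules": [{"apiGroups": [""], "resources": ["services/proxy"],
                           "verbs": ["create"]}]}


def aggregate(target, cluster_roles):
    """Union the rules of every role whose labels satisfy one of target's selectors."""
    rules = []
    for selector in target["aggregationRule"]["clusterRoleSelectors"]:
        wanted = selector["matchLabels"].items()
        for role in cluster_roles:
            labels = role["metadata"].get("labels", {})
            if all(labels.get(k) == v for k, v in wanted):
                rules.extend(role["rules"])
    return rules


def allows(rules, verb, api_group, resource, subresource=None):
    """True if any rule grants verb on resource[/subresource].

    A subresource is a separate resource string: a rule on "services" does
    not cover "services/proxy". Only "*" and exact matches are modelled.
    """
    full = f"{resource}/{subresource}" if subresource else resource
    return any(
        (verb in r["verbs"] or "*" in r["verbs"])
        and (api_group in r["apiGroups"] or "*" in r["apiGroups"])
        and (full in r["resources"] or "*" in r["resources"])
        for r in rules)


if __name__ == "__main__":
    before = aggregate(VIEW, [BASE_VIEW])
    after = aggregate(VIEW, [BASE_VIEW, LENS_METRICS])
    print("create services/proxy before:", allows(before, "create", "", "services", "proxy"))
    print("create services/proxy after: ", allows(after, "create", "", "services", "proxy"))
    print("create services after:       ", allows(after, "create", "", "services"))
```

Because the ClusterRole carries no resourceNames and is aggregated into view, the added rule applies to every Service within the scope of each binding to view, not only to the Prometheus service.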