Comments (13)
Sorry to slightly hijack, but also curious what folks who are using Workload Identity do - do you create a GCP service account for the custom metrics adapter and bind it to the Kube service account? I assume the cluster role bindings don't provide Google API level access, and with Workload Identity, I don't think the pod will implicitly have the creds of the nodepool's service account either.
#315 I guess kind of covers this
from k8s-stackdriver.
@sosimon how do you test to know it is functional? Are you reading a metric with kubectl?
from k8s-stackdriver.
Looks like I have the same issue:
E1205 21:46:49.429171 1 timeout.go:135] post-timeout activity - time-elapsed: 3.304368ms, GET "/apis/custom.metrics.k8s.io/v1beta2" result: <nil>
E1205 21:46:49.523578 1 wrap.go:54] timeout or abort while handling: method=GET URI="/apis/custom.metrics.k8s.io/v1beta2" audit-ID="71f72960-a980-4afb-ad1d-03e1b6bec66f"
E1205 21:46:49.523649 1 writers.go:117] apiserver was unable to write a JSON response: http2: stream closed
E1205 21:46:49.523716 1 wrap.go:54] timeout or abort while handling: method=GET URI="/apis/custom.metrics.k8s.io/v1beta2" audit-ID="79f73bf9-dc54-4676-936a-aa819a77194e"
E1205 21:46:49.525281 1 writers.go:111] apiserver was unable to close cleanly the response writer: http: Handler timeout
E1205 21:46:49.525327 1 status.go:71] apiserver received an error that is not an metav1.Status: &errors.errorString{s:"http2: stream closed"}: http2: stream closed
E1205 21:46:49.526374 1 writers.go:130] apiserver was unable to write a fallback JSON response: http2: stream closed
E1205 21:46:49.528673 1 timeout.go:135] post-timeout activity - time-elapsed: 4.796544ms, GET "/apis/custom.metrics.k8s.io/v1beta2" result: <nil>
from k8s-stackdriver.
I have the same issue
post-timeout activity - time-elapsed: 109.781784ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
from k8s-stackdriver.
I have a high volume of the same / similar errors
That said, the adapter itself works AFAIK
from k8s-stackdriver.
Same issue, also I had to add this resource to my cluster in order to get it to start up
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: custom-metrics-extension-apiserver-authentication-reader
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: custom-metrics-stackdriver-adapter
  namespace: custom-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
from k8s-stackdriver.
Same issue, also I had to add this resource to my cluster in order to get it to start up
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: custom-metrics-extension-apiserver-authentication-reader
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: custom-metrics-stackdriver-adapter
  namespace: custom-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
I tried this but nothing changed. When you "get it to startup" what exactly does "it" refer to? The stackdriver adapter pod? In my case the pod is running, but it has loads of log entries like:
E0208 17:56:12.201768 1 provider.go:320] Failed request to stackdriver api: googleapi: Error 403: Permission monitoring.metricDescriptors.list denied (or the resource may not exist)., forbidden
Maybe it's a different issue?
from k8s-stackdriver.
@PaulRudin just spitballing here, but that error looks like your cluster's service account doesn't have permission to call the GCP monitoring API.
from k8s-stackdriver.
Yeah, but nothing has changed recently as far as I know. But maybe I've inadvertently modified something when changing something unrelated.
from k8s-stackdriver.
Hi!
I have exactly the same issue, and it appeared suddenly around the same period.
I also thought about a permission or scope issue, but the node where the adapter is running has cloud-platform scope and the service account has Monitoring Viewer permission.
I also think that it is not a permission or scope issue as we have timeout errors.
I am still investigating. Maybe something has changed on the GCP side.
from k8s-stackdriver.
OK - so in my case I had inadvertently changed the service account, so the permission denied problem has been fixed. But I do still see messages similar to those reported by others:
E0209 10:59:56.474287 1 timeout.go:135] post-timeout activity - time-elapsed: 15.70529ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
E0209 10:59:56.554654 1 writers.go:111] apiserver was unable to close cleanly the response writer: http: Handler timeout
E0209 10:59:56.555141 1 writers.go:130] apiserver was unable to write a fallback JSON response: http2: stream closed
E0209 10:59:56.556250 1 writers.go:130] apiserver was unable to write a fallback JSON response: http: Handler timeout
E0209 10:59:56.558605 1 timeout.go:135] post-timeout activity - time-elapsed: 93.570353ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
E0209 10:59:56.559753 1 timeout.go:135] post-timeout activity - time-elapsed: 102.936145ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
E0209 10:59:56.560900 1 timeout.go:135] post-timeout activity - time-elapsed: 102.266556ms, GET "/apis/custom.metrics.k8s.io/v1beta2" result: <nil>
from k8s-stackdriver.
We're seeing the same error messages but the adapter appears to be functional. It would be nice to understand what the errors mean and what changes we need to make to reduce the noise.
from k8s-stackdriver.
@matiasah I think our HPA is working. Some of the logs shown here are the same as the ones in #510. Not the auth errors, those should be, and need to be, resolved by providing the service account the right permissions.
from k8s-stackdriver.
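An added example, not part of the thread or the project's code: a small Python triage that separates the two kinds of adapter log lines discussed above, the `Error 403` permission denials that need an IAM fix and the timeout/stream-closed messages commenters see alongside a working adapter. The sample lines are copied from the comments; the function and pattern names are assumptions of this example.

```python
import re
from collections import Counter

# klog header: severity+MMDD, time, thread id, file:line], then the message
KLOG = re.compile(r"^([IWEF])\d{4} [\d:.]+\s+\d+ ([\w.]+):(\d+)\] (.*)$")
# IAM denial returned by the Cloud Monitoring API; group 1 is the permission
DENIED = re.compile(r"Error 403: Permission (\S+) denied")
# Messages the thread reports while the adapter keeps serving metrics
TIMEOUT = re.compile(r"post-timeout activity|timeout or abort while handling"
                     r"|http2: stream closed|http: Handler timeout")

# Log lines copied from the comments above
SAMPLE = """\
E0208 17:56:12.201768 1 provider.go:320] Failed request to stackdriver api: googleapi: Error 403: Permission monitoring.metricDescriptors.list denied (or the resource may not exist)., forbidden
E0209 10:59:56.474287 1 timeout.go:135] post-timeout activity - time-elapsed: 15.70529ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
E0209 10:59:56.554654 1 writers.go:111] apiserver was unable to close cleanly the response writer: http: Handler timeout
E0209 10:59:56.555141 1 writers.go:130] apiserver was unable to write a fallback JSON response: http2: stream closed
E0209 10:59:56.558605 1 timeout.go:135] post-timeout activity - time-elapsed: 93.570353ms, GET "/apis/custom.metrics.k8s.io/v1beta1" result: <nil>
"""

def triage(lines):
    """Split adapter log lines into (denied permissions, timeout counts, other)."""
    denied, timeouts, other = Counter(), Counter(), []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KLOG.match(line)
        if not m:
            other.append(line)      # not klog-formatted: keep for manual review
            continue
        _sev, src, lineno, msg = m.groups()
        perm = DENIED.search(msg)
        if perm:
            denied[perm.group(1)] += 1          # actionable: grant via IAM
        elif TIMEOUT.search(msg):
            timeouts[f"{src}:{lineno}"] += 1    # group by emitting call site
        else:
            other.append(line)
    return denied, timeouts, other

if __name__ == "__main__":
    denied, timeouts, other = triage(SAMPLE.splitlines())
    for perm, n in denied.items():
        print(f"IAM: service account lacks {perm} ({n} line(s))")
    for site, n in timeouts.most_common():
        print(f"timeout message from {site}: {n}")
    print(f"unclassified: {len(other)}")
```
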