I've been using metricbeat through its helm chart to install in a kubernetes cluster. It used to work by going through port 10255, which was a non-secured read-only port, but it seems the latest releases of kubernetes (installed through kubeadm) deprecated it and we are now forced to use a secure port...
I just cannot make it work... can anyone tell me what are the valid instructions for that:
new config that is not working:
kubernetes:
  enabled: true
  config:
    - module: kubernetes
      metricsets:
        - node
        - system
        - pod
        - container
        - volume
      period: 10s
      hosts: ["https://${HOSTNAME}:10250"]
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      ssl.certificate_authorities:
        - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      add_metadata: true
      in_cluster: true
      processors:
        - add_cloud_metadata:
        - add_kubernetes_metadata:
            in_cluster: true
When using this config, I get the "x509: certificate was signed by unknown authority" error.
When I use the curl command on the host, I get a good response:
sudo curl https://localhost:10250/stats/summary -k --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key
Was anyone able to get around it?
NOTE: helm chart uses a daemonset rather than a deployment.. I don't know if that may have an impact at all.. but I thought it was worth mentioning.
I think it's time to switch to this approach by default, as most kubernetes versions out there will support it already. Would you mind creating a new issue for that? https://github.com/elastic/beats/issues/new
Thanks, I will raise an issue.... but I tried this approach as it shows above... the file service-ca.crt does not exist... although ca.crt does, so I have been using it... but when I do, I get the "x509: certificate was signed by unknown authority" here as a result of the requests so I must be missing something else... any idea?
Yes, probably you have to change localhost to the name of the node. In our default manifests we added the NODE_NAME env var for this. So if you have it reported, just switch to ${NODE_NAME}:10250.
I use the same configuration as "pastorsx simon", but Metricbeat will not start because /var/run/secrets/ does not exist on the system. Is this path created when installing Kubernetes?
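The setup suggested in the replies above, written out as an added example (it is not part of the original thread or of the Helm chart): the node name is passed to the pod through the Downward API and used in place of `${HOSTNAME}`. It assumes the kubelet's serving certificate is signed by the CA in `ca.crt` and lists the node name.

```yaml
# Fragment 1 (constructed excerpt): container spec of the Metricbeat DaemonSet.
# The Downward API exposes the name of the node the pod runs on as NODE_NAME.
env:
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
---
# Fragment 2: the kubernetes module entry from the thread, with only the
# host changed from ${HOSTNAME} to ${NODE_NAME}.
- module: kubernetes
  metricsets:
    - node
    - system
    - pod
    - container
    - volume
  period: 10s
  hosts: ["https://${NODE_NAME}:10250"]
  # Both files are mounted by Kubernetes inside the pod's containers by
  # default, together with the service account. They are not files on the
  # node's own filesystem.
  bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  # Assumption: the kubelet serving certificate chains to this CA and names
  # the node. If the kubelet serves a self-signed certificate, verification
  # still fails with "x509: certificate signed by unknown authority".
  ssl.certificate_authorities:
    - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```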