Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prometheus metrics federation yields HTTP 403 #11050

Open
adleong opened this issue Jun 22, 2023 Discussed in #11044 · 13 comments · May be fixed by #12212
Open

Prometheus metrics federation yields HTTP 403 #11050

adleong opened this issue Jun 22, 2023 Discussed in #11044 · 13 comments · May be fixed by #12212
Assignees
@alpeb
Labels
good first issue

Comments

@adleong
Copy link
Member

adleong commented Jun 22, 2023

Discussed in #11044

Originally posted by ngc4579 June 21, 2023
Using the Prometheus federation API as advertised in the docs yields an HTTP 403 scrape error (server returned HTTP status 403 Forbidden). IIRC this used to work some time ago. Were there any (recent) changes that are possibly not reflected in the docs?

What might cause the described behaviour?
@adleong
Copy link
Member Author

adleong commented Jun 22, 2023

Thanks for raising this, @ngc4579. It's possible that additional AuthorizationPolicies are needed for Prometheus federation. This will require some investigation.

@wmorgan
Copy link
Member

wmorgan commented Jun 22, 2023

This policy was suggested by Michelle B on the Linkerd Slack (link will expire in 90 days):

apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: prometheus-admin-federate
  namespace: linkerd-viz
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: prometheus-admin
  requiredAuthenticationRefs:
    - group: policy.linkerd.io
      kind: NetworkAuthentication
      name: kubelet

@ngc4579
Copy link

ngc4579 commented Jun 23, 2023

Thanks so much @adleong @wmorgan for your answers. The mentioned AuthorizationPolicy actually did help, federation works as expected now. If this policy is intentionally required, I guess this should be reflected in the docs. (Or else, if it already is, it seems I wasn't able to find it. :) )

@prajithp13
Copy link

We have setup the linkerd-viz with external prometheus and after the upgrade we are getting following errors

time="2023-06-26T12:34:55Z" level=error msg="queryProm failed with: Query failed: \"sum(increase(response_total{deployment=\\\"app-prod-http\\\", direction=\\\"outbound\\\", namespace=\\\"web\\\"}[1m])) by (dst_namespace, dst_deployment, classification, tls)\": Post \"https://external-endpoint/api/v1/query\": context canceled"

@alpeb
Copy link
Member

alpeb commented Jun 29, 2023

Anybody would like to submit a PR with this policy included? Should be pretty straight-forward.

@prajithp13 Did you apply the policy?

@deepto98
Copy link

deepto98 commented Jul 1, 2023

@alpeb I'd like to pick this up, I'm learning Linkerd and service meshes in general, would also like to contribute to the project, this seems like a good issue to start with.

@alpeb
Copy link
Member

alpeb commented Jul 10, 2023

@deepto98 sounds great, please proceed!

@alexandreliberato
Copy link

@deepto98 Are you working on this? If not, I will be willing to tackle this issue :)

@deepto98
Copy link

I'll pick this up this week

@jderieg
Copy link

jderieg commented Aug 23, 2023

Did a PR for this issue ever get created?

@ioannatheo
Copy link

Hey is there any progress on this issue?

@wmorgan
Copy link
Member

wmorgan commented Dec 15, 2023

@ioannatheo there is a workaround by adding that policy YAML pasted earlier above. A PR to add that by default would be welcome.

@francRang
Copy link

I am actively working on this. I think I have a pretty good understanding on what needs to be done.
Track progress: https://github.com/francRang/linkerd2
Give me 1-2 days max and I should be able to get it ready for review.

@francRang francRang linked a pull request Mar 6, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alpeb alpeb

Labels
good first issue
Projects
None yet
Milestone
No milestone
10 participants
@wmorgan @alexandreliberato @alpeb @adleong @ngc4579 @francRang @jderieg @ioannatheo @deepto98 @prajithp13