This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

Document manual steps to setup monitoring for etcd #270

Closed
surajssd opened this issue Apr 7, 2020 · 5 comments
Assignees
Labels
area/monitoring Monitoring priority/P2 Medium priority

Comments

@surajssd
Member

surajssd commented Apr 7, 2020

Create a document to help users set up monitoring for etcd manually. Taking inspiration from the document, create an update issue to automate those steps in #252.

@surajssd surajssd added area/monitoring Monitoring proposed/next-sprint Issues proposed for next sprint labels Apr 7, 2020
@iaguis iaguis removed the proposed/next-sprint Issues proposed for next sprint label Apr 8, 2020
@invidian
Member

invidian commented Apr 9, 2020

I've looked at how this can be done, and it actually requires a few things to be done:

  • We need to generate multiple etcd client certificates with different CNs:
    • CN: root, this one is special, for administrative tasks, including enabling RBAC
    • CN: kube-apiserver (CN can be different), for the Kubernetes API server, should have readwrite access to the entire etcd
    • CN: prometheus (CN can also be different), for monitoring, should have no role granted
  • The --client-cert-auth=true flag must be added to etcd: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md#using-tls-common-name
  • The following commands need to be executed:
    #!/bin/sh
    # Setup connection
    export ETCDCTL_API=3
    export ETCDCTL_CACERT=<ca cert path>
    export ETCDCTL_CERT=<root user client cert path>
    export ETCDCTL_KEY=<root user client private key path>
    export ETCDCTL_ENDPOINTS=https://<etcd member IP>:2379
    # Create root user, role and role grant, so 'auth enable' does not print error.
    etcdctl user add --no-password=true root
    etcdctl role add root
    etcdctl user grant-role root root
    etcdctl auth enable
    etcdctl user add --no-password=true kube-apiserver
    etcdctl role add kube-apiserver
    etcdctl role grant-permission kube-apiserver readwrite --prefix=true /
    etcdctl user grant-role kube-apiserver kube-apiserver
    etcdctl user add --no-password=true prometheus
    # Until https://github.com/etcd-io/etcd/issues/8458 is resolved.
    etcdctl user grant-role kube-apiserver root
    

Then, it works just fine. kube-apiserver works as before and has access to everything, and the prometheus certificate can only list metrics securely, but cannot access any data.
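The whole scheme above rests on one fact: with --client-cert-auth=true, etcd takes the CN of a client certificate that chains to its trusted CA as the etcd username, and authorization is then decided purely by the roles granted to that username. The Go program below is an added example, not code from this issue or from the project it belongs to. It mints a throwaway in-memory CA and three client certificates with the CNs root, kube-apiserver and prometheus, then performs the same check etcd does (chain to the trusted CA plus the clientAuth EKU) before trusting the CN, and rejects a certificate with CN root that was signed by a different CA. The CA name "example-etcd-ca", the serial numbers and the roleFor map are assumptions; roleFor just restates the grants from the etcdctl steps above, with prometheus deliberately absent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// roleFor is the policy read off the etcdctl steps above (assumed mapping);
// prometheus is absent on purpose: no role means it can only scrape /metrics.
var roleFor = map[string]string{"root": "root", "kube-apiserver": "readwrite:/"}

// sign generates a P-256 key and a certificate for tmpl signed by parent; with parentKey == nil it is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a throwaway CA (hypothetical name) standing in for the cluster CA that signs etcd client certs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-etcd-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, nil)
}

// IssueClientCert mints a clientAuth certificate whose CN is the etcd username;
// under --client-cert-auth=true etcd takes that CN as the identity.
func IssueClientCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) ([]byte, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, key, err := sign(tmpl, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), key, nil
}

// IdentityFromClientCert mirrors the check etcd performs: the presented cert must chain
// to the trusted CA and carry the clientAuth EKU; only then is its CN returned as the username.
func IdentityFromClientCert(certPEM []byte, trusted *x509.Certificate) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	// The three CNs from the steps above; serial numbers are constructed values.
	for i, cn := range []string{"root", "kube-apiserver", "prometheus"} {
		certPEM, _, err := IssueClientCert(caCert, caKey, cn, int64(i+2))
		if err != nil {
			panic(err)
		}
		user, err := IdentityFromClientCert(certPEM, caCert)
		fmt.Printf("CN=%-15s -> user %q role %q err=%v\n", cn, user, roleFor[user], err)
	}
}
```

The certificate PEM and key returned by IssueClientCert can be written to files and used as ETCDCTL_CERT/ETCDCTL_KEY (or mounted for Prometheus). The check worth doing before handing a certificate to a scraper is the one IdentityFromClientCert makes explicit: confirm the CN maps to a user that has no role granted, because once auth is enabled that CN is the only thing etcd authorizes on.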

@invidian
Member

invidian commented Apr 9, 2020

See also etcd-io/etcd#8458.

@surajssd surajssd added the proposed/next-sprint Issues proposed for next sprint label May 20, 2020
@iaguis iaguis added priority/P2 Medium priority and removed proposed/next-sprint Issues proposed for next sprint labels May 20, 2020
@surajssd surajssd self-assigned this May 27, 2020
@surajssd surajssd mentioned this issue May 27, 2020
3 tasks
@iaguis
Contributor

iaguis commented Jun 4, 2020

Is this still relevant after #493?

@invidian
Member

invidian commented Jun 4, 2020

No, but there should be a follow up issue created to scrape etcd metrics securely. Let me create it.

@invidian
Member

invidian commented Jun 4, 2020

This is now done in #493, though insecurely, so let's follow up on that in #553.

@invidian invidian closed this as completed Jun 4, 2020