This repository has been archived by the owner on Mar 19, 2021. It is now read-only.

How to configure cluster #35

Closed
darose opened this issue Jul 24, 2018 · 13 comments

Comments

@darose

darose commented Jul 24, 2018

I've been able to install the kubernetes-app plugin into grafana running on our kubernetes cluster, but I'm not able to get the plugin to work. I think I probably don't have it configured correctly, but I'm not sure how to correct it. In my cluster config I have datasource set to "prometheus", and access set to "Server (Default)". But I'm not sure what to set for the http url or the auth settings. I have grafana and prometheus running as pods on the k8s cluster. (Installed via core-os prometheus-operator kube-prometheus.) So I'm not sure what http url to use: url of the kubernetes system? url of the prometheus service? The docs/help system aren't clear. Would appreciate if someone could help get this issue addressed, as the plugin looks quite nice. Thanks!

@dionmes

dionmes commented Jul 25, 2018

I also looked at this App for Grafana and also didn't know what to fill in the http field. My guess is, it is the kubernetes api server. But then you need to use credentials (a token), so I am not sure. I have now settled for the dashboards which load directly from prometheus; they seem to provide enough info. Don't know if this app would provide more.

@darose

darose commented Jul 25, 2018

FYI, I finally got this working. (Woo hoo!) Details are as follows:

  • all the needed data is stored in your .kube/config YAML file
  • paste the url stored in the "clusters.cluster.server" .kube/config field into the "HTTP URL" field for the plugin
  • check the boxes "TLS Client Auth" and "With CA Cert"
  • fill out the "CA Cert", "Client Cert", and "Client Key" fields like so:
      ◦ the CA Cert value is obtained by taking the value of the "clusters.cluster.certificate-authority-data" .kube/config field and base64 decoding it (e.g., pipe it into "base64 -d")
      ◦ for Client Cert, same as previous step, but use "users.user.client-certificate-data"
      ◦ for Client Key, same as previous step, but use "users.user.client-key-data"

Hope this is helpful.

FYI to Grafana people: it would probably be good if somebody documents this somewhere!

DR
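The steps above as a script, added here as an example (it is not code from the thread or from the plugin). It reads a kubeconfig, prints the server URL for the "HTTP URL" field, decodes the three base64 "*-data" fields into PEM files for the "CA Cert" / "Client Cert" / "Client Key" fields, and, when openssl is on PATH, prints the subject of the client certificate so you can see which identity you are about to hand to Grafana (the admin config written by kubeadm or minikube usually carries O=system:masters, i.e. cluster-admin). The sample kubeconfig and its placeholder PEM bodies are constructed for the demo; the parser assumes a single-cluster file, so on a multi-cluster kubeconfig feed it the output of `kubectl config view --raw --minify`, which keeps only the current context.

```shell
#!/usr/bin/env bash
# Added example, not from the kubernetes-app plugin or this issue thread.
# Pulls the values the plugin's config page asks for out of a kubeconfig.
# Assumption: one cluster / one user in the file (use
# `kubectl config view --raw --minify` to produce such a file otherwise).
set -eu

# Print the raw value of a scalar key: server, certificate-authority-data,
# client-certificate-data or client-key-data (first match wins).
kube_field() {
  file=$1; key=$2
  awk -v k="$key:" '$1 == k { print $2; exit }' "$file"
}

# Decode one of the *-data fields into a PEM file and print its path.
kube_pem() {
  file=$1; key=$2; out=$3
  kube_field "$file" "$key" | base64 -d > "$out"
  echo "$out"
}

# Who does the client certificate identify? O=system:masters means cluster-admin.
cert_identity() {
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -noout -subject -in "$1"
  else
    echo "openssl not found; inspect $1 manually"
  fi
}

# ---- constructed sample data (placeholders, not real certificates) ----
SAMPLE_SERVER='https://10.0.0.1:6443'
SAMPLE_CA='-----BEGIN CERTIFICATE-----
placeholder-ca
-----END CERTIFICATE-----'
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
placeholder-client-cert
-----END CERTIFICATE-----'
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
placeholder-client-key
-----END RSA PRIVATE KEY-----'

b64() { printf '%s\n' "$1" | base64 | tr -d '\n'; }

# Write a kubeconfig shaped like the one kubeadm/minikube produce.
make_sample_kubeconfig() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: dev
  cluster:
    server: $SAMPLE_SERVER
    certificate-authority-data: $(b64 "$SAMPLE_CA")
contexts:
- name: dev
  context:
    cluster: dev
    user: dev-admin
current-context: dev
users:
- name: dev-admin
  user:
    client-certificate-data: $(b64 "$SAMPLE_CERT")
    client-key-data: $(b64 "$SAMPLE_KEY")
EOF
}

demo() {
  dir=$(mktemp -d)
  make_sample_kubeconfig "$dir/config"
  echo "HTTP URL:    $(kube_field "$dir/config" server)"
  echo "CA Cert:     $(kube_pem "$dir/config" certificate-authority-data "$dir/ca.crt")"
  echo "Client Cert: $(kube_pem "$dir/config" client-certificate-data "$dir/client.crt")"
  echo "Client Key:  $(kube_pem "$dir/config" client-key-data "$dir/client.key")"
  # Placeholder PEM will not parse; on a real kubeconfig this prints the subject.
  cert_identity "$dir/client.crt" || true
  rm -rf "$dir"
}

demo
```

Run it against a real file with `make_sample_kubeconfig` replaced by `cp ~/.kube/config "$dir/config"`; if `cert_identity` reports O=system:masters, that certificate is a cluster-admin credential and pasting it into a Grafana datasource makes every Grafana editor a cluster admin.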

@darose darose closed this as completed Jul 25, 2018
@dionmes

dionmes commented Jul 26, 2018

I hope you understand the security implications of this setup. You'd better dive into RBAC and only authorise the API user for reading.

@darose

darose commented Jul 26, 2018

Thanks for the tip. It's just a dev cluster though, used by only a handful of people, so not really a significant security risk. I'll definitely make a note to be aware of this for production though.

@shashikant-koder

> FYI, I finally got this working. (Woo hoo!) Details are as follows:
>
>   • all the needed data is stored in your .kube/config YAML file
>   • paste the url stored in the "clusters.cluster.server" .kube/config field into the "HTTP URL" field for the plugin
>   • check the boxes "TLS Client Auth" and "With CA Cert"
>   • fill out the "CA Cert", "Client Cert", and "Client Key" fields like so:
>       ◦ the CA Cert value is obtained by taking the value of the "clusters.cluster.certificate-authority-data" .kube/config field and base64 decoding it (e.g., pipe it into "base64 -d")
>       ◦ for Client Cert, same as previous step, but use "users.user.client-certificate-data"
>       ◦ for Client Key, same as previous step, but use "users.user.client-key-data"
>
> Hope this is helpful.
>
> FYI to Grafana people: it would probably be good if somebody documents this somewhere!
>
> DR

In my .kube/config I have only the clusters.cluster.server and clusters.cluster.certificate-authority-data data. The other data is not available in the config file. Can you please help me with whether I missed something in the setup, or how to connect to the cluster?

@mpictor

mpictor commented Jan 8, 2019

I'm using minikube, and I had to do it a bit differently.

The IP address in the clusters.cluster.server url in the config didn't work; I substituted the pod IP for kube-apiserver instead. This can be seen in the dashboard and is also output by

kubectl get pods --namespace=kube-system -l component=kube-apiserver -o jsonpath='{.items[*].status.podIP}'

After substituting, you'll end up with a url like https://192.168.122.152:8443 - the only difference from the config url is the last two octets of the IP.

Set Access to Server (Default)

The client cert and key were in files pointed to by the config; I copied their content into the fields. I did not have a CA cert so checked the Skip TLS Verify box (not sure if that was necessary).

@cbenjemaa

cbenjemaa commented Feb 1, 2019

For Kubernetes clusters in GCP, you'll get the credential information when running

$ gcloud container clusters describe <cluster_name>

addonsConfig:
  networkPolicyConfig:
    disabled: true
clusterIpv4Cidr: 10.108.0.0/14
createTime: '2017-03-23T11:19:37+00:00'
currentMasterVersion: 1.10.11-gke.1
currentNodeCount: 2
currentNodeVersion: 1.10.11-gke.1
description: Production environment cluster
endpoint: <IP_ADDRESS>...
initialClusterVersion: 1.5.4
instanceGroupUrls:
- https://www.googleapis.com/compute/v1/projects/......../zones/europe-west1-d/instanceGroupManagers/....
- https://www.googleapis.com/compute/v1/projects/......../zones/europe-west1-b/instanceGroupManagers/....
legacyAbac: {}
location: europe-west1-d
locations:
- europe-west1-d
- europe-west1-b
loggingService: logging.googleapis.com
**masterAuth**:
  **clientCertificate**: <clientCertificate>....
  **clientKey**: <clientKey>....
  **clusterCaCertificate**: <clusterCaCertificate>....
  **password**: <pass>....
  **username**: <user>....
monitoringService: monitoring.googleapis.com
name: <cluster_name>
network: default
networkConfig:
  network: .........

The setting that worked for me was Basic auth with user and pass parameters.

It took me a while to find this setting; the Readme should be updated to make users aware of the different methods to set those parameters.

Hope that helps some of you :)

@CiaranCurran

This is a copy of a previous comment by darose; you can use the kube client to view the config file:

  1. You can use the command kubectl config view --raw to get all the necessary values
  2. paste the url stored under the fields clusters: -cluster: server into "HTTP URL" field for the plugin
  3. check the boxes "TLS Client Auth" and "With CA Cert" in the kubernetes plugin
  4. fill out the "CA Cert", "Client Cert", and "Client Key" fields like so:
      a. the CA Cert value is obtained by taking the value under the fields clusters: cluster: certificate-authority-data; make sure to base64 decode it (e.g. "base64 -d ....")
      b. for Client Cert, same as previous step, but use users: user: client-certificate-data
      c. for Client Key, same as previous step, but use users: user: client-key-data

@bertoost

bertoost commented Jun 2, 2019

Thanks @darose that made it work for me too!!

@agupta-ionos

Hi, I have done the same thing but I am getting the error also mentioned in my new GitHub issue. Hope you can help me out.

#70 (comment)

@zimmertr

> I hope you understand the security implications of this setup. You'd better dive into RBAC and only authorise the API user for reading.

@dionmes could you please elaborate on how to implement RBAC to properly mitigate any risks involved?

@dionmes

dionmes commented Sep 19, 2019

Hello @zimmertr, I am not really familiar with configuring RBAC in kubernetes, but you can get info about RBAC here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ . You should use a role which has read rights only.
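One concrete way to do what the reply above recommends, added here as an example (not from the plugin or this thread): instead of pasting the kubeconfig's admin certificate into the plugin, issue Grafana its own client certificate through the Kubernetes CSR API and bind that identity to a ClusterRole that only allows get/list/watch. The resulting certificate and key go into the same "Client Cert" / "Client Key" fields used earlier in the thread. Assumptions: kubectl and openssl on PATH, cluster-admin rights for the provisioning step, Kubernetes 1.19 or newer (certificates.k8s.io/v1 with signerName), and the user name grafana-ro and the resource list in the ClusterRole are placeholders of mine; the list is a guess at what a cluster dashboard reads, so trim it to what the plugin actually queries.

```shell
#!/usr/bin/env bash
# Added example, not from the kubernetes-app plugin or this issue thread.
# Gives Grafana a dedicated client certificate (CN=grafana-ro) bound to a
# read-only ClusterRole, so the plugin never holds cluster-admin credentials.
# Assumptions: kubectl + openssl available, Kubernetes >= 1.19, and the
# resource list below is a guess to be narrowed to what the plugin needs.
set -eu

USER_NAME=${USER_NAME:-grafana-ro}   # placeholder identity name

# Read-only ClusterRole: get/list/watch only, no create/update/patch/delete.
readonly_clusterrole() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${USER_NAME}
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces", "pods", "services", "endpoints", "persistentvolumes", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets", "replicasets"]
  verbs: ["get", "list", "watch"]
EOF
}

# Bind the certificate's CN (a Kubernetes "User" subject) to that role.
readonly_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${USER_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${USER_NAME}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${USER_NAME}
EOF
}

# CSR object for the API server's built-in client-certificate signer.
# $1 is a PEM CSR file; the request field carries it base64-encoded.
csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${USER_NAME}
spec:
  request: $(base64 < "$1" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages: ["client auth"]
EOF
}

# Sanity check on a role manifest: print any write verb it grants (empty = none).
forbidden_verbs_in() {
  printf '%s' "$1" | grep -oE '"(create|update|patch|delete|deletecollection|\*)"' || true
}

# End to end against a live cluster: key + CSR, cluster signs it, RBAC, verify.
provision() {
  openssl genrsa -out "${USER_NAME}.key" 2048
  openssl req -new -key "${USER_NAME}.key" -subj "/CN=${USER_NAME}/O=grafana" -out "${USER_NAME}.csr"
  csr_manifest "${USER_NAME}.csr" | kubectl apply -f -
  kubectl certificate approve "${USER_NAME}"
  kubectl get csr "${USER_NAME}" -o jsonpath='{.status.certificate}' | base64 -d > "${USER_NAME}.crt"
  readonly_clusterrole | kubectl apply -f -
  readonly_binding | kubectl apply -f -
  # Impersonate the new user with our admin credentials: expect "yes" then "no"
  # (can-i exits non-zero on "no", hence the || true).
  kubectl auth can-i list pods --as="${USER_NAME}"
  kubectl auth can-i delete pods --as="${USER_NAME}" || true
  echo "Paste ${USER_NAME}.crt and ${USER_NAME}.key into the plugin's Client Cert / Client Key fields"
}

# Only touch the cluster when asked; the manifest generators work offline.
if [ "${1:-}" = "provision" ]; then
  provision
fi
```

Run as `./grafana-ro.sh provision` with an admin kubeconfig active. The `kubectl auth can-i ... --as=` pair is the check worth keeping after any later change to the role: a "yes" for delete means the Grafana credential has drifted back to write access.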

@MakeshKathirvel

@CiaranCurran
We are using EKS and are not seeing the values for users: user: client-certificate-data and users: user: client-key-data.
How can we authenticate to the EKS cluster?
