Implement service account token based HTTP authorization #7518

exekias · 2018-07-05T13:18:42Z

Metricbeat uses HTTP helper to gather metrics from kubelet + many Prometheus endpoints. In order to use the safe port (HTTPS) we need to implement a way to fetch service account token from the metricbeat container. A request like this works:

TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt https://localhost:10250/stats/summary -H "Authorization: Bearer $TOKEN"

more on service account tokens:
https://kubernetes.io/docs/concepts/storage/volumes/#projected
https://kubernetes.io/docs/reference/access-authn-authz/authentication/

The text was updated successfully, but these errors were encountered:

exekias · 2018-07-05T13:50:56Z

We already have an appender for this here: https://github.com/elastic/beats/blob/master/metricbeat/autodiscover/appender/kubernetes/token/token.go, it would be nice to fold it into the HTTP helper

This change allows to load bearer tokens from files in modules using the HTTP helper. This is especially useful for Kubernetes and Prometheus, as some deployments enforce SSL access (like OpenShift): ``` - module: kubernetes metricsets: - pod bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ``` Closes #7518

This change allows to load bearer tokens from files in modules using the HTTP helper. This is especially useful for Kubernetes and Prometheus, as some deployments enforce SSL access (like OpenShift): ``` - module: kubernetes metricsets: - pod bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ``` Closes elastic#7518 (cherry picked from commit 1d3109f)

…lper (#7577) * Add `bearer_token_file` paramter to HTTP helper (#7527) This change allows to load bearer tokens from files in modules using the HTTP helper. This is especially useful for Kubernetes and Prometheus, as some deployments enforce SSL access (like OpenShift): ``` - module: kubernetes metricsets: - pod bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ``` Closes #7518 (cherry picked from commit 1d3109f) * Update CHANGELOG.asciidoc

…HTTP helper (elastic#7577) * Add `bearer_token_file` paramter to HTTP helper (elastic#7527) This change allows to load bearer tokens from files in modules using the HTTP helper. This is especially useful for Kubernetes and Prometheus, as some deployments enforce SSL access (like OpenShift): ``` - module: kubernetes metricsets: - pod bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ``` Closes elastic#7518 (cherry picked from commit 7b90836) * Update CHANGELOG.asciidoc

exekias added enhancement Metricbeat Metricbeat containers Related to containers use case labels Jul 5, 2018

exekias mentioned this issue Jul 5, 2018

[Meta Issue] Increase Kubernetes monitoring coverage #7058

Closed

23 tasks

exekias mentioned this issue Jul 6, 2018

Add bearer_token_file paramter to HTTP helper #7527

Merged

ruflin closed this as completed in #7527 Jul 12, 2018

exekias mentioned this issue Jul 12, 2018

Cherry-pick #7527 to 6.3: Add bearer_token_file paramter to HTTP helper #7577

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement service account token based HTTP authorization #7518

Implement service account token based HTTP authorization #7518

exekias commented Jul 5, 2018

exekias commented Jul 5, 2018

Implement service account token based HTTP authorization #7518

Implement service account token based HTTP authorization #7518

Comments

exekias commented Jul 5, 2018

exekias commented Jul 5, 2018