check_rancher2 monitoring getting Authentication failed error on API Key with scope



When monitoring Kubernetes environments managed by SUSE Rancher with the check_rancher2 monitoring plugin, one prerequisite must be met first: creating an API Key.

In past versions (Rancher 2.0 - 2.5) there was nothing to get wrong when creating this API Key. Rancher 2.6, however, added a new "scope" limitation for the API. A specific cluster can be selected as scope, which limits API access to the selected cluster.

It may seem like a good idea to select a scope for the API Key. However, this limits API access in such a way that the monitoring plugin check_rancher2 no longer works:

ck@linux:~$ ./check_rancher2.sh -H rancher.example.com -S -U token-xxxx1 -P secret -t info
CHECK_RANCHER2 WARNING - Authentication failed

Therefore, select "No Scope" when creating the API Key for monitoring with check_rancher2. This way the plugin has the permissions on the "top level" elements of the API that the checks need to work correctly:

ck@linux:~$ ./check_rancher2.sh -H rancher.example.com -S -U token-xxxx2 -P secret -t info
CHECK_RANCHER2 OK - Found 1 clusters: local alias local - and 2 projects: local:p-6m75s alias Default - local:p-b8fnq alias System -|'clusters'=1;;;; 'projects'=2;;;;

This important information has been added to the documentation of check_rancher2.

