status 403 Forbidden" messages similar to the following in Telegraf  pod logs:kubectl -n pks-system logs telegraf-9rlsv
2024-08-20T10:53:45Z I! Loading config: /etc/telegraf/cluster-metric-sinks.conf2024-08-20T10:53:45Z I! Loading config: /etc/telegraf/telegraf.conf2024-08-20T10:53:45Z I! Starting Telegraf 1.29.5 brought to you by InfluxData the makers of InfluxDB2024-08-20T10:53:45Z I! Available plugins: 241 inputs, 9 aggregators, 30 processors, 24 parsers, 60 outputs, 6 secret-stores2024-08-20T10:53:45Z I! Loaded inputs: cpu disk diskio kubernetes mem net2024-08-20T10:53:45Z I! Loaded aggregators:2024-08-20T10:53:45Z I! Loaded processors:2024-08-20T10:53:45Z I! Loaded secretstores:2024-08-20T10:53:45Z I! Loaded outputs: prometheus_client2024-08-20T10:53:45Z I! Tags enabled: cluster_name=pks-cluster-name host=7b7fc874-###-###-####-85129530c8692024-08-20T10:53:45Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"7b7fc874-###-###-####-85129530c86", Flush Interval:20s2024-08-20T10:53:45Z W! DeprecationWarning: Value "false" for option "ignore_protocol_stats" of plugin "inputs.net" deprecated since version 1.27.3 and will be removed in 1.36.0: use the 'inputs.nstat' plugin instead2024-08-20T10:53:45Z I! [outputs.prometheus_client] Listening on http://0.0.0.0:29273/metrics2024-08-20T10:53:50Z E! [inputs.kubernetes] Error in plugin: https://127.0.0.1:10250/pods returned HTTP status 403 Forbidden2024-08-20T10:54:00Z E! [inputs.kubernetes] Error in plugin: https://127.0.0.1:10250/pods returned HTTP status 403 Forbidden2024-08-20T10:54:50Z E! [inputs.kubernetes] Error in plugin: https://127.0.0.1:10250/pods returned HTTP status 403 Forbidden2024-08-20T10:55:00Z E! [inputs.kubernetes] Error in plugin: https://127.0.0.1:10250/pods returned HTTP status 403 Forbidden2024-08-20T10:55:10Z E! [inputs.kubernetes] Error in plugin: https://127.0.0.1:10250/pods returned HTTP status 403 Forbidden
kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"628b1cbc-e1dd-416e-882b-d4d290106ff0","stage":"ResponseComplete","requestURI":"/apis/authorization.k8s.io/v1/subjectaccessreviews","verb":"create","user":{"username":"kubelet","uid":"kubelet","groups":["system:authenticated"]},"sourceIPs":["172.##.##.7"],"userAgent":"kubelet/v1.28.9+vmware.1 (linux/amd64) kubernetes/dda3aee","objectRef":{"resource":"subjectaccessreviews","apiGroup":"authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":
{"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"verb":"get","version":"v1","resource":"nodes","subresource":"proxy","name":"7b7fc874-####-####-###-85129530c869"},"user":"system:serviceaccount:pks-system:telegraf","groups":["system:serviceaccounts","system:serviceaccounts:pks-system","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["telegraf-9rlsv"],"authentication.kubernetes.io/pod-uid":["e33a6a73-1690-420f-a77d-6e95ad1be069"]},"uid":"07564e4e-95fe-40ad-a7f8-85971b08aeb5"},"status":{"allowed":false}},"responseObject":{"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"kubelet","operation":"Update","apiVersion":"authorization.k8s.io/v1",
"time":"2024-08-20T15:06:20Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:extra":{".":{},"f:authentication.kubernetes.io/pod-name":{},"f:authentication.kubernetes.io/pod-uid":{}},"f:groups":{},"f:resourceAttributes":{".":{},"f:name":{},"f:resource":{},"f:subresource":{},"f:verb":{},"f:version":{}},"f:uid":{},"f:user":{}}}}]},"spec":{"resourceAttributes":{"verb":"get","version":"v1","resource":"nodes","subresource":"proxy","name":"7b7fc874-####-####-###-85129530c869"},"user":"system:serviceaccount:pks-system:telegraf","groups":["system:serviceaccounts","system:serviceaccounts:pks-system","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["telegraf-9rlsv"],"authentication.kubernetes.io/pod-uid":["e33a6a73-1690-420f-a77d-6e95ad1be069"]},"uid":"07564e4e-95fe-40ad-a7f8-85971b08aeb5"},"status":{"allowed":false}},"requestReceivedTimestamp":"2024-08-20T15:06:20.032859Z","stageTimestamp":"2024-08-20T15:06:20.049360Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"kubo:internal:kubelet\" of ClusterRole \"system:node\" to User \"kubelet\""}}
The only event I found regarding the 403 "Forbidden", is related to the healthwatch service account"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"c4bfbcf4-9588-49c2-b293-72f78170b3c7","stage":"ResponseComplete","requestURI":"/metrics","verb":"get","user":{"username":"healthwatch","groups":["healthwatch","system:authenticated"]},"sourceIPs":["100.64.0.11"],"userAgent":"Prometheus/2.46.0","responseStatus":{"metadata":{},"status":"Failure","message":"forbidden: User \"healthwatch\" cannot get path \"/metrics\"","reason":"Forbidden","details":{},"code":403},"requestReceivedTimestamp":"2024-08-20T15:15:02.226149Z","stageTimestamp":"2024-08-20T15:15:02.226837Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":"”}}
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Telegraf" ClusterRole.# kubectl get clusterrole telegraf -o yamlapiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  annotations:    kubectl.kubernetes.io/last-applied-configuration: |      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"metrics":"true","safeToDelete":"true"},"name":"telegraf"},"rules":[{"apiGroups":[""],"resources":["nodes/stats"],"verbs":["get","list"]},{"apiGroups":[""],"resources":["pods"],"verbs":["watch"]}]}  creationTimestamp: "2024-12-20T05:42:49Z"  labels:    metrics: "true"    safeToDelete: "true"  name: telegraf  resourceVersion: "2588"  uid: 75366dff-####-####-####-7425af5d2c9frules:- apiGroups:  - ""  resources:  - nodes/stats  verbs:  - get  - list- apiGroups:  - ""  resources:  - pods  verbs:  - watchTelegraf" ClusterRole.# kubectl edit clusterrole telegraf- apiGroups:   - ""   resources:   - nodes/proxy   verbs:   - get   - watch   - list
esc to exit insert mode.:wq to write, save, and quit the file