check_rancher2 monitoring getting Authentication failed error on API Key with scope

Published on June 16th 2022

When monitoring Kubernetes environments managed by SUSE Rancher with the check_rancher2 monitoring plugin, there is one requirement which needs to be done first: Creating an API Key.

In the past versions (Rancher 2.0 - 2.5) no errors could be made when creating this API Key. Rancher 2.6 however added a new "scope" limitation for the API. A specific cluster can be selected as scope, therefore limiting the API to the selected cluster.

It may seem a good idea to select a scope for the API Key. However this limits the API access in a way, that the monitoring plugin check_rancher2 does not work anymore:

ck@linux:~$ ./check_rancher2.sh -H rancher.example.com -S -U token-xxxx1 -P secret -t info
CHECK_RANCHER2 WARNING - Authentication failed

Therefore select "No Scope" when creating the API Key for monitoring with check_rancher2. This way the plugin has the necessary permissions on the "top level" elements of the API, necessary for the checks to correctly work:

ck@linux:~$ ./check_rancher2.sh -H rancher.example.com -S -U token-xxxx2 -P secret -t info
CHECK_RANCHER2 OK - Found 1 clusters: local alias local - and 2 projects: local:p-6m75s alias Default - local:p-b8fnq alias System -|'clusters'=1;;;; 'projects'=2;;;;

This important information was added in the documentation of check_rancher2.

More recent articles:

• Invoice Ninja v5: How to make the Account Management setting available to additional (admin) users

• Nagios NRPE and the different payload (packet, buffer) sizes using cross-version communication

• Nginx Ingress configuration gone after Rancher and Kubernetes update

• How to monitor stale zones/domains on PowerDNS secondary (slave) servers

• Troubleshooting AWS EC2 instance with lost network connectivity (after upgrade to Ubuntu 20.04)

• IP address filtering in Logstash: To cidr, or not to cidr?

• How to fix a Rancher 2 cluster node stuck registering in downstream cluster (not shown in UI)

• Varnish caching combined with HAProxy balancing in Kubernetes deployments (and tackling strange DNS issues)

• Using Nginx and LUA script to mitigate against Log4Shell (CVE-2021-44228) vulnerability attacks

• Cluster role issues after Kubernetes upgrade: error getting ClusterInformation: connection is unauthorized

• Rancher managed Kubernetes (Docker) node unable to pull images after clean-up

• Missing calico-node role in Rancher managed Kubernetes cluster after K8s upgrade with RKE

• Lets Encrypt Root CA expiry (server certificate verification failed): Make sure to remove DST Root CA X3!

• Monitoring Windows hosts with NSClient++: Service and system checks using NRPE and API

• How to monitor and handle evicted pods (containers) in Rancher managed Kubernetes

• Confluence upgrade from 7.7 to 7.13 fails with SQL error (java.sql.SQLException) on replicated MySQL database

• Nginx reverse proxy error: SSL alert number 40 while SSL handshaking to upstream server (SSL server name)

• How to secure the Plesk Panel with a Lets Encrypt certificate (and solve port 8443 problem)

• check_nrpe 4.x and NSClient++ 5.x: (ssl_err != 5) Error - Could not complete SSL handshake

• Nginx reverse proxy error: SSL alert number 47 while SSL handshaking to upstream

• How to backup KVM virtual machines using virt-backup.pl script

• Modify InfluxDB subscription to send data to multiple subscribers (asynchronous data replication)

• Unable to create LXC container due to ERROR: Unable to fetch GPG key from keyserver (key server down)

• How to install Dell OMSA (OpenManage Server Administrator) 10.x on Ubuntu 20.04

• Icinga 2 fails to upgrade package to 2.12.4 on a recently upgraded Ubuntu 18.04 Bionic (from Xenial)