Kubernetes 401 unauthorized

CMK version: 2.1 Enterprise
OS version: Ubuntu 20.04

Error message:
[special_kube] Agent exited with code 1: 401, Reason: Unauthorized, Message: UnauthorizedCRIT, execution time 1.2 sec

Hi, I’ve been trying to set up kubernetes in the new checkmk 2.1. I’ve watched the tutorial and gone through the documentation. I’ve set it up accordingly but I’m stuck on a 401 unauthorized message.

I generated the token like so:
kubectl get secret $(kubectl get serviceaccount checkmk -o=jsonpath=’{.secrets[*].name}’ -n cmk-monitoring) -n cmk-monitoring -o=jsonpath=’{.data.token}’ | base64 --decode

Which Kubernetes version and which flavor (Vanilla, AWS, …) are you using?

For debugging purposes, you could help us a bit by providing some additional information. Please follow Debugging the kubernetes - k8s special agent - Checkmk Knowledge Base - Checkmk Knowledge Base

Follow the steps under Debugging K8s special agent

We just need the --debug flag set with the special agent call. This might show why the 401 was raised (e.g. insufficient permissions)

Hi, thank you for the response.
I managed to get it running. I think the issue was the token and the Kubernetes version.

None of my deployments, namespaces are showing in the dashboard though ?

I also have a lot of these:

This seems to be the problem

You can ignore these messages. The CRIT message on Check_MK is not related to this message. If it is still CRIT, then your problem is something else.

Yes it is still critical.

I have never seen one of those :slight_smile:
Can you provide a little more context, e.g. a screenshot of the hosts (incl. hostnames) of the hosts where this happens? e.g.

Does this happen for all your Kubernetes piggyback hosts?

Yes, everything you showed in the screenshot is showing up red on mine. Namespaces, pods, deployments etc.

What I can see from here:
The Check_MK service has in the summary an [agent] part and a [piggyback] part. For the Kubernetes monitoring, an agent part is not necessary as all data comes via [piggyback].

In your DCD, you need to configure it like this:

→ So that the agent part is not done anymore as then “Monitoring agents Checkmk agent / API integration” is set to none.

Oh thank you. I did not see that part in the documentation. It works now!