This repository has been archived by the owner on Dec 18, 2019. It is now read-only.
AEROGEAR-1917 document how to give user permissions to access metrics #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@finp I've changed the content of the doc to be about giving an Openshift user access to the metrics service. Could you take a look again? |
StevenTobin
changed the title
|
@finp any feedback on this PR? |
pwright
approved these changes
Feb 6, 2018
| provisioning of the metrics service. You can refer to the documentation for the proxy container link:https://github.com/openshift/oauth-proxy[here] for | ||
| more detailed information on how the proxy can be configured. | ||
|
|
||
| The configuration for the metrics service is made up of two parts: |
There was a problem hiding this comment.
is that the only configuration for metrics?
|
|
||
| == OAuth proxy usage | ||
|
|
||
| When the metrics service has been provisioned there will be a route for Grafana and a route for Prometheus. |
|
|
||
| == Introduction | ||
|
|
||
| The metrics service creates routes to access Grafana and Prometheus. To protect these routes there is an OAuth reverse proxy sidecar container in front |
There was a problem hiding this comment.
@StevenTobin I feel like we're missing a couple of scenarios here, eg
If you are ... you might want to protect these routes..
or
If you are ... you might not need to protect ...
| == About OAuth proxy permissions | ||
| The OAuth proxy, uses a Subject Access Review rule defined in the *deploymentConfig* resource to specify which permissions are required to access the protected | ||
| routes. This rule is defined by the `openshift-sar` option. For the Prometheus service, the *deploymentConfig* resource in the metrics service default definition is: | ||
| //need to follow up on this, would expect this to be output of `oc deploy prometheus` |
There was a problem hiding this comment.
@StevenTobin this is a bit weird, ping me to discuss
| The deploymentConfig for Grafana contains the same Subject Access Review rule for Grafana. | ||
| To authenticate against the OAuth proxy, a user must have | ||
| sufficient permissions to update the *deploymentConfig* resource named `prometheus` in the current Openshift namespace. | ||
| The *deploymentConfig* resource for Grafana contains the same Subject Access Review rule for the resource named `grafana`. |
There was a problem hiding this comment.
@StevenTobin not sure about the end of this sentence
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding documentation explaining how the metrics OAuth proxy is configured.