[Chore] Add cluster role binding required for OpenShift monitoring dependent cases. #708
Codecov Report
All modified and coverable lines are covered by tests ✅

Coverage Diff

| | main | #708 |
|---|---|---|
| Coverage | 77.66% | 77.66% |
| Files | 68 | 68 |
| Lines | 5157 | 5157 |
| Hits | 4005 | 4005 |
| Misses | 954 | 954 |
| Partials | 198 | 198 |
440637b to fd94b3e
name: kuttl-cluster-monitoring-metrics-api | ||
subjects: | ||
- kind: ServiceAccount | ||
name: prometheus-user-workload |
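Review bot: the subject at `name: prometheus-user-workload` is a ServiceAccount with no explanation in the visible lines of why this test fixture needs to bind a role to it; add a YAML comment above the ClusterRoleBinding stating the purpose, since a cluster-scoped binding to an existing service account reads as a privilege grant without one. Also confirm the subject entry carries a `namespace:` field, which RBAC requires for `kind: ServiceAccount` subjects; the lines shown end before it.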
The tempo operator does not own/manage the prometheus-user-workload service account. Is it really the responsibility of the tempo operator (tests) to grant this service account additional permissions?
Shouldn't this permission be granted in the CMO operator?
I checked with the CMO dev: the CMO creates the cluster-monitoring-view role, which can be bound to any SA to view the metrics for user workload monitoring. These are the docs for viewing user workload monitoring metrics:
https://docs.openshift.com/container-platform/4.14/monitoring/enabling-monitoring-for-user-defined-projects.html#accessing-metrics-from-outside-cluster_enabling-monitoring-for-user-defined-projects
With the new CMO change, the additional step is to also bind the cluster-monitoring-view role. This gives the user the flexibility to use any SA.
The ClusterRoleBinding step is not a Tempo requirement and is used only by the test case to check the metrics using the check_metrics.sh script.
> The ClusterRoleBinding step is not a Tempo requirement and is used only by the test case to check the metrics using the check_metrics.sh script.

Ah! Thanks for the explanation. That was the part I didn't realize, that check_metrics.sh is impersonating the prometheus-user-workload service account.
Could you add this as a comment above the ClusterRoleBinding?
Added the comment. :)
Thank you!
335f9fa to 49aeb40
49aeb40 to c8fe606
The Thanos Querier has switched to using kube-rbac-proxy in OpenShift 4.15, which requires creation of an additional role and binding to query for metrics: https://issues.redhat.com/browse/MON-3379
This PR adds the required ClusterRole and ClusterRoleBinding so that the in-cluster monitoring dependent cases work on OCP 4.15.