OCPBUGS-17035: fix rbac rules for thanos-querier
fix rbac rules for thanos-querier for pods by specifying the correct
apiVersion
rexagod committed Aug 8, 2023
1 parent 45bdf6f commit c2fcef4
Showing 4 changed files with 63 additions and 4 deletions.
3 changes: 2 additions & 1 deletion assets/thanos-querier/kube-rbac-proxy-secret.yaml
Expand Up @@ -15,7 +15,8 @@ stringData:
config.yaml: |-
"authorization":
"resourceAttributes":
"apiVersion": "metrics.k8s.io/v1beta1"
"apiGroup": "metrics.k8s.io"
"apiVersion": "v1beta1"
"namespace": "{{ .Value }}"
"resource": "pods"
"rewrites":
3 changes: 2 additions & 1 deletion jsonnet/components/thanos-querier.libsonnet
Expand Up @@ -144,7 +144,8 @@ function(params)
},
},
resourceAttributes: {
apiVersion: 'metrics.k8s.io/v1beta1',
apiVersion: 'v1beta1',
apiGroup: 'metrics.k8s.io',
resource: 'pods',
namespace: '{{ .Value }}',
},
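Review bot: The `resourceAttributes` object carries no comment saying that this tuple is the whole tenancy check for pod-metric queries, and the commit changes what it asks for: with `apiGroup` now set, the SubjectAccessReview is for `pods` in `metrics.k8s.io` rather than, as the old single `apiVersion` key presumably produced, `pods` in the core group, so a subject whose only grant is `get pods` in the core group stops passing. I would record that intent above the block: `// SubjectAccessReview attributes for tenant pod-metric queries: namespace is the rewritten query parameter; apiGroup and apiVersion must be given separately (OCPBUGS-17035).` No `verb` is set, so the verb presumably comes from the HTTP method inside kube-rbac-proxy; worth confirming and noting next to the block. The enclosing `function(params)` begins outside the hunk.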
44 changes: 44 additions & 0 deletions test/e2e/framework/framework.go
Expand Up @@ -29,6 +29,7 @@ import (
openshiftconfigclientset "github.com/openshift/client-go/config/clientset/versioned"
openshiftmonitoringclientset "github.com/openshift/client-go/monitoring/clientset/versioned"
routev1 "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"

"github.com/openshift/cluster-monitoring-operator/pkg/client"
"github.com/openshift/cluster-monitoring-operator/pkg/manifests"

Expand Down Expand Up @@ -370,6 +371,49 @@ func (f *Framework) CreateClusterRoleBinding(namespace, serviceAccount, clusterR
}, nil
}

func (f *Framework) CreateRoleBindingFromTypedClusterRole(namespace, serviceAccount string, clusterRole *rbacv1.ClusterRole) (cleanUpFunc, error) {
ctx := context.Background()

clusterRole, err := f.KubeClient.RbacV1().ClusterRoles().Create(ctx, clusterRole, metav1.CreateOptions{})
if err != nil {
return nil, err
}

roleBinding := &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: fmt.Sprintf("%s-%s", serviceAccount, clusterRole.Name),
Labels: map[string]string{
E2eTestLabelName: E2eTestLabelValue,
},
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: serviceAccount,
Namespace: namespace,
},
},
RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole",
Name: clusterRole.Name,
APIGroup: "rbac.authorization.k8s.io",
},
}

roleBinding, err = f.KubeClient.RbacV1().RoleBindings(namespace).Create(ctx, roleBinding, metav1.CreateOptions{})
if err != nil {
return nil, err
}

return func() error {
err := f.KubeClient.RbacV1().ClusterRoles().Delete(ctx, clusterRole.Name, metav1.DeleteOptions{})
if err != nil {
return err
}
return f.KubeClient.RbacV1().RoleBindings(namespace).Delete(ctx, roleBinding.Name, metav1.DeleteOptions{})
}, nil
}

func (f *Framework) CreateRoleBindingFromClusterRole(namespace, serviceAccount, clusterRole string) (cleanUpFunc, error) {
ctx := context.Background()
roleBinding := &rbacv1.RoleBinding{
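Review bot: If the RoleBinding `Create` fails, `CreateRoleBindingFromTypedClusterRole` returns the error without deleting the cluster-scoped ClusterRole it created a few lines earlier, so a failed call leaks a ClusterRole that no caller can remove since no cleanup function is returned. The ClusterRole is also created exactly as the caller passed it, without the `E2eTestLabelName`/`E2eTestLabelValue` label the RoleBinding gets, so if the suite reaps test objects by that label (not visible here) the role is invisible to it. The returned cleanup additionally deletes the ClusterRole first and stops if that fails, leaving the binding in place, and the exported method has no doc comment. A rewrite that labels a copy of the role, deletes it on the binding error path, and removes the binding before the role follows; the helper is self-contained in the hunk.
```go
// CreateRoleBindingFromTypedClusterRole creates clusterRole and binds it to
// serviceAccount in namespace. The returned function removes both objects.
func (f *Framework) CreateRoleBindingFromTypedClusterRole(namespace, serviceAccount string, clusterRole *rbacv1.ClusterRole) (cleanUpFunc, error) {
	ctx := context.Background()

	// Label a copy so the caller's object is untouched and the cluster-scoped
	// role carries the same e2e marker as the binding below.
	cr := clusterRole.DeepCopy()
	if cr.Labels == nil {
		cr.Labels = map[string]string{}
	}
	cr.Labels[E2eTestLabelName] = E2eTestLabelValue

	cr, err := f.KubeClient.RbacV1().ClusterRoles().Create(ctx, cr, metav1.CreateOptions{})
	if err != nil {
		return nil, err
	}
	deleteClusterRole := func() error {
		return f.KubeClient.RbacV1().ClusterRoles().Delete(ctx, cr.Name, metav1.DeleteOptions{})
	}

	// … unchanged: roleBinding literal, with cr.Name in Name and RoleRef.Name …

	roleBinding, err = f.KubeClient.RbacV1().RoleBindings(namespace).Create(ctx, roleBinding, metav1.CreateOptions{})
	if err != nil {
		// Do not leave the cluster-scoped role behind when the binding fails.
		if derr := deleteClusterRole(); derr != nil {
			return nil, fmt.Errorf("%w (deleting ClusterRole %q after failure: %v)", err, cr.Name, derr)
		}
		return nil, err
	}

	return func() error {
		// Remove the binding first so the role is never left referenced by a dangling binding.
		if err := f.KubeClient.RbacV1().RoleBindings(namespace).Delete(ctx, roleBinding.Name, metav1.DeleteOptions{}); err != nil {
			return err
		}
		return deleteClusterRole()
	}, nil
}
```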
17 changes: 15 additions & 2 deletions test/e2e/user_workload_monitoring_test.go
Expand Up @@ -26,15 +26,17 @@ import (
"time"

"github.com/Jeffail/gabs"
"github.com/openshift/cluster-monitoring-operator/test/e2e/framework"
"github.com/pkg/errors"
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/util/cert"

"github.com/openshift/cluster-monitoring-operator/test/e2e/framework"
)

type scenario struct {
Expand Down Expand Up @@ -533,7 +535,18 @@ func assertTenancyForMetrics(t *testing.T) {

// Grant enough permissions to the account so it can read metrics.
err = framework.Poll(2*time.Second, 10*time.Second, func() error {
_, err = f.CreateRoleBindingFromClusterRole(userWorkloadTestNs, testAccount, "admin")
_, err = f.CreateRoleBindingFromTypedClusterRole(userWorkloadTestNs, testAccount, &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
Name: "tenancy-test-metrics",
},
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{"metrics.k8s.io"},
Resources: []string{"pods"},
Verbs: []string{"get"},
},
},
})
return err
})
if err != nil {
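Review bot: The cleanup function returned by `CreateRoleBindingFromTypedClusterRole` is still discarded with `_`, which was harmless when the binding referenced the built-in `admin` role but now also drops the only handle on a cluster-scoped ClusterRole named `tenancy-test-metrics` that is created without the e2e label. The call also sits inside `framework.Poll`, and creating a fixed-name ClusterRole is not idempotent: if one attempt creates the role and then fails on the binding, every retry ends in AlreadyExists and the poll can only time out (this depends on the helper's behaviour, which is in another file). Narrowing the grant from `admin` to `get pods` in `metrics.k8s.io` is the right least-privilege proof of the fix; a companion negative case, an account holding `get pods` in the core group only, which the old attributes presumably accepted, would pin the regression. Keep the cleanup and register it with `t.Cleanup` as below; `assertTenancyForMetrics` starts and ends outside the hunk.
```go
	// Grant enough permissions to the account so it can read metrics.
	var cleanUp func() error
	err = framework.Poll(2*time.Second, 10*time.Second, func() error {
		cleanUp, err = f.CreateRoleBindingFromTypedClusterRole(userWorkloadTestNs, testAccount, &rbacv1.ClusterRole{
			// … unchanged: ObjectMeta and Rules …
		})
		return err
	})
	// … unchanged: error check on err …
	t.Cleanup(func() {
		if err := cleanUp(); err != nil {
			t.Logf("cleaning up tenancy-test-metrics RBAC: %v", err)
		}
	})
```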
