use AlertmanagerConfigAllowList for alertmanager secret informer #4455
Conversation
This secrets informer exists for
Ahh I see now with the To address tighter scoping of secrets permissions, we could add an option
I wouldn't be opposed to this. To be consistent with the other flags, the logic should be:
@fpetkovski @paulfantom thoughts?
@simonpasquier Sounds reasonable to me. Will wait for others to chime in.
This suggestion makes sense to me as well 👍
Simon's suggestion sounds good to me.
Great, I'll get to work on this and will have something by end of week.
lgtm
@simonpasquier is there a release we can expect this in?
@william-tran some CI jobs are failing, you should be able to fix them with
@simonpasquier okay with you to merge?
The check docs error seems unrelated to this PR:
@william-tran - if you rebase on top of
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.12.0 to 1.12.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.12.0...v1.12.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
AlertmanagerConfig namespaces require Secrets list/watch, so separating this config from general --namespaces provides better control over which namespaces to allow Secrets RBAC access.

Fixes prometheus-operator#3544

Signed-off-by: Will Tran <will@autonomic.ai>
Signed-off-by: Will Tran <will@autonomic.ai>
@philipgough done
thanks!
…metheus-operator#4455)

* build(deps): bump github.com/prometheus/client_golang

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.12.0 to 1.12.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.12.0...v1.12.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add a new flag alertmanager-config-namespaces to watch

AlertmanagerConfig namespaces require Secrets list/watch, so separating this config from general --namespaces provides better control over which namespaces to allow Secrets RBAC access.

Fixes prometheus-operator#3544

Signed-off-by: Will Tran <will@autonomic.ai>

* Use AlertmanagerConfigAllowList for alrtCfgInfs and nsAlrtCfgInf as well

Signed-off-by: Will Tran <will@autonomic.ai>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Description
Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request. If it fixes a bug or resolves a feature request, be sure to link to that issue.

I want to use the operator to handle PrometheusRule CRDs in many namespaces but only handle Prometheus CRDs in one namespace. I saw the default RBAC in the helm chart was far too broad and wrote my own, having secrets operations as Roles instead of ClusterRoles, attached only to the namespaces where I want to set up prometheus instances. I noticed after setting --namespaces and --prometheus-instance-selector to different values, that list/watch of secrets was being attempted in the namespaces under --namespaces, with access denied.

Fixes #3544 (and #3298 in the case --namespaces is unset, which results in attempting to watch all secrets)

Type of change
What type of changes does your code introduce to the Prometheus operator? Put an x in the boxes that apply.
- CHANGE (fix or feature that would cause existing functionality to not work as expected)
- FEATURE (non-breaking change which adds functionality)
- BUGFIX (non-breaking change which fixes an issue)
- ENHANCEMENT (non-breaking change which improves existing functionality)
- NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Changelog entry
Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.
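The RBAC split this PR motivates, written out as an added configuration example (not manifests from the PR, the operator repository or its helm chart). It assumes a constructed cluster where the operator and its single Alertmanager run in a namespace called monitoring while PrometheusRule objects live in team-a and team-b; the namespace names, the service account name and the image tag are assumptions. Only the namespaces passed to --alertmanager-config-namespaces need a Secrets list/watch grant, so that grant is a namespaced Role bound in monitoring rather than a ClusterRole:

```yaml
# Added example, not from the PR or the project. Namespace names, the service
# account name and the image tag are constructed assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-operator
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: prometheus-operator
    spec:
      serviceAccountName: prometheus-operator
      containers:
        - name: prometheus-operator
          image: quay.io/prometheus-operator/prometheus-operator:VERSION_PLACEHOLDER
          args:
            # Reconcile PrometheusRule and the other CRDs across these namespaces.
            - --namespaces=monitoring,team-a,team-b
            # Reconcile AlertmanagerConfig, and therefore list/watch Secrets,
            # only in the namespace that hosts Alertmanager.
            - --alertmanager-config-namespaces=monitoring
---
# Secrets access as a namespaced Role instead of a cluster-wide ClusterRole,
# matching the narrowed informer scope configured above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-operator-secrets
  namespace: monitoring
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-operator-secrets
  namespace: monitoring
subjects:
  - kind: ServiceAccount
    name: prometheus-operator
    namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-operator-secrets
```

To confirm the scoping holds after applying this, run kubectl auth can-i list secrets -n team-a --as=system:serviceaccount:monitoring:prometheus-operator and expect "no", while the same query with -n monitoring returns "yes"; with the operator built from this PR, the operator log should no longer show Secrets list/watch being denied in team-a or team-b.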