- Bug
- Resolution: Unresolved
- Minor
Description of problem:
- The DevSpaces Operator deploys an openshift-devspaces-metrics-exporter ServiceMonitor in a global namespace (i.e. openshift-operators).
- However, it is provisioned without the RoleBindings that the system:serviceaccount:openshift-monitoring:prometheus-k8s ServiceAccount needs, so the Cluster Monitoring Prometheus reports missing permissions:
[0]
ts=2025-01-15T11:46:30.778Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:548: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"pods\" in API group \"\" in the namespace \"openshift-devspaces\""
ts=2025-01-15T11:46:37.479Z caller=klog.go:108 level=warn component=k8s_client_runtime func=Warningf msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:547: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"openshift-devspaces\""
ts=2025-01-15T11:46:37.479Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:547: Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"services\" in API group \"\" in the namespace \"openshift-devspaces\""
ts=2025-01-15T11:46:44.705Z caller=klog.go:108 level=warn component=k8s_client_runtime func=Warningf msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:546: failed to list *v1.Endpoints: endpoints is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"endpoints\" in API group \"\" in the namespace \"openshift-devspaces\""
ts=2025-01-15T11:46:44.706Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:546: Failed to watch *v1.Endpoints: failed to list *v1.Endpoints: endpoints is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"endpoints\" in API group \"\" in the namespace \"openshift-devspaces\""
Workaround:
- As a workaround, the permissions can be applied manually by following https://access.redhat.com/solutions/7024333
- Given that this ServiceAccount is enabled and provisioned by default, it would also be preferable to provision the RoleBinding out of the box, for a seamless user experience.
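A namespaced Role and RoleBinding granting the cluster-monitoring Prometheus ServiceAccount only the read-only discovery permissions the log above reports as forbidden, as an added example rather than the operator's own manifests or the exact content of the linked solution article; it assumes the target namespace is openshift-devspaces, as in the log, and the object names are illustrative:

```yaml
# Added example; not shipped by the DevSpaces Operator. Object names are illustrative.
# Assumption: the ServiceMonitor targets workloads in the openshift-devspaces namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-k8s
  namespace: openshift-devspaces
rules:
  # Exactly the core resources Prometheus service discovery lists and watches
  # (see the forbidden pods/services/endpoints errors): no write verbs, and a
  # namespaced Role rather than a ClusterRole, so the grant stays least-privilege.
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-k8s
  namespace: openshift-devspaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-k8s
subjects:
  # The identity named in the log: the Cluster Monitoring Prometheus ServiceAccount.
  - kind: ServiceAccount
    name: prometheus-k8s
    namespace: openshift-monitoring
```

After `oc apply -f` on this file, `oc auth can-i list pods -n openshift-devspaces --as=system:serviceaccount:openshift-monitoring:prometheus-k8s` should answer yes and the forbidden errors should stop appearing in the Prometheus log.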
Actual results:
- Missing permissions cause Prometheus scraping failures, and the user has to intervene to fix them.
Expected results:
- RoleBindings for system:serviceaccount:openshift-monitoring:prometheus-k8s in the openshift-devspaces namespace to be provisioned out of the box.