Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-4938

Operator - Ruler unable to send alerts to UWM Alertmanager

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      Before this fix, in OCP 4.15 the Ruler would not be able to send alerts to Alertmanager in the user workload monitoring, because the openshift-monitoring team updated the necessary RBAC permissions to send alerts in OCP 4.15. After the fix, the Loki operator now has (and gives to Ruler) the correct RBAC permissions to send alerts to Alertmanager in the user workload monitoring in OCP 4.15.
      Show
      Before this fix, in OCP 4.15 the Ruler would not be able to send alerts to Alertmanager in the user workload monitoring, because the openshift-monitoring team updated the necessary RBAC permissions to send alerts in OCP 4.15. After the fix, the Loki operator now has (and gives to Ruler) the correct RBAC permissions to send alerts to Alertmanager in the user workload monitoring in OCP 4.15.
    • Release Note Not Required
    • Log Storage - Sprint 247, Log Storage - Sprint 248

      Description of problem:

      When UWM Alertmanager is enabled and the Ruler tries to send an alert to UWM Alertmanager it get's denied with 403.

      I enabled high verbose logging on kube-rbac-proxy in the UWM Alertmanager pod and I saw that the Ruler is failing the SAR with:

      alertmanager-proxy I0108 20:37:25.898884       1 request.go:1172] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"kube-rbac-proxy","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-01-08T │
      │ 20:37:25Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:extra":{".":{},"f:authentication.kubernetes.io/pod-name":{},"f:authentication.kubernetes.io/pod-uid":{}},"f:groups":{},"f:resourceAttributes":{".":{},"f:group":{},"f:name":{},"f:namespace":{},"f:resource":{},"f:subresource":{},"f:verb":{}},"f:uid":{}," │
      │ f:user":{}}}}]},"spec":{"resourceAttributes":

      {"namespace":"openshift-user-workload-monitoring","verb":"create","group":"monitoring.coreos.com","resource":"alertmanagers","subresource":"api","name":"user-workload"}

      ,"user":"system:serviceaccount:openshift-logging:lokistack-dev-ruler","groups":["system:serviceacco │
      │ unts","system:serviceaccounts:openshift-logging","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["lokistack-dev-ruler-0"],"authentication.kubernetes.io/pod-uid":["91023287-38c1-4465-bd1d-423ed1692e08"]},"uid":"ad1745bc-1661-4f24-a776-26d0e16d986e"},"status":{"allowed":false}}           │
      │ alertmanager-proxy I0108 20:37:25.898983       1 auth.go:97] Forbidden (user=system:serviceaccount:openshift-logging:lokistack-dev-ruler, verb=create, resource=alertmanagers, subresource=api). Reason: "". 

      Version-Release number of selected component (if applicable): 4.15.0-rc.1

      How reproducible: Always

      Steps to Reproduce:

      1. Provision 4.15.0-rc.1
      2. Enable UWM Alertmanager
      3. Create a User Logging Alert
      4. Check the Ruler logs for 403 errors

      Actual results: Ruler gets 403 when sending Alerts

      Expected results: Ruler should not get 403

      Additional info:

              jmarcal@redhat.com Joao Marcal
              jmarcal@redhat.com Joao Marcal
              Kabir Bharti Kabir Bharti
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: