Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-4951

[release-5.8] Operator - Ruler unable to send alerts to UWM Alertmanager

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • NEW
    • Hide
      Before this fix, in OCP 4.15 the Ruler would not be able to send alerts to Alertmanager in the user workload monitoring, because the openshift-monitoring team updated the necessary RBAC permissions to send alerts in OCP 4.15. After the fix, the Loki operator now has (and gives to Ruler) the correct RBAC permissions to send alerts to Alertmanager in the user workload monitoring in OCP 4.15.
      Show
      Before this fix, in OCP 4.15 the Ruler would not be able to send alerts to Alertmanager in the user workload monitoring, because the openshift-monitoring team updated the necessary RBAC permissions to send alerts in OCP 4.15. After the fix, the Loki operator now has (and gives to Ruler) the correct RBAC permissions to send alerts to Alertmanager in the user workload monitoring in OCP 4.15.
    • Bug Fix
    • Log Storage - Sprint 247

      Description of problem:

      When UWM Alertmanager is enabled and the Ruler tries to send an alert to UWM Alertmanager it get's denied with 403.

      I enabled high verbose logging on kube-rbac-proxy in the UWM Alertmanager pod and I saw that the Ruler is failing the SAR with:

      alertmanager-proxy I0108 20:37:25.898884       1 request.go:1172] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"kube-rbac-proxy","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-01-08T │
      │ 20:37:25Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:extra":{".":{},"f:authentication.kubernetes.io/pod-name":{},"f:authentication.kubernetes.io/pod-uid":{}},"f:groups":{},"f:resourceAttributes":{".":{},"f:group":{},"f:name":{},"f:namespace":{},"f:resource":{},"f:subresource":{},"f:verb":{}},"f:uid":{}," │
      │ f:user":{}}}}]},"spec":{"resourceAttributes":

      {"namespace":"openshift-user-workload-monitoring","verb":"create","group":"monitoring.coreos.com","resource":"alertmanagers","subresource":"api","name":"user-workload"}

      ,"user":"system:serviceaccount:openshift-logging:lokistack-dev-ruler","groups":["system:serviceacco │
      │ unts","system:serviceaccounts:openshift-logging","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["lokistack-dev-ruler-0"],"authentication.kubernetes.io/pod-uid":["91023287-38c1-4465-bd1d-423ed1692e08"]},"uid":"ad1745bc-1661-4f24-a776-26d0e16d986e"},"status":{"allowed":false}}           │
      │ alertmanager-proxy I0108 20:37:25.898983       1 auth.go:97] Forbidden (user=system:serviceaccount:openshift-logging:lokistack-dev-ruler, verb=create, resource=alertmanagers, subresource=api). Reason: "". 

      Version-Release number of selected component (if applicable): 4.15.0-rc.1

      How reproducible: Always

      Steps to Reproduce:

      1. Provision 4.15.0-rc.1
      2. Enable UWM Alertmanager
      3. Create a User Logging Alert
      4. Check the Ruler logs for 403 errors

      Actual results: Ruler gets 403 when sending Alerts

      Expected results: Ruler should not get 403

      Additional info:

            jmarcal@redhat.com Joao Marcal
            jmarcal@redhat.com Joao Marcal
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: