-
Bug
-
Resolution: Done-Errata
-
Major
-
Logging 5.8.1
-
False
-
None
-
False
-
NEW
-
NEW
-
-
Bug Fix
-
-
-
Log Storage - Sprint 247
Description of problem:
When UWM Alertmanager is enabled and the Ruler tries to send an alert to UWM Alertmanager it get's denied with 403.
I enabled high verbose logging on kube-rbac-proxy in the UWM Alertmanager pod and I saw that the Ruler is failing the SAR with:
alertmanager-proxy I0108 20:37:25.898884 1 request.go:1172] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"kube-rbac-proxy","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-01-08T │
│ 20:37:25Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:extra":{".":{},"f:authentication.kubernetes.io/pod-name":{},"f:authentication.kubernetes.io/pod-uid":{}},"f:groups":{},"f:resourceAttributes":{".":{},"f:group":{},"f:name":{},"f:namespace":{},"f:resource":{},"f:subresource":{},"f:verb":{}},"f:uid":{}," │
│ f:user":{}}}}]},"spec":{"resourceAttributes":
,"user":"system:serviceaccount:openshift-logging:lokistack-dev-ruler","groups":["system:serviceacco │
│ unts","system:serviceaccounts:openshift-logging","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["lokistack-dev-ruler-0"],"authentication.kubernetes.io/pod-uid":["91023287-38c1-4465-bd1d-423ed1692e08"]},"uid":"ad1745bc-1661-4f24-a776-26d0e16d986e"},"status":{"allowed":false}} │
│ alertmanager-proxy I0108 20:37:25.898983 1 auth.go:97] Forbidden (user=system:serviceaccount:openshift-logging:lokistack-dev-ruler, verb=create, resource=alertmanagers, subresource=api). Reason: "".
Version-Release number of selected component (if applicable): 4.15.0-rc.1
How reproducible: Always
Steps to Reproduce:
- Provision 4.15.0-rc.1
- Enable UWM Alertmanager
- Create a User Logging Alert
- Check the Ruler logs for 403 errors
Actual results: Ruler gets 403 when sending Alerts
Expected results: Ruler should not get 403
Additional info:
- clones
-
LOG-4938 Operator - Ruler unable to send alerts to UWM Alertmanager
- Closed
- links to
-
RHSA-2023:125709 Logging Subsystem 5.8.2 - Red Hat OpenShift