  1. OpenShift Monitoring
  2. MON-3379

Replace OAuth-proxy container with kube-rbac-proxy in Thanos-Querier pod


    • Task
    • Resolution: Done
    • Thanos
    • MON Sprint 246, MON Sprint 248

      In CMO, Thanos Querier pods have an OAuth-proxy on port 9091 for web access on all paths.

      We are going to replace it with kube-rbac-proxy. 

      The current behavior is to allow access to the Thanos Querier web server for any user having "get" access to "namespace" resources. We do not have to keep the same logic but have to make sure no regression happens.

      We use the subresource "prometheus/api" to authorize both "post" and "get" HTTP requests to kube-rbac-proxy.

      We update the cluster role "cluster-monitoring-view" with new access privileges and prepare a new role for API access.
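
Added example, not code from CMO or kube-rbac-proxy: a small Go model of the regression check the description asks for, comparing the old "get" on namespaces rule with the new per-method check on "prometheus/api". It relies on kube-rbac-proxy mapping GET to the RBAC verb "get" and POST to "create"; the `Rule` type, the helper names and the role contents are constructed for illustration.

```go
package main

import "fmt"

// Rule is a simplified RBAC rule (constructed model, not the Kubernetes API type).
type Rule struct {
	Resource string // "resource" or "resource/subresource"
	Verbs    []string
}

// httpVerbs: the HTTP method to RBAC verb mapping kube-rbac-proxy applies.
var httpVerbs = map[string]string{"GET": "get", "POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

// allowed reports whether any rule grants verb (or "*") on resource.
func allowed(rules []Rule, resource, verb string) bool {
	for _, r := range rules {
		for _, v := range r.Verbs {
			if r.Resource == resource && (v == verb || v == "*") {
				return true
			}
		}
	}
	return false
}

// regressions returns the methods OAuth-proxy accepted that kube-rbac-proxy rejects.
// Old check (per the issue): "get" on namespaces, whatever the HTTP method.
// New check: verb derived from the method, on the "prometheus/api" subresource.
func regressions(rules []Rule, methods []string) []string {
	var out []string
	for _, m := range methods {
		oldOK := allowed(rules, "namespaces", "get")
		newOK := allowed(rules, "prometheus/api", httpVerbs[m])
		if oldOK && !newOK {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	methods := []string{"GET", "POST"}
	// Constructed role contents for illustration.
	getOnly := []Rule{{"namespaces", []string{"get"}}, {"prometheus/api", []string{"get"}}}
	getAndCreate := []Rule{{"namespaces", []string{"get"}}, {"prometheus/api", []string{"get", "create"}}}
	fmt.Println("get only:      ", regressions(getOnly, methods))
	fmt.Println("get and create:", regressions(getAndCreate, methods))
}
```

A role that grants only "get" on the subresource keeps GET queries working but rejects POST queries that OAuth-proxy used to accept, so the updated role needs "create" as well.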

       

       

            spasquie@redhat.com Simon Pasquier
            hasun@redhat.com Haoyu Sun
            Simon Pasquier