Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-3379

Replace OAuth-proxy container with kube-rbac-proxy in Thanos-Querier pod


    • Icon: Task Task
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • Thanos
    • None
    • MON Sprint 246, MON Sprint 248
    • 0

      In CMO, Thanos Querier pods have an Oauth-proxy on port 9091 for web access on all paths.

      We are going to replace it with kube-rbac-proxy. 

      The current behavior is allow access to the Thanos Querier web server for any user having "get" access to "namespace" resources. We do not have to keep the same logic but have to make sure no regression happen.

      We use the subresource "prometheus/api" to authorize both "post" and "get" HTTP requests to kube-rbac-proxy.

      We update the cluster role "cluster-monitoring-view" with new access priviledges and prepare a new role for api access.



            spasquie@redhat.com Simon Pasquier
            hasun@redhat.com Haoyu Sun
            Simon Pasquier
            0 Vote for this issue
            2 Start watching this issue