Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-3381

Replace oauth-proxy container with kube-rbac-proxy in Alertmanager pods

    XMLWordPrintable

Details

    • Task
    • Resolution: Done
    • Critical
    • None
    • None
    • Alertmanager
    • None
    • MON Sprint 250
    • 0

    Description

      In CMO, Alertmanager pods in the openshift-monitoring namespace have an Oauth-proxy on port 9095 for web access on all paths.

      We are going to replace it with kube-rbac-proxy and constraint the access to /api/v2 pathes. 

      The current behavior is to allow access to the Alertmanager web server for any user having "get" access to "namespace" resources. We do not have to keep the same logic but have to make sure no regression happen. We may need use a stubbed custom resource to authorize both "post" and "get" HTTP requests from certain users.

      There is a request to allow read-only access to alerts in Developer view. kube-rbac-proxy can facilitate this functionality.

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MON-3396 add role.rbac.authorization.k8s.io/monitoring-alertmanager-view

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is depended on by

          Task - Represents a small unit of work that is not end-user facing. MON-3701 Clean up oauth-proxy references from CMO code base

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Code Review
          relates to

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-17850 common user can view UWM alertmanager alerts

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/cluster-monitoring-operator#2260: MON-3381: replace OAuth proxy for Alertmanager

          Activity

            People

              spasquie@redhat.com Simon Pasquier
              hasun@redhat.com Haoyu Sun
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: