Loading...

XML

Word

Printable

Type: Task
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Alertmanager
Labels:
None

Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Replace Oauth Proxy by Kube-RBAC-Proxy in Monitoring components
Docs QE Status:
NEW
QE Status:
NEW
Intelligence Requested:
Market:

Sprint:
MON Sprint 250

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

In CMO, Alertmanager pods in the openshift-monitoring namespace have an Oauth-proxy on port 9095 for web access on all paths.

We are going to replace it with kube-rbac-proxy and constraint the access to /api/v2 pathes.

The current behavior is to allow access to the Alertmanager web server for any user having "get" access to "namespace" resources. We do not have to keep the same logic but have to make sure no regression happen. We may need use a stubbed custom resource to authorize both "post" and "get" HTTP requests from certain users.

There is a request to allow read-only access to alerts in Developer view. kube-rbac-proxy can facilitate this functionality.

blocks

MON-3396 add role.rbac.authorization.k8s.io/monitoring-alertmanager-view

Closed

is depended on by

MON-3701 Clean up oauth-proxy references from CMO code base

Closed

relates to

OCPBUGS-17850 common user can view UWM alertmanager alerts

Closed

links to

openshift/cluster-monitoring-operator#2260: MON-3381: replace OAuth proxy for Alertmanager

1.	Post-merge Testing	Closed	Tai Gao
2.	E2E Automation	Closed	Tai Gao
3.	CI Integration	Closed	Tai Gao

Assignee:: Simon Pasquier

Reporter:: Haoyu Sun

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2023/09/18 4:16 PM

Updated:: 2024/03/07 4:12 PM

Resolved:: 2024/03/07 4:12 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Sub-Tasks

Activity

People

Dates