Loading...

XML

Word

Printable

Type: Task
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Thanos
Labels:
None

Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Replace Oauth Proxy by Kube-RBAC-Proxy in Monitoring components
Docs QE Status:
NEW
QE Status:
NEW
Intelligence Requested:
Market:

Sprint:
MON Sprint 251

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

In CMO, ThanosRuler pods have an Oauth-proxy on port 9091 for web access on all paths.

We are going to replace it with kube-rbac-proxy and constraint the access to /api/v1 paths.

The current behavior is to allow access to the ThanosRuler web server for any user having "get" access to "namespace" resources. We do not have to keep the same logic but have to make sure no regression happen. We may need use a stub custom resource to authorize both "post" and "get" HTTP requests from certain users.

is depended on by

MON-3701 Clean up oauth-proxy references from CMO code base

Closed

links to

openshift/cluster-monitoring-operator#2294: MON-3700: replace OAuth proxy for Thanos Ruler

Assignee:: Simon Pasquier

Reporter:: Haoyu Sun

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/02/01 3:38 PM

Updated:: 2024/04/10 8:34 AM

Resolved:: 2024/04/10 8:34 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates