-
Story
-
Resolution: Duplicate
-
Major
rhn-support-sreber found that in https://docs.openshift.com/container-platform/4.13/monitoring/enabling-monitoring-for-user-defined-projects.html#accessing-metrics-from-outside-cluster_enabling-monitoring-for-user-defined-projects we encourage the use of the UWM Prometheus ServiceAccount token to access thanos-querier's web port (access metrics of all namespaces).
Doing so:
- Encourages user impersonation
- Makes use of a powerful token (e.g. the Prometheus ServiceAccount can do anything on secrets cluster-wide)
- Makes use of a permanent token
After some digging, it turned out that section was extracted from a KCS https://github.com/openshift/openshift-docs/pull/31500 and wasn't revisited since then.
Given the config of the proxy, a token with the cluster-monitoring-view permission will be able to query that API (tests confirmed that), so why not ask for a human role that will have that permission?
Maybe we can move that section into https://docs.openshift.com/container-platform/4.13/monitoring/accessing-third-party-monitoring-apis.html
And also talk about the tenancy port in there; for now there is a KCS for that: https://access.redhat.com/solutions/7002863
—
for context: https://redhat-internal.slack.com/archives/C0VMT03S5/p1697450846786499
- duplicates: OBSDOCS-850 Update CLI command for accessing metrics from outside the cluster (Closed)
- is duplicated by: OBSDOCS-73 Improve docs for UWM for accessing metrics from outside the cluster for custom apps (Closed)
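
The alternative the description proposes, as an added example that is not part of the ticket or of the OpenShift documentation: a human user who holds `cluster-monitoring-view` queries thanos-querier with their own session token instead of the Prometheus ServiceAccount token. The function names and the user-name argument are hypothetical, and it assumes the caller is already logged in with `oc`.

```shell
#!/bin/sh
# Added example: query thanos-querier with a least-privilege human token.
# Assumption: the caller is logged in with `oc` as a regular user.

# Grant read-only metrics access to a user (run once by a cluster admin).
# $1 = user name (hypothetical, e.g. "alice")
grant_metrics_view() {
    oc adm policy add-cluster-role-to-user cluster-monitoring-view "$1"
}

# Print the host of the thanos-querier route in openshift-monitoring.
thanos_host() {
    oc get route thanos-querier -n openshift-monitoring \
        -o jsonpath='{.spec.host}'
}

# Run a PromQL instant query with the logged-in user's own session token.
# $1 = PromQL expression
query_metrics() {
    # The session token belongs to the user and expires with the session,
    # unlike a long-lived ServiceAccount token secret.
    token=$(oc whoami -t) || return 1
    host=$(thanos_host) || return 1
    # Refuse to send a request with an empty token or host.
    [ -n "$token" ] && [ -n "$host" ] || return 1
    curl -sS -G -H "Authorization: Bearer ${token}" \
        --data-urlencode "query=$1" "https://${host}/api/v1/query"
}

# Usage (against a real cluster):
#   grant_metrics_view alice        # as cluster admin
#   query_metrics 'up'              # as alice
```
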