OpenShift Bugs / OCPBUGS-17850

common user can view UWM alertmanager alerts


Details

    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.15.0
    • 4.14.0
    • Monitoring
    • None
    • MON Sprint 243, MON Sprint 244
    • 2
    • No
    • False
    • Release Note Not Required
    • In Progress

    Description

      Description of problem:

      Enable UWM and enable UWM alertmanager:

      $ oc -n openshift-monitoring get cm cluster-monitoring-config -oyaml
      apiVersion: v1
      data:
        config.yaml: |
          enableUserWorkload: true
      kind: ConfigMap
      metadata:
        creationTimestamp: "2023-08-17T06:02:36Z"
        name: cluster-monitoring-config
        namespace: openshift-monitoring
        resourceVersion: "259151"
        uid: a9365c21-5c1d-4c91-98ee-f074b023dd31
      
      $ oc -n openshift-user-workload-monitoring get cm user-workload-monitoring-config -oyaml
      apiVersion: v1
      data:
        config.yaml: |
          alertmanager:
            enabled: true
      kind: ConfigMap
      metadata:
        creationTimestamp: "2023-08-17T06:02:44Z"
        labels:
          app.kubernetes.io/managed-by: cluster-monitoring-operator
          app.kubernetes.io/part-of: openshift-monitoring
        name: user-workload-monitoring-config
        namespace: openshift-user-workload-monitoring
        resourceVersion: "148193"
        uid: b3c6e5a6-ff7b-4ae4-85eb-28be683119e4
      
      $ oc -n openshift-user-workload-monitoring get pod
      NAME                                   READY   STATUS    RESTARTS   AGE
      alertmanager-user-workload-0           6/6     Running   0          4h50m
      alertmanager-user-workload-1           6/6     Running   0          4h50m
      prometheus-operator-77bcdcbd9c-7nt6v   2/2     Running   0          6h14m
      prometheus-user-workload-0             6/6     Running   0          6h14m
      prometheus-user-workload-1             6/6     Running   0          6h14m
      thanos-ruler-user-workload-0           4/4     Running   0          4h50m
      thanos-ruler-user-workload-1           4/4     Running   0          4h50m

      The kubeadmin user creates a namespace and a PrometheusRule; the alert could be fired:

      apiVersion: v1
      kind: Namespace
      metadata:
        name: ns1
      ---
      apiVersion: monitoring.coreos.com/v1
      kind: PrometheusRule
      metadata:
        name: example-alert
        namespace: ns1
      spec:
        groups:
        - name: example
          rules:
          - alert: TestAlert
            expr: vector(1)
            labels:
              severity: none
            annotations:
              message: This is an alert meant to ensure that the entire alerting pipeline is functional.

      The alerts could be seen from the UWM alertmanager:

      $ token=`oc create token prometheus-k8s -n openshift-monitoring`
      $ oc -n openshift-monitoring exec -c prometheus prometheus-k8s-0 -- curl -k -H "Authorization: Bearer $token" 'https://alertmanager-user-workload.openshift-user-workload-monitoring.svc:9095/api/v2/alerts' | jq
      [
        {
          "annotations": {
            "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
          },
          "endsAt": "2023-08-17T12:08:41.558Z",
          "fingerprint": "348490d73f8513a0",
          "receivers": [
            {
              "name": "Default"
            }
          ],
          "startsAt": "2023-08-17T12:04:11.558Z",
          "status": {
            "inhibitedBy": [],
            "silencedBy": [],
            "state": "active"
          },
          "updatedAt": "2023-08-17T12:04:41.583Z",
          "generatorURL": "https://thanos-querier-openshift-monitoring.apps.***/api/graph?g0.expr=vector%281%29&g0.tab=1",
          "labels": {
            "alertname": "TestAlert",
            "namespace": "ns1",
            "severity": "none"
          }
        }
      ] 

      Open another terminal, or another person executes the following commands in his terminal:

      ##### log in as a common user; deploying a pod to the project is only so that we can use the curl command
      # oc login https://${api_server}:6443 -u ${user} -p ${password}
      # oc new-project test
      # oc -n test new-app rails-postgresql-example
      # oc -n test get pod
      NAME                                  READY   STATUS      RESTARTS   AGE
      postgresql-1-deploy                   0/1     Completed   0          13m
      postgresql-1-v4lz5                    1/1     Running     0          13m
      rails-postgresql-example-1-build      0/1     Completed   0          13m
      rails-postgresql-example-1-crdbq      1/1     Running     0          9m20s
      rails-postgresql-example-1-deploy     0/1     Completed   0          9m42s
      rails-postgresql-example-1-hook-pre   0/1     Completed   0          9m39s
      # token=`oc whoami -t`
      # echo $token
      sha256~EJCVjflM6lbsl8plKkU7Hv0swkQMxySJr5BGXRJaKhU 

      The user could see the alert from the UWM alertmanager service:

      # oc -n test exec postgresql-1-v4lz5 -- curl -k -H "Authorization: Bearer $token" 'https://alertmanager-user-workload.openshift-user-workload-monitoring.svc:9095/api/v2/alerts'  | jq
      [
        {
          "annotations": {
            "message": "This is an alert meant to ensure that the entire alerting pipeline is functional."
          },
          "endsAt": "2023-08-17T12:16:56.558Z",
          "fingerprint": "348490d73f8513a0",
          "receivers": [
            {
              "name": "Default"
            }
          ],
          "startsAt": "2023-08-17T12:04:11.558Z",
          "status": {
            "inhibitedBy": [],
            "silencedBy": [],
            "state": "active"
          },
          "updatedAt": "2023-08-17T12:12:56.563Z",
          "generatorURL": "https://thanos-querier-openshift-monitoring.apps.***/api/graph?g0.expr=vector%281%29&g0.tab=1",
          "labels": {
            "alertname": "TestAlert",
            "namespace": "ns1",
            "severity": "none"
          }
        }
      ] 

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-08-16-114741

      How reproducible:

      always

      Steps to Reproduce:

      1. see the description
      

      Actual results:

      common user can view UWM alertmanager alerts

      Expected results:

       

      Additional info:

      If this is expected, we could close the bug.
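
An added example, not part of the original report: a tenancy regression check over the `/api/v2/alerts` response body shown above. It assumes the policy that a caller should only receive alerts whose `namespace` label is one of their own projects (the report leaves the expected result open); `foreign_alerts` and the sample body are constructed for illustration.

```python
import json

# Constructed sample: the alert from the report, trimmed to the fields used
# here, plus two constructed alerts (caller's own project, no namespace label).
SAMPLE_BODY = json.dumps([
    {"fingerprint": "348490d73f8513a0",
     "labels": {"alertname": "TestAlert", "namespace": "ns1", "severity": "none"},
     "status": {"state": "active"}},
    {"fingerprint": "constructed-0001",
     "labels": {"alertname": "OwnAlert", "namespace": "test"},
     "status": {"state": "active"}},
    {"fingerprint": "constructed-0002",
     "labels": {"alertname": "NoNamespace"},
     "status": {"state": "active"}},
])


def foreign_alerts(body, allowed_namespaces):
    """Group returned alert names by namespaces outside allowed_namespaces.

    Returns {} when nothing foreign was returned. A body that is not a JSON
    list (for example an error document from a 401/403) means no alerts were
    disclosed and also yields {}.
    """
    try:
        alerts = json.loads(body)
    except (TypeError, ValueError):
        return {}
    if not isinstance(alerts, list):
        return {}
    allowed = set(allowed_namespaces)
    leaked = {}
    for alert in alerts:
        labels = alert.get("labels", {}) if isinstance(alert, dict) else {}
        # An alert without a namespace label cannot be attributed to the
        # caller's tenant, so it is reported under "<unlabelled>".
        ns = labels.get("namespace") or "<unlabelled>"
        if ns not in allowed:
            leaked.setdefault(ns, []).append(labels.get("alertname", "<unnamed>"))
    return leaked


if __name__ == "__main__":
    # Assumption: the common user in the report only owns project "test".
    print(foreign_alerts(SAMPLE_BODY, {"test"}))
```

A non-empty result for a token that only owns `test` reproduces the behaviour in this report; an empty result is the pass condition under the assumed policy.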

            People

              mariofer@redhat.com Mario Fernandez Herrero
              juzhao@redhat.com Junqi Zhao
              Junqi Zhao
              Brian Burt
              Daniel Mellado Area, Pranshu Srivastava, Simon Pasquier