Bug
Resolution: Not a Bug
Normal
None
4.15.0
None
Description of problem:
Users assigned to the built-in "cluster-reader" ClusterRole can't see the Observe pages (Alerting, Metrics, Dashboards) after an upgrade to OCP 4.15.0. It worked for them in previous OCP versions.
Version-Release number of selected component (if applicable):
4.15.0
How reproducible:
100%
Steps to Reproduce:
1. Have an OAuth configured on the cluster (e.g. htpasswd) with regular users
2. Create a ClusterRoleBinding to assign one of the users to the "cluster-reader" ClusterRole
3. Log in with this user
4. Navigate to Observe - Alerting/Metrics/Dashboards in the UI
5. See the forbidden message
Actual results:
Observe pages are being blocked for the cluster readers
Expected results:
Cluster readers can see the observe pages including cluster alerts
Additional info:
Further investigation reveals that since 4.15.0, the AlertManager requires the user to have RBAC access to the "prometheuses/api" subresource. There is a ClusterRole named "cluster-monitoring-view", but it is not configured to be aggregated to "view". This can be solved by adding the following label to that ClusterRole: rbac.authorization.k8s.io/aggregate-to-view: 'true'
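The reproduction steps and the label workaround above, scripted with oc as an added example (not part of the bug report, and not OpenShift's own tooling). It assumes a logged-in cluster-admin session (impersonation via --as needs it), an OAuth user passed as the argument (placeholder name), and that the rule the Observe pages depend on is GET on the "api" subresource of the prometheuses object in openshift-monitoring, which is what the cluster-monitoring-view ClusterRole grants. The direct-binding function is an alternative not mentioned in the report.

```shell
#!/bin/sh
# Added example for the cluster-reader / Observe report; not from the bug
# tracker or from OpenShift. Assumes a cluster-admin `oc` session and a
# user name in $1 (placeholder). OC can be overridden to point at a wrapper.
set -eu

OC="${OC:-oc}"

# Step 2 of the report: bind the user to the built-in cluster-reader role.
grant_cluster_reader() {
  "$OC" adm policy add-cluster-role-to-user cluster-reader "$1"
}

# The access check the Observe pages fail on in 4.15: GET on the "api"
# subresource of prometheuses/k8s in openshift-monitoring. `--as` impersonates
# the user. Returns 0 when allowed, 1 when forbidden.
can_read_prometheus_api() {
  answer="$("$OC" auth can-i get prometheuses.monitoring.coreos.com/k8s \
             --subresource=api -n openshift-monitoring --as="$1" 2>/dev/null || true)"
  case "$answer" in
    yes*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Workaround from the report: label cluster-monitoring-view so its rules are
# aggregated into view. cluster-reader picks them up through aggregation, but
# so does every subject bound cluster-wide to view (and edit/admin, which
# aggregate view), so this widens access beyond cluster-reader.
aggregate_monitoring_view_into_view() {
  "$OC" label clusterrole cluster-monitoring-view \
    rbac.authorization.k8s.io/aggregate-to-view=true --overwrite
}

# Narrower alternative (assumption, not in the report): bind the role to the
# one user instead of changing what "view" means for everyone.
grant_monitoring_view_directly() {
  "$OC" adm policy add-cluster-role-to-user cluster-monitoring-view "$1"
}

# Reproduce the failure, apply the workaround, re-check.
main() {
  user="$1"
  grant_cluster_reader "$user"
  if can_read_prometheus_api "$user"; then
    echo "$user can already reach prometheuses/api; nothing to do"
    return 0
  fi
  echo "$user is forbidden on prometheuses/api (Observe pages will show forbidden)"
  aggregate_monitoring_view_into_view
  if can_read_prometheus_api "$user"; then
    echo "$user can now reach prometheuses/api"
  else
    echo "still forbidden: check that cluster-reader aggregates aggregate-to-view" >&2
    return 1
  fi
}

# Run as: TARGET_USER=alice sh observe-rbac.sh
if [ -n "${TARGET_USER:-}" ]; then
  main "$TARGET_USER"
fi
```

Run the check before and after the label change; if a user with only a namespaced RoleBinding to view needs the pages, the label alone will not help, because the rule is scoped to the openshift-monitoring namespace and only a cluster-wide binding (or the direct cluster-monitoring-view binding) reaches it.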