OpenShift Bugs / OCPBUGS-30294

cluster-readers can't see Observe pages in UI


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version: 4.15.0
    • Component: Monitoring
    • Severity: Moderate
    • Sprint: MON Sprint 250



      Description of problem:

      Users who are assigned the built-in "cluster-reader" ClusterRole can't see the Observe pages (Alerting, Metrics, Dashboards) after an upgrade to OCP 4.15.0.
      This worked for them in previous OCP versions.

      Version-Release number of selected component (if applicable):


      How reproducible:


      Steps to Reproduce:

      1. Have an OAuth configured on the cluster (e.g. htpasswd) with regular users
      2. Create a ClusterRoleBinding to assign one of the users to the "cluster-reader" ClusterRole
      3. Log in with this user
      4. Navigate to Observe - Alerting/Metrics/Dashboards in the UI
      5. See the forbidden message

      Actual results:

      The Observe pages are blocked for cluster readers.

      Expected results:

      Cluster readers can see the Observe pages, including cluster alerts.

      Additional info:

      Further investigation reveals that since 4.15.0, Alertmanager requires the user to have RBAC permission on the "prometheuses/api" subresource.
      There is a ClusterRole named "cluster-monitoring-view", but it is not labelled for aggregation into the "view" ClusterRole.
      This can be solved by adding the following label to that ClusterRole:
      rbac.authorization.k8s.io/aggregate-to-view: 'true'
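      To show why the label matters, here is an added example (not part of this bug report or of OpenShift) that simulates how the RBAC controller builds an aggregated ClusterRole from labelled roles, and checks whether "view" ends up allowing the "prometheuses/api" request before and after the label is added. The manifests are constructed, and the API group "monitoring.coreos.com" and the exact rule content of cluster-monitoring-view are assumptions.

```python
import copy

AGGREGATE_TO_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"

# Constructed manifest shaped like the upstream "view" ClusterRole: its rules
# are not authored directly but gathered from roles matching its selectors.
VIEW = {
    "metadata": {"name": "view"},
    "aggregationRule": {
        "clusterRoleSelectors": [{"matchLabels": {AGGREGATE_TO_VIEW: "true"}}]
    },
    "rules": [],
}

# Assumed content of cluster-monitoring-view: the report only says the UI needs
# the "prometheuses/api" subresource; the API group is an assumption.
CLUSTER_MONITORING_VIEW = {
    "metadata": {"name": "cluster-monitoring-view", "labels": {}},
    "rules": [{"apiGroups": ["monitoring.coreos.com"],
               "resources": ["prometheuses/api"], "verbs": ["get"]}],
}


def selector_matches(selector, labels):
    # Only matchLabels is modelled; matchExpressions are not handled here.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(role, candidates):
    """Return a copy of role whose rules are the union of the rules of every
    candidate ClusterRole matching any of its clusterRoleSelectors."""
    result = copy.deepcopy(role)
    result["rules"] = []
    for cand in candidates:
        labels = cand["metadata"].get("labels", {})
        if any(selector_matches(s, labels)
               for s in role["aggregationRule"]["clusterRoleSelectors"]):
            result["rules"].extend(copy.deepcopy(cand["rules"]))
    return result


def allows(role, verb, group, resource):
    # Simplified PolicyRule evaluation: a rule grants the request when the verb,
    # apiGroup and resource (including "resource/subresource") all match.
    return any((verb in r["verbs"] or "*" in r["verbs"])
               and (group in r["apiGroups"] or "*" in r["apiGroups"])
               and (resource in r["resources"] or "*" in r["resources"])
               for r in role["rules"])


def can_view_prometheus_api(labelled):
    """True if "view", after aggregation, allows GET on prometheuses/api."""
    cmv = copy.deepcopy(CLUSTER_MONITORING_VIEW)
    if labelled:
        cmv["metadata"]["labels"][AGGREGATE_TO_VIEW] = "true"
    return allows(aggregate(VIEW, [cmv]), "get", "monitoring.coreos.com", "prometheuses/api")
```

      Because the upstream edit and admin ClusterRoles in turn aggregate view, rules added via this label reach every holder of view, edit and admin, not only cluster-reader.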

            dmellado1@redhat.com Daniel Mellado Area
            ocohen@redhat.com Oren Cohen
            Junqi Zhao