Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-41158

cluster-monitoring-view role should allow POST queries to fetch metrics

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 4.18.0
    • Monitoring
    • None
    • Moderate
    • None
    • MON Sprint 259
    • 1
    • False
    • Hide

      None

      Show
      None

      Prometheus HTTP API provides POST endpoints to fetch metrics: https://prometheus.io/docs/prometheus/latest/querying/api/#instant-queries

      Those endpoints are used in the go client: https://github.com/prometheus/client_golang/blob/main/api/prometheus/v1/api.go#L1438

       

      So a viewer-only program/user relying on the go client, or using these POST endpoints to fetch metrics, currently needs to create an additional Role+Binding in that purpose [1]

      It would be much more convenient if that permission was directly included in the existing cluster-monitoring-view role, since it's actually used for reading.

       

      [1]Role+Binding example

      kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metrics
rules:
  - verbs:
      - create
    apiGroups:
      - metrics.k8s.io
    resources:
      - pods
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metrics
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics

      [internal] cf slack discussion here https://redhat-internal.slack.com/archives/C0VMT03S5/p1724684997333529?thread_ts=1715862728.898369&cid=C0VMT03S5

       

       

            spasquie@redhat.com Simon Pasquier
            jtakvori Joel Takvorian
            Junqi Zhao Junqi Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated: