Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Major
Fix Version/s: None
Affects Version/s: 4.8.z, 4.16
Component/s: Monitoring
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Default service account able to query thanos in clusters with long upgrade history - example customers cluster upgraded from 4.8.23 -> 4.16.16

Version-Release number of selected component (if applicable):

How reproducible:

Witnessed on a customer call - TAM is installing a 4.8 cluster to attempt to replicate

Steps to Reproduce:

Deploy cluster at 4.8.23  
upgrade to 4.16.16 

Mount default service account into a pod and query the thanos endpoint: 
using instructions from this KCS: https://access.redhat.com/solutions/7080873 

Do not create the cluster role binding.

Actual results:

in cluster upgraded from 4.8 we can query metrics

Expected results:

as in fresh install of 4.16 we cannot query metrics without the clusterrole binding

Additional info:

Assignee:: Ayoub Mrini

Reporter:: Nigel Smith

Need Info From:: None

Contributors:: None

QA Contact:: Junqi Zhao

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/02/18 2:42 PM

Updated:: 2025/10/09 9:54 PM

Resolved:: 2025/05/28 9:51 AM