-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
OSSM 3.1.0
-
None
-
False
-
-
False
-
-
In this section of the documents [1] the prerequisites for the metrics is not very clear and it needs to be more clear. The upstream documentation is much more clear on this and this should be in our docs [2] .
Based on that the information below is misleading and we should either remove the metrics part or just mention that this is valid for one cluster, otherwise this section should be field with the necessary settings for kiali to query the metrics from customer's metrics store which would be outside OCP. With doing that we should of course make note that this configuration is outside of scope of this document and Red Hat support.
Third, we should fix the typo below when we give a route as the output of the creation of the CR. See point II.
Finally I think we need to double check if we are not missing the clusterrole and clusterrolbinding for the kiali-service-account, since we are setting '--process-remote-resources' to false, but the upstream documentation mentions that we need these objects in the remote cluster. When I ran with dry-run and this setting true I get this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kiali-service-account-role
labels:
app: kiali
app.kubernetes.io/name: kiali
app.kubernetes.io/instance: kiali
version: 5386e1ea7ae1b02794d5f28e8c4a7f56720bdaa1732988979b37f9110fcfXXX
app.kubernetes.io/version: 5386e1ea7ae1b02794d5f28e8c4a7f56720bdaa1732988979b37f9110fcfXXX
app.kubernetes.io/part-of: "kiali"
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- pods/log
verbs:
- get
- list
- watch - apiGroups: [""]
resources:
- namespaces
- pods
- replicationcontrollers
- services
verbs:
- get
- list
- watch
- patch - apiGroups: [""]
resources:
- pods/portforward
verbs:
- create
- post - apiGroups: ["extensions", "apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- patch - apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
- patch - apiGroups:
- networking.istio.io
- security.istio.io
- extensions.istio.io
- telemetry.istio.io
- gateway.networking.k8s.io
resources: ["*"]
verbs:
- get
- list
- watch
- create
- delete
- patch - apiGroups: ["apps.openshift.io"]
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
- patch - apiGroups: ["project.openshift.io"]
resources:
- projects
verbs:
- get - apiGroups: ["route.openshift.io"]
resources:
- routes
verbs:
- get - apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs:
- create - apiGroups: ["oauth.openshift.io"]
resources:
- oauthclients
resourceNames:
- kiali-service-account-istio-system
verbs:
- get - apiGroups: ["admissionregistration.k8s.io"]
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
—
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kiali-service-account
labels:
app: kiali
app.kubernetes.io/name: kiali
app.kubernetes.io/instance: kiali
version: 5386e1ea7ae1b02794d5f28e8c4a7f56720bdaa1732988979b37f9110fcfXXX
app.kubernetes.io/version: 5386e1ea7ae1b02794d5f28e8c4a7f56720bdaa1732988979b37f9110fcfXXX
app.kubernetes.io/part-of: "kiali"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kiali-service-account
subjects: - kind: ServiceAccount
name: kiali-service-account
namespace: "istio-system"
—
[2] https://kiali.io/docs/configuration/multi-cluster/#requirements
- is related to
-
OSSM-11278 [KIALI][OSSM3] Kiali clusterting doesn't seem to be working as expected even though Istio multicluster is
-
- Closed
-