OpenShift Request For Enhancement: RFE-3219

UWM Prometheus Federation requires tenancy awareness


    Description

      1. Proposed title of this feature request
      UWM Prometheus Federation requires tenancy awareness

      2. What is the nature and description of the request?
      With OBSDA-36, Prometheus Federation was implemented for User Workload Monitoring. The problem is that this API grants access to all metrics on the given Prometheus instance, hence exposing potential details/data in a multitenant environment that should not be exposed between different tenants.

      In OpenShift Container Platform 4 - Monitoring, this problem was resolved with thanos-querier (as per Accessing OpenShift metrics in a tenant aware way).

      A similar approach (approach to be defined) would be desired to make sure that only metrics from a tenant the user is allowed to access can be scraped, and not metrics from the entire cluster.

      3. Why does the customer need this? (List the business requirements here)
      The current implementation is missing tenancy awareness and thus renders the newly introduced functionality unusable for customers running multitenant environments. Even though there is a strong push to provide federation for user workload monitoring, the administrators of the platform are unable to offer it even with OpenShift Container Platform 4.11 as it would expose all data and thus violate the tenancy model and therefore data security.

      4. List any affected packages or components.
      OpenShift Container Platform 4 - User Workload Monitoring
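
The request leaves the approach to be defined. As an added illustration (not code from this ticket or from OpenShift), the sketch below shows one possible form of tenancy enforcement for federation: a proxy in front of `/federate` rewrites every `match[]` selector so that it carries a fixed `namespace` matcher for the authenticated tenant. The function names, the simplified selector grammar, and the use of the `namespace` label as the tenant boundary are assumptions.

```python
import re

# Kubernetes namespace names are DNS labels; validating keeps the value safe to embed.
_NAMESPACE = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")
# Optional metric name followed by an optional {...} matcher list (simplified grammar).
_SELECTOR = re.compile(r"^\s*([a-zA-Z_:][a-zA-Z0-9_:]*)?\s*(?:\{(.*)\})?\s*$", re.S)
# One matcher: label, operator, double-quoted value, then a comma or end of input.
_MATCHER = re.compile(
    r'\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"\s*(?:,|\Z)'
)


def enforce_namespace(selector, namespace, label="namespace"):
    """Return `selector` rewritten so it can only match series of one tenant."""
    if not _NAMESPACE.fullmatch(namespace):
        raise ValueError("invalid namespace")
    m = _SELECTOR.match(selector)
    if not m or (m.group(1) is None and m.group(2) is None):
        raise ValueError("not a plain series selector")  # fail closed
    name, body = m.group(1) or "", (m.group(2) or "").strip()
    kept, pos = [], 0
    while pos < len(body):
        mm = _MATCHER.match(body, pos)
        if not mm:
            raise ValueError("unparseable matcher list")  # fail closed
        lbl, op, val = mm.groups()
        if lbl != label:  # drop any client-supplied matcher on the tenant label
            kept.append(f'{lbl}{op}"{val}"')
        pos = mm.end()
    kept.append(f'{label}="{namespace}"')  # tenant matcher is always exact-match
    return name + "{" + ",".join(kept) + "}"


def rewrite_federate_matches(matches, namespace):
    """Apply the tenant matcher to every match[] value of a /federate request."""
    if not matches:
        raise ValueError("/federate requires at least one match[] selector")
    return [enforce_namespace(s, namespace) for s in matches]
```

The namespace passed in must come from the proxy's own authorization decision for the caller, never from a request parameter the caller controls.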

          People

            rh-ee-rfloren Roger Florén
            rhn-support-sreber Simon Reber