Bug
Resolution: Unresolved
1.35.1, 1.38.0
OCP version: 4.18.17
OpenShift Service Mesh Operator version: 1.35.1
As per the OCP 4.18 UWM doc:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/monitoring/index#configuring-metrics-uwm
bearerTokenFile should not be configured, to avoid ServiceMonitor rejection.
The ServiceMonitor CRs in the knative-serving namespace don't follow this guideline:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"monitoring.coreos.com/v1","kind":"ServiceMonitor","metadata":{"creationTimestamp":null,"name":"activator-sm","namespace":"knative-serving","ownerReferences":[{"apiVersion":"operator.knative.dev/v1beta1","blockOwnerDeletion":true,"controller":true,"kind":"KnativeServing","name":"knative-serving","uid":"427f023b-56c1-48ad-9b92-c1ff831e95ba"}]},"spec":{"endpoints":[{"bearerTokenFile":"/var/run/secrets/kubernetes.io/serviceaccount/token","bearerTokenSecret":{"key":""},"port":"https","scheme":"https","tlsConfig":{"ca":{},"caFile":"/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt","cert":{},"serverName":"activator-sm-service.knative-serving.svc"}}],"namespaceSelector":{"matchNames":["knative-serving"]},"selector":{"matchLabels":{"name":"activator-sm-service"}}}}
    manifestival: new
  resourceVersion: '488214'
  name: activator-sm
  uid: 92b820f7-725e-46ba-ad14-f964a0fcd3a7
  creationTimestamp: '2025-06-11T07:42:03Z'
  generation: 1
  managedFields:
    - apiVersion: monitoring.coreos.com/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
            'f:manifestival': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"427f023b-56c1-48ad-9b92-c1ff831e95ba"}': {}
        'f:spec':
          .: {}
          'f:endpoints': {}
          'f:namespaceSelector':
            .: {}
            'f:matchNames': {}
          'f:selector': {}
      manager: manifestival
      operation: Update
      time: '2025-06-11T07:42:28Z'
  namespace: knative-serving
  ownerReferences:
    - apiVersion: operator.knative.dev/v1beta1
      blockOwnerDeletion: true
      controller: true
      kind: KnativeServing
      name: knative-serving
      uid: 427f023b-56c1-48ad-9b92-c1ff831e95ba
spec:
  endpoints:
    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      bearerTokenSecret:
        key: ''
        name: ''
      port: https
      scheme: https
      tlsConfig:
        ca: {}
        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
        cert: {}
        serverName: activator-sm-service.knative-serving.svc
  namespaceSelector:
    matchNames:
      - knative-serving
  selector:
    matchLabels:
      name: activator-sm-service
As a consequence, all ServiceMonitor configurations are rejected and we get these events:
ServiceMonitor activator-sm was rejected due to invalid configuration: it accesses file system via bearer token file which Prometheus specification prohibits
ServiceMonitor autoscaler-hpa-sm was rejected due to invalid configuration: it accesses file system via bearer token file which Prometheus specification prohibits
ServiceMonitor autoscaler-sm was rejected due to invalid configuration: it accesses file system via bearer token file which Prometheus specification prohibits
ServiceMonitor controller-sm was rejected due to invalid configuration: it accesses file system via bearer token file which Prometheus specification prohibits
ServiceMonitor webhook-sm was rejected due to invalid configuration: it accesses file system via bearer token file which Prometheus specification prohibits
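The following script is an added example, not part of the bug report and not code from the Serverless operator. It reproduces the check that the user-workload-monitoring Prometheus Operator applies when arbitrary file-system access through ServiceMonitors is denied (bearerTokenFile first, then tlsConfig caFile/certFile/keyFile) and runs it over a constructed ServiceMonitorList in the shape of `oc get servicemonitor -A -o json`. It also shows one rewrite of the offending endpoint that replaces the file references with Secret and ConfigMap references in the ServiceMonitor's own namespace. The Secret name `activator-sm-token` and the ConfigMap name `serving-certs-ca-bundle` are assumptions for illustration; the objects must exist in the namespace for the rewritten endpoint to scrape.

```python
"""Audit ServiceMonitor endpoints for file-system references rejected by UWM
and show a reference-based rewrite.  Added example; input is constructed."""
import copy
import json
import sys

# Rejection reasons as emitted by prometheus-operator's endpoint validation.
BEARER_FILE_MSG = ("it accesses file system via bearer token file "
                   "which Prometheus specification prohibits")
TLS_FILE_MSG = ("it accesses file system via tls config "
                "which Prometheus specification prohibits")

# Constructed ServiceMonitorList: the activator-sm endpoint from the report
# plus one compliant monitor (namespace/name "demo/ok-sm" are made up).
SAMPLE_SM_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "monitoring.coreos.com/v1", "kind": "ServiceMonitor",
         "metadata": {"name": "activator-sm", "namespace": "knative-serving"},
         "spec": {
             "endpoints": [{
                 "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
                 "bearerTokenSecret": {"key": "", "name": ""},
                 "port": "https", "scheme": "https",
                 "tlsConfig": {
                     "ca": {},
                     "caFile": "/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt",
                     "cert": {},
                     "serverName": "activator-sm-service.knative-serving.svc"}}],
             "namespaceSelector": {"matchNames": ["knative-serving"]},
             "selector": {"matchLabels": {"name": "activator-sm-service"}}}},
        {"apiVersion": "monitoring.coreos.com/v1", "kind": "ServiceMonitor",
         "metadata": {"name": "ok-sm", "namespace": "demo"},
         "spec": {"endpoints": [{"port": "metrics"}]}},
    ],
}


def endpoint_fs_violation(endpoint):
    """Return the rejection reason for one endpoint, or None.

    bearerTokenFile is tested before tlsConfig, so a caFile/certFile/keyFile
    on the same endpoint only surfaces after the bearer token file is gone.
    """
    if endpoint.get("bearerTokenFile"):
        return BEARER_FILE_MSG
    tls = endpoint.get("tlsConfig") or {}
    if any(tls.get(k) for k in ("caFile", "certFile", "keyFile")):
        return TLS_FILE_MSG
    return None


def audit(sm_list):
    """Return [(namespace, name, reason)] for every ServiceMonitor that
    would be rejected; the whole object fails on its first bad endpoint."""
    findings = []
    for sm in sm_list.get("items", []):
        meta = sm["metadata"]
        for ep in sm.get("spec", {}).get("endpoints", []):
            reason = endpoint_fs_violation(ep)
            if reason:
                findings.append((meta["namespace"], meta["name"], reason))
                break
    return findings


def hardened_endpoint(endpoint, token_secret, ca_configmap):
    """Return a copy of `endpoint` with file paths replaced by object references.

    token_secret / ca_configmap are (name, key) pairs naming a Secret and a
    ConfigMap in the ServiceMonitor's namespace (assumed to exist).
    """
    ep = copy.deepcopy(endpoint)
    if ep.pop("bearerTokenFile", None) is not None:
        ep.pop("bearerTokenSecret", None)  # drop the empty {key:'', name:''} stub
        ep["authorization"] = {            # non-deprecated form of bearerTokenSecret
            "type": "Bearer",
            "credentials": {"name": token_secret[0], "key": token_secret[1]}}
    tls = ep.get("tlsConfig")
    if tls:
        if tls.get("certFile") or tls.get("keyFile"):
            raise ValueError("client cert files need cert/keySecret references; not handled")
        if tls.pop("caFile", None) is not None:
            tls["ca"] = {"configMap": {"name": ca_configmap[0], "key": ca_configmap[1]}}
        if tls.get("cert") == {}:
            del tls["cert"]  # empty stub left by the original manifest
    return ep


if __name__ == "__main__":
    # Pipe real data in with: oc get servicemonitor -A -o json | python3 audit.py
    data = SAMPLE_SM_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, reason in audit(data):
        print(f"ServiceMonitor {ns}/{name} would be rejected: {reason}")
```

Note the masking: removing only `bearerTokenFile` from the activator endpoint still leaves `tlsConfig.caFile`, which the same validation rejects on the next pass, so a fix has to replace both the token path and the CA path with references.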