Bug 1728856
Summary: | Prometheus metrics for ES are unavailable after plugin update to 5.6.13.6 | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Jeff Cantrill <jcantril> | |
Component: | Logging | Assignee: | Jeff Cantrill <jcantril> | |
Status: | CLOSED ERRATA | QA Contact: | Anping Li <anli> | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 3.11.0 | CC: | anli, aos-bugs, rmeggins | |
Target Milestone: | --- | |||
Target Release: | 3.11.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause: The authentication class is instantiated multiple times with and without the desired configuration
Consequence: User's are denied access to metrics
Fix: Add SAR config to the authentication_backend
Result: Multi-tenant plugin executes SARs and allows access to metrics
|
Story Points: | --- | |
Clone Of: | ||||
: | 1729297 (view as bug list) | Environment: | ||
Last Closed: | 2020-02-19 19:53:43 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1729297, 1731006 | |||
Bug Blocks: |
Description
Jeff Cantrill
2019-07-10 19:18:03 UTC
The prometheus-k8s couldn't access the svc logging-es-prometheus. the sa with cluster-monitoring-view could't access the svc logging-es-prometheus. oc get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE logging-es ClusterIP 172.31.31.229 <none> 9200/TCP 5h logging-es-cluster ClusterIP None <none> 9300/TCP 1h logging-es-prometheus ClusterIP 172.31.215.247 <none> 443/TCP 5h logging-kibana ClusterIP 172.31.120.102 <none> 443/TCP 5h oc get sa -n openshift-monitoring NAME SECRETS AGE alertmanager-main 2 3h builder 2 3h cluster-monitoring-operator 2 3h default 2 3h deployer 2 3h grafana 2 3h kube-state-metrics 2 3h node-exporter 2 3h prometheus-k8s 2 3h prometheus-operator 2 3h (In reply to Anping Li from comment #3) > The prometheus-k8s couldn't access the svc logging-es-prometheus. the sa > with cluster-monitoring-view could't access the svc logging-es-prometheus. > Moving back to ON_QA. Can the serviceaccount satisfy this SubjectAccessReview: https://github.com/openshift/origin-aggregated-logging/pull/1691/files#diff-84bb2a16fa453407379d6048d001a362R19-R22 Verified in v3.11.169 1) oc create rolebinding --role=prometheus-metrics-viewer metrics-test-reader-1 --serviceaccount openshift-monitoring:prometheus-k8s -n openshift-logging 2) get token from prometheus pod oc exec prometheus-k8s-0 -n openshift-monitoring -- cat /var/run/secrets/kubernetes.io/serviceaccount/token 3) oc get svc logging-es-prometheus -n openshift-logging 4) access metrics via token curl -kv https://$svc_ip/_prometheus/metrics -H"Authorization: Bearer $token" Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0402 |