Bug 1820677

Summary: jenkins-*-monitored templates require extra permissions
Product: OpenShift Container Platform Reporter: Adam Kaplan <adam.kaplan>
Component: JenkinsAssignee: Vibhav Bobade <vbobade>
Status: CLOSED ERRATA QA Contact: Jitendar Singh <jitsingh>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.2.0CC: abenaiss, aos-bugs, pbhattac, vbobade
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:25:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Adam Kaplan 2020-04-03 14:56:33 UTC
Description of problem:

New "monitored" versions of the Jenkins template were added in OCP 4.2. These require users to have extra RBAC permissions to create the service monitor objects.

The template description/doc needs to make clear that users must have permission to create servicemonitor objects. These are installed as a CRD on OpenShift (api group monitoring.coreos.com)

Version-Release number of selected component (if applicable): 4.2.0

How reproducible: Always

Steps to Reproduce:
1. Log into the web console or oc as a user with the default "edit" permission
2. Try to create the jenkins-ephemeral-monitored template (ex via oc new-app)

Actual results:

Creation of the template instance fails with error
InstantiateFailure error: servicemonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:openshift-infra:template-instance-controller" cannot create resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "xyz"

Expected results:

Users should know up front that they need permission to create servicemonitor objects.

Additional info:

See https://access.redhat.com/articles/4220601 for a detailed explanation as to why we recommend granting these extra permissions to users (and not to the template instance controller).

Comment 1 Vibhav Bobade 2020-04-06 06:56:34 UTC
Hello Adam,

Thank you for raising the bug with us.

Understanding that, creating Service Monitors need special previleges, would adding the same to the documentation be enough ?
Or is there something more we can also do ?

Vibhav Bobade

Comment 2 Adam Kaplan 2020-04-06 16:44:14 UTC
Adding to the documentation in some fashion should be sufficient. Example - adding a note in the description that this template requires users to have additional permissions, link to the solution article.

Comment 6 Jitendar Singh 2020-06-19 05:55:45 UTC

Comment 8 errata-xmlrpc 2020-07-13 17:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.