Bug 1855275

Summary: CRDs are still in prometheus-operator ClusterRole
Product: OpenShift Container Platform
Component: Monitoring
Version: 4.6
Target Release: 4.6.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Reporter: Junqi Zhao <juzhao>
Assignee: Simon Pasquier <spasquie>
QA Contact: Junqi Zhao <juzhao>
CC: alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, spasquie, surbania
Last Closed: 2020-10-27 16:13:10 UTC
Type: Bug

Attachments:
prometheus-operator cluster-role file
prometheus-operator deployment file

Description Junqi Zhao 2020-07-09 12:30:13 UTC
Created attachment 1700430
prometheus-operator cluster-role file

Description of problem:
This bug is for https://issues.redhat.com/browse/MON-1084

https://github.com/coreos/prometheus-operator/pull/3155 and
https://github.com/openshift/prometheus-operator/pull/77
are in 4.6.0-0.nightly-2020-07-07-141639 and later builds.

Tested with 4.6.0-0.nightly-2020-07-07-233934.
According to https://github.com/coreos/prometheus-operator/pull/3155,
CRD resources should be removed from ClusterRole/prometheus-operator, but they are still in the ClusterRole:
# oc -n openshift-monitoring get ClusterRole/prometheus-operator -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
...
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - alertmanagers.monitoring.coreos.com
  - podmonitors.monitoring.coreos.com
  - prometheuses.monitoring.coreos.com
  - prometheusrules.monitoring.coreos.com
  - servicemonitors.monitoring.coreos.com
  - thanosrulers.monitoring.coreos.com
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
...
**********************************
Checked with
# oc -n openshift-monitoring get deploy prometheus-operator -oyaml
There is no "- --manage-crds=false" setting; for details, see the attached files.
...
    spec:
      containers:
      - args:
        - --kubelet-service=kube-system/kubelet
        - --logtostderr=true
        - --config-reloader-image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ee5afaf279a1228999c0d1b7f6f4ab168cae34bd3b1454acaa8380d3c1edacc1
        - --prometheus-config-reloader=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e1543cc7d31d6f943e955dd6a82a45ea0502aba8f5085869d68c40f831e34717
        - --namespaces=openshift-apiserver,openshift-apiserver-operator,openshift-authentication,openshift-authentication-operator,openshift-cloud-credential-operator,openshift-cluster-machine-approver,openshift-cluster-samples-operator,openshift-cluster-storage-operator,openshift-cluster-version,openshift-config-operator,openshift-console-operator,openshift-controller-manager,openshift-controller-manager-operator,openshift-dns,openshift-dns-operator,openshift-etcd-operator,openshift-image-registry,openshift-ingress,openshift-ingress-operator,openshift-insights,openshift-kube-apiserver,openshift-kube-apiserver-operator,openshift-kube-controller-manager,openshift-kube-controller-manager-operator,openshift-kube-scheduler,openshift-kube-scheduler-operator,openshift-kube-storage-version-migrator,openshift-kube-storage-version-migrator-operator,openshift-machine-api,openshift-machine-config-operator,openshift-marketplace,openshift-monitoring,openshift-multus,openshift-operator-lifecycle-manager,openshift-sdn,openshift-service-ca-operator,openshift-user-workload-monitoring
        - --prometheus-instance-namespaces=openshift-monitoring
        - --thanos-ruler-instance-namespaces=openshift-monitoring
        - --alertmanager-instance-namespaces=openshift-monitoring
        - --config-reloader-cpu=0
        - --config-reloader-memory=0
        - --web.enable-tls=true
        - --web.tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --web.tls-min-version=VersionTLS12
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5a6f7db12af24f4dcef5ac04a75c5d50d28a1712fea066c886ae0ca21d902d83
        imagePullPolicy: IfNotPresent
        name: prometheus-operator
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        resources:
          requests:
            cpu: 5m
            memory: 60Mi
...

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-07-07-233934

How reproducible:
always

Steps to Reproduce:
1. see the description

Comment 1 Junqi Zhao 2020-07-09 12:31:01 UTC
Created attachment 1700431
prometheus-operator deployment file
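
A check for the two conditions this report tests, the CRD rules in ClusterRole/prometheus-operator and the --manage-crds=false argument on the operator container, as an added example that is not part of the bug report or of the prometheus-operator project. It assumes the objects are exported with -o json rather than -oyaml, goes slightly beyond the report by also matching wildcard rules, and uses hypothetical function names with constructed sample objects trimmed from the output quoted above.

```python
import json

CRD_GROUP = "apiextensions.k8s.io"
CRD_RESOURCE = "customresourcedefinitions"

def crd_rules(cluster_role):
    """Return every rule that still grants verbs on CRDs, wildcards included."""
    hits = []
    for rule in cluster_role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []  # absent on nonResourceURLs rules
        in_group = CRD_GROUP in groups or "*" in groups
        on_crds = any(r.split("/")[0] in ("*", CRD_RESOURCE) for r in resources)
        if in_group and on_crds:
            hits.append(rule)
    return hits

def manage_crds_disabled(deployment, container="prometheus-operator"):
    """True only if the named container is started with --manage-crds=false."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == container:
            return "--manage-crds=false" in (c.get("args") or [])
    return False

def audit(cluster_role, deployment):
    """List the deviations from the state the report expects."""
    findings = []
    for rule in crd_rules(cluster_role):
        scope = rule.get("resourceNames") or ["<any CRD>"]
        findings.append("ClusterRole grants %s on CRDs: %s"
                        % (",".join(rule.get("verbs") or []), ",".join(scope)))
    if not manage_crds_disabled(deployment):
        findings.append("Deployment does not set --manage-crds=false")
    return findings

# Constructed samples, trimmed from the output quoted in the report.
ROLE_REPORTED = json.loads("""{"rules": [
 {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
  "verbs": ["create"]},
 {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
  "resourceNames": ["alertmanagers.monitoring.coreos.com", "prometheuses.monitoring.coreos.com"],
  "verbs": ["get", "update"]}]}""")
DEPLOY_REPORTED = json.loads("""{"spec": {"template": {"spec": {"containers": [
 {"name": "prometheus-operator",
  "args": ["--kubelet-service=kube-system/kubelet", "--logtostderr=true"]}]}}}}""")

if __name__ == "__main__":
    for finding in audit(ROLE_REPORTED, DEPLOY_REPORTED):
        print("FAIL:", finding)
```

On a live cluster, pass the parsed output of `oc get clusterrole prometheus-operator -o json` and `oc -n openshift-monitoring get deploy prometheus-operator -o json` to `audit()`; an empty list means both conditions hold.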

Comment 8 errata-xmlrpc 2020-10-27 16:13:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196