Bug 1893724

Summary: OperatorHub generates incorrect RBAC
Product: OpenShift Container Platform Reporter: Alexander Greene <agreene>
Component: Management ConsoleAssignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, jokerman, nmukherj, spadgett, yapei
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, the web console was incorrectly granting permissions to the wrong service account, prometheus-operator, for scraping metrics for OLM operators. The console now correctly grants permissions to the prometheus-k8s service account, allowing metrics to be scraped.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:29:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1893784    
Attachments:
Description Flags
RoleBinding is subjected to prometheus-k8s serviceaccount none

Description Alexander Greene 2020-11-02 13:13:08 UTC 
Description of problem:
When using the OperatorHub Console to install an operator that supports reporting metrics to Telemeter the generated Service RoleBinding is created for the `prometheus-operator` ServiceAccount [1] instead of the `prometheus-k8s` ServiceAccount, preventing prometheus from scraping the operator's metrics.

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Install an operator which includes the `operatorframework.io/cluster-monitoring=true` annotation.

Actual results:
The operator is installed but the Prometheus Service RBAC is generated for the `prometheus-operator` ServiceAccount.

Expected results:
The operator is installed and the Prometheus Service RBAC is generated for the `prometheus-k8s`ServiceAccount.


Additional info:
[1] https://github.com/openshift/console/blob/master/frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx#L283
[2]
Comment 2 Yadan Pei 2020-11-04 06:22:46 UTC 
Created attachment 1726475 [details]
RoleBinding is subjected to prometheus-k8s serviceaccount

1. From OperatorHub, subscribe 'Metering' operator which has operatorframework.io/cluster-monitoring: 'true' annotation
2. check the rolebinding/openshift-metering-prometheus, it was subjected to prometheus-k8s ServiceAccount


Verified on 4.7.0-0.ci-2020-11-03-102229
Comment 5 errata-xmlrpc 2021-02-24 15:29:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633