Bug 1428998 - [DOCS] OCP 3.4.x: Missing required command in Enabling Cluster Metrics service account topic
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.1
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Michael Burke
QA Contact: Peng Li
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks: 1421090
 
Reported: 2017-03-03 18:56 UTC by Mike Fiedler
Modified: 2017-03-23 03:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-10 21:56:12 UTC
Target Upstream Version:
Embargoed:



Description Mike Fiedler 2017-03-03 18:56:08 UTC
Document URL: 

https://docs.openshift.com/container-platform/3.4/install_config/cluster_metrics.html#metrics-service-accounts

Section Number and Name: 

Enabling Cluster Metrics -> Service Accounts

Describe the issue: 

Following the documentation in this section, you will always end up with a hawkular-metrics pod which is in CrashLoopBackOff status. oc logs for the pod gives this message:

Error: the service account for Hawkular Metrics does not have permission to view resources in this namespace. View permissions are required for Hawkular Metrics to function properly.
Usually this can be resolved by running: oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra

Suggestions for improvement: 

Add the missing command to the documentation.

oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra

Additional information:

Comment 1 Michael Burke 2017-03-06 20:24:51 UTC
(In reply to Mike Fiedler from comment #0)

Mike -- It appears that this topic has been changed since you posted this defect. Jeff Cantrill tracked the changes in the following commit:
https://github.com/openshift/openshift-docs/commit/72a6296b607a3060b4905f0eb0ea0b71b7c2838d

The Service Account sections that you highlighted as a concern have been removed, it appears.

Can you take a look at Jeff's changes to see if we still need to add the "oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra" command? (The other instances of oc adm policy have been removed.)

Comment 2 Matt Wringe 2017-03-06 20:49:19 UTC
Jeff's changes are for 3.5 and above. We are now deploying metrics using Ansible in 3.5, while before we had a customized pod to do that for us.

For this particular issue, it needs to be applied to the 3.4 documentation and not to 3.5/master.

Comment 3 Mike Fiedler 2017-03-06 20:58:19 UTC
I think we're good for 3.5, but it would be nice to fix 3.4 if we can since 3.5 is not yet released.

Comment 4 Michael Burke 2017-03-06 21:04:49 UTC
Thank you.

Comment 5 Michael Burke 2017-03-07 17:19:19 UTC
(In reply to Mike Fiedler from comment #3)
> I think we're good for 3.5, but it would be nice to fix 3.4 if we can since
> 3.5 is not yet released.
Mike --

I added the oc command you listed above as step 1 in the "Metrics Deployer Service Account" procedure. Is this what you expected?
file:///home/mburke/Docs/openshift-docs/_preview/openshift-enterprise/mburke-BZ-1428998/install_config/cluster_metrics.html#metrics-deployer-service-account

Michael

Comment 6 Mike Fiedler 2017-03-07 18:58:07 UTC
I would have the bullet say "Grant view permissions to the hawkular service account".  Otherwise, looks good.

Comment 7 Michael Burke 2017-03-07 19:55:08 UTC
(In reply to Mike Fiedler from comment #6)
> I would have the bullet say "Grant view permissions to the hawkular service
> account".  Otherwise, looks good.

Done. Thanks. 

I am assuming this applies to versions 3.3 and 3.2?
http://file.rdu.redhat.com/~mburke/BZ-1428998/cluster_metrics.html#metrics-deployer-service-account

Comment 8 Peng Li 2017-03-10 02:25:13 UTC
(In reply to Michael Burke from comment #7)
> (In reply to Mike Fiedler from comment #6)
> > I would have the bullet say "Grant view permissions to the hawkular service
> > account".  Otherwise, looks good.
> 
> Done. Thanks. 
> 
> I am assuming this applies to versions 3.3 and 3.2?
> http://file.rdu.redhat.com/~mburke/BZ-1428998/cluster_metrics.html#metrics-deployer-service-account

Michael, this change is only for 3.4

Comment 10 Michael Burke 2017-03-10 17:44:47 UTC
Pull request:
https://github.com/openshift/openshift-docs/pull/3915

Comment 12 brice 2017-03-23 03:46:11 UTC
Apologies, commented on the wrong BZ...
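
The condition reported in the description (no view role bound to the hawkular service account in openshift-infra) can be checked from a role binding listing before and after the grant. The following is an added example, not part of the bug report or the OpenShift documentation; it assumes the JSON shape of "oc get rolebindings -n openshift-infra -o json" (a List of RoleBinding items with roleRef, subjects and userNames), and the sample data, including the metrics-deployer binding, is constructed.

```python
import json
import sys

# Values taken from the bug report.
NAMESPACE = "openshift-infra"
SERVICE_ACCOUNT = "hawkular"
REQUIRED_ROLE = "view"

def _binding(role, sa):
    # Constructed RoleBinding; field names are an assumption about the JSON shape.
    return {"kind": "RoleBinding", "roleRef": {"name": role},
            "subjects": [{"kind": "ServiceAccount", "namespace": NAMESPACE, "name": sa}],
            "userNames": ["system:serviceaccount:%s:%s" % (NAMESPACE, sa)]}

# Constructed samples (not real cluster output): before and after the grant.
SAMPLE_BEFORE = json.dumps({"kind": "List", "items": [_binding("edit", "metrics-deployer")]})
SAMPLE_AFTER = json.dumps({"kind": "List", "items": [
    _binding("edit", "metrics-deployer"), _binding("view", "hawkular")]})

def roles_for_service_account(rolebindings_json, namespace, name):
    """Return the set of role names bound to the service account in the listing."""
    user = "system:serviceaccount:%s:%s" % (namespace, name)
    roles = set()
    for rb in json.loads(rolebindings_json).get("items", []):
        by_subject = any(s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace
                         and s.get("name") == name for s in rb.get("subjects") or [])
        if by_subject or user in (rb.get("userNames") or []):
            roles.add(rb["roleRef"]["name"])
    return roles

def audit(rolebindings_json):
    """Return (has_view, extra_roles) for the hawkular service account."""
    roles = roles_for_service_account(rolebindings_json, NAMESPACE, SERVICE_ACCOUNT)
    return REQUIRED_ROLE in roles, sorted(roles - {REQUIRED_ROLE})

if __name__ == "__main__":
    # With a listing piped in on stdin, audit it; otherwise use the constructed sample.
    data = SAMPLE_BEFORE if sys.stdin.isatty() else sys.stdin.read()
    has_view, extra = audit(data)
    print("view granted:", has_view, "| other roles to review:", extra)
    if not has_view:
        print("fix from the report: oc adm policy add-role-to-user view "
              "system:serviceaccount:%s:%s -n %s" % (NAMESPACE, SERVICE_ACCOUNT, NAMESPACE))
```

Any other roles listed for the account are worth reviewing, since the fix in the report grants only view, scoped to the one namespace.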

