Document URL: https://docs.openshift.com/container-platform/3.4/install_config/cluster_metrics.html#metrics-service-accounts Section Number and Name: Enabling Cluster Metrics -> Service Accounts Describe the issue: Following the documentation in this section, you will always end up with a hawkular-metrics pod which is in CrashLoopBackoff status. oc logs for the pod gives this message: Error: the service account for Hawkular Metrics does not have permission to view resources in this namespace. View permissions are required for Hawkular Metrics to function properly. Usually this can be resolved by running: oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra Suggestions for improvement: Add the missing command to the documentation. oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra Additional information:
(In reply to Mike Fiedler from comment #0) > Document URL: > > https://docs.openshift.com/container-platform/3.4/install_config/ > cluster_metrics.html#metrics-service-accounts > > Section Number and Name: > > Enabling Cluster Metrics -> Service Accounts > > Describe the issue: > > Following the documentation in this section, you will always end up with a > hawkular-metrics pod which is in CrashLoopBackoff status. oc logs for the > pod gives this message: > > Error: the service account for Hawkular Metrics does not have permission to > view resources in this namespace. View permissions are required for Hawkular > Metrics to function properly. > Usually this can be resolved by running: oc adm policy add-role-to-user view > system:serviceaccount:openshift-infra:hawkular -n openshift-infra > > Suggestions for improvement: > > Add the missing command to the documentation. > > oc adm policy add-role-to-user view > system:serviceaccount:openshift-infra:hawkular -n openshift-infra > > Additional information: Mike -- It appears that this topic has been changed since you posted this defect. Jeff Cantrill tracked the changes in the following commit: https://github.com/openshift/openshift-docs/commit/72a6296b607a3060b4905f0eb0ea0b71b7c2838d The Service Account sections that you highlighted as a concern have been removed, it appears. Can you take a look at Jeff's changes to see if we still need to add the "oc adm policy add-role-to-user view system:serviceaccount:openshift-infra:hawkular -n openshift-infra" command? (The other instances of oc adm policy have been removed.)
Jeff's changes are for 3.5 and above. We are now deploying metrics using ansible in 3.5 while before we have a customized pod to do that for us. For this particular issue, it needs to be applied to the 3.4 documentation and not to 3.5/master.
I think we're good for 3.5, but it would be nice to fix 3.4 if we can since 3.5 is not yet released.
Thank you.
(In reply to Mike Fiedler from comment #3) > I think we're good for 3.5, but it would be nice to fix 3.4 if we can since > 3.5 is not yet released. Mike -- I added the oc command you listed above as step 1 in the "Metrics Deployer Service Account" procedure. Is this what you expected? file:///home/mburke/Docs/openshift-docs/_preview/openshift-enterprise/mburke-BZ-1428998/install_config/cluster_metrics.html#metrics-deployer-service-account Michael
I would have the bullet say "Grant view permissions to the hawkluar service acccount". Otherwise, looks good.
(In reply to Mike Fiedler from comment #6) > I would have the bullet say "Grant view permissions to the hawkluar service > acccount". Otherwise, looks good. Done. Thanks. I am assuming this applies to versions 3.3 and 3.2? http://file.rdu.redhat.com/~mburke/BZ-1428998/cluster_metrics.html#metrics-deployer-service-account
(In reply to Michael Burke from comment #7) > (In reply to Mike Fiedler from comment #6) > > I would have the bullet say "Grant view permissions to the hawkluar service > > acccount". Otherwise, looks good. > > Done. Thanks. > > I am assuming this applies to versions 3.3 and 3.2? > http://file.rdu.redhat.com/~mburke/BZ-1428998/cluster_metrics.html#metrics- > deployer-service-account Michael, this change is only for 3.4
Pull request: https://github.com/openshift/openshift-docs/pull/3915
Apologies, commented on the wrong BZ...