1723662 – User with cluster -reader role can't access metrics using `oc adm top <nodes>`

Bug 1723662 - User with cluster -reader role can't access metrics using `oc adm top <nodes>`

Summary: User with cluster -reader role can't access metrics using `oc adm top <nodes>`

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Monitoring
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.4.0
Assignee:	Sergiusz Urbaniak
QA Contact:	Junqi Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1793628
TreeView+	depends on / blocked

Reported:	2019-06-25 06:05 UTC by Abhishek
Modified:	2020-05-13 21:51 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Currently users having a binding against the cluster-reader role do not have the permission to view node or pod metrics, i.e. using `oc top node`. This is now fixed.
Clone Of:
Clones:	1793628 (view as bug list)
Environment:
Last Closed:	2020-05-13 21:51:49 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	coreos kube-prometheus pull 384	None	closed	prometheus-adapter: add nodes resource to aggregated-metrics-reader	2021-01-14 12:04:07 UTC
Github	openshift cluster-monitoring-operator pull 622	None	closed	Bug 1723662: jsonnet/prometheus-adapter: add cluster-reader aggregation	2021-01-14 12:04:08 UTC
Red Hat Product Errata	RHBA-2020:0581	None	None	None	2020-05-13 21:51:54 UTC

Description Abhishek 2019-06-25 06:05:44 UTC

Document URL: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_nodes.html

Section: Note 1

# oc adm top nodes
Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "tt" cannot list nodes.metrics.k8s.io at the cluster scope: no RBAC policy matched

# oc get clusterrolebinding | grep tt
cluster-reader-3                                                           /cluster-reader                                                         tt                                                                                                                                               

# oc describe clusterrole.rbac cluster-reader | grep metrics
  nodes/metrics                                                 []                 []              [get]


cluster-reader does not have `apis/metrics.k8s.io/v1beta1` API access

Comment 10 errata-xmlrpc 2020-05-13 21:51:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

Note You need to log in before you can comment on or make changes to this bug.