Bug 1723662 - User with cluster-reader role can't access metrics using `oc adm top <nodes>`
Summary: User with cluster-reader role can't access metrics using `oc adm top <nodes>`
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.4.0
Assignee: Sergiusz Urbaniak
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks: 1793628
Reported: 2019-06-25 06:05 UTC by Abhishek
Modified: 2020-05-13 21:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Currently users having a binding against the cluster-reader role do not have the permission to view node or pod metrics, i.e. using `oc top node`. This is now fixed.
Clone Of:
Clones: 1793628
Environment:
Last Closed: 2020-05-13 21:51:49 UTC
Target Upstream Version:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | coreos kube-prometheus pull 384 | 0 | None | closed | prometheus-adapter: add nodes resource to aggregated-metrics-reader | 2021-01-14 12:04:07 UTC
Github | openshift cluster-monitoring-operator pull 622 | 0 | None | closed | Bug 1723662: jsonnet/prometheus-adapter: add cluster-reader aggregation | 2021-01-14 12:04:08 UTC
Red Hat Product Errata | RHBA-2020:0581 | 0 | None | None | None | 2020-05-13 21:51:54 UTC

Description Abhishek 2019-06-25 06:05:44 UTC
Document URL: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_nodes.html

Section: Note 1

# oc adm top nodes
Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "tt" cannot list nodes.metrics.k8s.io at the cluster scope: no RBAC policy matched

# oc get clusterrolebinding | grep tt
cluster-reader-3                                                           /cluster-reader                                                         tt                                                                                                                                               

# oc describe clusterrole.rbac cluster-reader | grep metrics
  nodes/metrics                                                 []                 []              [get]


cluster-reader does not have `apis/metrics.k8s.io/v1beta1` API access
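
Added example (not part of the bug report or of the project's code): a small Python model of RBAC rule matching that shows why the `nodes/metrics` rule in the `oc describe` output above does not cover the `list nodes.metrics.k8s.io` request, and how aggregating a metrics reader role into cluster-reader changes the result. The `metrics-reader-example` role, its rule contents and the aggregation label used here are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

@dataclass
class ClusterRole:
    name: str
    rules: list
    labels: dict = field(default_factory=dict)

def rule_allows(rule, verb, group, resource, subresource=""):
    """One RBAC rule matches only if verb, API group and resource all match."""
    full = f"{resource}/{subresource}" if subresource else resource
    def has(values, wanted):
        return "*" in values or wanted in values
    res_ok = has(rule.resources, full) or (
        bool(subresource) and f"*/{subresource}" in rule.resources)
    return has(rule.verbs, verb) and has(rule.api_groups, group) and res_ok

def allowed(role, *request):
    return any(rule_allows(r, *request) for r in role.rules)

def aggregate(target, roles, label):
    """Aggregation: union the rules of every role labelled label=true into target."""
    extra = [r for role in roles if role.labels.get(label) == "true" for r in role.rules]
    return ClusterRole(target.name, target.rules + extra, target.labels)

# From the `oc describe` output above: core group (""), nodes/metrics, get only.
CLUSTER_READER = ClusterRole("cluster-reader", [Rule(("",), ("nodes/metrics",), ("get",))])

# Constructed stand-in for a metrics reader role; rules and label are assumptions.
AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-cluster-reader"
METRICS_READER = ClusterRole(
    "metrics-reader-example",
    [Rule(("metrics.k8s.io",), ("pods", "nodes"), ("get", "list", "watch"))],
    {AGG_LABEL: "true"},
)

# The request `oc adm top nodes` makes, per the Forbidden message above.
TOP_NODES = ("list", "metrics.k8s.io", "nodes")

def demo():
    before = allowed(CLUSTER_READER, *TOP_NODES)
    fixed = aggregate(CLUSTER_READER, [METRICS_READER], AGG_LABEL)
    return before, allowed(fixed, *TOP_NODES)

if __name__ == "__main__":
    print(demo())
```

The existing rule grants `get` on the `nodes/metrics` subresource in the core API group, which is a different resource from `nodes` in the `metrics.k8s.io` group, so the authorizer finds no match until a rule for that group is present.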

Comment 10 errata-xmlrpc 2020-05-13 21:51:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

