Bug 1728856
| Summary: | Prometheus metrics for ES are unavailable after plugin update to 5.6.13.6 | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jeff Cantrill <jcantril> | |
| Component: | Logging | Assignee: | Jeff Cantrill <jcantril> | |
| Status: | CLOSED ERRATA | QA Contact: | Anping Li <anli> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 3.11.0 | CC: | anli, aos-bugs, rmeggins | |
| Target Milestone: | --- | |||
| Target Release: | 3.11.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: The authentication class is instantiated multiple times with and without the desired configuration
Consequence: User's are denied access to metrics
Fix: Add SAR config to the authentication_backend
Result: Multi-tenant plugin executes SARs and allows access to metrics
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1729297 (view as bug list) | Environment: | ||
| Last Closed: | 2020-02-19 19:53:43 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1729297, 1731006 | |||
| Bug Blocks: | ||||
|
Description
Jeff Cantrill
2019-07-10 19:18:03 UTC
The prometheus-k8s couldn't access the svc logging-es-prometheus. the sa with cluster-monitoring-view could't access the svc logging-es-prometheus. oc get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE logging-es ClusterIP 172.31.31.229 <none> 9200/TCP 5h logging-es-cluster ClusterIP None <none> 9300/TCP 1h logging-es-prometheus ClusterIP 172.31.215.247 <none> 443/TCP 5h logging-kibana ClusterIP 172.31.120.102 <none> 443/TCP 5h oc get sa -n openshift-monitoring NAME SECRETS AGE alertmanager-main 2 3h builder 2 3h cluster-monitoring-operator 2 3h default 2 3h deployer 2 3h grafana 2 3h kube-state-metrics 2 3h node-exporter 2 3h prometheus-k8s 2 3h prometheus-operator 2 3h (In reply to Anping Li from comment #3) > The prometheus-k8s couldn't access the svc logging-es-prometheus. the sa > with cluster-monitoring-view could't access the svc logging-es-prometheus. > Moving back to ON_QA. Can the serviceaccount satisfy this SubjectAccessReview: https://github.com/openshift/origin-aggregated-logging/pull/1691/files#diff-84bb2a16fa453407379d6048d001a362R19-R22 Verified in v3.11.169 1) oc create rolebinding --role=prometheus-metrics-viewer metrics-test-reader-1 --serviceaccount openshift-monitoring:prometheus-k8s -n openshift-logging 2) get token from prometheus pod oc exec prometheus-k8s-0 -n openshift-monitoring -- cat /var/run/secrets/kubernetes.io/serviceaccount/token 3) oc get svc logging-es-prometheus -n openshift-logging 4) access metrics via token curl -kv https://$svc_ip/_prometheus/metrics -H"Authorization: Bearer $token" Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0402 |