I created a PR for openshift/prometheus-operator, however, it looks like the release-4.3 branch of cluster-monitoring-operator is pointing to the jsonnet content of the upstream release-0.34 branch. Do we want to backport this patch upstream, or should cluster-monitoring-operator point at the downstream prometheus-operator branch?
issue is fixed with 4.3.0-0.nightly-2020-04-13-190424, verification steps: grant cluster-reader role to user # oc adm policy add-cluster-role-to-user cluster-reader testuser-11 # oc login with the user to the cluster and check # check the crd oauths.config.openshift.io before deletion $ oc get crd oauths.config.openshift.io NAME CREATED AT oauths.config.openshift.io 2020-04-15T01:55:37Z $ oc describe sa -n openshift-monitoring prometheus-operator Name: prometheus-operator Namespace: openshift-monitoring Labels: app.kubernetes.io/component=controller app.kubernetes.io/name=prometheus-operator app.kubernetes.io/version=v0.34.1 Annotations: <none> Image pull secrets: prometheus-operator-dockercfg-v5nb9 Mountable secrets: prometheus-operator-token-q4k9f prometheus-operator-dockercfg-v5nb9 Tokens: <none> Events: <none> $ token=$(oc -n openshift-monitoring get secret prometheus-operator-token-q4k9f -ojsonpath="{.data.token}" | base64 -d) Error from server (Forbidden): secrets "prometheus-operator-token-q4k9f" is forbidden: User "testuser-11" cannot get resource "secrets" in API group "" in the namespace "openshift-monitoring" $ oc --token=$token delete crd oauths.config.openshift.io Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io "oauths.config.openshift.io" is forbidden: User "testuser-11" cannot delete resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1482