Created attachment 1666316 [details] topk(25, sort_desc(sum(avg_over_time(container_memory_working_set_bytes{container="",pod!="",namespace='openshift-monitoring'}[5m])) BY (pod, namespace))) Description of problem: common user, create project and deploy pods under the namespace, example: # oc -n test get pod NAME READY STATUS RESTARTS AGE example-75778c488-4b2x6 1/1 Running 0 13m example-75778c488-kv492 1/1 Running 0 13m example-75778c488-wnng5 1/1 Running 0 13m then login the developer console, click "Monitoring" then select "Metrics" tab, input custome query in the textarea, change namespace value to openshift-monitoring, which the user don't have view permission, example: topk(25, sort_desc(sum(avg_over_time(container_memory_working_set_bytes{container="",pod!="",namespace='openshift-monitoring'}[5m])) BY (pod, namespace))) the result is like the followings, it shows the result for pods under user's namespace, it should not return data namespace pod value test example-75778c488-kv492 13799424 test example-75778c488-wnng5 13316096 test example-75778c488-4b2x6 13271040 Version-Release number of selected component (if applicable): 4.4.0-0.nightly-2020-02-27-020932 How reproducible: Always Steps to Reproduce: 1. See the description 2. 3. Actual results: Expected results: Additional info:
surbania - Is this expected? Console is making a request through prometheus-tenancy service with the namespace query parameter set. For example, /api/v1/query?namespace=sgp&query=topk%2825%2C+sort_desc%28sum%28avg_over_time%28container_memory_working_set_bytes%7Bcontainer%3D%22%22%2Cpod%21%3D%22%22%2Cnamespace%3D%27openshift-monitoring%27%7D%5B5m%5D%29%29+BY+%28pod%2C+namespace%29%29%29
Work is ongoing in upstream prom-label-proxy, hence slipping into the next release.
this is planned in one of the next sprints.
UpcomingSprint: We don't have enough capacity to tackle this one in the next sprint (193).
Waiting on upstream review.
Waiting on upstream prom-label-proxy release https://github.com/prometheus-community/prom-label-proxy/pull/88
tested with 4.10.0-0.nightly-2021-10-21-014208, followed steps in Comment 0 select "test" project and run topk(25, sort_desc(sum(avg_over_time(container_memory_working_set_bytes{container="",pod!="",namespace='openshift-monitoring'}[5m])) BY (pod, namespace))) will get 400 Bad Request error select "test" project and run, will return the correct result topk(25, sort_desc(sum(avg_over_time(container_memory_working_set_bytes{container="",pod!="",namespace='test'}[5m])) BY (pod, namespace)))
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056