Description of problem:
New "monitored" versions of the Jenkins template were added in OCP 4.2. These require users to have extra RBAC permissions to create the service monitor objects.
The template description/doc needs to make clear that users must have permission to create servicemonitor objects. These are installed as a CRD on OpenShift (API group monitoring.coreos.com).
Version-Release number of selected component (if applicable): 4.2.0
How reproducible: Always
Steps to Reproduce:
1. Log into the web console or oc as a user with the default "edit" permission
2. Try to create the jenkins-ephemeral-monitored template (e.g. via oc new-app)
Creation of the template instance fails with the error:
InstantiateFailure error: servicemonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:openshift-infra:template-instance-controller" cannot create resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "xyz"
Users should know up front that they need permission to create servicemonitor objects.
See https://access.redhat.com/articles/4220601 for a detailed explanation as to why we recommend granting these extra permissions to users (and not to the template instance controller).
Thank you for raising the bug with us.
Understanding that creating Service Monitors needs special privileges, would adding the same to the documentation be enough?
Or is there something more we can also do?
Adding to the documentation in some fashion should be sufficient. Example: adding a note in the description that this template requires users to have additional permissions, with a link to the solution article.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.