Bug 1820677 - jenkins-*-monitored templates require extra permissions
Summary: jenkins-*-monitored templates require extra permissions
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.5.0
Assignee: Vibhav Bobade
QA Contact: Jitendar Singh
Depends On:
TreeView+ depends on / blocked
Reported: 2020-04-03 14:56 UTC by Adam Kaplan
Modified: 2020-07-13 17:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-07-13 17:25:33 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift jenkins pull 1046 0 None closed Bug 1820677: Update Description on Monitored Templates reflecting permission issues 2020-06-23 09:48:56 UTC
Red Hat Bugzilla 1805442 0 unspecified CLOSED template-instance-controller can't deploy servicemonitors 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:25:56 UTC

Description Adam Kaplan 2020-04-03 14:56:33 UTC
Description of problem:

New "monitored" versions of the Jenkins template were added in OCP 4.2. These require users to have extra RBAC permissions to create the service monitor objects.

The template description/doc needs to make clear that users must have permission to create servicemonitor objects. These are installed as a CRD on OpenShift (api group monitoring.coreos.com)

Version-Release number of selected component (if applicable): 4.2.0

How reproducible: Always

Steps to Reproduce:
1. Log into the web console or oc as a user with the default "edit" permission
2. Try to create the jenkins-ephemeral-monitored template (ex via oc new-app)

Actual results:

Creation of the template instance fails with error
InstantiateFailure error: servicemonitors.monitoring.coreos.com is forbidden: User "system:serviceaccount:openshift-infra:template-instance-controller" cannot create resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "xyz"

Expected results:

Users should know up front that they need permission to create servicemonitor objects.

Additional info:

See https://access.redhat.com/articles/4220601 for a detailed explanation as to why we recommend granting these extra permissions to users (and not to the template instance controller).

Comment 1 Vibhav Bobade 2020-04-06 06:56:34 UTC
Hello Adam,

Thank you for raising the bug with us.

Understanding that, creating Service Monitors need special previleges, would adding the same to the documentation be enough ?
Or is there something more we can also do ?

Vibhav Bobade

Comment 2 Adam Kaplan 2020-04-06 16:44:14 UTC
Adding to the documentation in some fashion should be sufficient. Example - adding a note in the description that this template requires users to have additional permissions, link to the solution article.

Comment 6 Jitendar Singh 2020-06-19 05:55:45 UTC

Comment 8 errata-xmlrpc 2020-07-13 17:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.