Bug 1838297 - OLM: Console is not creating role binding when enabling monitoring for an operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1841149
 
Reported: 2020-05-20 19:55 UTC by Samuel Padgett
Modified: 2020-07-13 17:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Role and RoleBinding that let monitoring scrape metrics for operators when `operatorframework.io/cluster-monitoring=true` is set are not created when creating the suggested-namespace.
Consequence: Monitoring metrics scraping fails.
Fix: Create the Role and RoleBinding that let monitoring scrape metrics for operators when `operatorframework.io/cluster-monitoring=true` is set.
Result: Monitoring metrics scraping succeeds.
Clone Of:
Environment:
Version: 4.5.0-0.ci-2020-05-20-085335
Cluster ID: 5e1d119a-f4dd-41f6-bdbb-a8f12f65b250
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0
Last Closed: 2020-07-13 17:40:29 UTC
Target Upstream Version:
Embargoed:




Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift console pull 5529 | 0 | None | closed | Bug 1838297: Creating role and roleBinding when enabling monitoring for an operator | 2020-06-22 12:44:49 UTC |
| Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:40:43 UTC |

Description Samuel Padgett 2020-05-20 19:55:55 UTC
The console is not creating the role bindings to let monitoring scrape metrics for operators when the `operatorframework.io/cluster-monitoring=true` is set.

See https://github.com/openshift/enhancements/blob/master/enhancements/olm/olm-managed-operator-metrics.md#rbac-requirements

```
The operatorframework.io/cluster-monitoring=true annotation. When this annotation is set to true, the OpenShift Console will update the namespace that the operator is being deployed to with the openshift.io/cluster-monitoring=true label. When this annotation is present, the UI will update the OpenShift Monitoring Prometheus Operator ServiceAccount with the appropriate RBAC privileges for the given namespace as well, allowing operators to be scraped by the OpenShift Monitoring Prometheus Operator.
```

Comment 3 shahan 2020-05-28 02:01:45 UTC
Installed logging with monitoring enabled on the console.
```
[hasha@localhost ~]$ oc get role openshift-logging-prometheus -n openshift-logging  -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2020-05-28T01:47:59Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: Mozilla
    operation: Update
    time: "2020-05-28T01:47:59Z"
  name: openshift-logging-prometheus
  namespace: openshift-logging
  resourceVersion: "67233"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/openshift-logging/roles/openshift-logging-prometheus
  uid: fa021303-f1ff-48d5-8308-418aaa142b28
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
[hasha@localhost ~]$ oc get rolebinding openshift-logging-prometheus -n openshift-logging  -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2020-05-28T01:48:00Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Mozilla
    operation: Update
    time: "2020-05-28T01:48:00Z"
  name: openshift-logging-prometheus
  namespace: openshift-logging
  resourceVersion: "67238"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/openshift-logging/rolebindings/openshift-logging-prometheus
  uid: e7532b0e-542a-4abc-9f4b-320418677f8a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: openshift-logging-prometheus
subjects:
- kind: ServiceAccount
  name: prometheus-operator
  namespace: openshift-monitoring
```

4.5.0-0.nightly-2020-05-27-174108
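
Added example, not part of the bug report or the console's code: a Python check that audits a Role/RoleBinding pair exported as JSON against the shape verified in comment 3 (get/list/watch on services, endpoints and pods, bound to the `prometheus-operator` ServiceAccount in `openshift-monitoring`). The function name `audit_monitoring_rbac` and the sample objects are constructed for illustration.

```python
from itertools import product

# Rules and subject as shown in the verification output on this page.
REQUIRED = set(product([""], ["services", "endpoints", "pods"], ["get", "list", "watch"]))
SCRAPER = {"kind": "ServiceAccount", "name": "prometheus-operator",
           "namespace": "openshift-monitoring"}

def audit_monitoring_rbac(role, binding):
    """Return findings for a Role/RoleBinding pair; an empty list means it matches."""
    findings, granted = [], set()
    for rule in role.get("rules") or []:
        granted |= set(product(rule.get("apiGroups", []), rule.get("resources", []),
                               rule.get("verbs", [])))
    for req in sorted(REQUIRED):
        # A grant covers a requirement if each field is equal or a "*" wildcard.
        if not any(all(g in (r, "*") for g, r in zip(grant, req)) for grant in granted):
            findings.append(f"missing: {req[2]} {req[1]}")
    # Anything beyond the nine expected (group, resource, verb) grants is over-privilege.
    for group, res, verb in sorted(granted - REQUIRED):
        findings.append(f"excess: {verb} {group or 'core'}/{res}")
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != ("Role", role["metadata"]["name"]):
        findings.append("roleRef does not point at the audited Role")
    if binding["metadata"]["namespace"] != role["metadata"]["namespace"]:
        findings.append("Role and RoleBinding are in different namespaces")
    subjects = [{k: s.get(k) for k in SCRAPER} for s in binding.get("subjects") or []]
    if SCRAPER not in subjects:
        findings.append("monitoring ServiceAccount is not a subject")
    findings += [f"unexpected subject: {s['kind']} {s['name']}"
                 for s in subjects if s != SCRAPER]
    return findings

# Constructed sample objects (shape of `oc get ... -o json`, metadata trimmed).
META = {"name": "openshift-logging-prometheus", "namespace": "openshift-logging"}
ROLE = {"kind": "Role", "metadata": META,
        "rules": [{"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
                   "verbs": ["get", "list", "watch"]}]}
BINDING = {"kind": "RoleBinding", "metadata": META,
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                       "name": "openshift-logging-prometheus"},
           "subjects": [dict(SCRAPER)]}

if __name__ == "__main__":
    print(audit_monitoring_rbac(ROLE, BINDING) or "ok")
    # A binding that lacks the monitoring subject is reported as a finding.
    print(audit_monitoring_rbac(ROLE, dict(BINDING, subjects=[])))
```

An empty result means the pair grants exactly the read-only access shown above; wildcard or extra rules are reported as `excess` so that a broader Role does not pass unnoticed.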

Comment 4 errata-xmlrpc 2020-07-13 17:40:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

