Bug 1855275 - CRDs are still in prometheus-operator ClusterRole
Summary: CRDs are still in prometheus-operator ClusterRole
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.0
Assignee: Simon Pasquier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-07-09 12:30 UTC by Junqi Zhao
Modified: 2020-10-27 16:13 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:13:10 UTC
Target Upstream Version:
Embargoed:


Attachments
prometheus-operator cluster-role file (2.25 KB, text/plain)
2020-07-09 12:30 UTC, Junqi Zhao
prometheus-operator deployment file (10.51 KB, text/plain)
2020-07-09 12:31 UTC, Junqi Zhao


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 851 0 None closed Bump client-go and other deps to v1.18.3 2020-10-01 21:44:39 UTC
Github openshift cluster-monitoring-operator pull 867 0 None closed Bug 1855275: jsonnet: update prometheus-operator cluster role 2020-10-01 21:44:31 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:13:30 UTC

Description Junqi Zhao 2020-07-09 12:30:13 UTC
Created attachment 1700430 [details]
prometheus-operator cluster-role file

Description of problem:
This bug is for https://issues.redhat.com/browse/MON-1084

https://github.com/coreos/prometheus-operator/pull/3155 and 
https://github.com/openshift/prometheus-operator/pull/77 
are in 4.6.0-0.nightly-2020-07-07-141639 and later builds.

Tested with 4.6.0-0.nightly-2020-07-07-233934. 
According to https://github.com/coreos/prometheus-operator/pull/3155,
CRD resources should be removed from ClusterRole/prometheus-operator, but they are still in the ClusterRole:
# oc -n openshift-monitoring get ClusterRole/prometheus-operator -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
...
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - alertmanagers.monitoring.coreos.com
  - podmonitors.monitoring.coreos.com
  - prometheuses.monitoring.coreos.com
  - prometheusrules.monitoring.coreos.com
  - servicemonitors.monitoring.coreos.com
  - thanosrulers.monitoring.coreos.com
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
...
**********************************
Checked with # oc -n openshift-monitoring get deploy prometheus-operator -oyaml
There is no "- --manage-crds=false" setting; for details, see the attached files.
...
    spec:
      containers:
      - args:
        - --kubelet-service=kube-system/kubelet
        - --logtostderr=true
        - --config-reloader-image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ee5afaf279a1228999c0d1b7f6f4ab168cae34bd3b1454acaa8380d3c1edacc1
        - --prometheus-config-reloader=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e1543cc7d31d6f943e955dd6a82a45ea0502aba8f5085869d68c40f831e34717
        - --namespaces=openshift-apiserver,openshift-apiserver-operator,openshift-authentication,openshift-authentication-operator,openshift-cloud-credential-operator,openshift-cluster-machine-approver,openshift-cluster-samples-operator,openshift-cluster-storage-operator,openshift-cluster-version,openshift-config-operator,openshift-console-operator,openshift-controller-manager,openshift-controller-manager-operator,openshift-dns,openshift-dns-operator,openshift-etcd-operator,openshift-image-registry,openshift-ingress,openshift-ingress-operator,openshift-insights,openshift-kube-apiserver,openshift-kube-apiserver-operator,openshift-kube-controller-manager,openshift-kube-controller-manager-operator,openshift-kube-scheduler,openshift-kube-scheduler-operator,openshift-kube-storage-version-migrator,openshift-kube-storage-version-migrator-operator,openshift-machine-api,openshift-machine-config-operator,openshift-marketplace,openshift-monitoring,openshift-multus,openshift-operator-lifecycle-manager,openshift-sdn,openshift-service-ca-operator,openshift-user-workload-monitoring
        - --prometheus-instance-namespaces=openshift-monitoring
        - --thanos-ruler-instance-namespaces=openshift-monitoring
        - --alertmanager-instance-namespaces=openshift-monitoring
        - --config-reloader-cpu=0
        - --config-reloader-memory=0
        - --web.enable-tls=true
        - --web.tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --web.tls-min-version=VersionTLS12
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5a6f7db12af24f4dcef5ac04a75c5d50d28a1712fea066c886ae0ca21d902d83
        imagePullPolicy: IfNotPresent
        name: prometheus-operator
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        resources:
          requests:
            cpu: 5m
            memory: 60Mi
...

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-07-07-233934

How reproducible:
always

Steps to Reproduce:
1. see the description
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Junqi Zhao 2020-07-09 12:31:01 UTC
Created attachment 1700431 [details]
prometheus-operator deployment file
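
The two manual checks in the report (CRD rules left in the ClusterRole, and the `--manage-crds=false` argument on the deployment) can be scripted against `oc get ... -o json` output. This is an added example, not part of the bug report or of the operator's code; the function names and sample objects are constructed for illustration, and it also catches `*` wildcard rules that a text search for `customresourcedefinitions` would miss.

```python
import json
import sys

CRD_GROUP = "apiextensions.k8s.io"
CRD_RESOURCE = "customresourcedefinitions"

# Constructed sample: the two CRD rules from the report (resourceNames
# abridged) plus one unrelated rule made up for contrast.
SAMPLE_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [CRD_GROUP], "resources": [CRD_RESOURCE], "verbs": ["create"]},
    {"apiGroups": [CRD_GROUP], "resources": [CRD_RESOURCE],
     "resourceNames": ["alertmanagers.monitoring.coreos.com",
                       "prometheuses.monitoring.coreos.com"],
     "verbs": ["get", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
]}
# Constructed sample: a subset of the operator args listed in the report.
SAMPLE_DEPLOY = {"spec": {"template": {"spec": {"containers": [
    {"name": "prometheus-operator",
     "args": ["--kubelet-service=kube-system/kubelet", "--logtostderr=true"]},
]}}}}


def crd_rules(cluster_role):
    """Return (verbs, resourceNames) for every rule that reaches CRDs."""
    hits = []
    for rule in cluster_role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        # Wildcards grant the same access and are missed by a text search.
        group_ok = CRD_GROUP in groups or "*" in groups
        res_ok = any(r == "*" or r.split("/")[0] == CRD_RESOURCE
                     for r in resources)
        if group_ok and res_ok:
            hits.append((sorted(rule.get("verbs") or []),
                         rule.get("resourceNames") or []))
    return hits


def has_manage_crds_false(deployment, container="prometheus-operator"):
    """Report whether the named container carries --manage-crds=false."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == container:
            return "--manage-crds=false" in (c.get("args") or [])
    raise KeyError(f"container {container!r} not found")


if __name__ == "__main__":
    # Usage: script.py [clusterrole.json]; without a file the sample is used.
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ROLE
    for verbs, names in crd_rules(role):
        print("CRD access:", ",".join(verbs), "names:", names or "(all)")
    print("--manage-crds=false set:", has_manage_crds_false(SAMPLE_DEPLOY))
```

An empty result from `crd_rules` is the state the report expects for ClusterRole/prometheus-operator.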

Comment 8 errata-xmlrpc 2020-10-27 16:13:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

