
Re: Metrics access by regular user

Hello :)


The problem arose when guys from my team decided to redeploy metrics once again. The current version of our Origin is 1.5.1. (We are one step before the upgrade to 3.6.)
The Ansible flow used the "latest" tag. This means that we have 1.5.1 with metrics images from the latest master branch.
The latest metrics have some issues. After the upgrade, all our customers stopped seeing metrics and lost access to them.
The result was error code 403 in the browser, "cannot retrieve metrics", and the screen from my last email.
After deeper investigation, I discovered that metrics are working fine, but there are simply no permissions to see them.
"cluster-admin" allows me to see metrics; then I noticed that cluster reader is the minimum access level that allows me to see metrics.

I couldn't find answers, so I decided to create my own metrics role that allows all authenticated users (customers) to see their own metrics. The role only allows gaining access to metrics:

Name:           metrics-workaround
Namespace:      <none>
Created:        2 days ago
Labels:         <none>
Annotations:    authorization.openshift.io/system->
Verbs           Non-Resource URLs       Extension       Resource Names  API Groups      Resources
[list]          []                                      []              []              [pods pods/status]
[get]           []                                      []              []              [nodes/metrics nodes/spec]

This policy solved my problems, until the time when we get to the upgrade to the latest version.

After creation, just assign it to the proper group. For example, if you want to grant these permissions to all authenticated users from oauth, you can choose "system:authenticate-oauth".

Best regards

2017-08-28 14:31 GMT+02:00 Łukasz Strzelec <lukasz strzelec gmail com>:
Hello :)
I have the following issue with my metrics:

[Inline image 1]
The metrics work when I assign cluster-role to my user. Any ideas what I should do to allow regular users to see metrics properly?

Best regards


Sr. DevOps Expert / Product Owner of XaaS platform at ING Services Polska 
