integr8ly / application-monitoring-operator

Operator for installing the Application Monitoring Stack on OpenShift (Prometheus, AlertManager, Grafana)
Apache License 2.0

cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace #123

Open sousaaguilherme opened 4 years ago

sousaaguilherme commented 4 years ago

After creating the example-prometheus-nodejs, the grafana dashboard is not showing.

In the grafana-operator I get the following error:

{"level":"error","ts":1582801368.3774614,"logger":"cmd","msg":"error starting metrics service","error":"failed to initialize service object for metrics: applicationmonitorings.applicationmonitoring.integreatly.org \"example-applicationmonitoring\" is forbidden: User \"system:serviceaccount:application-monitoring:grafana-operator\" cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace \"application-monitoring\": no RBAC policy matched","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/pkg/mod/github.com/go-logr/zapr@v0.1.1/zapr.go:128\nmain.main\n\tgrafana-operator/cmd/manager/main.go:223\nruntime.main\n\t/home/travis/.gimme/versions/go1.13.5.linux.amd64/src/runtime/proc.go:203"}

Best regards

david-martin commented 4 years ago
> User \"system:serviceaccount:application-monitoring:grafana-operator\" cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace \"application-monitoring\":

This seems odd. Why would the grafana-operator serviceaccount need to get ApplicationMonitoring CRs?

david-martin commented 4 years ago

@pb82 Any thoughts on this?

pb82 commented 4 years ago

Strange, could it have to do with the CRD metrics?

david-martin commented 4 years ago

@pb82 My guess is it's failing on getting the ownerRef of the pod here https://github.com/operator-framework/operator-sdk/blob/453e43e06c8968e291ec8d3c0b31472269c796d0/pkg/metrics/metrics.go#L126-L129

david-martin commented 4 years ago

Some more supporting evidence. https://github.com/integr8ly/application-monitoring-operator/blob/b92d362c7af5e2d2a3b01556f887086727536e72/pkg/controller/applicationmonitoring/applicationmonitoring_controller.go#L571-L576

david-martin commented 4 years ago

@pb82 If this is the problem, 1 solution is to grant the additional permission to the grafana-operator serviceaccount. However, I'm hesitant to do that without being certain it's the right way to solve this and it's not leaking the abstraction down to grafana-operator. I don't think it would currently as it's AMO that creates the roles for grafana-operator, and the grafana-operator doesn't explicitly know anything about AMO. What do you think?
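
An added example, not part of the thread and not code from either operator: it parses the RBAC denial in the log line reported above and derives the narrowest namespaced Role that would satisfy it (one verb, one resource, one named object), which is useful when weighing whether to grant the permission at all. The Role name is hypothetical, and the sample input is the issue's log line with the stacktrace omitted.

```python
import json
import re

# Log line from the issue, shortened: stacktrace omitted (constructed sample input).
SAMPLE_LOG = json.dumps({
    "level": "error",
    "logger": "cmd",
    "msg": "error starting metrics service",
    "error": 'failed to initialize service object for metrics: '
             'applicationmonitorings.applicationmonitoring.integreatly.org '
             '"example-applicationmonitoring" is forbidden: User '
             '"system:serviceaccount:application-monitoring:grafana-operator" '
             'cannot get applicationmonitorings.applicationmonitoring.integreatly.org '
             'in the namespace "application-monitoring": no RBAC policy matched',
})

# Matches the denial wording shown in the issue's log line.
DENIAL = re.compile(
    r'"(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>[^.\s]+)(?:\.(?P<group>\S+))? '
    r'in the namespace "(?P<namespace>[^"]+)"'
)

def parse_denial(log_line):
    """Return the fields of an RBAC denial in a JSON log line, or None."""
    try:
        record = json.loads(log_line)
    except ValueError:
        return None
    if not isinstance(record, dict):
        return None
    match = DENIAL.search(str(record.get("error", "")))
    return match.groupdict() if match else None

def minimal_role(denial, role_name="grafana-operator-read-owner"):  # hypothetical name
    """Build a namespaced Role granting only the denied verb on the named object."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": denial["namespace"]},
        "rules": [{
            "apiGroups": [denial["group"] or ""],
            "resources": [denial["resource"]],
            "resourceNames": [denial["name"]],
            "verbs": [denial["verb"]],
        }],
    }

if __name__ == "__main__":
    print(json.dumps(minimal_role(parse_denial(SAMPLE_LOG)), indent=2))
```

The Role still needs a RoleBinding to the service account named in the denial before it has any effect.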