Open eguzki opened 4 years ago
@eguzki can you describe how you deployed the AMO stack?
The Role which should be bound to this account system:serviceaccount:application-monitoring:grafana-operator is https://github.com/integr8ly/application-monitoring-operator/blob/master/templates/grafana-operator-role.yaml#L14 which does have permissions "*" for events.
Do we need to allow a clusterrole (https://github.com/integr8ly/application-monitoring-operator/blob/master/deploy/cluster-roles/grafana-operator-clusterrole.yaml) to create events in other namespaces, @david-martin @pb82?
The grafana operator tries to create events in another namespace, hence the permissions should be added in the clusterrole (clusterbindingroles cannot be created using local roles)
I think this is due to https://github.com/integr8ly/grafana-operator/blob/master/pkg/controller/grafanadashboard/dashboard_controller.go#L281
Dashboard errors are recorded in the namespace of the dashboard CR (because we have one dashboard controller per namespace).
If we give the clusterrole permission to create events, these will show in the event log, right? So it would be nice to have imo anyway.
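The scoping point discussed in the comments above, as an added example that is not part of the thread or of the operator's code: a small model of Kubernetes RBAC evaluation showing why a Role with "*" on events in application-monitoring does not cover events created in a dashboard's namespace, while a rule on a ClusterRole bound by a ClusterRoleBinding does. The object names, the ClusterRole's existing rule and the namespace other-ns are constructed; only the service account name comes from the thread.

```python
# Added example: minimal model of Kubernetes RBAC scoping (not the operator's code).
# Object names, rules and "other-ns" are constructed; only SA is from the thread.
SA = "system:serviceaccount:application-monitoring:grafana-operator"

EVENTS_ALL = {"apiGroups": [""], "resources": ["events"], "verbs": ["*"]}
EVENTS_CREATE = {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]}

# Roles keyed by (kind, namespace, name); a ClusterRole has namespace None.
ROLES = {
    ("Role", "application-monitoring", "example-role"): [EVENTS_ALL],
    ("ClusterRole", None, "example-clusterrole"): [
        {"apiGroups": ["integreatly.org"], "resources": ["grafanadashboards"],
         "verbs": ["get", "list", "watch"]},
    ],
}
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "application-monitoring",
     "roleRef": ("Role", "example-role"), "subjects": [SA]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "example-clusterrole"), "subjects": [SA]},
]


def _match(values, wanted):
    return "*" in values or wanted in values


def allowed(subject, verb, resource, namespace, group="", roles=ROLES, bindings=BINDINGS):
    """Return True if any binding grants `verb` on `resource` in `namespace`."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding only applies inside its own namespace;
        # a ClusterRoleBinding applies in every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref_kind, ref_name = b["roleRef"]
        role_ns = b["namespace"] if ref_kind == "Role" else None
        for rule in roles.get((ref_kind, role_ns, ref_name), []):
            if (_match(rule["apiGroups"], group) and _match(rule["resources"], resource)
                    and _match(rule["verbs"], verb)):
                return True
    return False


def with_cluster_events(roles=ROLES):
    """Copy of ROLES with an events rule appended to the ClusterRole."""
    patched = {k: list(v) for k, v in roles.items()}
    patched[("ClusterRole", None, "example-clusterrole")].append(EVENTS_CREATE)
    return patched
```

Against a live cluster, the equivalent check is `kubectl auth can-i create events` with `--as` set to the service account and `-n` set to the dashboard's namespace.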
The grafana operator tries to create events and link to grafana objects, but the clusterrole does not have required roles to create events.
The error logged is: