linux-foundation-easycla[bot]
commented
1 month ago Closed aupadhyay3 closed 1 month ago
linux-foundation-easycla[bot]
commented
1 month ago 
k8s-ci-robot
commented
1 month ago This issue is currently awaiting triage.
If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
k8s-ci-robot
commented
1 month ago Hi @aupadhyay3. Thanks for your PR.
I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
cartermckinnon
commented
1 month ago Makes sense to me, thanks @aupadhyay3
/ok-to-test /lgtm
cartermckinnon
commented
1 month ago @aupadhyay3 can you add a release note block for this?
aupadhyay3
commented
1 month ago @cartermckinnon Added the release note, let me know if it looks good.
cartermckinnon
commented
1 month ago /lgtm /approve
Thanks, @aupadhyay3!
k8s-ci-robot
commented
1 month ago [APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: cartermckinnon
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Co-Authored-By: Eric Wolak eric.wolak@reddit.com
What type of PR is this? /kind bug
What this PR does / why we need it: This PR adds to the RBAC configuration for the
system:serviceaccount:kube-system:cloud-controller-managerby granting ability to create tokenreviews and subjectaccessreviews. This update enables the service account to validate client credentials allowing Prometheus to scrape metrics.Which issue(s) this PR fixes: N/A
Special notes for your reviewer: This fix came up while trying to utilize cloud-controller-manager metrics. While trying to get prometheus to authenticate with the
cloud-controller-managermetrics port, we found that theserviceaccount:kube-system:cloud-controller-managerdoes not have the right RBAC to perform authentication and authorization checks which are needed to validate prometheus client credentials. Specifically, it’s missing the permissions to createtokenreviewsandsubjectaccessreviews. See these errors:After patching the RBAC to include these permissions, prometheus was able to talk to connect to AWS CCM and scrape its metrics.
Does this PR introduce a user-facing change?: