Closed aupadhyay3 closed 1 month ago
This issue is currently awaiting triage.
If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Hi @aupadhyay3. Thanks for your PR.
I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Makes sense to me, thanks @aupadhyay3
/ok-to-test /lgtm
@aupadhyay3 can you add a release note block for this?
@cartermckinnon Added the release note, let me know if it looks good.
/lgtm /approve
Thanks, @aupadhyay3!
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: cartermckinnon
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Co-Authored-By: Eric Wolak eric.wolak@reddit.com
What type of PR is this? /kind bug
What this PR does / why we need it: This PR adds to the RBAC configuration for the system:serviceaccount:kube-system:cloud-controller-manager by granting the ability to create tokenreviews and subjectaccessreviews. This update enables the service account to validate client credentials, allowing Prometheus to scrape metrics.
Which issue(s) this PR fixes: N/A
Special notes for your reviewer: This fix came up while trying to utilize cloud-controller-manager metrics. While trying to get prometheus to authenticate with the cloud-controller-manager metrics port, we found that the serviceaccount:kube-system:cloud-controller-manager does not have the right RBAC to perform authentication and authorization checks which are needed to validate prometheus client credentials. Specifically, it’s missing the permissions to create tokenreviews and subjectaccessreviews. See these errors:
After patching the RBAC to include these permissions, prometheus was able to connect to AWS CCM and scrape its metrics.
Does this PR introduce a user-facing change?:
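An added example, not code from this PR or from cloud-provider-aws: a small Python check that reports which of the two permissions named in the description are missing from a set of RBAC rules, including the case where the resource is granted under the wrong API group. The rule sets are constructed for illustration; the API group names are the standard Kubernetes groups for these resources.

```python
# Added example: audits RBAC PolicyRules for the permissions a component needs
# to validate client credentials on its metrics endpoint.
# All rule sets below are constructed sample data, not the project's manifest.

REQUIRED = [
    ("authentication.k8s.io", "tokenreviews", "create"),
    ("authorization.k8s.io", "subjectaccessreviews", "create"),
]


def _matches(allowed, wanted):
    """RBAC list semantics: '*' matches everything, otherwise exact match."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants verb on resource in api_group."""
    return (
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
    )


def missing_delegation_permissions(rules):
    """Return the REQUIRED (group, resource, verb) tuples no rule grants."""
    return [req for req in REQUIRED
            if not any(rule_allows(r, *req) for r in rules)]


# Constructed "before": no authentication/authorization review permissions.
BEFORE_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
]

# Constructed "after": the two rules the description says were missing.
AFTER_RULES = BEFORE_RULES + [
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"],
     "verbs": ["create"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"],
     "verbs": ["create"]},
]

# Constructed mistake: resource named correctly but placed in the core group.
WRONG_GROUP_RULES = AFTER_RULES[:3] + [
    {"apiGroups": [""], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
]

if __name__ == "__main__":
    for name, rules in [("before", BEFORE_RULES), ("after", AFTER_RULES),
                        ("wrong group", WRONG_GROUP_RULES)]:
        print(name, "missing:", missing_delegation_permissions(rules))
```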