openshift / cluster-monitoring-operator

Manage the OpenShift monitoring stack
Apache License 2.0

OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view #2273

Closed danielmellado closed 1 month ago

danielmellado commented 7 months ago

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC to the subresource of 'prometheuses/api'. The ClusterRole 'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true' label to the cluster-monitoring-view ClusterRole.


[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

Signed-off-by: Daniel Mellado <dmellado@redhat.com>
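
What the label does, as an added example that is not part of this pull request or the operator's code: the sketch mimics how ClusterRole aggregation unions the rules of labelled roles into `view`, and reports what `view` would gain once `cluster-monitoring-view` carries the label. The rule lists are constructed for illustration; only the label, `cluster-monitoring-view` and the `prometheuses/api` subresource come from the thread.

```python
import copy

AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-view"

# Constructed sample objects. The rule lists are illustrative assumptions,
# not the manifests shipped by Kubernetes or the monitoring operator.
VIEW = {"metadata": {"name": "view"},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]}}
ROLES = [
    {"metadata": {"name": "system:aggregate-to-view", "labels": {AGG_LABEL: "true"}},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "cluster-monitoring-view", "labels": {}},
     "rules": [{"apiGroups": ["monitoring.coreos.com"],
                "resources": ["prometheuses/api"], "verbs": ["get"]}]},
]

def selected(target, role):
    """True if any clusterRoleSelector of target matches the role's labels."""
    labels = role["metadata"].get("labels", {})
    return any(all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
               for sel in target["aggregationRule"]["clusterRoleSelectors"])

def aggregate(target, roles):
    """Union of the rules of every selected ClusterRole, deduplicated."""
    rules = []
    for role in roles:
        if selected(target, role):
            rules.extend(r for r in role.get("rules", []) if r not in rules)
    return rules

def gained_by_labelling(target, roles, name):
    """Rules the target gains once the role called `name` carries the label."""
    before = aggregate(target, roles)
    relabelled = copy.deepcopy(roles)  # leave the caller's objects untouched
    for role in relabelled:
        if role["metadata"]["name"] == name:
            role["metadata"].setdefault("labels", {})[AGG_LABEL] = "true"
    return [r for r in aggregate(target, relabelled) if r not in before]

if __name__ == "__main__":
    for rule in gained_by_labelling(VIEW, ROLES, "cluster-monitoring-view"):
        print("view would gain:", rule)
```

Every subject bound to `view` picks up the gained rules, so the output is the permission delta a reviewer has to accept along with the label.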

openshift-ci-robot commented 7 months ago

@danielmellado: This pull request references Jira Issue OCPBUGS-20294, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/cluster-monitoring-operator/pull/2273):

> Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
> to the subresource of 'prometheuses/api'. The ClusterRole
> 'cluster-monitoring-view' is not configured to use aggregate-to-view [1]
>
> This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
> label to the cluster-monitoring-view ClusterRole.
>
> ---
> [1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
>
> * [ ] I added CHANGELOG entry for this change.
> * [X] No user facing changes, so no entry in CHANGELOG was needed.
>
> Signed-off-by: Daniel Mellado

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fcluster-monitoring-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

openshift-ci-robot commented 7 months ago

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

danielmellado commented 7 months ago

/jira refresh

openshift-ci-robot commented 7 months ago

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
* bug is open, matching expected state (open)
* bug target version (4.16.0) matches configured target version for branch (4.16.0)
* bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @juzhao

openshift-ci[bot] commented 7 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danielmellado, marioferh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/openshift/cluster-monitoring-operator/blob/master/OWNERS)~~ [danielmellado,marioferh]

Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment

machine424 commented 7 months ago

I don't see any yaml changes and the generate job is passing, maybe the change has no effect or it's already applied. /hold

openshift-ci[bot] commented 7 months ago

New changes are detected. LGTM label has been removed.

openshift-ci-robot commented 7 months ago

@danielmellado: This pull request references Jira Issue OCPBUGS-20294, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

openshift-ci-robot commented 7 months ago

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is valid.

3 validation(s) were run on this bug
* bug is open, matching expected state (open)
* bug target version (4.16.0) matches configured target version for branch (4.16.0)
* bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @juzhao

danielmellado commented 7 months ago

/unhold

simonpasquier commented 7 months ago

/hold

While the change might solve the reported issue, we need to review the implications.

juzhao commented 7 months ago

@simonpasquier @machine424 @danielmellado please see my comment in the bug: after editing the ClusterRole cluster-monitoring-view to add the label rbac.authorization.k8s.io/aggregate-to-view: "true" and logging in to the console with the user, I could view Alerts/Alerting rules, but there is a warning on the page:

Error loading silences from Alertmanager. Some of the alerts below may actually be silenced.
Forbidden 

There is also a Forbidden error for the Silences tab; I cannot view silences.

openshift-bot commented 4 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-ci[bot] commented 3 months ago

@danielmellado: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/versions | 531c7d7cc64bbcf6dc053817ba364010025e49be | link | false | `/test versions` |
| ci/prow/e2e-aws-ovn-single-node | 531c7d7cc64bbcf6dc053817ba364010025e49be | link | false | `/test e2e-aws-ovn-single-node` |
| ci/prow/e2e-hypershift-conformance | 531c7d7cc64bbcf6dc053817ba364010025e49be | link | true | `/test e2e-hypershift-conformance` |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
openshift-bot commented 2 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot commented 1 month ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 1 month ago

@openshift-bot: Closed this PR.

openshift-ci-robot commented 1 month ago

@danielmellado: This pull request references Jira Issue OCPBUGS-30294. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.
