openshift / cluster-monitoring-operator

Manage the OpenShift monitoring stack
Apache License 2.0

MON-3820: allow read-only access for Alertmanager API #2319

Closed rexagod closed 6 months ago

rexagod commented 6 months ago

PTAL below for more details.

Details

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: janedoe-am-read
  namespace: openshift-monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-alertmanager-view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: janedoe
```

```
┌[rexagod@nebuchadnezzar] [/dev/ttys002]
└[~]> curl -H "Authorization: Bearer $token" -k "https://$host/api/v2/silences"
[{"id":"e6840382-e5b8-48f2-847f-384628ff0f97","status":{"state":"active"},"updatedAt":"2024-04-15T00:02:01.834Z","comment":"foo2","createdBy":"kube:admin","endsAt":"2024-04-15T02:02:01.351Z","matchers":[{"isEqual":true,"isRegex":false,"name":"namespace","value":"openshift-monitoring"},{"isEqual":true,"isRegex":false,"name":"prometheus","value":"openshift-monitoring/k8s"},{"isEqual":true,"isRegex":false,"name":"severity","value":"warning"},{"isEqual":true,"isRegex":false,"name":"alertname","value":"AlertmanagerReceiversNotConfigured"}],"startsAt":"2024-04-15T00:02:01.834Z"}]

┌[rexagod@nebuchadnezzar] [/dev/ttys002]
└[~]> curl -H "Authorization: Bearer $token" -X "DELETE" -k "https://$host/api/v2/silences/e6840382-e5b8-48f2-847f-384628ff0f97"
Forbidden (user=janedoe, verb=delete, resource=alertmanagers, subresource=api)
```

openshift-ci-robot commented 6 months ago

@rexagod: This pull request references MON-3396 which is a valid jira issue.

In response to [this](https://github.com/openshift/cluster-monitoring-operator/pull/2319):

> PTAL below for more details.
>
> - [x] I added CHANGELOG entry for this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

rexagod commented 6 months ago

/retitle MON-3820: allow read-only access for Alertmanager API

openshift-ci-robot commented 6 months ago

@rexagod: This pull request references MON-3820 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to [this](https://github.com/openshift/cluster-monitoring-operator/pull/2319):

> PTAL below for more details.
>
> - [x] I added CHANGELOG entry for this change.

rexagod commented 6 months ago

/jira refresh

openshift-ci-robot commented 6 months ago

@rexagod: This pull request references MON-3820 which is a valid jira issue.

In response to [this](https://github.com/openshift/cluster-monitoring-operator/pull/2319#issuecomment-2054242468):

> /jira refresh

rexagod commented 6 months ago

/test e2e-aws-ovn-techpreview

/test versions

simonpasquier commented 6 months ago

Can you extend TestAlertmanagerAPI() to check that the reader role can only GET while the writer role can GET/POST/DELETE?
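A constructed Go model of the check simonpasquier asks for, added here and not code from the PR or from cluster-monitoring-operator: it assumes the proxy in front of Alertmanager maps GET/POST/DELETE to the get/create/delete RBAC verbs, uses the bearer token directly as the user name, and invents the writer role's grants (kube:admin), while the view role's single get verb and the Forbidden message come from the PR description.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed model of the authorizing proxy in front of Alertmanager: the bearer
// token doubles as the user name (a simplification), each user maps to the verbs its
// bound role grants on alertmanagers/api, and the HTTP method becomes an RBAC verb.
var userVerbs = map[string][]string{
	"janedoe":    {"get"},                     // the PR's monitoring-alertmanager-view role
	"kube:admin": {"get", "create", "delete"}, // an assumed writer role
}
var methodToVerb = map[string]string{"GET": "get", "POST": "create", "DELETE": "delete"}

// Authorize returns the status and body the proxy answers for one request;
// the denial text mirrors the one shown in the PR description.
func Authorize(user, method string) (int, string) {
	verb := methodToVerb[method]
	for _, v := range userVerbs[user] {
		if v == verb {
			return http.StatusOK, "[]" // stub for the silences list
		}
	}
	return http.StatusForbidden, fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=alertmanagers, subresource=api)", user, verb)
}

// Probe sends GET, POST and DELETE to a handler guarding /api/v2/silences as the given
// user and returns the status per method, the check an extended TestAlertmanagerAPI makes.
func Probe(user string) map[string]int {
	h := func(w http.ResponseWriter, r *http.Request) {
		code, body := Authorize(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), r.Method)
		w.WriteHeader(code)
		fmt.Fprint(w, body)
	}
	got := map[string]int{}
	for _, m := range []string{"GET", "POST", "DELETE"} {
		req := httptest.NewRequest(m, "/api/v2/silences", nil)
		req.Header.Set("Authorization", "Bearer "+user)
		rec := httptest.NewRecorder()
		h(rec, req)
		got[m] = rec.Code
	}
	return got
}

func main() { fmt.Println(Probe("janedoe"), Probe("kube:admin")) }
```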

openshift-ci[bot] commented 6 months ago

@rexagod: all tests passed!


Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
juzhao commented 6 months ago

Tested with the PR, no issue.

/label qe-approved

jan--f commented 6 months ago

lgtm but will leave final approval to @simonpasquier

openshift-ci[bot] commented 6 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rexagod, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/cluster-monitoring-operator/blob/master/OWNERS)~~ [rexagod,simonpasquier]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

openshift-bot commented 6 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build cluster-monitoring-operator-container-v4.16.0-202404191609.p0.g5af508b.assembly.stream.el9 for distgit cluster-monitoring-operator. All builds following this will include this PR.