Only namespaces of OCP "core" and Red Hat certified components are supposed to be labeled with openshift.io/cluster-monitoring="true" . Anything else should be scraped by the user-defined monitoring stack or a custom deployed Prometheus. The current advice goes against the support conditions, meaning that we could consider the cluster to be unsupported.
If a user "forgets" to label the namespace and user-defined monitoring is enabled, the PrometheusOperatorRejectedResources alert will fire because the service monitor uses bearerTokenFile which is forbidden in this case (to avoid users getting access to the service account's token).
Managed OpenShift (OSD, ROSA) forbids non-platform namespaces from being labeled with openshift.io/cluster-monitoring="true".
A better solution would be to support user-defined monitoring.
https://github.com/redhat-cop/resource-locker-operator/issues/68#issue-1464664260
The instructions at https://github.com/redhat-cop/group-sync-operator#metrics are problematic for a couple of reasons:
bearerTokenFilewhich is forbidden in this case (to avoid users getting access to the service account's token).openshift.io/cluster-monitoring="true".A better solution would be to support user-defined monitoring.
cc @jan--f @coffeegoesincodecomesout @w1dg3r