Only namespaces of OCP "core" and Red Hat certified components are supposed to be labeled with openshift.io/cluster-monitoring="true" . Anything else should be scraped by the user-defined monitoring stack or a custom deployed Prometheus. The current advice goes against the support conditions, meaning that we could consider the cluster to be unsupported.
If a user "forgets" to label the namespace and user-defined monitoring is enabled, the PrometheusOperatorRejectedResources alert will fire because the service monitor uses bearerTokenFile which is forbidden in this case (to avoid users getting access to the service account's token).
The instructions at https://github.com/redhat-cop/resource-locker-operator#metrics are problematic for 2 reasons:
openshift.io/cluster-monitoring="true"
. Anything else should be scraped by the user-defined monitoring stack or a custom deployed Prometheus. The current advice goes against the support conditions, meaning that we could consider the cluster to be unsupported.PrometheusOperatorRejectedResources
alert will fire because the service monitor uses bearerTokenFile which is forbidden in this case (to avoid users getting access to the service account's token).cc @jan--f