Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view #2273

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view #2273

wants to merge 1 commit into from

Conversation

danielmellado
Copy link
Contributor

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

Signed-off-by: Daniel Mellado dmellado@redhat.com

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 6, 2024
@openshift-ci-robot
Copy link
Contributor

@danielmellado: This pull request references Jira Issue OCPBUGS-20294, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target the "4.16.0" version, but no target version was set
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

Signed-off-by: Daniel Mellado dmellado@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Mar 6, 2024
@openshift-ci openshift-ci bot requested review from jan--f and slashpai March 6, 2024 07:41
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 6, 2024
@danielmellado danielmellado changed the title OCPBUGS-20294: Add aggregate-to-view to cluster-monitoring-view OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view Mar 6, 2024
@openshift-ci-robot openshift-ci-robot added the jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. label Mar 6, 2024
@openshift-ci-robot
Copy link
Contributor

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

Signed-off-by: Daniel Mellado dmellado@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@danielmellado
Copy link
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 6, 2024
@openshift-ci-robot
Copy link
Contributor

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @juzhao

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from juzhao March 6, 2024 07:44
marioferh
marioferh reviewed Mar 6, 2024
View reviewed changes
Copy link
Contributor

@marioferh marioferh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danielmellado, marioferh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [danielmellado,marioferh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@machine424
Copy link
Contributor

I don't see any yaml changes and the generate job is passing, maybe the change has no effect or it's already applied.
/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 6, 2024
@danielmellado
OCPBUGS-20294: Add aggregate-to-view to cluster-monitoring-view
531c7d7 
Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
Signed-off-by: Daniel Mellado <dmellado@redhat.com>
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 6, 2024

New changes are detected. LGTM label has been removed.

@danielmellado danielmellado changed the title OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view OCPBUGS-20294: Add aggregate-to-view to cluster-monitoring-view Mar 6, 2024
@openshift-ci-robot openshift-ci-robot removed jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 6, 2024
@openshift-ci-robot
Copy link
Contributor

@danielmellado: This pull request references Jira Issue OCPBUGS-20294, which is invalid:

  • expected the bug to be open, but it isn't
  • expected the bug to target the "4.16.0" version, but no target version was set
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

Signed-off-by: Daniel Mellado dmellado@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Mar 6, 2024
@danielmellado danielmellado changed the title OCPBUGS-20294: Add aggregate-to-view to cluster-monitoring-view OCPBUGS-30294: Add aggregate-to-view to cluster-monitoring-view Mar 6, 2024
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 6, 2024
@openshift-ci-robot
Copy link
Contributor

@danielmellado: This pull request references Jira Issue OCPBUGS-30294, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @juzhao

In response to this:

Since OpenShift 4.15.0, AlertManager requires the user to have an RBAC
to the subresource of 'prometheuses/api'. The ClusterRole
'cluster-monitoring-view' is not configured to use aggregate-to-view [1]

This commit adds the rbac.authorization.k8s.io/aggregate-to-view: 'true'
label to the cluster-monitoring-view ClusterRole.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

Signed-off-by: Daniel Mellado dmellado@redhat.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Mar 6, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 6, 2024

@danielmellado: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/versions 531c7d7 link false /test versions
ci/prow/e2e-aws-ovn-single-node 531c7d7 link false /test e2e-aws-ovn-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@danielmellado
Copy link
Contributor Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2024
@simonpasquier
Copy link
Contributor

/hold

While the change might solve the reported issue, we need to review the implications..

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2024
@juzhao
Copy link

juzhao commented Mar 14, 2024

@simonpasquier @machine424 @danielmellado please see my comment in bug, edit clusterrole cluster-monitoring-view to add label: rbac.authorization.k8s.io/aggregate-to-view: "true", login console with the user, could view Alerts/ALerting rules, but there is warning on page

Error loading silences from Alertmanager. Some of the alerts below may actually be silenced.
Forbidden

also Forbidden error for Silences tab, can not view silences

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marioferh marioferh marioferh left review comments

@jan--f jan--f Awaiting requested review from jan--f

@slashpai slashpai Awaiting requested review from slashpai

@juzhao juzhao Awaiting requested review from juzhao

Assignees

@marioferh marioferh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@danielmellado @openshift-ci-robot @machine424 @simonpasquier @juzhao @marioferh