In the process of figuring out how to best restrict the access that our current prometheus POC has, while retaining the ability to monitor projects, I found out it is reasonably easy to change configuration (as rbac-playbook has access to oc oadm) but it is very hard to verify.
In general, as a user in our current configuration I don't have access to secrets or config-maps, and with the cluster-wide scope of some of the changes (i.e. as I added the application-monitoring project with make-projects-global to a group that sees all pods in the cluster) it is even harder to verify how this was applied.
Sure, happy to make you a cluster admin in stg... it's in ansible in the os-cluster playbook at the end.
Note that I still am not at all sure I am in favor of make-projects-global, so please do not do anything like that until it's been discussed in prod.
My hope is that with cluster-admin on staging it will be easier to figure out something more restricted than make-projects-global :)
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-trouble, medium-gain, ops
cluster role "cluster-admin" added: "asaleh"
Use your powers wisely.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)