Skip to content
This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace #123

Open
sousaaguilherme opened this issue Feb 27, 2020 · 6 comments
Open

cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace #123

sousaaguilherme opened this issue Feb 27, 2020 · 6 comments

Comments

@sousaaguilherme
Copy link

After creating the example-prometheus-nodejs, the grafana dashboard is not showing.

In the grafana-operator I get the following error:

{"level":"error","ts":1582801368.3774614,"logger":"cmd","msg":"error starting metrics service","error":"failed to initialize service object for metrics: applicationmonitorings.applicationmonitoring.integreatly.org \"example-applicationmonitoring\" is forbidden: User \"system:serviceaccount:application-monitoring:grafana-operator\" cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace \"application-monitoring\": no RBAC policy matched","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nmain.main\n\tgrafana-operator/cmd/manager/main.go:223\nruntime.main\n\t/home/travis/.gimme/versions/go1.13.5.linux.amd64/src/runtime/proc.go:203"}

Best regards
@david-martin
Copy link
Member

david-martin commented Mar 4, 2020
edited
Loading 

> User \"system:serviceaccount:application-monitoring:grafana-operator\" cannot get applicationmonitorings.applicationmonitoring.integreatly.org in the namespace \"application-monitoring\":

This seems odd. Why would the grafana-operator serviceaccount need to get ApplicationMonitoring CRs.

@david-martin
Copy link
Member

@pb82 Any thoughts on this?

@pb82
Copy link
Contributor

pb82 commented Mar 4, 2020

Strange, could it have to do with the CRD metrics?

@david-martin
Copy link
Member

@pb82 My guess is it's failing on getting the ownerRef of the pod here
https://github.com/operator-framework/operator-sdk/blob/453e43e06c8968e291ec8d3c0b31472269c796d0/pkg/metrics/metrics.go#L126-L129

@david-martin
Copy link
Member

Some more supporting evidence.

application-monitoring-operator/pkg/controller/applicationmonitoring/applicationmonitoring_controller.go

Lines 571 to 576 in b92d362

// Set the CR as the owner of this resource so that when
// the CR is deleted this resource also gets removed
err = controllerutil.SetControllerReference(cr, resource.(metav1.Object), r.scheme)
if err != nil {
return nil, errors.Wrap(err, "error setting controller reference")
}

@david-martin
Copy link
Member

@pb82 If this is the problem, 1 solution is to grant the additional permission to the grafana-operator serviceaccount.
However, I'm hesitant to do that without being certain it's the right way to solve this and it's not leaking the abstraction down to grafana-operator. I don't think it would currently as its AMO that crreates the roles for grafana-operator, and the grafana-operator doesn't explicitly know anything about AMO.
What do you think?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@david-martin @pb82 @sousaaguilherme