diff --git a/bundle/manifests/observability-operator.clusterserviceversion.yaml b/bundle/manifests/observability-operator.clusterserviceversion.yaml index 71e9ad099..3bf7f35a5 100644 --- a/bundle/manifests/observability-operator.clusterserviceversion.yaml +++ b/bundle/manifests/observability-operator.clusterserviceversion.yaml @@ -267,6 +267,25 @@ spec: - use serviceAccountName: obo-prometheus-operator-admission-webhook - rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - nodes + - persistentvolumeclaims + - persistentvolumes + - pods + - replicationcontrollers + - secrets + - serviceaccounts + - services + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -304,6 +323,17 @@ spec: - patch - update - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch - apiGroups: - apps resources: @@ -315,6 +345,23 @@ spec: - patch - update - watch + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch - apiGroups: - config.openshift.io resources: @@ -364,6 +411,34 @@ spec: - infrastructure verbs: - get + - apiGroups: + - loki.grafana.com + resources: + - application + - audit + - infrastructure + - network + verbs: + - get + - apiGroups: + - monitoring.coreos.com + resourceNames: + - main + resources: + - alertmanagers/api + verbs: + - get + - list + - apiGroups: + - monitoring.coreos.com + resourceNames: + - k8s + resources: + - prometheuses/api + verbs: + - create + - get + - update - apiGroups: - monitoring.rhobs resources: @@ -438,6 +513,15 @@ spec: - get - patch - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list + - watch - apiGroups: - observability.openshift.io resources: 
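Review bot: The first added rule in the `@@ -267` hunk gives the operator's own ServiceAccount `get`/`list`/`watch` on `secrets` (and `serviceaccounts`) in every namespace. That is presumably there only because RBAC escalation prevention requires the operator to hold every permission it later grants in the `korrel8r-view` ClusterRole, but nothing in the manifest says so, and this CSV is what a cluster administrator reads when deciding whether to install the operator. If the plugin's ClusterRole can do without Secret data, drop `secrets` from both places; if not, put a one-line rationale on the kubebuilder marker that generates this rule so the next person regenerating the bundle understands why an operator that manages UI plugins can read every Secret in the cluster.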
@@ -481,6 +565,7 @@ spec: verbs: - create - delete + - get - list - patch - update @@ -495,6 +580,7 @@ spec: verbs: - create - delete + - get - list - patch - update @@ -520,6 +606,15 @@ spec: - securitycontextconstraints verbs: - use + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + - volumeattachments + verbs: + - get + - list + - watch - apiGroups: - tempo.grafana.com resources: diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 165940314..89d46a8a3 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -43,7 +43,7 @@ var defaultImages = map[string]string{ "ui-troubleshooting-panel": "quay.io/openshift-observability-ui/troubleshooting-panel-console-plugin:v0.1.0", "ui-distributed-tracing": "quay.io/openshift-observability-ui/distributed-tracing-console-plugin:v0.1.0", "ui-logging": "quay.io/openshift-logging/logging-view-plugin:6.0.0", - "korrel8r": "quay.io/korrel8r/korrel8r:0.6.5", + "korrel8r": "quay.io/korrel8r/korrel8r:0.6.6", } func imagesUsed() []string { diff --git a/deploy/dependencies/kustomization.yaml b/deploy/dependencies/kustomization.yaml index 908c5e1fa..169746d16 100644 --- a/deploy/dependencies/kustomization.yaml +++ b/deploy/dependencies/kustomization.yaml @@ -23,7 +23,6 @@ resources: - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.74.0-rhobs1/example/rbac/prometheus-operator/prometheus-operator-service.yaml - # Admission Webhook Deployment - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.74.0-rhobs1/example/admission-webhook/deployment.yaml - https://raw.githubusercontent.com/rhobs/obo-prometheus-operator/v0.74.0-rhobs1/example/admission-webhook/service-account.yaml @@ -38,7 +37,6 @@ resources: - admission-webhook/alertmanager-config-validating-webhook.yaml - admission-webhook/prometheus-rule-validating-webhook.yaml - namespace: operators namePrefix: obo- commonLabels: 
diff --git a/deploy/operator/observability-operator-cluster-role.yaml b/deploy/operator/observability-operator-cluster-role.yaml index 08202090c..b83b4bb3d 100644 --- a/deploy/operator/observability-operator-cluster-role.yaml +++ b/deploy/operator/observability-operator-cluster-role.yaml @@ -4,6 +4,25 @@ kind: ClusterRole metadata: name: observability-operator rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - nodes + - persistentvolumeclaims + - persistentvolumes + - pods + - replicationcontrollers + - secrets + - serviceaccounts + - services + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -41,6 +60,17 @@ rules: - patch - update - watch +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch - apiGroups: - apps resources: @@ -52,6 +82,23 @@ rules: - patch - update - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch - apiGroups: - config.openshift.io resources: @@ -101,6 +148,34 @@ rules: - infrastructure verbs: - get +- apiGroups: + - loki.grafana.com + resources: + - application + - audit + - infrastructure + - network + verbs: + - get +- apiGroups: + - monitoring.coreos.com + resourceNames: + - main + resources: + - alertmanagers/api + verbs: + - get + - list +- apiGroups: + - monitoring.coreos.com + resourceNames: + - k8s + resources: + - prometheuses/api + verbs: + - create + - get + - update - apiGroups: - monitoring.rhobs resources: @@ -175,6 +250,15 @@ rules: - get - patch - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list + - watch - apiGroups: - observability.openshift.io resources: @@ -218,6 +302,7 @@ rules: verbs: - create - delete + - get - list - patch - update 
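Review bot: The `monitoring.coreos.com` rules added in the `@@ -101` hunk give the operator `create`/`update` on `prometheuses/api` (resourceName `k8s`) and `get`/`list` on `alertmanagers/api` (resourceName `main`), which are query-API subresources; from the Go side of this change they appear to exist only so the operator may bind the pre-existing `cluster-monitoring-view` ClusterRole and `monitoring-alertmanager-view` Role to the plugin ServiceAccount, not because the operator queries Prometheus itself. Kubernetes RBAC lets a subject bind a role it does not hold when it has the `bind` verb on that specific role, so a narrower grant would be a `rbac.authorization.k8s.io` rule on `clusterroles` with `resourceNames: [cluster-monitoring-view]` and `verbs: [bind]` (plus the equivalent for the Role in `openshift-monitoring`), after which these subresource verbs could be removed from the operator entirely. Since this file is generated, the change belongs in the controller markers; verify first that no code path in the operator calls those APIs directly.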
@@ -232,6 +317,7 @@ rules: verbs: - create - delete + - get - list - patch - update @@ -257,6 +343,15 @@ rules: - securitycontextconstraints verbs: - use +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + - volumeattachments + verbs: + - get + - list + - watch - apiGroups: - tempo.grafana.com resources: diff --git a/pkg/controllers/uiplugin/controller.go b/pkg/controllers/uiplugin/controller.go index 88ccf7c69..64d6307b6 100644 --- a/pkg/controllers/uiplugin/controller.go +++ b/pkg/controllers/uiplugin/controller.go 
@@ -75,6 +75,20 @@ const (
 // RBAC for logging view plugin
 // +kubebuilder:rbac:groups=loki.grafana.com,resources=application;infrastructure;audit,verbs=get
+// RBAC for korrel8r
+//+kubebuilder:rbac:groups=apps,resources=daemonsets;deployments;replicasets;statefulsets,verbs=get;list;watch
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=configmaps;endpoints;events;namespaces;nodes;persistentvolumeclaims;persistentvolumes;pods;replicationcontrollers;secrets;serviceaccounts;services,verbs=get;list;watch
+//+kubebuilder:rbac:groups=batch,resources=cronjobs;jobs,verbs=get;list;watch
+//+kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch
+//+kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch
+//+kubebuilder:rbac:groups=storage.k8s.io,resources=storageclasses;volumeattachments,verbs=get;list;watch
+//+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies;ingresses,verbs=get;list;watch
+//+kubebuilder:rbac:groups=loki.grafana.com,resources=application;infrastructure;audit;network,verbs=get
+//+kubebuilder:rbac:groups=monitoring.coreos.com,resources=prometheuses/api,resourceNames=k8s,verbs=get;create;update
+//+kubebuilder:rbac:groups=monitoring.coreos.com,resources=alertmanagers/api,resourceNames=main,verbs=get;list
+
+// RegisterWithManager registers the controller with Manager
 func RegisterWithManager(mgr ctrl.Manager, opts Options) error {
 logger := ctrl.Log.WithName("observability-ui")
diff --git a/pkg/controllers/uiplugin/troubleshooting_panel.go b/pkg/controllers/uiplugin/troubleshooting_panel.go
index 45ebc2362..26dacec0b 100644
--- a/pkg/controllers/uiplugin/troubleshooting_panel.go
+++ b/pkg/controllers/uiplugin/troubleshooting_panel.go
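Review bot: The new `rbac.authorization.k8s.io` and `policy` markers request `get;list;watch`, but the `korrel8r-view` ClusterRole this controller creates in troubleshooting_panel.go only grants `list`/`watch` on those resources, so the markers and the delegated role disagree and the operator ends up holding a verb it does not pass on. Pick one: either trim the markers to `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings,verbs=list;watch` and `//+kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=list;watch`, or add `get` to the ClusterRole if korrel8r really needs it. This block is also where the cluster-wide `secrets` read in the `groups=""` marker should be justified in a comment, because the generated CSV and cluster-role YAML carry no explanation.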
@@ -9,6 +9,7 @@ import (
 osv1alpha1 "github.com/openshift/api/console/v1alpha1"
 "gopkg.in/yaml.v3"
 corev1 "k8s.io/api/core/v1"
+ rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -18,6 +19,9 @@ import (
 func createTroubleshootingPanelPluginInfo(plugin *uiv1alpha1.UIPlugin, namespace, name, image string, features []string) (*UIPluginInfo, error) {
 troubleshootingPanelConfig := plugin.Spec.TroubleshootingPanel
 korrel8rSvcName := "korrel8r"
+ monitorClusterroleName := "cluster-monitoring"
+ alertmanagerRoleName := "monitoring-alertmanager-view"
+ monitoringNamespace := "openshift-monitoring"
 configYaml, err := marshalTroubleshootingPanelPluginConfig(troubleshootingPanelConfig)
 if err != nil {
@@ -65,6 +69,36 @@ func createTroubleshootingPanelPluginInfo(plugin *uiv1alpha1.UIPlugin, namespace
 "config.yaml": configYaml,
 },
 },
+ RoleBinding: &rbacv1.RoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: rbacv1.SchemeGroupVersion.String(),
+ Kind: "RoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: alertmanagerRoleName + "-rolebinding",
+ Namespace: monitoringNamespace,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ APIGroup: corev1.SchemeGroupVersion.Group,
+ Kind: "ServiceAccount",
+ Name: plugin.Name + "-sa",
+ Namespace: namespace,
+ },
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: rbacv1.SchemeGroupVersion.Group,
+ Kind: "Role",
+ Name: alertmanagerRoleName,
+ },
+ },
+ ClusterRoles: []*rbacv1.ClusterRole{
+ korrel8rClusterRole(korrel8rSvcName),
+ },
+ ClusterRoleBindings: []*rbacv1.ClusterRoleBinding{
+ korrel8rClusterRoleBinding(monitorClusterroleName, plugin.Name, namespace),
+ korrel8rClusterRoleBinding(korrel8rSvcName, plugin.Name, namespace),
+ },
 }
 return pluginInfo, nil
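Review bot: Every RBAC object built in the `@@ -65` hunk has a name that does not depend on `plugin.Name` — the RoleBinding is always `monitoring-alertmanager-view-rolebinding` in `openshift-monitoring`, and the ClusterRole/ClusterRoleBinding names come from the constants `korrel8r` and `cluster-monitoring` — while the subject is `plugin.Name + "-sa"`, so a second UIPlugin of this type would overwrite the first one's subjects instead of adding its own. If only one troubleshooting-panel plugin per cluster is supported, state that in a comment at the top of this block; otherwise derive the object names from `plugin.Name` the way the ServiceAccount name already is. The RoleBinding also points at the Role `monitoring-alertmanager-view`, which nothing in this change creates; if it is expected to be shipped by the platform, document that next to `alertmanagerRoleName`, e.g. `// Role provided by the platform monitoring stack in openshift-monitoring; this operator only binds to it.` createTroubleshootingPanelPluginInfo begins before the hunk and continues after it.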
@@ -100,7 +134,7 @@ func getLokiServiceName(ctx context.Context, k client.Client, ns string) (string
 return "", err
 }
- // Accumulate services that contain "gateway" in their names
+ // Accumulate services that contain "gateway-http" in their names
 for _, service := range serviceList.Items {
 if strings.Contains(service.Name, "gateway-http") && service.Labels["app.kubernetes.io/component"] == "lokistack-gateway" {
 return service.Name, nil
@@ -108,3 +142,89 @@ func getLokiServiceName(ctx context.Context, k client.Client, ns string) (string
 }
 return "", nil
 }
+
+func korrel8rClusterRole(name string) *rbacv1.ClusterRole {
+ korrel8rClusterroleName := name + "-view"
+ return &rbacv1.ClusterRole{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: rbacv1.SchemeGroupVersion.String(),
+ Kind: "ClusterRole",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: korrel8rClusterroleName,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"configmaps", "endpoints", "events", "namespaces", "nodes", "pods", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers", "secrets", "serviceaccounts", "services"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"rbac.authorization.k8s.io"},
+ Resources: []string{"roles", "rolebindings", "clusterroles", "clusterrolebindings"},
+ Verbs: []string{"list", "watch"},
+ },
+ {
+ APIGroups: []string{"apps"},
+ Resources: []string{"statefulsets", "daemonsets", "deployments", "replicasets"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"batch"},
+ Resources: []string{"cronjobs", "jobs"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"autoscaling"},
+ Resources: []string{"horizontalpodautoscalers"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"policy"},
+ Resources: []string{"poddisruptionbudgets"},
+ Verbs: []string{"list", "watch"},
+ },
+ {
+ APIGroups: []string{"storage.k8s.io"},
+ Resources: []string{"storageclasses", "volumeattachments"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"networking.k8s.io"},
+ Resources: []string{"networkpolicies", "ingresses"},
+ Verbs: []string{"get", "list", "watch"},
+ },
+ {
+ APIGroups: []string{"loki.grafana.com"},
+ Resources: []string{"application", "audit", "infrastructure", "network"},
+ Verbs: []string{"get"},
+ },
+ },
+ }
+}
+
+func korrel8rClusterRoleBinding(name string, serviceAccountName string, namespace string) *rbacv1.ClusterRoleBinding {
+ korrel8rClusterroleBindingName := name + "-view"
+ return &rbacv1.ClusterRoleBinding{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: rbacv1.SchemeGroupVersion.String(),
+ Kind: "ClusterRoleBinding",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: korrel8rClusterroleBindingName,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ APIGroup: corev1.SchemeGroupVersion.Group,
+ Kind: "ServiceAccount",
+ Name: serviceAccountName + "-sa",
+ Namespace: namespace,
+ },
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: rbacv1.SchemeGroupVersion.Group,
+ Kind: "ClusterRole",
+ Name: korrel8rClusterroleBindingName,
+ },
+ }
+}
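Review bot: `korrel8rClusterRole` grants the plugin ServiceAccount cluster-wide `get`/`list`/`watch` on `secrets`, which is read access to the data of every Secret in the cluster and turns the korrel8r pod into a high-value target for anyone who can reach it; unless korrel8r needs Secret contents rather than just their existence and metadata, remove `"secrets"` from the first rule's `Resources` list (and from the matching operator marker), or at minimum add a comment explaining why it is required. The rule set also disagrees with the controller markers (`rbac.authorization.k8s.io` and `policy` are `list`/`watch` here but `get;list;watch` there), so one side should be corrected to keep the operator's own privileges no wider than what it delegates. `korrel8rClusterRoleBinding` appends `-view` to `name` for both the binding's name and its `RoleRef`, so callers must pass the ClusterRole name without that suffix — the `cluster-monitoring` call in createTroubleshootingPanelPluginInfo relies on this to target the platform's `cluster-monitoring-view` ClusterRole; a doc comment such as `// korrel8rClusterRoleBinding builds a ClusterRoleBinding named <name>-view that binds ClusterRole <name>-view to ServiceAccount <serviceAccountName>-sa in namespace.` would make that contract explicit, and a matching one-liner on `korrel8rClusterRole` would not hurt.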