MON-4472: Migrate Prometheus targets discovering from Endpoints to EndpointsSlices#638
MON-4472: Migrate Prometheus targets discovering from Endpoints to EndpointsSlices#638machine424 wants to merge 1 commit intoopenshift:mainfrom
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@machine424: This pull request references MON-4472 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: machine424 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/retest-required |
|
@machine424: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| - get | ||
| - list | ||
| - watch | ||
| - apiGroups: |
There was a problem hiding this comment.
could we remove rbac for endpoints ?
There was a problem hiding this comment.
Choosing the conservative approach in case we forget to set serviceDiscoveryRole: EndpointSlice on some hidden ServiceMonitor and CI doesn’t warn us about it.
If we can be confident that no other ServiceMonitor needs/relies on those roles, we can safely remove the permissions for sure.
That being said, both resources should contain/provide the same data, RO rbac for endpoints will not really be more permissive...
There was a problem hiding this comment.
If we can be confident that no other ServiceMonitor needs/relies on those roles, we can safely remove the permissions for sure.
Are we planning to review these permissions in the future?
I just want to understand and confirm whether unused RBAC permissions will be removed later on.
There was a problem hiding this comment.
once we're confident that no other ServiceMonitor (that wasn't migrated in this PR) relies on those RBAC. Yes.
| - get | ||
| - list | ||
| - watch | ||
| - apiGroups: |
There was a problem hiding this comment.
could we remove rbac for endpoints ?
|
@machine424: This pull request references MON-4472 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@machine424: This pull request references MON-4472 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
2 similar comments
|
/retest-required |
|
/retest-required |
3 participants
This PR migrates Prometheus service discovery from the deprecated Endpoints API to the EndpointSlices API, by:
serviceDiscoveryRole: EndpointSliceon ServiceMonitors.endpointslicespermissions.We're taking a conservative approach by keeping the existing
endpointspermissions alongside the newendpointslicesones. This provides a safety net in case any ServiceMonitors, whether deployed from this repo or from another source, still rely on the same Role and were missed during the migration.That said, since both resources provide essentially the same data, keeping both isn't meaningfully more permissive from a security standpoint.
These changes target OpenShift 4.22+ and should not be backported to earlier releases.