2.4. Granting user permissions using CLI
This procedure shows how to grant users permissions for monitoring their own services using the CLI.
Important
Whichever role you choose, you must bind it against a specific namespace.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- Have a user created.
- Log in using the oc command.
Procedure
Run this command to assign a role to a user in a defined namespace:
$ oc policy add-role-to-user <role> <user> -n <namespace>
Substitute <role> with monitoring-rules-view, monitoring-rules-edit, or monitoring-edit.
- monitoring-rules-view allows reading PrometheusRule custom resources within the namespace.
- monitoring-rules-edit allows creating, modifying, and deleting PrometheusRule custom resources matching the permitted namespace.
- monitoring-edit gives the same permissions as monitoring-rules-edit. Additionally, it allows creating scraping targets for services or pods. It also allows creating, modifying, and deleting ServiceMonitor and PodMonitor resources.
As an example, substitute the role with monitoring-edit, the user with johnsmith, and the namespace with ns1. This assigns to user johnsmith the permissions for setting up metrics collection and creating alerting rules in the ns1 namespace.
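The following wrapper is an added example, not part of the original procedure. It accepts only the three roles listed above, refuses to run without a namespace, and then confirms the resulting permission with oc auth can-i. The function name grant_monitoring_role and the verb/resource chosen for each check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: grant one of the three monitoring roles in a single
# namespace, then check the effective permission by impersonating the user.
# Assumes an active `oc` session with the cluster-admin role.
# grant_monitoring_role is a hypothetical helper name, not an oc feature.

grant_monitoring_role() {
    role=$1
    user=$2
    namespace=$3

    # Accept only the roles named in this procedure, so a typo or a
    # broader role (for example cluster-admin) is never bound by mistake.
    case "$role" in
        monitoring-rules-view|monitoring-rules-edit|monitoring-edit) ;;
        *) echo "refusing unknown role: $role" >&2; return 2 ;;
    esac

    # The role must be bound against a specific namespace.
    if [ -z "$user" ] || [ -z "$namespace" ]; then
        echo "usage: grant_monitoring_role <role> <user> <namespace>" >&2
        return 2
    fi

    oc policy add-role-to-user "$role" "$user" -n "$namespace" || return 1

    # One representative check per role (illustrative choice):
    # view -> read rules, rules-edit -> create rules,
    # monitoring-edit -> create scrape targets.
    case "$role" in
        monitoring-rules-view) verb=get;    resource=prometheusrules ;;
        monitoring-rules-edit) verb=create; resource=prometheusrules ;;
        monitoring-edit)       verb=create; resource=servicemonitors ;;
    esac

    # Exits non-zero if the user still lacks the permission.
    oc auth can-i "$verb" "$resource.monitoring.coreos.com" \
        --as "$user" -n "$namespace"
}

# Usage, matching the example above:
#   grant_monitoring_role monitoring-edit johnsmith ns1
```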