2.4. Granting user permissions using CLI

This procedure shows how to grant users permissions for monitoring their own services using the CLI.

重要

Whichever role you choose, you must bind it against a specific namespace.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • Have a user created.
  • Log in using the oc command.

Procedure

  • Run this command to assign a role to a user in a defined namespace: 

    $ oc policy add-role-to-user <role> <user> -n <namespace>

    Substitute <role> with monitoring-rules-view, monitoring-rules-edit, or monitoring-edit.

    • monitoring-rules-view allows reading PrometheusRule custom resources within the namespace.
    • monitoring-rules-edit allows creating, modifying, and deleting PrometheusRule custom resources matching the permitted namespace.
    • monitoring-edit gives the same permissions as monitoring-rules-edit. Additionally, it allows creating scraping targets for services or pods. It also allows creating, modifying, and deleting ServiceMonitor and PodMonitor resources.

    As an example, substitute the role with monitoring-edit, the user with johnsmith, and the namespace with ns1. This assigns to user johnsmith the permissions for setting up metrics collection and creating alerting rules in the ns1 namespace.