Not set permissions to system:serviceaccount:openshift-monitoring:prometheus-k8s for scrapping the `openshift-update-service` namespace resources

Solution Verified - Updated -

Issue

  • After installing the OpenShift Update Service operator are visible errors in the Prometheus pods indicating that the user system:serviceaccount:openshift-monitoring:prometheus-k8s has not permissions to list the pods:

    ts=2025-02-24T11:25:18.124Z caller=klog.go:108 level=warn component=k8s_client_runtime func=Warningf msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:556: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"pods\" in API group \"\" in the namespace \"openshift-update-service\""
ts=2025-02-24T11:25:18.124Z caller=klog.go:116 level=error component=k8s_client_runtime func=ErrorDepth msg="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:556: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:openshift-monitoring:prometheus-k8s\" cannot list resource \"pods\" in API group \"\" in the namespace \"openshift-update-service\""

Environment

  • Red Hat OpenShift Container Platform
    • 4.16, 4.18
  • OpenShift Update Service Operator
    • 5.0.3

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content