2.4. Granting user permissions using CLI
This procedure shows how to grant users permissions for monitoring their own services using the CLI.
重要
Whichever role you choose, you must bind it against a specific namespace.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- Have a user created.
-
Log in using the
occommand.
Procedure
Run this command to assign a role to a user in a defined namespace:
$ oc policy add-role-to-user <role> <user> -n <namespace>
Substitute
<role>withmonitoring-rules-view,monitoring-rules-edit, ormonitoring-edit.-
monitoring-rules-viewallows readingPrometheusRulecustom resources within the namespace. -
monitoring-rules-editallows creating, modifying, and deletingPrometheusRulecustom resources matching the permitted namespace. -
monitoring-editgives the same permissions asmonitoring-rules-edit. Additionally, it allows creating scraping targets for services or pods. It also allows creating, modifying, and deletingServiceMonitorandPodMonitorresources.
As an example, substitute the role with
monitoring-edit, the user withjohnsmith, and the namespace withns1. This assigns to userjohnsmiththe permissions for setting up metrics collection and creating alerting rules in thens1namespace.-
