2.4. Granting user permissions using CLI
This procedure shows how to grant users permissions for monitoring their own services using the CLI.
Whichever role you choose, you must bind it against a specific namespace.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have created a user.
- You have logged in using the oc command.
Procedure
Run this command to assign a role to a user in a defined namespace:
$ oc policy add-role-to-user <role> <user> -n <namespace>
Substitute <role> with monitoring-rules-view, monitoring-rules-edit, or monitoring-edit.
- monitoring-rules-view allows reading PrometheusRule custom resources within the namespace.
- monitoring-rules-edit allows creating, modifying, and deleting PrometheusRule custom resources matching the permitted namespace.
- monitoring-edit gives the same permissions as monitoring-rules-edit. Additionally, it allows creating scraping targets for services or pods. It also allows creating, modifying, and deleting ServiceMonitor and PodMonitor resources.
As an example, substitute the role with monitoring-edit, the user with johnsmith, and the namespace with ns1. This assigns to user johnsmith the permissions for setting up metrics collection and creating alerting rules in the ns1 namespace.
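The following wrapper is an added example, not part of the original documentation. It refuses any role other than the three listed above, grants the role, and then checks the user's effective permissions with oc auth can-i. The function names are hypothetical, the resource names assume the monitoring.coreos.com API group, and the caller is assumed to be allowed to impersonate users (cluster-admin, as in the prerequisites).

```shell
# Added example (not from the original documentation).
# Expected access per role, taken from the role descriptions above.
# Assumption: the resources live in the monitoring.coreos.com API group.
expected_access() {
  case "$1" in
    monitoring-rules-view)
      echo "get prometheusrules.monitoring.coreos.com" ;;
    monitoring-rules-edit)
      printf '%s prometheusrules.monitoring.coreos.com\n' create update delete ;;
    monitoring-edit)
      for r in prometheusrules servicemonitors podmonitors; do
        printf '%s %s.monitoring.coreos.com\n' create "$r" update "$r" delete "$r"
      done ;;
    *) return 1 ;;  # anything else is not a monitoring role: refuse it
  esac
}

# grant_monitoring_role <role> <user> <namespace>
# Returns 0 if granted and verified, 1 if a grant or check failed, 2 on bad input.
grant_monitoring_role() {
  role=$1 user=$2 ns=$3 failed=0
  if [ -z "$user" ] || [ -z "$ns" ] || ! expected_access "$role" >/dev/null; then
    echo "usage: grant_monitoring_role <monitoring role> <user> <namespace>" >&2
    return 2
  fi
  oc policy add-role-to-user "$role" "$user" -n "$ns" || return 1
  # Impersonate the user and ask the API server about each expected permission.
  while read -r verb resource; do
    answer=$(oc auth can-i "$verb" "$resource" --as="$user" -n "$ns" 2>/dev/null) || true
    if [ "$answer" != yes ]; then
      echo "MISSING: $user cannot $verb $resource in $ns" >&2
      failed=1
    fi
  done <<EOF
$(expected_access "$role")
EOF
  return "$failed"
}

# The example from the text:
#   grant_monitoring_role monitoring-edit johnsmith ns1
```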