Revoke Rok Monitoring Stack Admin Privileges

This guide contains all necessary steps to revoke Rok Monitoring Stack admin privileges from an EKF user.

The Rok Monitoring Stack ships with a pre-configured Grafana installation that provides a rich web UI for viewing real-time metrics dashboards and performing management tasks. Currently, access to the Rok Monitoring Stack is allowed only to admin users. All users that are allowed to access the Rok Monitoring Stack UI share the same Grafana view and are logged in as organization admins.

Important

A Rok Monitoring Stack admin can:

  • Access all dashboards that the Rok Monitoring Stack pre-configures.
  • View cluster-wide metrics from multiple sources, e.g., physical nodes, Kubernetes and running applications.
  • Perform administrative and management tasks, e.g., create teams, group users, declare permissions, modify dashboards, explore queries etc.

Procedure

Note

The steps listed below allow you to remove a single EKF user from the list of Rok Monitoring Stack admins. To remove multiple EKF users from the list of Rok Monitoring Stack admins you have to repeat steps 2-11 below.

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Specify the EKF user to revoke Rok Monitoring Stack admin privileges from:

    root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

    Replace <USERNAME> with the desired value. For example:

    root@rok-tools:~/ops/deployments# export USERNAME=user
  3. Get the current list of Rok Monitoring Stack admins:

    root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
    > kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
    > -o jsonpath='{.spec.rules[*].when[].values[*]}')
  4. Remove the previously specified EKF user from the list of Rok Monitoring Stack admins:

    root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
    > echo ${ROK_MONITORING_ADMINS} | xargs -n1 | grep -w -v $USERNAME)
  5. Update the patch for the AuthorizationPolicy of the Rok Monitoring Stack:

    root@rok-tools:~/ops/deployments# rok-j2 \
    > rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml.j2 \
    > -o rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml
  6. View the updated patch for the AuthorizationPolicy of the Rok Monitoring Stack at rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml. For example:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: rok-monitoring-admins
      namespace: monitoring
    spec:
      rules: []
  7. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Revoke Rok Monitoring Stack admin privileges from user '${USERNAME?}'"
  8. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/monitoring/overlays/deploy
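The list manipulation in steps 3 and 4, and the check in the first Verify step, can be done offline on the value that the kubectl jsonpath query returns. The following is an added example written for this page, not part of the EKF documentation or the rok-tools environment: it uses a constructed admin list in place of the live kubectl output and replaces the `grep -w -v` filter with an exact, fixed-string, whole-line match (`grep -v -x -F`). The difference matters when one username is a prefix of another separated by a non-word character (`user` vs. `user.name`, which `-w` also drops) or when the username contains regex metacharacters such as `.` or `@`. The `remove_admin_wordmatch` function is included only to show that behaviour side by side.

```shell
#!/usr/bin/env sh
# Added example, not EKF/rok-tools code. Operates on the space-separated list
# of usernames that the jsonpath query in step 3 stores in ROK_MONITORING_ADMINS.

# Constructed sample: the value ROK_MONITORING_ADMINS might hold after step 3.
SAMPLE_ADMINS="alice user user.name a.b@example.com"

# remove_admin LIST USERNAME
# Prints every entry of LIST except those exactly equal to USERNAME, one per line.
# -x: whole-line match, -F: literal string (no regex), -v: invert the match.
# grep exits 1 when no line survives (USERNAME was the only admin); `|| true`
# turns that into an empty result instead of a failure under `set -e`.
remove_admin() {
    _list=$1
    _user=$2
    # Unquoted $_list splits on whitespace, one username per printf argument.
    printf '%s\n' $_list | grep -v -x -F -- "$_user" || true
}

# remove_admin_wordmatch LIST USERNAME
# Same as the page's `xargs -n1 | grep -w -v $USERNAME` filter, kept here only
# to show that -w also removes "user.name" when USERNAME is "user".
remove_admin_wordmatch() {
    printf '%s\n' $1 | grep -w -v -- "$2" || true
}

# contains_admin LIST USERNAME
# Exit 0 if USERNAME is an exact entry of LIST (the check behind Verify step 1).
contains_admin() {
    printf '%s\n' $1 | grep -q -x -F -- "$2"
}

# Demonstration on the constructed sample. `xargs` with no arguments folds the
# one-per-line output back into a single space-separated line.
REMAINING=$(remove_admin "$SAMPLE_ADMINS" user | xargs)
echo "exact match   : $REMAINING"
echo "grep -w match : $(remove_admin_wordmatch "$SAMPLE_ADMINS" user | xargs)"
if contains_admin "$REMAINING" user; then
    echo "user is still an admin"
else
    echo "user has been removed from the admin list"
fi
```

In the real procedure, step 4 would become `export ROK_MONITORING_ADMINS=$(echo ${ROK_MONITORING_ADMINS} | xargs -n1 | grep -v -x -F -- "$USERNAME")`; the rest of the steps are unchanged.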

Verify

  1. Verify that the AuthorizationPolicy of the Rok Monitoring Stack no longer lists the user whose admin privileges you are revoking:

    root@rok-tools:~/ops/deployments# kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
    > -o jsonpath='{.spec.rules[*].when[].values[*]}'
  2. Log in as the specified EKF user and verify that you are no longer allowed to access the Rok Monitoring Stack UI at

    https://<FQDN>/monitoring/

    in your browser. More specifically, you should see an RBAC: access denied error message from Istio.

Troubleshooting

EKF user can still access the Rok Monitoring Stack UI

Verify that you do not have a typo in the username of the user to revoke Rok Monitoring Stack admin privileges from. Also, verify that the generated rule for the AuthorizationPolicy of the Rok Monitoring Stack is properly formatted, as shown in the example snippet above.

Summary

You have successfully revoked Rok Monitoring Stack admin privileges from an EKF user.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.