Grant Rok Monitoring Stack Admin Privileges
This guide contains all necessary steps to grant an EKF user admin privileges to the Rok Monitoring Stack.
The Rok Monitoring Stack ships with a pre-configured Grafana installation that provides a rich web UI for viewing real-time metrics dashboards and performing management tasks. Currently, access to the Rok Monitoring Stack is allowed only to admin users. All users that are allowed to access the Rok Monitoring Stack UI share the same Grafana view and are logged in as organization admins.
Important
A Rok Monitoring Stack admin can:
- Access all dashboards that the Rok Monitoring Stack pre-configures.
- View cluster-wide metrics from multiple sources, e.g., physical nodes, Kubernetes and running applications.
- Perform administrative and management tasks, e.g., create teams, group users, declare permissions, modify dashboards, explore queries etc.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- An existing Rok deployment.
Procedure
Note
The steps listed below allow you to add a single EKF user to the list of Rok Monitoring Stack admins. To add multiple EKF users to the list of Rok Monitoring Stack admins you have to repeat steps 2-11 below.
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Specify the EKF user to grant Rok Monitoring Stack admin privileges:

       root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

   Replace <USERNAME> with the desired value. For example:

       root@rok-tools:~/ops/deployments# export USERNAME=user

3. Get the current list of Rok Monitoring Stack admins:

       root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
       >     kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
       >     -o jsonpath='{.spec.rules[*].when[].values[*]}')

4. Add the previously specified EKF user to the list of Rok Monitoring Stack admins:

       root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
       >     echo $ROK_MONITORING_ADMINS $USERNAME | xargs -n1 | sort -u | xargs)

5. Update the patch for the AuthorizationPolicy of the Rok Monitoring Stack:

       root@rok-tools:~/ops/deployments# rok-j2 \
       >     rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml.j2 \
       >     -o rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml

6. View the updated patch for the AuthorizationPolicy of the Rok Monitoring Stack at rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml. For example:

       apiVersion: security.istio.io/v1beta1
       kind: AuthorizationPolicy
       metadata:
         name: rok-monitoring-admins
         namespace: monitoring
       spec:
         rules:
         - when:
           - key: request.headers[kubeflow-userid]
             values:
             - user

7. Commit the changes:

       root@rok-tools:~/ops/deployments# git commit -am "Grant user '${USERNAME?}' Rok Monitoring Stack admin privileges"

8. Apply the changes:

       root@rok-tools:~/ops/deployments# rok-deploy --apply rok/monitoring/overlays/deploy
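A guarded form of the step that adds the user to the admin list, as an added example that is not part of Arrikto's tooling; the function names valid_admin and merge_admins are hypothetical. It rejects empty or whitespace-containing usernames and any '*', because the unquoted echo in that step lets the shell expand '*' into file names and Istio matches a leading or trailing '*' in a condition value as a wildcard.

```shell
#!/bin/sh
# Added example, not Arrikto tooling. Function names are hypothetical.

# valid_admin NAME: accept only one literal, whitespace-free username.
valid_admin() (
    name=$1
    set -f                     # disable globbing while we word-split
    set -- $name               # split on spaces, tabs and newlines
    if [ $# -ne 1 ] || [ "$1" != "$name" ]; then
        echo "rejected: empty or contains whitespace: '$name'" >&2
        exit 1
    fi
    case $name in
        *\**) echo "rejected: contains '*': '$name'" >&2; exit 1 ;;
    esac
)

# merge_admins "CURRENT LIST" NEW: print the sorted, de-duplicated list,
# or fail without output if any entry is not a plain username.
merge_admins() (
    current=$1 new=$2
    valid_admin "$new" || exit 1
    set -f                     # split $current without pathname expansion
    for name in $current; do
        valid_admin "$name" || exit 1
    done
    printf '%s\n' $current "$new" | LC_ALL=C sort -u | paste -sd' ' -
)

# Constructed sample values; in the procedure the current list comes from
# kubectl and the new name from the operator.
ROK_MONITORING_ADMINS=$(merge_admins "bob alice" "user") &&
    echo "admins: $ROK_MONITORING_ADMINS"
```

In the procedure, the call would be export ROK_MONITORING_ADMINS=$(merge_admins "$ROK_MONITORING_ADMINS" "$USERNAME"). A failure on an existing entry means the live policy already contains a value that is not a plain username and should be reviewed before it is re-applied.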
Verify

1. Verify that the AuthorizationPolicy of the Rok Monitoring Stack has exactly one rule with the desired list of Rok Monitoring Stack admins. For example:

       root@rok-tools:~/ops/deployments# kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
       >     -o jsonpath='{.spec.rules[*].when[].values[*]}'
       user

2. Log in as the specified EKF user and verify that you are allowed to access the Rok Monitoring Stack UI at https://<FQDN>/monitoring/ in your browser.
Troubleshooting
EKF user cannot access the Rok Monitoring Stack UI
It might be the case that you see an "RBAC: access denied" error message from Istio in your browser. Verify that you do not have a typo in the username of the user to be granted Rok Monitoring Stack admin privileges. Also, verify that the generated rule for the AuthorizationPolicy of the Rok Monitoring Stack is properly formatted, as shown in the example snippet above.
What’s Next
Check out the rest of the maintenance operations that you can perform on your cluster.