Grant Rok Monitoring Stack Admin Privileges

This guide contains all necessary steps to grant an EKF user admin privileges to the Rok Monitoring Stack.

The Rok Monitoring Stack ships with a pre-configured Grafana installation that provides a rich web UI for viewing real-time metrics dashboards and performing management tasks. Currently, access to the Rok Monitoring Stack is allowed only to admin users. All users that are allowed to access the Rok Monitoring Stack UI share the same Grafana view and are logged in as organization admins.

Important

A Rok Monitoring Stack admin can:

  • Access all dashboards that the Rok Monitoring Stack pre-configures.
  • View cluster-wide metrics from multiple sources, e.g., physical nodes, Kubernetes and running applications.
  • Perform administrative and management tasks, e.g., create teams, group users, declare permissions, modify dashboards, explore queries etc.

Procedure

Note

The steps listed below allow you to add a single EKF user to the list of Rok Monitoring Stack admins. To add multiple EKF users to the list of Rok Monitoring Stack admins you have to repeat steps 2-11 below.

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Specify the EKF user to grant Rok Monitoring Stack admin privileges:

    root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

    Replace <USERNAME> with the desired value. For example:

    root@rok-tools:~/ops/deployments# export USERNAME=user
  3. Get the current list of Rok Monitoring Stack admins:

    root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
    >     kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
    >     -o jsonpath='{.spec.rules[*].when[].values[*]}')
  4. Add the previously specified EKF user to the list of Rok Monitoring Stack admins:

    root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
    >     echo $ROK_MONITORING_ADMINS $USERNAME | xargs -n1 | sort -u | xargs)
  5. Update the patch for the AuthorizationPolicy of the Rok Monitoring Stack:

    root@rok-tools:~/ops/deployments# rok-j2 \
    >     rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml.j2 \
    >     -o rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml
  6. View the updated patch for the AuthorizationPolicy of the Rok Monitoring Stack at rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml. For example:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: rok-monitoring-admins
      namespace: monitoring
    spec:
      rules:
      - when:
        - key: request.headers[kubeflow-userid]
          values:
          - user
  7. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Grant user '${USERNAME?}' Rok Monitoring Stack admin privileges"
  8. Apply the changes:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/monitoring/overlays/deploy
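
The merge in step 4 splits on whitespace and passes an empty USERNAME through without complaint, so a guarded wrapper helps catch a bad username before the commit. The following is an added example, not part of the Rok tooling; the function names `merge_admins` and `new_admins` and the sample usernames are assumptions made up here.

```shell
#!/bin/sh
# Added example: guarded form of the merge done in step 4.
LC_ALL=C; export LC_ALL          # stable sort order across locales
TAB=$(printf '\t')

# merge_admins CURRENT NEW
# Prints the sorted, de-duplicated admin list on one line.
# Fails if NEW is empty or contains whitespace, since the step 4
# pipeline would otherwise add nothing or add several entries.
merge_admins() {
    case $2 in
        ''|*' '*|*"$TAB"*)
            echo "refusing username '$2': empty or contains whitespace" >&2
            return 1 ;;
    esac
    echo "$1 $2" | xargs -n1 | sort -u | xargs
}

# new_admins BEFORE AFTER
# Prints every name in AFTER that is not in BEFORE, one per line,
# so the exact privilege change can be reviewed before the commit.
new_admins() {
    before=" $1 "
    for name in $2; do
        case $before in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Constructed sample values, not taken from a real cluster.
CURRENT="bob alice"
MERGED=$(merge_admins "$CURRENT" "carol") && new_admins "$CURRENT" "$MERGED"
```

In the procedure, the first argument would be the list obtained in step 3 and the second would be `$USERNAME`.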

Verify

  1. Verify that the AuthorizationPolicy of the Rok Monitoring Stack has exactly one rule with the desired list of Rok Monitoring Stack admins. For example:

    root@rok-tools:~/ops/deployments# kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
    >     -o jsonpath='{.spec.rules[*].when[].values[*]}'
    user
  2. Log in as the specified EKF user and verify that you are allowed to access the Rok Monitoring Stack UI at

    https://<FQDN>/monitoring/

    in your browser.

    Troubleshooting

    EKF user cannot access the Rok Monitoring Stack UI

    It might be the case that you see an RBAC: access denied error message from Istio in your browser. Verify that you do not have a typo in the username of the user to be granted Rok Monitoring Stack admin privileges. Also, verify that the generated rule for the AuthorizationPolicy of the Rok Monitoring Stack is properly formatted, as shown in the example snippet above.

Summary

You have successfully granted an EKF user Rok Monitoring Stack admin privileges.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.