Revoke Rok Monitoring Stack Admin Privileges¶
This guide contains all necessary steps to revoke Rok Monitoring Stack admin privileges from an EKF user.
The Rok Monitoring Stack ships with a pre-configured Grafana installation that provides a rich web UI for viewing real-time metrics dashboards and performing management tasks. Currently, access to the Rok Monitoring Stack is allowed only to admin users. All users that are allowed to access the Rok Monitoring Stack UI share the same Grafana view and are logged in as organization admins. Because Grafana itself does not distinguish between these users, the Istio AuthorizationPolicy in front of the UI is the only control that gates access, and removing a user from that policy is what actually revokes their admin privileges.
Important
A Rok Monitoring Stack admin can:
- Access all dashboards that the Rok Monitoring Stack pre-configures.
- View cluster-wide metrics from multiple sources, e.g., physical nodes, Kubernetes and running applications.
- Perform administrative and management tasks, e.g., create teams, group users, declare permissions, modify dashboards, explore queries etc.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- An existing Rok deployment.
Procedure¶
Note
The steps listed below remove a single EKF user from the list of Rok Monitoring Stack admins. To remove multiple EKF users, repeat the procedure from step 2 (specifying the user) onward for each user.
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Specify the EKF user to revoke Rok Monitoring Stack admin privileges from:

       root@rok-tools:~/ops/deployments# export USERNAME=<USERNAME>

   Replace <USERNAME> with the desired value. For example:

       root@rok-tools:~/ops/deployments# export USERNAME=user

3. Get the current list of Rok Monitoring Stack admins:

       root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
       > kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
       > -o jsonpath='{.spec.rules[*].when[].values[*]}')

4. Remove the previously specified EKF user from the list of Rok Monitoring Stack admins:

       root@rok-tools:~/ops/deployments# export ROK_MONITORING_ADMINS=$(\
       > echo ${ROK_MONITORING_ADMINS} | xargs -n1 | grep -w -v $USERNAME)

   grep -w matches the username only as a whole word, so revoking user leaves an admin named user2 in place.

5. Update the patch for the AuthorizationPolicy of the Rok Monitoring Stack:

       root@rok-tools:~/ops/deployments# rok-j2 \
       > rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml.j2 \
       > -o rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml

6. View the updated patch for the AuthorizationPolicy of the Rok Monitoring Stack at rok/monitoring/overlays/deploy/patches/authorizationPolicy-admins.yaml. For example:

       apiVersion: security.istio.io/v1beta1
       kind: AuthorizationPolicy
       metadata:
         name: rok-monitoring-admins
         namespace: monitoring
       spec:
         rules: []

   This example shows the patch after the last admin has been removed. With an empty rules list, the policy (assumed to use the default ALLOW action) matches no request, so Istio denies everyone access to the Rok Monitoring Stack UI. If other admins remain, the rule listing their usernames is kept and only the revoked username disappears from its values.

7. Commit the changes:

       root@rok-tools:~/ops/deployments# git commit -am "Revoke Rok Monitoring Stack admin privileges from user '${USERNAME?}'"

8. Apply the changes:

       root@rok-tools:~/ops/deployments# rok-deploy --apply rok/monitoring/overlays/deploy
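The removal step and the membership check used when verifying both operate on the space-separated list of usernames that the kubectl jsonpath query prints. The shell functions below are an added example, not code from the Arrikto docs or tooling: they reproduce that list manipulation on a constructed sample list (the usernames user, user2 and alice.smith are made up) so the edge cases can be exercised without a cluster. A name is removed only on an exact match, a dot in a username is not treated as a regex wildcard, a username that is not an admin is reported as an error (the typo case from the Troubleshooting section), and an empty result is flagged because it means nobody is left with access.

```shell
#!/usr/bin/env bash
# Added example, not code from the Arrikto docs. Helpers that mirror the
# admin-list edits in the procedure above, runnable without kubectl.

# Constructed sample of what
#   kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
#     -o jsonpath='{.spec.rules[*].when[].values[*]}'
# prints: the allowed usernames, space-separated. The names are made up.
SAMPLE_ADMINS='user user2 alice.smith'

# one_per_line LIST: split the space-separated list into one name per line
# (same effect as the `xargs -n1` used in the procedure).
one_per_line() {
    printf '%s\n' "$1" | tr -s ' ' '\n'
}

# has_admin LIST USERNAME: succeed if USERNAME is in LIST.
#   -F  literal match, so the dot in alice.smith is not a wildcard
#   -x  whole-line match, so "user" does not match "user2"
has_admin() {
    one_per_line "$1" | grep -Fxq -- "$2"
}

# remove_admin LIST USERNAME: print LIST without USERNAME (exact match only).
# The trailing `xargs` joins the surviving names back onto one line.
remove_admin() {
    one_per_line "$1" | grep -Fxv -- "$2" | xargs
}

# revoke LIST USERNAME: the guarded version of the removal step.
# Returns 1 if USERNAME is not an admin (most likely a typo); warns on
# stderr if nobody is left, because an ALLOW policy with no rules denies
# every request to the Grafana UI. Prints the new list on stdout.
revoke() {
    if ! has_admin "$1" "$2"; then
        echo "revoke: '$2' is not a Rok Monitoring Stack admin" >&2
        return 1
    fi
    remaining=$(remove_admin "$1" "$2")
    if [ -z "$remaining" ]; then
        echo "revoke: warning, no admins remain; the policy will deny everyone" >&2
    fi
    printf '%s\n' "$remaining"
}

# Walk-through on the sample list (stand-alone run).
revoke "$SAMPLE_ADMINS" user          # user2 alice.smith
revoke "$SAMPLE_ADMINS" alice.smith   # user user2
revoke 'user' user                    # empty line plus a warning on stderr
```

To use the same guard against a live cluster, feed revoke the output of the kubectl command from step 3 in place of SAMPLE_ADMINS and export its stdout as ROK_MONITORING_ADMINS before running rok-j2.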
Verify¶
1. Verify that the AuthorizationPolicy of the Rok Monitoring Stack no longer mentions the user whose access you revoked:

       root@rok-tools:~/ops/deployments# kubectl get authorizationpolicy -n monitoring rok-monitoring-admins \
       > -o jsonpath='{.spec.rules[*].when[].values[*]}'

   The output must not contain the username you specified in ${USERNAME}.

2. Log in as the specified EKF user and verify that you are no longer allowed to access the Rok Monitoring Stack UI at https://<FQDN>/monitoring/ in your browser. More specifically, you should see an RBAC: access denied error message from Istio.

Troubleshooting
EKF user can still access the Rok Monitoring Stack UI
Verify that you do not have a typo in the username of the user to revoke Rok Monitoring Stack admin privileges from; the grep in the removal step silently leaves the list unchanged when the name does not match exactly. Also, verify that the generated rule for the AuthorizationPolicy of the Rok Monitoring Stack is properly formatted, as shown in the example snippet above, and that you applied the updated overlay with rok-deploy, since the committed patch has no effect until it is applied.
What’s Next¶
Check out the rest of the maintenance operations that you can perform on your cluster.