From b1fac8710b5c2f14ff55bb081a90fe1286666a8c Mon Sep 17 00:00:00 2001 From: Simon Pasquier Date: Mon, 13 Jan 2020 17:44:16 +0100 Subject: [PATCH] user-workload-monitoring: be more accurate about alerts & silences endpoints --- .../monitoring/user-workload-monitoring.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/enhancements/monitoring/user-workload-monitoring.md b/enhancements/monitoring/user-workload-monitoring.md index b7eebba0f4c..06565584601 100644 --- a/enhancements/monitoring/user-workload-monitoring.md +++ b/enhancements/monitoring/user-workload-monitoring.md 
@@ -251,20 +251,22 @@ OpenShift console executes queries against `/query` endpoint of Thanos Querier t Access to this endpoint is gated by the permission to `get pods.metrics.k8s.io` in the requested namespace. -#### Available Rules and declared alerts +#### Available Rules and alerts OpenShift console executes queries against the `/rules` and `/alerts` endpoint of Prometheus and Thanos Ruler -to retrieve a list of declared alerts and recording rules. Recording rules as well as alerting rules deployed via user workload monitoring are having enforced namespace labels set. The list of rules and alerts is being filtered by prom-label-proxy based on the tenant namespace label. +to retrieve a list of declared alerting/recording rules and a list of active alerts. Recording rules as well as alerting rules deployed via user workload monitoring are having enforced namespace labels set. The list of rules and alerts is being filtered by prom-label-proxy based on the tenant namespace label. -Access to this endpoint is gated by the permission to `get prometheusrules.monitoring.coreos.com` in the requested namespace. +Access to these endpoints is gated by the permission to `get prometheusrules.monitoring.coreos.com` in the requested namespace. -#### Alertmanager alerts and silences +#### Alertmanager silences -OpenShift console executes requests against the `/alerts` endpoint of Alertmanager to retrieve the list of currently firing alerts and to silence alerts. Firing alerts originating from user workload monitoring are having enforced namespace labels set. A user can only create and update silences as well as get alerts and silences filtered by the namespace label in flight. +OpenShift console executes requests against the `/silences` endpoint of Alertmanager to retrieve the list of silences and to silence alerts. A user can only create, delete and update silences as well as get silences filtered by the namespace label in flight. 
-Access to read the list of currently firing alerts is gated by the permission to `get prometheusrules.monitoring.coreos.com` in the requested namespace. +Access to list the silences is gated by the permission to `get prometheusrules.monitoring.coreos.com` in the requested namespace. -Access to post a new silence or update an existing silence is gated by the permission to `create prometheusrules.monitoring.coreos.com`. +Access to create a new silence or update an existing silence is gated by the permission to `create prometheusrules.monitoring.coreos.com` in the requested namespace. + +Access to delete an existing silence is gated by the permission to `delete prometheusrules.monitoring.coreos.com` in the requested namespace. ### Multitenancy
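Review bot: In the "Alertmanager silences" section, the new delete paragraph and the reworded create/update paragraph both scope the permission check to "the requested namespace", but the text never says how an existing silence is tied to that namespace. The only mechanism described is that silences are "filtered by the namespace label in flight", which reads as covering listing; for update and delete of an existing silence, please add a sentence stating that the request is rejected unless that silence already carries the tenant namespace label, so that holding `delete prometheusrules.monitoring.coreos.com` in one namespace cannot be used against a silence belonging to another. Also, updating a silence is gated by the `create` verb while delete now gets its own `delete` verb; if reusing `create` for updates is intentional, say so explicitly, otherwise consider `update`. Minor wording: the first added line says "the `/rules` and `/alerts` endpoint", which should be "endpoints" to match the "these endpoints" fix made a few lines below.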