
Commit 920848d

committed
Add exception for openshift-customer-monitoring for the PrometheusRule webhook
1 parent 742fe1e commit 920848d


2 files changed

+7
-4
lines changed


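--- a/pkg/webhooks/prometheusrule/prometheusrule.go
+++ b/pkg/webhooks/prometheusrule/prometheusrule.go
@@ -80,7 +80,10 @@ func (s *prometheusruleWebhook) authorized(request admissionctl.Request) admissi
 return admissionctl.Errored(http.StatusBadRequest, err)
 }
 
-if hookconfig.IsPrivilegedNamespace(pr.GetNamespace()) {
+if hookconfig.IsPrivilegedNamespace(pr.GetNamespace()) &&
+// TODO: [OSD-13680] Remove this exception for openshift-customer-monitoring
+pr.GetNamespace() != "openshift-customer-monitoring" &&
+pr.GetNamespace() != "openshift-user-workload-monitoring" {
 log.Info(fmt.Sprintf("%s operation detected on managed namespace: %s", request.Operation, pr.GetNamespace()))
 if isAllowedUser(request) {
 ret = admissionctl.Allowed(fmt.Sprintf("User can do operations on PrometheusRules"))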
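Review bot: The condition now exempts `openshift-user-workload-monitoring` as well as `openshift-customer-monitoring`, but the TODO and the commit title name only the latter, so the second exemption has no recorded reason or removal ticket. For both namespaces the `isAllowedUser(request)` check in this branch is skipped, and the updated tests expect the request to be allowed; what it falls through to lies outside the hunk, as do the start and end of `authorized`. Move the comment above the `if` and document each exemption on its own, e.g. `// TODO: [OSD-13680] remove the openshift-customer-monitoring exemption` plus a line stating why `openshift-user-workload-monitoring` is exempt, and read the namespace once with `ns := pr.GetNamespace()` so the exempt names are compared against one value. Holding the exempt names in a small package-level set would make this relaxation of the admission check easier to audit and to revert.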

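--- a/pkg/webhooks/prometheusrule/prometheusrule_test.go
+++ b/pkg/webhooks/prometheusrule/prometheusrule_test.go
@@ -255,7 +255,7 @@ func TestUsers(t *testing.T) {
 username: "prometheus-user-workload",
 userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
 operation: admissionv1.Create,
-shouldBeAllowed: false,
+shouldBeAllowed: true,
 },
 {
 testID: "regular-user-can-create-prometheusrule-in-openshift-user-workload-monitoring",
@@ -264,7 +264,7 @@ func TestUsers(t *testing.T) {
 username: "prometheus-user-workload",
 userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
 operation: admissionv1.Delete,
-shouldBeAllowed: false,
+shouldBeAllowed: true,
 },
 {
 testID: "serviceaccount-in-managed-namespaces-can-create-prometheusrule-in-openshift-user-workload-monitoring",
@@ -273,7 +273,7 @@ func TestUsers(t *testing.T) {
 username: "prometheus-user-workload",
 userGroups: []string{"cluster-admins", "system:authenticated", "system:authenticated:oauth"},
 operation: admissionv1.Update,
-shouldBeAllowed: false,
+shouldBeAllowed: true,
 },
 {
 testID: "serviceaccount-in-managed-namespaces-can-create-prometheusrule-in-redhat-rhoam-observability",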
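Review bot: The three expectations flipped to `shouldBeAllowed: true` all use the same requester, `prometheus-user-workload` with `cluster-admins` among its groups, so they do not show how far the new exemption reaches. The visible hunks add no case for `openshift-customer-monitoring`, the namespace the commit title names, and none that keeps a non-exempt privileged namespace at `shouldBeAllowed: false` for a requester outside the allowed set; the namespaces and testIDs of the changed cases lie outside the hunks, so this is inferred from the visible fields. Adding one Create/Update/Delete case per exempt namespace for an ordinary authenticated user, and one negative case for a non-exempt managed namespace, would pin the boundary of the exemption.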
