OpenShift Monitor Security Requirements

Article ID: 104998

Products

APP PERF MANAGEMENT
CA Application Performance Management Agent (APM / Wily / Introscope)
CUSTOMER EXPERIENCE MANAGER
INTROSCOPE

Issue/Introduction

The steps to install CA APM's Openshift monitor are documented here: https://docops.ca.com/ca-apm/10-7/en/implementing-agents/infrastructure-agent/openshift-monitoring/install-and-configure-openshift-monitoring.

Why is the cluster-reader role required for the caapm user, and why is privileged access required in the default namespace?

Environment

Component: APMAGT

Resolution

To obtain its metrics, the OpenShift monitor calls various OpenShift APIs, which can be invoked remotely to query the state of Kubernetes and Docker objects in the environment. The cluster-reader role is needed so the caapm service account can read that state across the cluster. Privileged access is needed because the monitor itself runs inside a pod/container, and only a privileged container can reach the host filesystem and the docker.sock file of the node the environment runs on.
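As an added illustration (not taken from this article or the CA APM documentation), the manifests below grant the first of the two permissions the resolution describes: the caapm service account in the default namespace (both names come from the article) is bound to OpenShift's built-in cluster-reader ClusterRole, which is read-only. The binding name caapm-cluster-reader is an assumption. The privileged SCC grant is shown in the usage note after the block, because it is assigned with an oc command rather than a manifest.

```yaml
# Added example: read-only cluster access for the OpenShift Monitor service account.
# "caapm" and the "default" namespace are the names used in the article;
# the ClusterRoleBinding name is assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: caapm
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: caapm-cluster-reader        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader              # built-in OpenShift read-only role
subjects:
- kind: ServiceAccount
  name: caapm
  namespace: default
```

Apply it with `oc apply -f <file>`, then grant the privileged SCC to that one service account only, not to the whole namespace or its default service account: `oc adm policy add-scc-to-user privileged -z caapm -n default`. Two checks are worth keeping in a runbook: `oc auth can-i list nodes --as=system:serviceaccount:default:caapm` confirms the read-only binding works, and `oc get scc privileged -o jsonpath='{.users}'` shows exactly which accounts hold the privileged SCC, so an unexpected entry (anything other than the monitor's account) can be spotted during review. Because the privileged SCC is what allows the hostPath mount of docker.sock, keeping that list short is the main way to limit the blast radius of the monitor's required access.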