Question:
Why do users have to have the RBAC permission to create services/proxy in order to view metrics via Lens?
Recently I created an aws-auth entry mapping readOnly developers to the default 'view' group, which gives all permissions listed in the default 'view' ClusterRole (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). When connecting to the cluster via Lens, users were unable to view metrics and got the error below in the UI.
Error:
"Metrics are not available due to missing or invalid Prometheus configuration."
Additional information:
AWS EKS Cluster Version: v1.20.11-eks-f17b81
Kubectl version: 1.20.15
Solution:
To find the solution I followed this comment on the lensapp git: see https://github.com/lensapp/lens/issues/3698#issuecomment-968616099
Changes made:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-lens-metrics
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - ""
    resources:
      - "services/proxy"
    verbs:
      - create
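
Added example (not part of the original post and not Lens or Kubernetes code): a simplified Python model of RBAC rule matching, showing why the stock 'view' rules do not cover a POST through the API server's service proxy (authorized as verb "create" on services/proxy) and that the rule above, once aggregated, covers every Service in the cluster. The 'view' excerpt, the service name "prometheus-server:80", the resourceNames variant, and the premise that Lens sends its metric queries as POST requests through that proxy are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str
    resource: str
    subresource: str = ""
    name: str = ""

def _resource_matches(rule_resource, req):
    # RBAC treats "services/proxy" as distinct from "services".
    if rule_resource == "*":
        return True
    if not req.subresource:
        return rule_resource == req.resource
    return rule_resource in (f"{req.resource}/{req.subresource}",
                             f"*/{req.subresource}")

def rule_allows(rule, req):
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    names = rule.get("resourceNames", [])  # empty list means "any name"
    return (("*" in groups or req.api_group in groups)
            and ("*" in verbs or req.verb in verbs)
            and any(_resource_matches(r, req) for r in rule.get("resources", []))
            and (not names or req.name in names))

def allowed(rules, req):
    return any(rule_allows(rule, req) for rule in rules)

# Constructed excerpt of the default "view" ClusterRole (read-only verbs).
VIEW_EXCERPT = [{"apiGroups": [""], "resources": ["services", "pods"],
                 "verbs": ["get", "list", "watch"]}]
# The rule from the ClusterRole on this page.
LENS_METRICS = [{"apiGroups": [""], "resources": ["services/proxy"],
                 "verbs": ["create"]}]
# Hypothetical tighter variant; assumes the authorizer sees the URL path
# segment ("name:port") as the resource name.
SCOPED = [dict(LENS_METRICS[0], resourceNames=["prometheus-server:80"])]

def proxy_post(service):
    # An HTTP POST to .../services/<service>/proxy/... is verb "create".
    return Request("create", "", "services", "proxy", service)

if __name__ == "__main__":
    for label, rules in [("view only", VIEW_EXCERPT),
                         ("view + page rule", VIEW_EXCERPT + LENS_METRICS),
                         ("view + scoped rule", VIEW_EXCERPT + SCOPED)]:
        for svc in ("prometheus-server:80", "other-service:8080"):
            print(f"{label:20} POST proxy {svc:22} -> {allowed(rules, proxy_post(svc))}")
```

A ClusterRole aggregated into 'view' cannot be limited to one namespace, so narrowing by namespace means binding a namespaced Role instead of using the aggregate-to-view label.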