Advanced View Workloads Role

Rancher 2.x
#1

Hi;

I work on Rancher 2.6, I try to put an advanced view in read-only so that users can follow the workloads in a more detailed way in the rancher interface…

For this i created a project role which takes over the already existing roles View Workloads and View Config Maps.

custom-role
custom-role1267×345 12.8 KB

I added to this role the rights to read events so that the Recent Events tab is visible on the view of a pod

screenshot

So far no difficulty; where I’m stuck is to display the workload-metrics tab for example on a deployment or a statefulsets

example with the view of an administrator

I tried adding the global role View Rancher 2 Metrics and the project role View Monitoring but without success.

Do you have any idea where i am wrong???

Note: monitoring run over rancher-monitoring:100.1.0+up19.0.3

Cluster Member can't see/use Grafana or monitoring stuff
#2

Some additional elements:
With Global Permissions: User-Base; the Cluster Owner role can see metrics but not the Cluster Member role.

I deduced that it came from

rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'

But I refuse to put such a privilege

#3

I have refined the rights and I only work at the project level.
The basic permission remains User-Base (login-access only).

As indicated at the beginning of the topic, I always have a project role inspired by the View Workloads and View Config Maps role and which I apply to the project containing the workloads of my users.

This is complemented by a second role that inherits the View Monitoring and Project Monitoring View Role and which is applied to the System project.

All this allows my users to see the monitoring menu in the sidebar, see the monitoring config, and easily access Grafana. :grinning:

Now I get stuck on displaying the metrics tab on the workloads page :pensive:, for example here is what I see with my cluster owner profile:

deployment-metrics
deployment-metrics567×652 30.5 KB

After multiple tries I now know that rights to the System project are missing to display this tab, however I always find myself blocked because I only manage by giving more permissions than I want and without knowing really what right is missing

roleTemplateNames:
- monitoring-ui-view
- project-monitoring-readonly
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - list
#4

Solves: read Workload metrics tab not displayed · Issue #36587 · rancher/rancher · GitHub