I have a running Rancher (v2.3.2) setup with cluster monitoring enabled via Prometheus/Grafana.
As an admin user I can see/use those cluster metrics in the Rancher UI (v2.3.22) and in the running Grafana instance.
I am adding new users to the cluster, but even though they are now “Cluster Member” they can’t see/use the monitoring stuff.
E.g. in the cluster monitoring overview page in the Rancher UI there are no Grafana icons, and opening a URL that works for the admin user fails for those users with:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"http:access-grafana:80\" is forbidden: User \"u-qddg6\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"cattle-prometheus\"",
  "reason": "Forbidden",
  "details": {
    "name": "http:access-grafana:80",
    "kind": "services"
  },
  "code": 403
}
What role(s) does a user need to have to be able to use Prometheus/Grafana with metrics in Rancher?
First, thank you for your solution, which was useful to me.
I’m working on Rancher rights; my goal is to create a limited project-level profile that allows users to see only workloads (see events, metrics) and config maps.
With that, my users have access to Grafana, but there are two problems:
1/ As I explain in my ticket Advanced View Workloads Role, I would like my users to be able to see the workloads-metric tab directly in Rancher. Do you have an idea?
2/ The error message services "http:rancher-monitoring-grafana:80" is forbidden: User "u-fhws6" cannot create resource "services/proxy" in API group ... remains, but only for a particular path: /k8s/clusters/c-t4vjj/api/v1/namespaces/cattle-monitoring-system/services/http:rancher-monitoring-grafana:80/proxy/api/frontend-metrics. I guess I need to give cluster-level rights on some resource other than workloads; I haven’t found what yet. Do you think I’m heading in the right direction?
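Added example, not part of either post and not Rancher's own code: both 403 messages above name the exact verb, subresource, service and namespace that were denied, so they can be turned into a namespaced Role that grants only that and nothing cluster-wide. The role name `grafana-proxy-access` is hypothetical, and the second sample message is constructed from the verb, service name and namespace given in the second post.

```python
import json
import re

# Shape of the Kubernetes authorizer denial quoted in the posts above.
DENIAL = re.compile(
    r'^\S+ "(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def parse_denial(message):
    """Extract who was denied which verb on which named resource."""
    m = DENIAL.match(message.replace('\\"', '"'))  # accept raw JSON escaping too
    if not m:
        raise ValueError("not a namespaced 'forbidden' message: %r" % message)
    return m.groupdict()

def minimal_roles(messages, role_name="grafana-proxy-access"):  # hypothetical name
    """Build one Role per namespace granting exactly the denied accesses."""
    grants = {}
    for msg in messages:
        d = parse_denial(msg)
        key = (d["group"], d["resource"], d["name"])
        grants.setdefault(d["ns"], {}).setdefault(key, set()).add(d["verb"])
    return [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",  # namespaced on purpose, not a ClusterRole
            "metadata": {"name": role_name, "namespace": ns},
            "rules": [
                # resourceNames pins the grant to the one proxied service
                {"apiGroups": [g], "resources": [r],
                 "resourceNames": [n], "verbs": sorted(verbs)}
                for (g, r, n), verbs in sorted(rules.items())
            ],
        }
        for ns, rules in sorted(grants.items())
    ]

SAMPLES = [
    # verbatim from the first post
    'services "http:access-grafana:80" is forbidden: User "u-qddg6" cannot get '
    'resource "services/proxy" in API group "" in the namespace "cattle-prometheus"',
    # constructed from the second post (verb, service name, namespace in its path)
    'services "http:rancher-monitoring-grafana:80" is forbidden: User "u-fhws6" '
    'cannot create resource "services/proxy" in API group "" in the namespace '
    '"cattle-monitoring-system"',
]

if __name__ == "__main__":
    print(json.dumps(minimal_roles(SAMPLES), indent=2))
```

The output is a plain Kubernetes Role per namespace; binding it to the affected users is a separate step and is not shown.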