OpenShift Monitor Security Requirements

Document ID : KB000104998
Last Modified Date : 13/07/2018
Introduction:
Question:
Why is cluster-reader role required for the caapm user and privileged access required for the default namespace? 
Answer:
OpenShift Monitor collects its metrics by calling various OpenShift APIs remotely to query the state of Kubernetes and Docker objects in the environment. The cluster-reader role is required so that the caapm service account can read that state across the cluster. Privileged access is required because the monitor itself runs inside a pod/container and needs suitable access to the filesystem and the docker.sock file of the host the environment runs on.
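Because both grants are broad (cluster-wide read and the privileged SCC), a practitioner will want to confirm they are scoped to exactly the caapm service account in the default namespace and not to a group. The following audit check is an added example, not code from the KB article or the product; it runs over the JSON that `oc get clusterrolebinding <name> -o json` and `oc get scc privileged -o json` return, and the service account name and namespace are assumed from the question above.

```python
# Added example, not from the KB article: audit the two grants the article
# describes (cluster-reader binding, privileged SCC) as they appear in
# `oc get clusterrolebinding <name> -o json` / `oc get scc privileged -o json`.
# The service account name and namespace are assumed from the article.
EXPECTED_SA = "system:serviceaccount:default:caapm"

# Groups that would hand the grant to every identity in the cluster/namespace.
OVER_BROAD = {"system:authenticated", "system:authenticated:oauth",
              "system:serviceaccounts", "system:serviceaccounts:default",
              "system:unauthenticated"}

def binding_principals(binding):
    """Principals a (Cluster)RoleBinding applies to, in SCC user syntax."""
    out = set()
    for s in binding.get("subjects", []):
        if s["kind"] == "ServiceAccount":
            out.add(f"system:serviceaccount:{s['namespace']}:{s['name']}")
        else:  # User and Group names are used as-is
            out.add(s["name"])
    return out

def audit_monitor_grants(binding, scc):
    """Return findings; an empty list means both grants are scoped to caapm."""
    findings = []
    if binding["roleRef"]["name"] != "cluster-reader":
        findings.append(f"binding uses role {binding['roleRef']['name']}")
    who = binding_principals(binding)
    if EXPECTED_SA not in who:
        findings.append("caapm is not bound to cluster-reader")
    for p in sorted(who & OVER_BROAD):
        findings.append(f"cluster-reader granted to broad group {p}")
    scc_who = set(scc.get("users", [])) | set(scc.get("groups", []))
    if EXPECTED_SA not in scc_who:
        findings.append("caapm is not allowed to use the privileged SCC")
    for p in sorted(scc_who & OVER_BROAD):
        findings.append(f"privileged SCC granted to broad group {p}")
    return findings

# Constructed sample objects: a correctly scoped binding, and an SCC that was
# widened to every service account in the namespace (the finding to catch).
SAMPLE_BINDING = {"roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
                  "subjects": [{"kind": "ServiceAccount", "name": "caapm",
                                "namespace": "default"}]}
SAMPLE_SCC = {"metadata": {"name": "privileged"},
              "users": ["system:admin", EXPECTED_SA],
              "groups": ["system:cluster-admins", "system:nodes",
                         "system:serviceaccounts:default"]}

if __name__ == "__main__":
    for f in audit_monitor_grants(SAMPLE_BINDING, SAMPLE_SCC):
        print("FINDING:", f)
```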