What does this mean? Well, it means that we have access to all namespaces of the cluster. We see everything. This makes sense, since we assign the cluster role "cluster-monitoring-view" to the serviceaccount of Grafana.
But what if we want to show only objects from a specific namespace? For example, we might want to give developers the possibility to create their own dashboards without having view access to the whole cluster.
How does the OpenShift WebUI actually behave when you are a developer and want to run one of the above queries? Let’s try that:
Figure 6. Query using the OpenShift UI
It works! It shows the namespace of the developer and only this namespace.
When you inspect the actual network traffic, you will see that OpenShift automatically adds the URL parameter namespace=ns1 to the request URL:
https://your-cluster/api/prometheus-tenancy/api/v1/query?namespace=ns1&query=sum%28node_namespace_pod_container%3Acontainer_cpu_usage_seconds_total%3Asum_rate%29+by+%28namespace%29
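To compare other captured requests against this one, the following added example (not code from the original post) parses a query URL and reports whether it has the same shape as the console request above: the `/api/prometheus-tenancy/` path plus exactly one `namespace` parameter. The function names and all sample URLs except the first are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Path segment used by the console request shown above (taken from the page).
TENANCY_SEGMENT = "/api/prometheus-tenancy/"

# The request captured from the OpenShift UI, as shown on the page.
CAPTURED = ("https://your-cluster/api/prometheus-tenancy/api/v1/query"
            "?namespace=ns1&query=sum%28node_namespace_pod_container%3A"
            "container_cpu_usage_seconds_total%3Asum_rate%29+by+%28namespace%29")

# Constructed variants (not from the page) to exercise the check.
NO_NAMESPACE = "https://your-cluster/api/prometheus-tenancy/api/v1/query?query=up"
OTHER_PATH = "https://your-cluster/hypothetical-path/api/v1/query?namespace=ns1&query=up"
TWO_NAMESPACES = ("https://your-cluster/api/prometheus-tenancy/api/v1/query"
                  "?namespace=ns1&namespace=ns2&query=up")


def inspect_query_url(url):
    """Break a captured query request into path check, namespace and decoded PromQL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)  # percent-decodes values and turns '+' into ' '
    namespaces = params.get("namespace", [])
    return {
        "tenancy_path": TENANCY_SEGMENT in parts.path,
        # A missing or repeated namespace parameter is treated as "no namespace".
        "namespace": namespaces[0] if len(namespaces) == 1 else None,
        "promql": params.get("query", [""])[0],
    }


def matches_console_request(url, expected_namespace):
    """True only if the URL uses the tenancy path AND names exactly the expected namespace."""
    info = inspect_query_url(url)
    return bool(info["tenancy_path"] and info["namespace"] == expected_namespace)


if __name__ == "__main__":
    for url in (CAPTURED, NO_NAMESPACE, OTHER_PATH, TWO_NAMESPACES):
        info = inspect_query_url(url)
        print(matches_console_request(url, "ns1"), info["namespace"], info["promql"])
```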
This is good information. Let’s try this using the Grafana Data Source.
Log in to Grafana as administrator and switch to "Configuration > Data Source > Prometheus". At the very bottom, add namespace=ns1 to the Custom query parameters.
Figure 7. Configure Grafana Data Source
At this point the Grafana serviceaccount has cluster-monitoring-view privileges.
As you can see in the following image, this configuration did not help.
Figure 8. Query after Data Source has manually been modified