MON-4500: Migrate Prometheus targets discovering from Endpoints to EndpointSlices

[machine424]

This PR migrates Prometheus service discovery from the deprecated Endpoints API to the EndpointSlices API, by:

• Setting serviceDiscoveryRole: EndpointSlice on ServiceMonitors.
• Granting Prometheus endpointslices permissions.

We're taking a conservative approach by keeping the existing endpoints permissions alongside the new endpointslices ones. This provides a safety net in case any ServiceMonitors, whether deployed from this repo or from another source, still rely on the same Role and were missed during the migration.

That said, since both resources provide essentially the same data, keeping both isn't meaningfully more permissive from a security standpoint.

These changes target OpenShift 4.22+ and should not be backported to earlier releases.

Due to the scope of changes across multiple repositories, these modifications were generated with Claude assistance.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@machine424: This pull request references MON-4500 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

This PR migrates Prometheus service discovery from the deprecated Endpoints API to the EndpointSlices API, by:

• Setting serviceDiscoveryRole: EndpointSlice on ServiceMonitors.
• Granting Prometheus endpointslices permissions.

We're taking a conservative approach by keeping the existing endpoints permissions alongside the new endpointslices ones. This provides a safety net in case any ServiceMonitors, whether deployed from this repo or from another source, still rely on the same Role and were missed during the migration.

That said, since both resources provide essentially the same data, keeping both isn't meaningfully more permissive from a security standpoint.

These changes target OpenShift 4.22+ and should not be backported to earlier releases.

Due to the scope of changes across multiple repositories, these modifications were generated with Claude assistance.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[machine424]

/verified by existing tests
/jira refresh

[openshift-ci-robot]

@machine424: This PR has been marked as verified by existing tests.

Details

In response to this:

/verified by existing tests
/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@machine424: This pull request references MON-4500 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

/verified by existing tests
/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[machine424]

/verified by existing tests
/jira refresh

[openshift-ci-robot]

@machine424: This PR has been marked as verified by existing tests.

Details

In response to this:

/verified by existing tests
/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@machine424: This pull request references MON-4500 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

/verified by existing tests
/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

/assign @rikatz

[rikatz]

@machine424 you need to apply some extra changes:

• cluster-dns-operator/pkg/operator/controller/controller_service_monitor.go

  Line 46 in d98f998

  func desiredServiceMonitor(dns *operatorv1.DNS, svc *corev1.Service, daemonsetRef metav1.OwnerReference) *unstructured.Unstructured {

  you need to set the same serviceDiscoveryRole: EndpointSlice
• On https://github.com/openshift/cluster-dns-operator/blob/d98f998ef32c2f2dadad13684432e14dcac191b7/pkg/operator/controller/controller_cluster_role.go#L90 you n you need to have an ensure method (like on the service_monitor one above) to update the role, otherwise in case of cluster updates it will not get the right role

Please add unit tests for these changes as well.

Thanks!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a1740a5-ae07-43aa-a97d-978f7da5b990

📥 Commits

Reviewing files that changed from the base of the PR and between 90d93ab and 454182e.

📒 Files selected for processing (9)

• manifests/0000_70_dns-operator_00-cluster-role.yaml
• manifests/0000_90_dns-operator_00_prometheusrole.yaml
• manifests/0000_90_dns-operator_02_servicemonitor.yaml
• pkg/manifests/assets/dns/metrics/role.yaml
• pkg/operator/controller/controller.go
• pkg/operator/controller/controller_metrics_role.go
• pkg/operator/controller/controller_metrics_role_test.go
• pkg/operator/controller/controller_service_monitor.go
• pkg/operator/controller/controller_service_monitor_test.go

---

Walkthrough

The pull request adds EndpointSlice monitoring support to the DNS operator. Changes include extending RBAC permissions across cluster-level and role-based rules to grant discovery access to EndpointSlices, implementing metrics role reconciliation logic in the controller, and updating ServiceMonitor configuration to specify EndpointSlice service discovery.

Changes

Cohort / File(s)	Summary
RBAC Rules for EndpointSlices manifests/0000_70_dns-operator_00-cluster-role.yaml, manifests/0000_90_dns-operator_00_prometheusrole.yaml, pkg/manifests/assets/dns/metrics/role.yaml	Adds permissions to discovery.k8s.io resources (endpointslices) with get, list, and watch verbs across cluster role, Prometheus role, and metrics role.
Metrics Role Reconciliation pkg/operator/controller/controller.go, pkg/operator/controller/controller_metrics_role.go, pkg/operator/controller/controller_metrics_role_test.go	Introduces four functions (ensureDNSMetricsRole, currentDNSMetricsRole, updateDNSMetricsRole, dnsMetricsRoleChanged) to manage metrics role creation and updates with diff-based comparison; refactors controller.go to delegate role provisioning to the new helper.
ServiceMonitor Configuration manifests/0000_90_dns-operator_02_servicemonitor.yaml, pkg/operator/controller/controller_service_monitor.go, pkg/operator/controller/controller_service_monitor_test.go	Adds serviceDiscoveryRole field set to "EndpointSlice" in ServiceMonitor spec and extends test coverage to validate detection of this field change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~18 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from rikatz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[machine424]

allows the operator to update pkg/manifests/assets/dns/metrics/role.yaml on the cluster

[machine424]

Pushed some changes, keeping an eye on the CI.

[openshift-ci]

@machine424: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rikatz]

nit: DNSgg?

[rikatz]

please follow the same approach of unit tests on https://github.com/openshift/cluster-dns-operator/blob/master/pkg/operator/controller/controller_cluster_role_test.go

[rikatz]

you need to add these same permissions to the ClusterRole, otherwise the user running openshift-dns-operator won´t be able to give this permission.

See:

	ERROR	Reconciler error	{"controller": "dns_controller", "object": {"name":"default"}, "namespace": "", "name": "default", "reconcileID": "edd6c3b1-ee05-40eb-a566-6a83471fb643", "error": "failed to ensure dns default: failed to integrate metrics with openshift-monitoring for dns default: failed to ensure dns metrics role for default: failed to update dns metrics role openshift-dns/prometheus-k8s: roles.rbac.authorization.k8s.io \"prometheus-k8s\" is forbidden: user \"system:serviceaccount:openshift-dns-operator:dns-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-dns-operator\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"discovery.k8s.io\"], Resources:[\"endpointslices\"], Verbs:[\"get\"]}", "errorCauses": [{"error": "failed to ensure dns default: failed to integrate metrics with openshift-monitoring for dns default: failed to ensure dns metrics role for default: failed to update dns metrics role openshift-dns/prometheus-k8s: roles.rbac.authorization.k8s.io \"prometheus-k8s\" is forbidden: user \"system:serviceaccount:openshift-dns-operator:dns-operator\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:openshift-dns-operator\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"discovery.k8s.io\"], Resources:[\"endpointslices\"], Verbs:[\"get\"]}"}]}