Installation Manual - 91 Hub ACM addon metrics Secret-read validation
Read-only validation for hub-dc-v7 ACM addon metrics roles with Secret read verbs.
This chapter records the hub-dc-v7 read-only validation for the ACM addon
metrics RBAC exception.
No live cluster state was changed.
Governance
| Field | Value |
|---|---|
| Issue | OP-GF-COMPLIANCE-20 / #412 |
| Milestone | Workspace Governance |
| Governing ADR | ADR 0016 |
| Predecessor | OP-GF-COMPLIANCE-19 / #411 |
Access Path
All live checks used the established path:
local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> hub-dc-v7 kubeconfig
No Secret values, kubeconfigs, tokens, pull secrets, PAT values, MinIO keys, or full Secret manifests were printed.
Hub State
Read-only validation before and after evidence collection confirmed:
| Check | Result |
|---|---|
| ClusterVersion | Available, not Progressing, not Failing |
| Nodes | 3/3 Ready |
| ClusterOperators | steady |
| Non-running pods | none |
| hub-dc-v7-bootstrap | Synced/Healthy at 12c68aee6d6a77dfcc197926d4f36594ea224625 |
| ComplianceScan/ocp4-cis | DONE / COMPLIANT |
| ComplianceScan/ocp4-cis-node-master | DONE / COMPLIANT |
| Compliance result counts | PASS=162, MANUAL=21, FAIL=0 |
Target Roles
Two ACM addon metrics Roles grant read-only Secret access to platform
Prometheus in open-cluster-management-agent-addon.
| Role | Bound subject | Secret access | Ownership |
|---|---|---|---|
| governance-policy-framework-metrics | openshift-monitoring/prometheus-k8s | get,list,watch | AppliedManifestWork, manager work-agent |
| hypershift-addon-agent-metrics | openshift-monitoring/prometheus-k8s | get,list,watch | AppliedManifestWork, manager work-agent |
Neither role grants Secret mutation verbs.
Effective permissions of the openshift-monitoring/prometheus-k8s ServiceAccount in the namespace:
| Permission | Result |
|---|---|
| secrets get/list/watch | allowed |
| secrets create/update/patch/delete | denied |
| services,pods,endpoints,nodes get/list/watch | allowed |
Related Metrics Roles
There are four Prometheus metrics RoleBindings in the namespace.
| Role | Secret access |
|---|---|
| cert-policy-controller-metrics | no |
| config-policy-controller-metrics | no |
| governance-policy-framework-metrics | yes |
| hypershift-addon-agent-metrics | yes |
The cert-policy-controller-metrics and config-policy-controller-metrics roles grant only:
services,pods,endpoints get/list/watch
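The two tables above (effective verbs for the prometheus-k8s subject, and the per-role Secret access classification) can be reproduced offline from the Role rules alone. The following evaluator is an added example for this record, not the tooling used on hub-dc-v7: the rule sets, the cluster-scoped nodes grant attributed to the prometheus-k8s ClusterRole, and every name other than the four Role names are constructed assumptions based on the verbs reported above. It also handles the edge case the tables do not show, a `*` wildcard in any of the three rule lists, which RBAC treats as matching everything. On a live hub the same questions are answered read-only with `oc auth can-i <verb> secrets -n open-cluster-management-agent-addon --as=system:serviceaccount:openshift-monitoring:prometheus-k8s`, which prints yes/no and never Secret content.

```python
"""Offline RBAC verb check for namespace-scoped metrics Roles.

Added example; not the validation tooling. Rule sets are CONSTRUCTED from
the verbs reported in this record, not copied from the cluster.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Sequence, Tuple

READ_VERBS = {"get", "list", "watch"}
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


@dataclass(frozen=True)
class Rule:
    """One entry of a Role/ClusterRole 'rules' list (core API group is "")."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


def _matches(allowed: Sequence[str], value: str) -> bool:
    # Kubernetes treats "*" in any of the three lists as a wildcard.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def can_i(rules: Iterable[Rule], api_group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: allowed if any bound rule allows the request."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def secret_verbs(rules: Iterable[Rule]) -> set:
    """Verbs granted on core/secrets, expanding a "*" verb list to the known verbs."""
    granted = set()
    for r in rules:
        if _matches(r.api_groups, "") and _matches(r.resources, "secrets"):
            granted |= (READ_VERBS | MUTATING_VERBS) if "*" in r.verbs else set(r.verbs)
    return granted


def classify_roles(roles: Dict[str, Sequence[Rule]]) -> Dict[str, Dict[str, bool]]:
    """Per role: does it read Secrets, and does it grant any mutating Secret verb?"""
    result = {}
    for name, rules in roles.items():
        verbs = secret_verbs(rules)
        result[name] = {
            "secret_read": bool(verbs & READ_VERBS),
            "secret_mutate": bool(verbs & MUTATING_VERBS),
        }
    return result


def effective_permissions(bound_rule_sets: Sequence[Sequence[Rule]],
                          checks: Sequence[Tuple[str, str, str]]) -> Dict[Tuple[str, str, str], str]:
    """Union every rule set bound to one subject, then answer each (group, resource, verb)."""
    rules = [r for rule_set in bound_rule_sets for r in rule_set]
    return {c: ("allowed" if can_i(rules, *c) else "denied") for c in checks}


# Constructed rule sets (assumed shape; verbs taken from the tables in this record).
METRICS_READ = Rule(("",), ("services", "pods", "endpoints"), ("get", "list", "watch"))
SECRET_READ = Rule(("",), ("secrets",), ("get", "list", "watch"))

ADDON_ROLES = {
    "cert-policy-controller-metrics": [METRICS_READ],
    "config-policy-controller-metrics": [METRICS_READ],
    "governance-policy-framework-metrics": [METRICS_READ, SECRET_READ],
    "hypershift-addon-agent-metrics": [METRICS_READ, SECRET_READ],
}
# Assumed: the cluster-scoped nodes grant comes from the prometheus-k8s ClusterRole,
# since a namespaced Role cannot grant it.
PROMETHEUS_CLUSTER_RULES = [Rule(("",), ("nodes",), ("get", "list", "watch"))]

CHECKS = [("", "secrets", "get"), ("", "secrets", "list"), ("", "secrets", "watch"),
          ("", "secrets", "create"), ("", "secrets", "update"),
          ("", "secrets", "patch"), ("", "secrets", "delete"),
          ("", "nodes", "list"), ("", "pods", "get")]


def prometheus_k8s_permissions() -> Dict[Tuple[str, str, str], str]:
    """Effective answers for the prometheus-k8s subject across all bound rule sets."""
    bound = list(ADDON_ROLES.values()) + [PROMETHEUS_CLUSTER_RULES]
    return effective_permissions(bound, CHECKS)


if __name__ == "__main__":
    for name, flags in classify_roles(ADDON_ROLES).items():
        print(f"{name:40s} read={flags['secret_read']!s:5s} mutate={flags['secret_mutate']}")
    for (_group, resource, verb), outcome in prometheus_k8s_permissions().items():
        print(f"{resource} {verb}: {outcome}")
```

The classification deliberately reports read and mutate separately: a role that adds even one of create/update/patch/delete on secrets would change the risk class of the exception, and a `*` verb list is expanded so it cannot hide in the read-only column.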
Metrics Evidence
Current addon workloads are running, including:
governance-policy-framework
hypershift-addon-agent
cert-policy-controller
config-policy-controller
application-manager
cluster-proxy-proxy-agent
klusterlet-addon-workmgr
managed-serviceaccount-addon-agent
The target ServiceMonitors scrape over HTTPS using the service CA file and a
serverName. The endpoint definitions captured during validation reference no
bearerTokenSecret, so nothing in the current scrape configuration visibly
exercises the Secret read grant.
Decision
Accept RBAC-EX-006 as a current-phase platform exception.
The Secret read access is most likely inherited from ACM-generated metrics role templates rather than required by the current ServiceMonitor endpoint configuration. Because the RBAC is delivered as AppliedManifestWork and reconciled by the work-agent, a direct live patch would be overwritten on the next reconcile and is not a supported durable remediation.
Do not patch or delete these rules in live state or GitOps overlays unless a future gate identifies an upstream/operator-supported reduced manifest and a rollback-tested canary plan.
Next Gate
Recommended next gate:
OP-GF-OPERATORS-01: post-compliance operator readiness and next-operator selection
That gate should revalidate hub/spoke health, installed operator state, and available mirrored packages before choosing the next operator track.