Access to Prometheus service monitor fails #369

Open
jnewfield opened this issue Aug 16, 2024 · 1 comment

@jnewfield

After deploying NGINX Ingress Operator and an NginxIngress CRD with parameter spec.prometheus.serviceMonitor.create.true, the NGINX Ingress Controller pod fails to get created. An error similar to the following message is reported from the NginxIngress resource:

failed to install release: Unable to continue with install: could not get information about the resource ServiceMonitor "nginxingress-sample-nginx-ingress-controller" in namespace "nginx-ingress": servicemonitors.monitoring.coreos.com "nginxingress-sample-nginx-ingress-controller" is forbidden: User "system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "nginx-ingress"

Workaround:
Add appropriate RBAC rules for NGINX Ingress Operator to access the Prometheus service monitor.
Edit the NGINX Ingress Operator manager cluster role:
kubectl edit clusterroles.rbac.authorization.k8s.io nginx-ingress-operator-manager-role
Add the following API group rule just before the very last API group rule in the file:

- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - '*'

Fix:
Incorporate permissions to API group monitoring.coreos.com.
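
A narrower variant of the workaround above, as an added example that is not part of the original issue or the project's manifests: a separate ClusterRole with explicit verbs instead of '*', bound to the service account named in the error message. The object name nginx-ingress-operator-servicemonitor is hypothetical, and the verb list is an assumption about what the operator needs to manage a ServiceMonitor.

```yaml
# Added example, not the project's own manifest.
# Grants the operator's service account access to ServiceMonitor objects only,
# with an explicit verb list. Unlike '*', this list excludes deletecollection
# and any verb added to the API later.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-operator-servicemonitor   # hypothetical name
rules:
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:            # assumed set for create/update/remove of the resource
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-operator-servicemonitor   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-operator-servicemonitor
subjects:
# Service account and namespace are taken from the error message in this issue.
- kind: ServiceAccount
  name: nginx-ingress-operator-controller-manager
  namespace: nginx-ingress-operator-system
```

After applying it, `kubectl auth can-i get servicemonitors.monitoring.coreos.com -n nginx-ingress --as=system:serviceaccount:nginx-ingress-operator-system:nginx-ingress-operator-controller-manager` should answer yes; if the operator then reports another forbidden verb, add that verb rather than falling back to '*'.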

@AlexFenlon

Hi @jnewfield, we are looking into this.
