UNCLASSIFIED - NO CUI

fix(authz): restore prometheus sso fallback allow for monitoring namespace

General MR

Summary

When Monitoring is deployed with Istio enabled and authservice is used for SSO, Big Bang still creates effective Istio authorization enforcement even when package-level generated authorization policies are otherwise disabled.

When:

istio.enabled: true
sso.enabled: true
istio.authorizationPolicies.enabled: false

there are still authorization policies being deployed by authservice, namely jwt-authz.

authservice still deploys the root-namespace jwt-authz AuthorizationPolicy, and Monitoring labels Prometheus / Alertmanager with the authservice selector used by that policy.

Prior to the bb-common migration, Monitoring also rendered a Prometheus-specific allow policy for same-namespace traffic. That behavior was lost, which caused Grafana to receive RBAC: access denied when querying Prometheus in the SSO, non-hardened path.

Relevant logs/screenshots

Before: CleanShot_2026-03-24_at_15.21.48_2x

After: CleanShot_2026-03-24_at_15.32.26_2x

Linked Issue

#357 (closed)

Upgrade Notices

This fixes a bug discovered in the upgrade from 3.19 to 3.20 when hardened is not in use but SSO is.

Why wasn't this caught by our ui testing?

All our UI tests run assuming hardened is enabled. This behavior is only observed in unhardened setups.

Edited by Dax McDonald
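As an added illustration (not the MR's own diff or the chart's rendered template), this is the shape of the same-namespace allow policy the description refers to: a second ALLOW policy on the Prometheus workload that Istio evaluates alongside the root-namespace jwt-authz policy, so in-mesh requests from the monitoring namespace are accepted even though they carry no SSO JWT. The policy name, namespace, selector labels, port and service-account principal are assumptions.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: prometheus-allow-same-namespace   # assumed name
  namespace: monitoring                   # assumed namespace
spec:
  # Assumed labels; they must match the Prometheus workload that the
  # root-namespace jwt-authz policy already selects, otherwise this
  # policy binds to nothing and the RBAC: access denied persists.
  selector:
    matchLabels:
      app.kubernetes.io/name: prometheus
  action: ALLOW
  rules:
    # Istio grants a request if any ALLOW policy matches it, so this rule
    # admits same-namespace callers (Grafana) that lack the JWT jwt-authz
    # expects, without loosening jwt-authz for ingress traffic.
    - from:
        - source:
            # Tighter than namespaces: only Grafana's mTLS identity
            # (assumed service-account name) may reach Prometheus.
            principals: ["cluster.local/ns/monitoring/sa/grafana"]
      to:
        - operation:
            ports: ["9090"]   # assumed Prometheus port
```

Using `source.namespaces: ["monitoring"]` instead of `principals` would also restore the pre-migration behaviour, but it lets every mesh workload in the namespace query Prometheus; after applying either form, an in-mesh curl from the Grafana pod should return 200 rather than the RBAC: access denied body.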
