From 1fbf75767a59d7fff5a7d716657349fcd884e4d3 Mon Sep 17 00:00:00 2001
From: Sergiusz Urbaniak <sergiusz.urbaniak@gmail.com>
Date: Tue, 23 Apr 2019 13:04:31 +0200
Subject: [PATCH] jsonnet/prometheus-adapter: add metrics to default user-facing roles
Currently, only cluster wide admins have the permissions to view metrics resources. This fixes it by adding a read-only cluster role which includes aggregation labels to synthesize permission rules for standard user-facing roles according to [1]. Note that only the "pods" resource is granted as reading "nodes" metrics requires a cluster wide permission.
[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
---
 .../prometheus-adapter.libsonnet | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
index 6d6604bc..b2336259 100644
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -184,6 +184,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       clusterRole.mixin.metadata.withName('resource-metrics-server-resources') +
       clusterRole.withRules(rules),
+    clusterRoleAggregatedMetricsReader:
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local rules =
+        policyRule.new() +
+        policyRule.withApiGroups(['metrics.k8s.io']) +
+        policyRule.withResources(['pods']) +
+        policyRule.withVerbs(['get','list','watch']);
+
+      clusterRole.new() +
+      clusterRole.mixin.metadata.withName('system:aggregated-metrics-reader') +
+      clusterRole.mixin.metadata.withLabels({
+        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
+        "rbac.authorization.k8s.io/aggregate-to-edit": "true",
+        "rbac.authorization.k8s.io/aggregate-to-view": "true",
+      }) +
+      clusterRole.withRules(rules),
+
     roleBindingAuthReader:
       local roleBinding = k.rbac.v1.roleBinding;
-- 
GitLab
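Review bot: The new ClusterRole is given the name `system:aggregated-metrics-reader`, and the `system:` prefix is reserved by the RBAC documentation for roles managed by the cluster itself; the same name is, as far as I recall, also used by metrics-server's own manifests for its aggregated reader role, so on a cluster that has both installed the later `apply` would silently replace the other object's rules and labels. A project-specific name (for example `prometheus-adapter-aggregated-metrics-reader`, or whatever prefix this file uses for its other ClusterRoles) avoids the collision, or the shadowing should be documented next to the `withName` call if it is intended. The commit message explains that `nodes` is deliberately left out, but nothing in the code does; a comment on the `withResources(['pods'])` line such as `// Only pods: node metrics are cluster-scoped and must not be aggregated into the namespaced admin/edit/view roles.` keeps that reasoning with the rule it governs. As a point of style, the label map uses double-quoted keys and values while the rest of the hunk uses single quotes, and `['get','list','watch']` lacks the spaces jsonnetfmt inserts; `'rbac.authorization.k8s.io/aggregate-to-admin': 'true'` and `['get', 'list', 'watch']` match the surrounding file.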