jsonnet/prometheus-adapter: add metrics to default user-facing roles

Currently, only cluster wide admins have the permissions to view metrics resources. This fixes it by adding a read-only cluster role which includes aggregation labels to synthesize permission rules for standard user-facing roles according to [1]. Note that only the "pods" resource is granted as reading "nodes" metrics requires a cluster wide permission. [1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

jsonnet/prometheus-adapter: add metrics to default user-facing roles
1fbf7576 · Sergiusz Urbaniak · 7bd745ef · 1fbf7576
Commit 1fbf7576 authored 6 years ago by Sergiusz Urbaniak
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -184,6 +184,25 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
      clusterRole.mixin.metadata.withName('resource-metrics-server-resources') +
      clusterRole.withRules(rules),

+    clusterRoleAggregatedMetricsReader:
+      local clusterRole = k.rbac.v1.clusterRole;
+      local policyRule = clusterRole.rulesType;
+
+      local rules =
+        policyRule.new() +
+        policyRule.withApiGroups(['metrics.k8s.io']) +
+        policyRule.withResources(['pods']) +
+        policyRule.withVerbs(['get','list','watch']);
+
+      clusterRole.new() +
+      clusterRole.mixin.metadata.withName('system:aggregated-metrics-reader') +
+      clusterRole.mixin.metadata.withLabels({
+        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
+        "rbac.authorization.k8s.io/aggregate-to-edit": "true",
+        "rbac.authorization.k8s.io/aggregate-to-view": "true",
+      }) +
+      clusterRole.withRules(rules),
+
    roleBindingAuthReader:
      local roleBinding = k.rbac.v1.roleBinding;