Skip to content
Snippets Groups Projects
Commit 2edd30dd authored by Frederic Branczyk's avatar Frederic Branczyk Committed by GitHub
Browse files

Merge pull request #229 from brancz/kube-prometheus-rbac

kube-prometheus: add RBAC resources
parents 59bcbb70 bbd5684b
No related branches found
No related tags found
No related merge requests found
Showing
with 133 additions and 4 deletions
...@@ -14,7 +14,7 @@ kctl() { ...@@ -14,7 +14,7 @@ kctl() {
kubectl --namespace "$NAMESPACE" "$@" kubectl --namespace "$NAMESPACE" "$@"
} }
kctl apply -f manifests/prometheus-operator.yaml kctl apply -f manifests/prometheus-operator
# Wait for TPRs to be ready. # Wait for TPRs to be ready.
printf "Waiting for Operator to register third party objects..." printf "Waiting for Operator to register third party objects..."
...@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana ...@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana
kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml
kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml
kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml
kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml
kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml
kctl apply -f manifests/alertmanager/alertmanager-config.yaml kctl apply -f manifests/alertmanager/alertmanager-config.yaml
kctl apply -f manifests/alertmanager/alertmanager-service.yaml kctl apply -f manifests/alertmanager/alertmanager-service.yaml
......
...@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager ...@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager
# Hack: wait a bit to let the controller delete the deployed Prometheus server. # Hack: wait a bit to let the controller delete the deployed Prometheus server.
sleep 5 sleep 5
kctl delete -f manifests/prometheus-operator.yaml kctl delete -f manifests/prometheus-operator
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
name: kube-state-metrics
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-state-metrics
subjects:
- kind: ServiceAccount
name: kube-state-metrics
namespace: monitoring
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
name: kube-state-metrics
rules:
- apiGroups: [""]
resources:
- nodes
- pods
- resourcequotas
verbs: ["list", "watch"]
- apiGroups: ["extensions"]
resources:
- daemonsets
- deployments
- replicasets
verbs: ["list", "watch"]
...@@ -9,6 +9,7 @@ spec: ...@@ -9,6 +9,7 @@ spec:
labels: labels:
app: kube-state-metrics app: kube-state-metrics
spec: spec:
serviceAccountName: kube-state-metrics
containers: containers:
- name: kube-state-metrics - name: kube-state-metrics
image: gcr.io/google_containers/kube-state-metrics:v0.4.1 image: gcr.io/google_containers/kube-state-metrics:v0.4.1
......
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-state-metrics
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
name: prometheus-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-operator
subjects:
- kind: ServiceAccount
name: prometheus-operator
namespace: default
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
name: prometheus-operator
rules:
- apiGroups:
- extensions
resources:
- thirdpartyresources
verbs:
- create
- apiGroups:
- monitoring.coreos.com
resources:
- alertmanagers
- prometheuses
- servicemonitors
verbs:
- "*"
- apiGroups:
- apps
resources:
- statefulsets
verbs: ["*"]
- apiGroups: [""]
resources:
- configmaps
- secrets
verbs: ["*"]
- apiGroups: [""]
resources:
- pods
verbs: ["list", "delete"]
- apiGroups: [""]
resources:
- services
- endpoints
verbs: ["get", "create", "update"]
- apiGroups: [""]
resources:
- nodes
verbs: ["list", "watch"]
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus-operator
...@@ -11,6 +11,7 @@ spec: ...@@ -11,6 +11,7 @@ spec:
labels: labels:
operator: prometheus operator: prometheus
spec: spec:
serviceAccountName: prometheus-operator
containers: containers:
- name: prometheus-operator - name: prometheus-operator
image: quay.io/coreos/prometheus-operator:v0.7.0 image: quay.io/coreos/prometheus-operator:v0.7.0
......
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus-k8s
namespace: monitoring
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus-k8s
...@@ -7,6 +7,7 @@ metadata: ...@@ -7,6 +7,7 @@ metadata:
spec: spec:
replicas: 2 replicas: 2
version: v1.5.2 version: v1.5.2
serviceAccountName: prometheus-k8s
serviceMonitorSelector: serviceMonitorSelector:
matchExpression: matchExpression:
- {key: k8s-apps, operator: Exists} - {key: k8s-apps, operator: Exists}
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment