From 4402d451aeacc392794dd6faf3f62486b416414a Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Fri, 5 Jan 2018 16:03:04 +0100
Subject: [PATCH] kube-prometheus: Add RBAC authorization to metrics endpoints

---
 .../kube-state-metrics-cluster-role.yaml      | 10 +++-
 .../kube-state-metrics-deployment.yaml        | 46 +++++++++++++++----
 .../kube-state-metrics-service.yaml           | 11 +++--
 .../node-exporter-cluster-role-binding.yaml   | 12 +++++
 .../node-exporter-cluster-role.yaml           | 13 ++++++
 .../node-exporter-daemonset.yaml              | 26 +++++++++--
 .../node-exporter-service-account.yaml        |  4 ++
 .../node-exporter/node-exporter-service.yaml  |  2 +-
 ...8s-service-monitor-kube-state-metrics.yaml | 12 ++++-
 ...eus-k8s-service-monitor-node-exporter.yaml |  6 ++-
 10 files changed, 121 insertions(+), 21 deletions(-)
 create mode 100644 manifests/node-exporter/node-exporter-cluster-role-binding.yaml
 create mode 100644 manifests/node-exporter/node-exporter-cluster-role.yaml
 create mode 100644 manifests/node-exporter/node-exporter-service-account.yaml

diff --git a/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml b/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
index 6ae8db88..30583ac0 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
@@ -27,4 +27,12 @@ rules:
   resources:
   - cronjobs
   - jobs
-  verbs: ["list", "watch"]
\ No newline at end of file
+  verbs: ["list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
\ No newline at end of file
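Review bot: The two new rules grant the kube-state-metrics ServiceAccount the ability to create TokenReviews and SubjectAccessReviews, but nothing in the role records that these exist for the kube-rbac-proxy sidecars (which share the ServiceAccount) rather than for kube-state-metrics itself, so a later reader pruning permissions has no way to tell whether they are still needed; add a comment above the first new rule, e.g. `# used by the kube-rbac-proxy sidecars to authenticate and authorize scrapers; not needed by kube-state-metrics itself`. The file also still ends without a trailing newline — the `\ No newline at end of file` marker is on both the old and the new side of this hunk — so the next rule appended here will again show up as a rewrite of the last line; end the file with a newline after `verbs: ["create"]`.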
diff --git a/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml b/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
index ee8526d3..22a84108 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
@@ -11,17 +11,43 @@ spec:
     spec:
       serviceAccountName: kube-state-metrics
       containers:
-      - name: kube-state-metrics
-        image: quay.io/coreos/kube-state-metrics:v1.0.1
+      - name: kube-rbac-proxy-main
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:8443"
+        - "--upstream=http://127.0.0.1:8081/"
+        ports:
+        - name: https-main
+          containerPort: 8443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-rbac-proxy-self
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9443"
+        - "--upstream=http://127.0.0.1:8082/"
         ports:
-        - name: metrics
-          containerPort: 8080
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
+        - name: https-self
+          containerPort: 9443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-state-metrics
+        image: quay.io/coreos/kube-state-metrics:v1.2.0-rc.0
+        args:
+        - "--host=127.0.0.1"
+        - "--port=8081"
+        - "--telemetry-host=127.0.0.1"
+        - "--telemetry-port=8082"
       - name: addon-resizer
         image: gcr.io/google_containers/addon-resizer:1.0
         resources:
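Review bot: The readinessProbe on the kube-state-metrics container is deleted and not replaced, so the pod is reported Ready as soon as its containers start; with the Service now headless, Prometheus is handed the pod as a target before kube-state-metrics has finished its initial list/watch, and a wedged main container is never taken out of the endpoints. The old httpGet probe cannot simply be kept, because kube-state-metrics now binds `--host=127.0.0.1` while the kubelet probes the pod IP, and an unauthenticated probe through the proxy would presumably be rejected; at minimum add a `readinessProbe:` with `tcpSocket: { port: https-main }` on the kube-rbac-proxy-main container, or state in the commit message why the probe was dropped. Separately, `quay.io/coreos/kube-state-metrics:v1.2.0-rc.0` pins a release candidate where the manifest previously shipped a stable tag; if the bump is required for the `--host`/`--telemetry-host` flags, say so and track moving to the final tag. The container list continues past this hunk (addon-resizer).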
diff --git a/manifests/kube-state-metrics/kube-state-metrics-service.yaml b/manifests/kube-state-metrics/kube-state-metrics-service.yaml
index 292c4978..b4422685 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-service.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-service.yaml
@@ -6,10 +6,15 @@ metadata:
     k8s-app: kube-state-metrics
   name: kube-state-metrics
 spec:
+  clusterIP: None
   ports:
-  - name: http-metrics
-    port: 8080
-    targetPort: metrics
+  - name: https-main
+    port: 8443
+    targetPort: https-main
+    protocol: TCP
+  - name: https-self
+    port: 9443
+    targetPort: https-self
     protocol: TCP
   selector:
     app: kube-state-metrics
diff --git a/manifests/node-exporter/node-exporter-cluster-role-binding.yaml b/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
new file mode 100644
index 00000000..a5a20508
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-exporter
+subjects:
+- kind: ServiceAccount
+  name: node-exporter
+  namespace: monitoring
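Review bot: The subject hardcodes `namespace: monitoring` while the new node-exporter ServiceAccount manifest carries no namespace and so depends on the namespace `kubectl apply` is given; if the manifests are applied elsewhere, this binding points at a ServiceAccount that does not exist, the proxy's TokenReview/SubjectAccessReview calls are forbidden, and the failure surfaces only as scrape errors. Either add `namespace: monitoring` to the ServiceAccount manifest as well, so the two agree explicitly, or add a comment here noting the coupling, e.g. `# must match the namespace the node-exporter ServiceAccount is created in`.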
diff --git a/manifests/node-exporter/node-exporter-cluster-role.yaml b/manifests/node-exporter/node-exporter-cluster-role.yaml
new file mode 100644
index 00000000..932b7762
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-cluster-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-exporter
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
diff --git a/manifests/node-exporter/node-exporter-daemonset.yaml b/manifests/node-exporter/node-exporter-daemonset.yaml
index d98deee6..701e491f 100644
--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -3,24 +3,26 @@ kind: DaemonSet
 metadata:
   name: node-exporter
 spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
         app: node-exporter
       name: node-exporter
     spec:
+      serviceAccountName: node-exporter
       hostNetwork: true
       hostPID: true
       containers:
       - image: quay.io/prometheus/node-exporter:v0.15.0
         args:
+        - "--web.listen-address=127.0.0.1:9101"
         - "--path.procfs=/host/proc"
         - "--path.sysfs=/host/sys"
         name: node-exporter
-        ports:
-        - containerPort: 9100
-          hostPort: 9100
-          name: scrape
         resources:
           requests:
             memory: 30Mi
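Review bot: Because this pod runs with `hostNetwork: true`, `--web.listen-address=127.0.0.1:9101` binds node-exporter to the node's own loopback interface rather than a pod-private one, so any process on the host and any other hostNetwork pod on that node can still read the unauthenticated metrics at 127.0.0.1:9101 and bypass the kube-rbac-proxy entirely. That is a clear improvement over exposing 9100 on every interface, but it is a weaker guarantee than the kube-state-metrics deployment gets, where 127.0.0.1 is the pod's own namespace; the limitation belongs in a comment next to the flag, e.g. `# on hostNetwork this is the node's loopback: local processes can still scrape 9101 unauthenticated`. Port 9101 is also now a node-wide port that can collide with anything else listening on the host, which is worth noting in the same place. The container spec continues past this hunk.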
@@ -35,6 +37,22 @@ spec:
         - name: sys
           readOnly: true
           mountPath: /host/sys
+      - name: kube-rbac-proxy
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9100"
+        - "--upstream=http://127.0.0.1:9101/"
+        ports:
+        - containerPort: 9100
+          hostPort: 9100
+          name: https
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
       tolerations:
         - effect: NoSchedule
           operator: Exists
diff --git a/manifests/node-exporter/node-exporter-service-account.yaml b/manifests/node-exporter/node-exporter-service-account.yaml
new file mode 100644
index 00000000..703a2748
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-exporter
diff --git a/manifests/node-exporter/node-exporter-service.yaml b/manifests/node-exporter/node-exporter-service.yaml
index 46b1a3fd..8aa37747 100644
--- a/manifests/node-exporter/node-exporter-service.yaml
+++ b/manifests/node-exporter/node-exporter-service.yaml
@@ -9,7 +9,7 @@ spec:
   type: ClusterIP
   clusterIP: None
   ports:
-  - name: http-metrics
+  - name: https
     port: 9100
     protocol: TCP
   selector:
diff --git a/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml b/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
index 6563a4d4..1433a5fe 100644
--- a/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
+++ b/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
@@ -13,6 +13,16 @@ spec:
     matchNames:
     - monitoring
   endpoints:
-  - port: http-metrics
+  - port: https-main
+    scheme: https
     interval: 30s
     honorLabels: true
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
+  - port: https-self
+    scheme: https
+    interval: 30s
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
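Review bot: `insecureSkipVerify: true` on both endpoints disables server authentication, so Prometheus presents its ServiceAccount token (`bearerTokenFile`) to whatever answers at the kube-state-metrics endpoint address; anyone able to redirect or intercept pod traffic on the cluster network obtains a token that is likely to carry broad read permissions. The proxy is started with no certificate flags in the deployment, which presumably means it serves a self-signed certificate and this setting is unavoidable for now; make that explicit with a comment such as `# kube-rbac-proxy serves a self-signed cert; replace with caFile/serverName once certs are provisioned`, and track issuing a certificate the ServiceMonitor can pin via `tlsConfig.caFile` and `serverName`. `honorLabels: true` is set on https-main but not on https-self, which looks intentional since the self endpoint exposes the exporter's own metrics, but a short comment would save the next reader the question.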
diff --git a/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml b/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
index e1b083bb..0dd72e75 100644
--- a/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
+++ b/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
@@ -13,5 +13,9 @@ spec:
     matchNames:
     - monitoring
   endpoints:
-  - port: http-metrics
+  - port: https
+    scheme: https
     interval: 30s
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
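Review bot: Nothing in this patch grants the Prometheus ServiceAccount permission to pass the proxy's authorization step: the roles added here let the proxy create TokenReviews and SubjectAccessReviews, and a SubjectAccessReview for a plain GET of the metrics path will only succeed if the caller holds a rule like `nonResourceURLs: ["/metrics"]` with `verbs: ["get"]`. If the existing prometheus-k8s ClusterRole already has that rule (it commonly does, for kubelet and apiserver scraping) this works as-is, but the dependency is invisible from the ServiceMonitor; either confirm it and mention it in the commit message, or add the rule to the prometheus-k8s ClusterRole in this change so both halves ship together. As with the kube-state-metrics monitor, `insecureSkipVerify: true` should carry a comment explaining why server verification is disabled and what replaces it later.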
-- 
GitLab