From 85d6c48f9869318115ea12b30eff77f29bbe4076 Mon Sep 17 00:00:00 2001
From: prune <prune@lecentre.net>
Date: Thu, 26 Jul 2018 14:58:12 -0400
Subject: [PATCH] allow creation of role and rolebindings for other namespaces
 in jsonnet

---
 docs/monitoring-other-namespaces.md           | 28 +++++++++++++++
 .../prometheus/prometheus.libsonnet           | 36 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 docs/monitoring-other-namespaces.md

diff --git a/docs/monitoring-other-namespaces.md b/docs/monitoring-other-namespaces.md
new file mode 100644
index 00000000..c1ee7ae7
--- /dev/null
+++ b/docs/monitoring-other-namespaces.md
@@ -0,0 +1,28 @@
+# Monitoring other Kubernetes Namespaces
+This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install.
+
+# Setup
+You have to give the list of the Namespaces that you want to be able to monitor.
+This is done in the variable `prometheus.roleSpecificNamespaces`. You usually set this in your `.jsonnet` file when building the manifests.
+
+Ex to create the needed `Role` and `Rolebindig` for the Namespace `foo` : 
+```
+local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + {
+  _config+:: {
+    namespace: 'monitoring',
+
+    prometheus+:: {
+      roleSpecificNamespaces: ["foo"],
+    },
+  },
+};
+ 
+{ ['00namespace-' + name]: kp.kubePrometheus[name] for name in std.objectFields(kp.kubePrometheus) } +
+{ ['0prometheus-operator-' + name]: kp.prometheusOperator[name] for name in std.objectFields(kp.prometheusOperator) } +
+{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } +
+{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } +
+{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } +
+{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } +
+{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) }
+
+```
\ No newline at end of file
diff --git a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
index e84986f5..d4010d5b 100644
--- a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
@@ -21,6 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       replicas: 2,
       rules: {},
       renderedRules: {},
+      roleSpecificNamespaces: [],
     },
   },
 
@@ -65,6 +66,20 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
       roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
       roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
+    roleBindingSpecificNamespace:
+      local roleBinding = k.rbac.v1.roleBinding;
+
+      local newSpecificRoleBinding(namespace) =   
+        roleBinding.new() +
+        roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
+        roleBinding.mixin.metadata.withNamespace(namespace) +
+        roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
+        roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
+        roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
+        roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: namespace }]);
+        
+      local roleBindigList = k.rbac.v1.roleBindingList;
+      roleBindigList.new([newSpecificRoleBinding(x) for x in $._config.prometheus.roleSpecificNamespaces]),
     clusterRole:
       local clusterRole = k.rbac.v1.clusterRole;
       local policyRule = clusterRole.rulesType;
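Review bot: The `withSubjects` line inside `newSpecificRoleBinding` sets the subject's `namespace: namespace`, so each RoleBinding points at a ServiceAccount `prometheus-<name>` living in the target namespace, which nothing in this library creates; the Prometheus ServiceAccount is in `$._config.namespace`, as the existing `roleBinding` a few lines above shows (`namespace: $._config.namespace`). As written the binding grants nothing to the real Prometheus pod, and discovery in the extra namespaces would presumably still be denied. Change that line to `roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]);`. The `local newSpecificRoleBinding(namespace) =` line and the blank line after the subjects also carry trailing whitespace.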
@@ -163,6 +178,27 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
       role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
       role.mixin.metadata.withNamespace('default') +
       role.withRules(coreRule),
+    roleSpecificNamespace:
+      local role = k.rbac.v1.role;
+      local policyRule = role.rulesType;
+      local coreRule = policyRule.new() +
+                       policyRule.withApiGroups(['']) +
+                       policyRule.withResources([
+                         'nodes',
+                         'services',
+                         'endpoints',
+                         'pods',
+                       ]) +
+                       policyRule.withVerbs(['get', 'list', 'watch']);
+                      
+      local newSpecificRole(namespace) =                 
+        role.new() +
+        role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
+        role.mixin.metadata.withNamespace(namespace) +
+        role.withRules(coreRule);
+        
+      local roleList = k.rbac.v1.roleList;
+      roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]),
     roleBindingKubeSystem:
       local roleBinding = k.rbac.v1.roleBinding;
 
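Review bot: `'nodes'` in the `withResources` list of the new `coreRule` is dead in a namespaced Role: a Role bound by a RoleBinding only authorizes namespaced resources, and Node objects are cluster-scoped, so the entry grants nothing while making the Role read as broader than it is. Dropping it, `policyRule.withResources(['services', 'endpoints', 'pods'])`, keeps each generated manifest an accurate statement of what that namespace authorizes; node access presumably remains with the `clusterRole` defined elsewhere in this file. This `coreRule` looks like a copy of the rule used by the existing `role` just above (its definition is outside the hunk); if they are meant to match, hoisting it into one shared local would keep the two from drifting. The `policyRule.withVerbs(...)` line, the `local newSpecificRole(namespace) =` line and the blank line before `local roleList` carry trailing whitespace.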
-- 
GitLab