diff --git a/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml b/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
index 6ae8db88d253bcb4cec56e00a363c6f65c2ad731..30583ac02f39c000c623d7f9b621c09aac4d7412 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
@@ -27,4 +27,12 @@ rules:
   resources:
   - cronjobs
   - jobs
-  verbs: ["list", "watch"]
\ No newline at end of file
+  verbs: ["list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
\ No newline at end of file
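Review bot: The two added rules carry no comment saying which component uses them, and the rest of this role only grants `list` and `watch`, so `create` on `tokenreviews` and `subjectaccessreviews` reads as an unexplained widening. They appear to be there for the kube-rbac-proxy sidecars added to the Deployment, which run under the same service account. I would add above them `# Needed by the kube-rbac-proxy sidecars to authenticate and authorize scrape requests`, and the same comment in the new node-exporter ClusterRole. The file also still ends without a trailing newline; adding one keeps the last rule out of future diffs.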
diff --git a/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml b/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
index ee8526d3c5f54247bbb93347b7a2dd0e5bab1744..22a8410845c7d2723dbbac74dd1ce779b9269d61 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
@@ -11,17 +11,43 @@ spec:
     spec:
       serviceAccountName: kube-state-metrics
       containers:
-      - name: kube-state-metrics
-        image: quay.io/coreos/kube-state-metrics:v1.0.1
+      - name: kube-rbac-proxy-main
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:8443"
+        - "--upstream=http://127.0.0.1:8081/"
+        ports:
+        - name: https-main
+          containerPort: 8443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-rbac-proxy-self
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9443"
+        - "--upstream=http://127.0.0.1:8082/"
         ports:
-        - name: metrics
-          containerPort: 8080
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
+        - name: https-self
+          containerPort: 9443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-state-metrics
+        image: quay.io/coreos/kube-state-metrics:v1.2.0-rc.0
+        args:
+        - "--host=127.0.0.1"
+        - "--port=8081"
+        - "--telemetry-host=127.0.0.1"
+        - "--telemetry-port=8082"
       - name: addon-resizer
         image: gcr.io/google_containers/addon-resizer:1.0
         resources:
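Review bot: The `readinessProbe` on the kube-state-metrics container is removed and none of the three containers in the new layout has a probe, so the pod counts as ready as soon as its containers start. Because kube-state-metrics now binds to 127.0.0.1, an `httpGet` probe from the kubelet cannot reach it directly; a probe on the proxy is the closest replacement, for example `readinessProbe: {tcpSocket: {port: https-main}}` on `kube-rbac-proxy-main`. The proxy args also configure no serving certificate, so the listener presumably falls back to a generated self-signed one, which is what forces `insecureSkipVerify` on the scrape side.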
diff --git a/manifests/kube-state-metrics/kube-state-metrics-service.yaml b/manifests/kube-state-metrics/kube-state-metrics-service.yaml
index 292c49781b357d2473e99e7df238ee57b699d9df..b4422685c270f2ad45556ba1e8c3b2a09fe4431c 100644
--- a/manifests/kube-state-metrics/kube-state-metrics-service.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-service.yaml
@@ -6,10 +6,15 @@ metadata:
     k8s-app: kube-state-metrics
   name: kube-state-metrics
 spec:
+  clusterIP: None
   ports:
-  - name: http-metrics
-    port: 8080
-    targetPort: metrics
+  - name: https-main
+    port: 8443
+    targetPort: https-main
+    protocol: TCP
+  - name: https-self
+    port: 9443
+    targetPort: https-self
     protocol: TCP
   selector:
     app: kube-state-metrics
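Review bot: Adding `clusterIP: None` to a Service that already exists with an allocated cluster IP will be rejected by the API server, because `spec.clusterIP` is immutable; upgrading an existing install needs the Service deleted and recreated. That step is worth stating in the commit message or upgrade notes. Anything that still addresses the Service by the old port name `http-metrics` or port 8080 will stop working as well, so consumers other than the ServiceMonitor changed in this commit should be checked.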
diff --git a/manifests/node-exporter/node-exporter-cluster-role-binding.yaml b/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a5a2050810d0976538a2aa08d4565d4a84bc4a07
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-exporter
+subjects:
+- kind: ServiceAccount
+  name: node-exporter
+  namespace: monitoring
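Review bot: The subject hard-codes `namespace: monitoring`, while the ServiceAccount added in node-exporter-service-account.yaml sets no namespace and takes whichever one it is applied into. If the manifests are applied anywhere other than `monitoring`, the binding names a service account that does not exist there and the proxy's TokenReview and SubjectAccessReview calls will be denied. Either add `namespace: monitoring` to the ServiceAccount metadata or put a comment next to the subject saying the value must match the install namespace.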
diff --git a/manifests/node-exporter/node-exporter-cluster-role.yaml b/manifests/node-exporter/node-exporter-cluster-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..932b7762c43051937e9ead2a721e9b2414eecdf9
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-cluster-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-exporter
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
diff --git a/manifests/node-exporter/node-exporter-daemonset.yaml b/manifests/node-exporter/node-exporter-daemonset.yaml
index d98deee6e493f10366c74c6a3dd8e135b00a7647..701e491f78722b99a443f251fb5bfb17f68a9e55 100644
--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -3,24 +3,26 @@ kind: DaemonSet
 metadata:
   name: node-exporter
 spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
   template:
     metadata:
       labels:
         app: node-exporter
       name: node-exporter
     spec:
+      serviceAccountName: node-exporter
       hostNetwork: true
       hostPID: true
       containers:
       - image: quay.io/prometheus/node-exporter:v0.15.0
         args:
+        - "--web.listen-address=127.0.0.1:9101"
         - "--path.procfs=/host/proc"
         - "--path.sysfs=/host/sys"
         name: node-exporter
-        ports:
-        - containerPort: 9100
-          hostPort: 9100
-          name: scrape
         resources:
           requests:
             memory: 30Mi
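Review bot: With `hostNetwork: true`, `--web.listen-address=127.0.0.1:9101` binds the node's own loopback interface rather than a pod-private one, so any process on the node and any other host-network pod can still read the metrics over plain HTTP without passing the proxy. Port 9101 is also taken from the host's port space and can collide with another listener there. A comment above the argument should state this, e.g. `# hostNetwork: loopback is the node's; local processes can reach 9101 without kube-rbac-proxy`, so the authentication added in this commit is not read as covering node-local access.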
@@ -35,6 +37,22 @@ spec:
         - name: sys
           readOnly: true
           mountPath: /host/sys
+      - name: kube-rbac-proxy
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9100"
+        - "--upstream=http://127.0.0.1:9101/"
+        ports:
+        - containerPort: 9100
+          hostPort: 9100
+          name: https
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
       tolerations:
         - effect: NoSchedule
           operator: Exists
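Review bot: The new `kube-rbac-proxy` container sets no `securityContext`, and since `hostNetwork` and `hostPID` are pod-level it runs in the host's network and PID namespaces even though only node-exporter needs them. As this is now the container that terminates external connections, it is worth restricting it as far as the image allows, for example `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}`; whether the v0.2.0 image tolerates a read-only root filesystem should be confirmed. `hostPort: 9100` is also redundant under `hostNetwork: true` and could be dropped or commented.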
diff --git a/manifests/node-exporter/node-exporter-service-account.yaml b/manifests/node-exporter/node-exporter-service-account.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..703a274882355461607aeea10d00f2127186810a
--- /dev/null
+++ b/manifests/node-exporter/node-exporter-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-exporter
diff --git a/manifests/node-exporter/node-exporter-service.yaml b/manifests/node-exporter/node-exporter-service.yaml
index 46b1a3fd4bb31b0e1b0167df047a657db6ec6d76..8aa3774792925629be50c08eed611247de866fd7 100644
--- a/manifests/node-exporter/node-exporter-service.yaml
+++ b/manifests/node-exporter/node-exporter-service.yaml
@@ -9,7 +9,7 @@ spec:
   type: ClusterIP
   clusterIP: None
   ports:
-  - name: http-metrics
+  - name: https
     port: 9100
     protocol: TCP
   selector:
diff --git a/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml b/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
index 6563a4d49cd5cdd046bc03b73de25dfd43b04089..1433a5feb168e30e8ffcb012970ccd1870ca05fb 100644
--- a/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
+++ b/manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
@@ -13,6 +13,16 @@ spec:
     matchNames:
     - monitoring
   endpoints:
-  - port: http-metrics
+  - port: https-main
+    scheme: https
     interval: 30s
     honorLabels: true
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
+  - port: https-self
+    scheme: https
+    interval: 30s
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true
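Review bot: Both endpoints combine `bearerTokenFile` with `insecureSkipVerify: true`, so Prometheus presents its service-account token to whatever answers on the port without checking the server's certificate. The connection is encrypted but the peer is not authenticated, which leaves the token exposed to anything able to answer for that endpoint. Prefer giving the proxies a certificate from a CA that Prometheus can read and replacing the setting with `caFile` and `serverName` under `tlsConfig`. If skipping verification is a deliberate interim step, say so in a comment such as `# TODO: proxy serves a self-signed cert; switch to caFile once serving certs are provisioned`. The same applies to the endpoint in prometheus-k8s-service-monitor-node-exporter.yaml.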
diff --git a/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml b/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
index e1b083bbdb2c9e7d2257b54a8abe448d1a0e4b0e..0dd72e759a7234996a16b2e724ca703baea6b442 100644
--- a/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
+++ b/manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
@@ -13,5 +13,9 @@ spec:
     matchNames:
     - monitoring
   endpoints:
-  - port: http-metrics
+  - port: https
+    scheme: https
     interval: 30s
+    bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    tlsConfig:
+      insecureSkipVerify: true