Commit 88f79258 authored by prune's avatar prune

replaced default namespaces rbac rules by a loop

parent 85d6c48f
# Monitoring other Kubernetes Namespaces # Monitoring other Kubernetes Namespaces
This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install. This guide will help you monitor applications in other Namespaces. By default the RBAC rules are only enabled for the `Default` and `kube-system` Namespace during Install.
# Setup # Setup
You have to give the list of the Namespaces that you want to be able to monitor. You have to give the list of the Namespaces that you want to be able to monitor.
...@@ -12,7 +12,7 @@ local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + { ...@@ -12,7 +12,7 @@ local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + {
namespace: 'monitoring', namespace: 'monitoring',
prometheus+:: { prometheus+:: {
roleSpecificNamespaces: ["foo"], namespaces: ["default", "kube-system","foo"],
}, },
}, },
}; };
......
...@@ -21,7 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; ...@@ -21,7 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
replicas: 2, replicas: 2,
rules: {}, rules: {},
renderedRules: {}, renderedRules: {},
roleSpecificNamespaces: [], namespaces: ["default", "kube-system",$._config.namespace],
}, },
}, },
...@@ -56,16 +56,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; ...@@ -56,16 +56,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
groups: $._config.prometheus.rules.groups, groups: $._config.prometheus.rules.groups,
}, },
}, },
roleBindingDefault:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace('default') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleBindingSpecificNamespace: roleBindingSpecificNamespace:
local roleBinding = k.rbac.v1.roleBinding; local roleBinding = k.rbac.v1.roleBinding;
...@@ -123,16 +113,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; ...@@ -123,16 +113,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name + '-config') + roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name + '-config') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleBindingNamespace:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace($._config.namespace) +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
clusterRoleBinding: clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding; local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
...@@ -142,42 +122,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; ...@@ -142,42 +122,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
clusterRoleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + clusterRoleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) + clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleKubeSystem:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace('kube-system') +
role.withRules(coreRule),
roleDefault:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace('default') +
role.withRules(coreRule),
roleSpecificNamespace: roleSpecificNamespace:
local role = k.rbac.v1.role; local role = k.rbac.v1.role;
local policyRule = role.rulesType; local policyRule = role.rulesType;
...@@ -199,34 +143,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; ...@@ -199,34 +143,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local roleList = k.rbac.v1.roleList; local roleList = k.rbac.v1.roleList;
roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]), roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]),
roleBindingKubeSystem:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace('kube-system') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleNamespace:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace($._config.namespace) +
role.withRules(coreRule),
prometheus: prometheus:
local container = k.core.v1.pod.mixin.spec.containersType; local container = k.core.v1.pod.mixin.spec.containersType;
local resourceRequirements = container.mixin.resourcesType; local resourceRequirements = container.mixin.resourcesType;
......
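Review bot: The role loop still reads the old key: `roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces])` is unchanged context on the new side, while the defaults now define `namespaces` and no longer define `roleSpecificNamespaces`. Since the fixed `roleDefault`, `roleKubeSystem` and `roleNamespace` objects and their bindings are deleted here, evaluation would either fail on the missing field or, if a caller still sets the old key, produce no Role for `default`, `kube-system` or the monitoring namespace. The line should read `roleList.new([newSpecificRole(x) for x in $._config.prometheus.namespaces]),`. The matching loop in `roleBindingSpecificNamespace` lies outside the visible hunks and presumably needs the same rename. Separately, a user who overrides `namespaces` as in the README example replaces the whole default list, so `$._config.namespace` is dropped unless listed again; a comment on the default such as `// overriding replaces this list; keep $._config.namespace in it` would make that explicit.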