From bf67031b5c9b208935d06ce661a227e9e32324db Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Wed, 22 Mar 2017 19:36:17 +0100
Subject: [PATCH] kube-prometheus: add RBAC resources

---
 hack/cluster-monitoring/deploy                |  5 ++-
 hack/cluster-monitoring/teardown              |  2 +-
 ...metheus-operator-cluster-role-binding.yaml | 12 ++++++
 .../prometheus-operator-cluster-role.yaml     | 42 +++++++++++++++++++
 .../prometheus-operator-service-account.yaml  |  4 ++
 .../prometheus-operator.yaml                  |  5 ++-
 .../prometheus-cluster-role-binding.yaml      | 12 ++++++
 .../prometheus/prometheus-cluster-role.yaml   | 16 +++++++
 .../prometheus-k8s-service-account.yaml       |  4 ++
 manifests/prometheus/prometheus-k8s.yaml      |  1 +
 10 files changed, 99 insertions(+), 4 deletions(-)
 create mode 100644 manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
 create mode 100644 manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
 create mode 100644 manifests/prometheus-operator/prometheus-operator-service-account.yaml
 rename manifests/{ => prometheus-operator}/prometheus-operator.yaml (74%)
 create mode 100644 manifests/prometheus/prometheus-cluster-role-binding.yaml
 create mode 100644 manifests/prometheus/prometheus-cluster-role.yaml
 create mode 100644 manifests/prometheus/prometheus-k8s-service-account.yaml

diff --git a/hack/cluster-monitoring/deploy b/hack/cluster-monitoring/deploy
index 9ad91eb0..098af134 100755
--- a/hack/cluster-monitoring/deploy
+++ b/hack/cluster-monitoring/deploy
@@ -14,7 +14,7 @@ kctl() {
     kubectl --namespace "$NAMESPACE" "$@"
 }
 
-kctl apply -f manifests/prometheus-operator.yaml
+kctl apply -f manifests/prometheus-operator
 
 # Wait for TPRs to be ready.
 printf "Waiting for Operator to register third party objects..."
@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana
 
 kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml
 kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml
+kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml
 
 kctl apply -f manifests/alertmanager/alertmanager-config.yaml
 kctl apply -f manifests/alertmanager/alertmanager-service.yaml
diff --git a/hack/cluster-monitoring/teardown b/hack/cluster-monitoring/teardown
index 45ae61ed..e5e0d9a6 100755
--- a/hack/cluster-monitoring/teardown
+++ b/hack/cluster-monitoring/teardown
@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager
 # Hack: wait a bit to let the controller delete the deployed Prometheus server.
 sleep 5
 
-kctl delete -f manifests/prometheus-operator.yaml
+kctl delete -f manifests/prometheus-operator
 
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
new file mode 100644
index 00000000..bd69276f
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default
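Review bot: The subject on the last line pins the operator's ServiceAccount to `namespace: default`, but the ServiceAccount manifest added in this patch carries no namespace and deploy applies it through `kctl`, i.e. into `$NAMESPACE`, and the sibling Prometheus binding later in the patch uses `namespace: monitoring`. Unless `$NAMESPACE` happens to be `default`, this binding grants nothing to the account the operator pod actually runs as, and on an RBAC-enforcing cluster the operator will be denied at its first API call. Suggest `namespace: monitoring` here so both bindings agree, or derive the namespace from what deploy passes; the same consistency check applies to the prometheus-cluster-role-binding hunk.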
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
new file mode 100644
index 00000000..c7bebb9d
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
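Review bot: The rule with `resources: configmaps, secrets` and `verbs: ["*"]` grants every verb on secrets in every namespace to the operator, which in practice includes reading all service-account tokens cluster-wide and is far broader than managing the configuration objects the operator itself creates. Consider enumerating the verbs the operator actually issues (e.g. `get`, `list`, `watch`, `create`, `update`, `delete`) and reviewing whether secrets need to be in a ClusterRole at all rather than a namespaced Role; I cannot confirm from this patch which calls v0.7.0 makes, so that needs checking against the operator code. Separately, the file mixes block-style verb lists (`- "*"`) with flow style (`["*"]`) — one form throughout reads better.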
diff --git a/manifests/prometheus-operator/prometheus-operator-service-account.yaml b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
new file mode 100644
index 00000000..38d18cce
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator
diff --git a/manifests/prometheus-operator.yaml b/manifests/prometheus-operator/prometheus-operator.yaml
similarity index 74%
rename from manifests/prometheus-operator.yaml
rename to manifests/prometheus-operator/prometheus-operator.yaml
index 06ddf799..06232af0 100644
--- a/manifests/prometheus-operator.yaml
+++ b/manifests/prometheus-operator/prometheus-operator.yaml
@@ -11,12 +11,13 @@ spec:
       labels:
         operator: prometheus
     spec:
+      serviceAccountName: prometheus-operator
       containers:
        - name: prometheus-operator
          image: quay.io/coreos/prometheus-operator:v0.7.0
          args:
-           - "--kubelet-object=kube-system/kubelet"
-           - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
+         - "--kubelet-object=kube-system/kubelet"
+         - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
          resources:
            requests:
              cpu: 100m
diff --git a/manifests/prometheus/prometheus-cluster-role-binding.yaml b/manifests/prometheus/prometheus-cluster-role-binding.yaml
new file mode 100644
index 00000000..e337527f
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
diff --git a/manifests/prometheus/prometheus-cluster-role.yaml b/manifests/prometheus/prometheus-cluster-role.yaml
new file mode 100644
index 00000000..458c6158
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["get"]
diff --git a/manifests/prometheus/prometheus-k8s-service-account.yaml b/manifests/prometheus/prometheus-k8s-service-account.yaml
new file mode 100644
index 00000000..58d5342d
--- /dev/null
+++ b/manifests/prometheus/prometheus-k8s-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-k8s
diff --git a/manifests/prometheus/prometheus-k8s.yaml b/manifests/prometheus/prometheus-k8s.yaml
index 23156650..a8a14910 100644
--- a/manifests/prometheus/prometheus-k8s.yaml
+++ b/manifests/prometheus/prometheus-k8s.yaml
@@ -7,6 +7,7 @@ metadata:
 spec:
   replicas: 2
   version: v1.5.2
+  serviceAccountName: prometheus-k8s
   serviceMonitorSelector:
     matchExpression:
     - {key: k8s-apps, operator: Exists}
-- 
GitLab