kube-prometheus: add RBAC resources

bf67031b · Frederic Branczyk · b8b3f99a · bf67031b · bf67031b · bf67031b
Commit bf67031b authored 8 years ago by Frederic Branczyk
--- a/hack/cluster-monitoring/deploy
+++ b/hack/cluster-monitoring/deploy
@@ -14,7 +14,7 @@ kctl() {
    kubectl --namespace "$NAMESPACE" "$@"
 }

-kctl apply -f manifests/prometheus-operator.yaml
+kctl apply -f manifests/prometheus-operator

 # Wait for TPRs to be ready.
 printf "Waiting for Operator to register third party objects..."
@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana

 kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml
 kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml
+kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml

 kctl apply -f manifests/alertmanager/alertmanager-config.yaml
 kctl apply -f manifests/alertmanager/alertmanager-service.yaml

--- a/hack/cluster-monitoring/teardown
+++ b/hack/cluster-monitoring/teardown
@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager
 # Hack: wait a bit to let the controller delete the deployed Prometheus server.
 sleep 5

-kctl delete -f manifests/prometheus-operator.yaml
+kctl delete -f manifests/prometheus-operator

--- a/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default
--- a/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]
--- a/manifests/prometheus-operator/prometheus-operator-service-account.yaml
+++ b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator
--- a/manifests/prometheus-operator.yaml
+++ b/manifests/prometheus-operator.yaml
@@ -11,12 +11,13 @@ spec:
      labels:
        operator: prometheus
    spec:
+      serviceAccountName: prometheus-operator
      containers:
       - name: prometheus-operator
         image: quay.io/coreos/prometheus-operator:v0.7.0
         args:
-           - "--kubelet-object=kube-system/kubelet"
-           - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
+         - "--kubelet-object=kube-system/kubelet"
+         - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
         resources:
           requests:
             cpu: 100m

--- a/manifests/prometheus/prometheus-cluster-role-binding.yaml
+++ b/manifests/prometheus/prometheus-cluster-role-binding.yaml
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
--- a/manifests/prometheus/prometheus-cluster-role.yaml
+++ b/manifests/prometheus/prometheus-cluster-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["get"]
--- a/manifests/prometheus/prometheus-k8s-service-account.yaml
+++ b/manifests/prometheus/prometheus-k8s-service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-k8s
--- a/manifests/prometheus/prometheus-k8s.yaml
+++ b/manifests/prometheus/prometheus-k8s.yaml
@@ -7,6 +7,7 @@ metadata:
 spec:
  replicas: 2
  version: v1.5.2
+  serviceAccountName: prometheus-k8s
  serviceMonitorSelector:
    matchExpression:
    - {key: k8s-apps, operator: Exists}