From c97a329792e65665a2ad1ee2fab11b14bd25d3d9 Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Thu, 29 Jun 2017 16:32:51 +0200
Subject: [PATCH] kube-prometheus: run prometheus-k8s with only those roles it
 needs

---
 hack/cluster-monitoring/deploy                |  4 +-
 hack/cluster-monitoring/teardown              |  4 +-
 .../prometheus-cluster-role-binding.yaml      | 12 -----
 .../prometheus/prometheus-cluster-role.yaml   | 18 -------
 .../prometheus-k8s-role-bindings.yaml         | 54 +++++++++++++++++++
 .../prometheus/prometheus-k8s-roles.yaml      | 50 +++++++++++++++++
 6 files changed, 110 insertions(+), 32 deletions(-)
 delete mode 100644 manifests/prometheus/prometheus-cluster-role-binding.yaml
 delete mode 100644 manifests/prometheus/prometheus-cluster-role.yaml
 create mode 100644 manifests/prometheus/prometheus-k8s-role-bindings.yaml
 create mode 100644 manifests/prometheus/prometheus-k8s-roles.yaml

diff --git a/hack/cluster-monitoring/deploy b/hack/cluster-monitoring/deploy
index c565d442..9176b956 100755
--- a/hack/cluster-monitoring/deploy
+++ b/hack/cluster-monitoring/deploy
@@ -27,6 +27,8 @@ kctl apply -f manifests/node-exporter
 kctl apply -f manifests/kube-state-metrics
 kctl apply -f manifests/grafana/grafana-credentials.yaml
 kctl apply -f manifests/grafana
-kctl apply -f manifests/prometheus/
+find manifests/prometheus -type f ! -name prometheus-k8s-roles.yaml ! -name prometheus-k8s-role-bindings.yaml -exec kubectl --namespace "$NAMESPACE" apply -f {} \;
+kubectl apply -f manifests/prometheus/prometheus-k8s-roles.yaml
+kubectl apply -f manifests/prometheus/prometheus-k8s-role-bindings.yaml
 kctl apply -f manifests/alertmanager/
 
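Review bot: The two direct `kubectl apply` lines for the roles and role bindings omit `--namespace "$NAMESPACE"`, which the `find -exec` line on the same hunk still passes, while the RoleBindings in prometheus-k8s-role-bindings.yaml hard-code `namespace: monitoring` for both the binding and the ServiceAccount subject. If `NAMESPACE` is ever set to something other than `monitoring` the Prometheus pods run under a ServiceAccount that no binding references and every discovery call is denied, so either state at the top of the script that `NAMESPACE` must stay `monitoring` for the RBAC manifests to line up, or derive the namespace in the manifests from the same variable; the teardown hunk has the same mismatch. Separately, `find … -exec kubectl … apply -f {} \;` swallows a non-zero exit from any single `kubectl apply`, so a rejected manifest does not stop the script even if it uses `set -e`; `for f in $(find manifests/prometheus -type f ! -name prometheus-k8s-roles.yaml ! -name prometheus-k8s-role-bindings.yaml); do kubectl --namespace "$NAMESPACE" apply -f "$f"; done` keeps the failure visible. Whether `kctl` already injects the namespace is not visible in this hunk.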
diff --git a/hack/cluster-monitoring/teardown b/hack/cluster-monitoring/teardown
index 9fcc4513..ac4d222d 100755
--- a/hack/cluster-monitoring/teardown
+++ b/hack/cluster-monitoring/teardown
@@ -15,7 +15,9 @@ kctl() {
 kctl delete -f manifests/node-exporter
 kctl delete -f manifests/kube-state-metrics
 kctl delete -f manifests/grafana
-kctl delete -f manifests/prometheus
+find manifests/prometheus -type f ! -name prometheus-k8s-roles.yaml ! -name prometheus-k8s-role-bindings.yaml -exec kubectl --namespace "$NAMESPACE" delete -f {} \;
+kubectl delete -f manifests/prometheus/prometheus-k8s-roles.yaml
+kubectl delete -f manifests/prometheus/prometheus-k8s-role-bindings.yaml
 kctl delete -f manifests/alertmanager
 
 # Hack: wait a bit to let the controller delete the deployed Prometheus server.
diff --git a/manifests/prometheus/prometheus-cluster-role-binding.yaml b/manifests/prometheus/prometheus-cluster-role-binding.yaml
deleted file mode 100644
index 3600490f..00000000
--- a/manifests/prometheus/prometheus-cluster-role-binding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: prometheus
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: prometheus
-subjects:
-- kind: ServiceAccount
-  name: prometheus-k8s
-  namespace: monitoring
diff --git a/manifests/prometheus/prometheus-cluster-role.yaml b/manifests/prometheus/prometheus-cluster-role.yaml
deleted file mode 100644
index a85422ec..00000000
--- a/manifests/prometheus/prometheus-cluster-role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: prometheus
-rules:
-- apiGroups: [""]
-  resources:
-  - nodes
-  - services
-  - endpoints
-  - pods
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources:
-  - configmaps
-  verbs: ["get"]
-- nonResourceURLs: ["/metrics"]
-  verbs: ["get"]
diff --git a/manifests/prometheus/prometheus-k8s-role-bindings.yaml b/manifests/prometheus/prometheus-k8s-role-bindings.yaml
new file mode 100644
index 00000000..5f190e7a
--- /dev/null
+++ b/manifests/prometheus/prometheus-k8s-role-bindings.yaml
@@ -0,0 +1,54 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-k8s
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring
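Review bot: The file binds the ServiceAccount into exactly three namespaces (`monitoring`, `kube-system`, `default`) without saying so anywhere, which is the kind of least-privilege boundary that gets silently widened back to a ClusterRoleBinding when someone's targets in another namespace stop being scraped. A header comment stating the contract would prevent that: `# Prometheus may only discover services/endpoints/pods in the namespaces bound below; scraping another namespace needs a matching Role + RoleBinding pair, not a ClusterRoleBinding.` The `namespace: monitoring` on each subject must also match the namespace the deploy script creates the `prometheus-k8s` ServiceAccount in; that value is hard-coded here but taken from `$NAMESPACE` in hack/cluster-monitoring/deploy.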
diff --git a/manifests/prometheus/prometheus-k8s-roles.yaml b/manifests/prometheus/prometheus-k8s-roles.yaml
new file mode 100644
index 00000000..7a3efa90
--- /dev/null
+++ b/manifests/prometheus/prometheus-k8s-roles.yaml
@@ -0,0 +1,50 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: monitoring
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: kube-system
+rules:
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: default
+rules:
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: prometheus-k8s
+rules:
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
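Review bot: The `nodes` resource listed in the first Role (namespace `monitoring`) grants nothing: `nodes` is cluster-scoped, and a namespaced Role can only confer access to namespaced resources, so `kubectl auth can-i list nodes --as=system:serviceaccount:monitoring:prometheus-k8s` is still denied after this patch. If the Prometheus configuration relies on node discovery or on reaching kubelets through the API server proxy, the rule belongs in the ClusterRole in the last document (for the proxy path the `nodes/metrics` subresource is what is checked); if it does not, drop the line so the manifest does not advertise a permission it cannot grant. A comment above the ClusterRole, `# cluster-scoped: /metrics and node access cannot be granted by a namespaced Role`, would make the split between the Roles and the ClusterRole self-explanatory. Which scrape configs Prometheus uses is outside this diff, so this is inferred from the previous ClusterRole's rules.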
-- 
GitLab