diff --git a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
index 4b091e9ae6e3d92c20317ed597ecd1e85b585f45..2fee6e1ecc2e4a8eb42d67b55424af7acf0b6873 100644
--- a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
@@ -58,8 +58,6 @@ local defaults = {
};
-
-
function(params) {
local am = self,
config:: defaults + params,
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 769b1beed50afa1989782f2d732f83046be9d9e4..ce421209e7235ec12f158de362d5e435325d37c1 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -92,191 +92,191 @@ function(params) {
// Safety check
assert std.isObject(bb.config.resources),
- configuration: {
- apiVersion: 'v1',
- kind: 'ConfigMap',
- metadata: {
- name: 'blackbox-exporter-configuration',
- namespace: bb.config.namespace,
- labels: bb.config.commonLabels,
- },
- data: {
- 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
- },
- },
+ configuration: {
+ apiVersion: 'v1',
+ kind: 'ConfigMap',
+ metadata: {
+ name: 'blackbox-exporter-configuration',
+ namespace: bb.config.namespace,
+ labels: bb.config.commonLabels,
+ },
+ data: {
+ 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
+ },
+ },
- serviceAccount: {
- apiVersion: 'v1',
- kind: 'ServiceAccount',
- metadata: {
- name: 'blackbox-exporter',
- namespace: bb.config.namespace,
- },
- },
+ serviceAccount: {
+ apiVersion: 'v1',
+ kind: 'ServiceAccount',
+ metadata: {
+ name: 'blackbox-exporter',
+ namespace: bb.config.namespace,
+ },
+ },
- clusterRole: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRole',
- metadata: {
- name: 'blackbox-exporter',
- },
- rules: [
- {
- apiGroups: ['authentication.k8s.io'],
- resources: ['tokenreviews'],
- verbs: ['create'],
- },
- {
- apiGroups: ['authorization.k8s.io'],
- resources: ['subjectaccessreviews'],
- verbs: ['create'],
- },
- ],
+ clusterRole: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ rules: [
+ {
+ apiGroups: ['authentication.k8s.io'],
+ resources: ['tokenreviews'],
+ verbs: ['create'],
},
-
- clusterRoleBinding: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRoleBinding',
- metadata: {
- name: 'blackbox-exporter',
- },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
- name: 'blackbox-exporter',
- },
- subjects: [{
- kind: 'ServiceAccount',
- name: 'blackbox-exporter',
- namespace: bb.config.namespace,
- }],
+ {
+ apiGroups: ['authorization.k8s.io'],
+ resources: ['subjectaccessreviews'],
+ verbs: ['create'],
},
+ ],
+ },
- deployment:
- local blackboxExporter = {
- name: 'blackbox-exporter',
- image: bb.config.image,
- args: [
- '--config.file=/etc/blackbox_exporter/config.yml',
- '--web.listen-address=:%d' % bb.config.internalPort,
- ],
- ports: [{
- name: 'http',
- containerPort: bb.config.internalPort,
- }],
- resources: bb.config.resources,
- securityContext: if bb.config.privileged then {
- runAsNonRoot: false,
- capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
- } else {
- runAsNonRoot: true,
- runAsUser: 65534,
- },
- volumeMounts: [{
- mountPath: '/etc/blackbox_exporter/',
- name: 'config',
- readOnly: true,
- }],
- };
+ clusterRoleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRoleBinding',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'blackbox-exporter',
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: 'blackbox-exporter',
+ namespace: bb.config.namespace,
+ }],
+ },
+
+ deployment:
+ local blackboxExporter = {
+ name: 'blackbox-exporter',
+ image: bb.config.image,
+ args: [
+ '--config.file=/etc/blackbox_exporter/config.yml',
+ '--web.listen-address=:%d' % bb.config.internalPort,
+ ],
+ ports: [{
+ name: 'http',
+ containerPort: bb.config.internalPort,
+ }],
+ resources: bb.config.resources,
+ securityContext: if bb.config.privileged then {
+ runAsNonRoot: false,
+ capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
+ } else {
+ runAsNonRoot: true,
+ runAsUser: 65534,
+ },
+ volumeMounts: [{
+ mountPath: '/etc/blackbox_exporter/',
+ name: 'config',
+ readOnly: true,
+ }],
+ };
- local reloader = {
- name: 'module-configmap-reloader',
- image: bb.config.configmapReloaderImage,
- args: [
- '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
- '--volume-dir=/etc/blackbox_exporter/',
- ],
- resources: bb.config.resources,
- securityContext: { runAsNonRoot: true, runAsUser: 65534 },
- terminationMessagePath: '/dev/termination-log',
- terminationMessagePolicy: 'FallbackToLogsOnError',
- volumeMounts: [{
- mountPath: '/etc/blackbox_exporter/',
- name: 'config',
- readOnly: true,
- }],
- };
+ local reloader = {
+ name: 'module-configmap-reloader',
+ image: bb.config.configmapReloaderImage,
+ args: [
+ '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
+ '--volume-dir=/etc/blackbox_exporter/',
+ ],
+ resources: bb.config.resources,
+ securityContext: { runAsNonRoot: true, runAsUser: 65534 },
+ terminationMessagePath: '/dev/termination-log',
+ terminationMessagePolicy: 'FallbackToLogsOnError',
+ volumeMounts: [{
+ mountPath: '/etc/blackbox_exporter/',
+ name: 'config',
+ readOnly: true,
+ }],
+ };
- local kubeRbacProxy = krp({
- name: 'kube-rbac-proxy',
- upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
- secureListenAddress: ':' + bb.config.port,
- ports: [
- { name: 'https', containerPort: bb.config.port },
- ],
- });
+ local kubeRbacProxy = krp({
+ name: 'kube-rbac-proxy',
+ upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
+ secureListenAddress: ':' + bb.config.port,
+ ports: [
+ { name: 'https', containerPort: bb.config.port },
+ ],
+ });
- {
- apiVersion: 'apps/v1',
- kind: 'Deployment',
- metadata: {
- name: 'blackbox-exporter',
- namespace: bb.config.namespace,
- labels: bb.config.commonLabels,
- },
+ {
+ apiVersion: 'apps/v1',
+ kind: 'Deployment',
+ metadata: {
+ name: 'blackbox-exporter',
+ namespace: bb.config.namespace,
+ labels: bb.config.commonLabels,
+ },
+ spec: {
+ replicas: bb.config.replicas,
+ selector: { matchLabels: bb.config.selectorLabels },
+ template: {
+ metadata: { labels: bb.config.commonLabels },
spec: {
- replicas: bb.config.replicas,
- selector: { matchLabels: bb.config.selectorLabels },
- template: {
- metadata: { labels: bb.config.commonLabels },
- spec: {
- containers: [blackboxExporter, reloader, kubeRbacProxy],
- nodeSelector: { 'kubernetes.io/os': 'linux' },
- serviceAccountName: 'blackbox-exporter',
- volumes: [{
- name: 'config',
- configMap: { name: 'blackbox-exporter-configuration' },
- }],
- },
- },
+ containers: [blackboxExporter, reloader, kubeRbacProxy],
+ nodeSelector: { 'kubernetes.io/os': 'linux' },
+ serviceAccountName: 'blackbox-exporter',
+ volumes: [{
+ name: 'config',
+ configMap: { name: 'blackbox-exporter-configuration' },
+ }],
},
},
-
- service: {
- apiVersion: 'v1',
- kind: 'Service',
- metadata: {
- name: 'blackbox-exporter',
- namespace: bb.config.namespace,
- labels: bb.config.commonLabels,
- },
- spec: {
- ports: [{
- name: 'https',
- port: bb.config.port,
- targetPort: 'https',
- }, {
- name: 'probe',
- port: bb.config.internalPort,
- targetPort: 'http',
- }],
- selector: bb.config.selectorLabels,
- },
},
+ },
- serviceMonitor:
- {
- apiVersion: 'monitoring.coreos.com/v1',
- kind: 'ServiceMonitor',
- metadata: {
- name: 'blackbox-exporter',
- namespace: bb.config.namespace,
- labels: bb.config.commonLabels,
- },
- spec: {
- endpoints: [{
- bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
- interval: '30s',
- path: '/metrics',
- port: 'https',
- scheme: 'https',
- tlsConfig: {
- insecureSkipVerify: true,
- },
- }],
- selector: {
- matchLabels: bb.config.selectorLabels,
- },
+ service: {
+ apiVersion: 'v1',
+ kind: 'Service',
+ metadata: {
+ name: 'blackbox-exporter',
+ namespace: bb.config.namespace,
+ labels: bb.config.commonLabels,
+ },
+ spec: {
+ ports: [{
+ name: 'https',
+ port: bb.config.port,
+ targetPort: 'https',
+ }, {
+ name: 'probe',
+ port: bb.config.internalPort,
+ targetPort: 'http',
+ }],
+ selector: bb.config.selectorLabels,
+ },
+ },
+
+ serviceMonitor:
+ {
+ apiVersion: 'monitoring.coreos.com/v1',
+ kind: 'ServiceMonitor',
+ metadata: {
+ name: 'blackbox-exporter',
+ namespace: bb.config.namespace,
+ labels: bb.config.commonLabels,
+ },
+ spec: {
+ endpoints: [{
+ bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
+ interval: '30s',
+ path: '/metrics',
+ port: 'https',
+ scheme: 'https',
+ tlsConfig: {
+ insecureSkipVerify: true,
},
+ }],
+ selector: {
+ matchLabels: bb.config.selectorLabels,
},
- }
+ },
+ },
+}
diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
index a5db87fe0906761e88d09a14c0889a2b8939ad2c..bc4bf7ffbe9250497313c03d1b8a62d236421f5b 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -9,33 +9,33 @@ local defaults = {
limits: { cpu: '20m', memory: '40Mi' },
},
tlsCipherSuites: [
- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
- 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
+ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
- // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
- // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
- // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
- // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
- // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
- // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
+ // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
+ // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+ // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
+ // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
+ // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+ // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
- // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
+ // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
- 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
- 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
- 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
- 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
- ],
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+ 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+ ],
};
@@ -45,19 +45,19 @@ function(params) {
// Safety check
assert std.isObject(krp.config.resources),
- name: krp.config.name,
- image: krp.config.image,
- args: [
- '--logtostderr',
- '--secure-listen-address=' + krp.config.secureListenAddress,
- '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
- '--upstream=' + krp.config.upstream,
- ],
- resources: krp.config.resources,
- ports: krp.config.ports,
- securityContext: {
- runAsUser: 65532,
- runAsGroup: 65532,
- runAsNonRoot: true,
- },
+ name: krp.config.name,
+ image: krp.config.image,
+ args: [
+ '--logtostderr',
+ '--secure-listen-address=' + krp.config.secureListenAddress,
+ '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
+ '--upstream=' + krp.config.upstream,
+ ],
+ resources: krp.config.resources,
+ ports: krp.config.ports,
+ securityContext: {
+ runAsUser: 65532,
+ runAsGroup: 65532,
+ runAsNonRoot: true,
+ },
}
diff --git a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
index 8b602f7ed78469281ab0080b354507d72fcb4375..037d023b9c3c44042c0a5b07fb4da1f440ac4fe1 100644
--- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8081/',
secureListenAddress: ':8443',
ports: [
- { name: 'https-main', containerPort: 8443, },
+ { name: 'https-main', containerPort: 8443 },
],
}),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8082/',
secureListenAddress: ':9443',
ports: [
- { name: 'https-self', containerPort: 9443, },
+ { name: 'https-self', containerPort: 9443 },
],
}),
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 63ec53b9dce8aa7ce71e12449cd6c1b4a7f06537..bb16fc41fc5556d87c8872fb9c43f175fbef89ae 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -67,8 +67,9 @@ function(params) {
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
- }],
- },
+ },
+ ],
+ },
serviceAccount: {
apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
}) + {
env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
- ]
+ ],
};
{
diff --git a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
index 4dceb06f396f8c6a3a23a9ea3eb4ea93f244fd42..4b2ac39f536589b540fd74989dc9301887270a66 100644
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -186,117 +186,117 @@ function(params) {
},
},
- serviceAccount: {
- apiVersion: 'v1',
- kind: 'ServiceAccount',
- metadata: {
- name: pa.config.name,
- namespace: pa.config.namespace,
- labels: pa.config.commonLabels,
- },
+ serviceAccount: {
+ apiVersion: 'v1',
+ kind: 'ServiceAccount',
+ metadata: {
+ name: pa.config.name,
+ namespace: pa.config.namespace,
+ labels: pa.config.commonLabels,
},
+ },
- clusterRole: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRole',
- metadata: {
- name: pa.config.name,
- labels: pa.config.commonLabels,
- },
- rules: [{
- apiGroups: [''],
- resources: ['nodes', 'namespaces', 'pods', 'services'],
- verbs: ['get', 'list', 'watch'],
- }],
+ clusterRole: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: pa.config.name,
+ labels: pa.config.commonLabels,
},
+ rules: [{
+ apiGroups: [''],
+ resources: ['nodes', 'namespaces', 'pods', 'services'],
+ verbs: ['get', 'list', 'watch'],
+ }],
+ },
- clusterRoleBinding: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRoleBinding',
- metadata: {
- name: pa.config.name,
- labels: pa.config.commonLabels,
- },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
- name: $.clusterRole.metadata.name,
- },
- subjects: [{
- kind: 'ServiceAccount',
- name: $.serviceAccount.metadata.name,
- namespace: pa.config.namespace,
- }],
+ clusterRoleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRoleBinding',
+ metadata: {
+ name: pa.config.name,
+ labels: pa.config.commonLabels,
},
-
- clusterRoleBindingDelegator: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRoleBinding',
- metadata: {
- name: 'resource-metrics:system:auth-delegator',
- labels: pa.config.commonLabels,
- },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
- name: 'system:auth-delegator',
- },
- subjects: [{
- kind: 'ServiceAccount',
- name: $.serviceAccount.metadata.name,
- namespace: pa.config.namespace,
- }],
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: $.clusterRole.metadata.name,
},
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: $.serviceAccount.metadata.name,
+ namespace: pa.config.namespace,
+ }],
+ },
- clusterRoleServerResources: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
+ clusterRoleBindingDelegator: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRoleBinding',
+ metadata: {
+ name: 'resource-metrics:system:auth-delegator',
+ labels: pa.config.commonLabels,
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
- metadata: {
- name: 'resource-metrics-server-resources',
- labels: pa.config.commonLabels,
- },
- rules: [{
- apiGroups: ['metrics.k8s.io'],
- resources: ['*'],
- verbs: ['*'],
- }],
+ name: 'system:auth-delegator',
},
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: $.serviceAccount.metadata.name,
+ namespace: pa.config.namespace,
+ }],
+ },
- clusterRoleAggregatedMetricsReader: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'ClusterRole',
- metadata: {
- name: 'system:aggregated-metrics-reader',
- labels: {
- 'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
- 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
- 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
- } + pa.config.commonLabels,
- },
- rules: [{
- apiGroups: ['metrics.k8s.io'],
- resources: ['pods', 'nodes'],
- verbs: ['get', 'list', 'watch'],
- }],
+ clusterRoleServerResources: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: 'resource-metrics-server-resources',
+ labels: pa.config.commonLabels,
},
+ rules: [{
+ apiGroups: ['metrics.k8s.io'],
+ resources: ['*'],
+ verbs: ['*'],
+ }],
+ },
- roleBindingAuthReader: {
- apiVersion: 'rbac.authorization.k8s.io/v1',
- kind: 'RoleBinding',
- metadata: {
- name: 'resource-metrics-auth-reader',
- namespace: 'kube-system',
- labels: pa.config.commonLabels,
- },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'Role',
- name: 'extension-apiserver-authentication-reader',
- },
- subjects: [{
- kind: 'ServiceAccount',
- name: $.serviceAccount.metadata.name,
- namespace: pa.config.namespace,
- }],
+ clusterRoleAggregatedMetricsReader: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: 'system:aggregated-metrics-reader',
+ labels: {
+ 'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+ } + pa.config.commonLabels,
},
+ rules: [{
+ apiGroups: ['metrics.k8s.io'],
+ resources: ['pods', 'nodes'],
+ verbs: ['get', 'list', 'watch'],
+ }],
+ },
+
+ roleBindingAuthReader: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'RoleBinding',
+ metadata: {
+ name: 'resource-metrics-auth-reader',
+ namespace: 'kube-system',
+ labels: pa.config.commonLabels,
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'Role',
+ name: 'extension-apiserver-authentication-reader',
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: $.serviceAccount.metadata.name,
+ namespace: pa.config.namespace,
+ }],
+ },
}