diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 91f2d29f2f2d75dce72903d91943236cac6c258c..8bd08e12ee870c96a8bab8b28e37e7a34007888a 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -106,6 +106,44 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
},
},
+ clusterRole: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ rules: [
+ {
+ apiGroups: ['authentication.k8s.io'],
+ resources: ['tokenreviews'],
+ verbs: ['create'],
+ },
+ {
+ apiGroups: ['authorization.k8s.io'],
+ resources: ['subjectaccessreviews'],
+ verbs: ['create'],
+ },
+ ],
+ },
+
+ clusterRoleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRoleBinding',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'blackbox-exporter',
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: 'blackbox-exporter',
+ namespace: $._config.namespace,
+ }],
+ },
+
deployment: {
apiVersion: 'apps/v1',
kind: 'Deployment',
@@ -206,6 +244,7 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
},
spec: {
endpoints: [{
+ bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'http',
diff --git a/kustomization.yaml b/kustomization.yaml
index bd00d54fcf6b34d99cf2e8ea4ffe1acdfbaec7b1..7066018a01560f7e1e5b940a699fe58b39b5fbc9 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
- ./manifests/alertmanager-service.yaml
- ./manifests/alertmanager-serviceAccount.yaml
- ./manifests/alertmanager-serviceMonitor.yaml
+- ./manifests/blackbox-exporter-clusterRole.yaml
+- ./manifests/blackbox-exporter-clusterRoleBinding.yaml
- ./manifests/blackbox-exporter-configuration.yaml
- ./manifests/blackbox-exporter-deployment.yaml
- ./manifests/blackbox-exporter-service.yaml
diff --git a/manifests/blackbox-exporter-clusterRole.yaml b/manifests/blackbox-exporter-clusterRole.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c7824058e1b24902c6eaf01dd8b48e2bb213a523
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: blackbox-exporter
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/manifests/blackbox-exporter-clusterRoleBinding.yaml b/manifests/blackbox-exporter-clusterRoleBinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7b3ae320903f9916cd2ed4191139142db3eb1558
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: blackbox-exporter
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: blackbox-exporter
+subjects:
+- kind: ServiceAccount
+ name: blackbox-exporter
+ namespace: monitoring
diff --git a/manifests/blackbox-exporter-serviceMonitor.yaml b/manifests/blackbox-exporter-serviceMonitor.yaml
index add643595286ee813f2d1e218580258fafecf4ae..81eec23d4175a2ca1a9e370f23fff5cee33fa547 100644
--- a/manifests/blackbox-exporter-serviceMonitor.yaml
+++ b/manifests/blackbox-exporter-serviceMonitor.yaml
@@ -8,7 +8,8 @@ metadata:
namespace: monitoring
spec:
endpoints:
- - interval: 30s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
path: /metrics
port: http
scheme: https