From dcd99f7d6834df5e2800c8cdc8703c003cb50bec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= <tamas.palfalvi@inbuss.hu>
Date: Sat, 26 Dec 2020 13:14:40 +0100
Subject: [PATCH] set up authorization for blackbox-exporter

---
 .../blackbox-exporter.libsonnet               | 39 +++++++++++++++++++
 kustomization.yaml                            |  2 +
 manifests/blackbox-exporter-clusterRole.yaml  | 17 ++++++++
 .../blackbox-exporter-clusterRoleBinding.yaml | 12 ++++++
 .../blackbox-exporter-serviceMonitor.yaml     |  3 +-
 5 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 manifests/blackbox-exporter-clusterRole.yaml
 create mode 100644 manifests/blackbox-exporter-clusterRoleBinding.yaml

diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 91f2d29f..8bd08e12 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -106,6 +106,44 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
         },
       },
 
+      clusterRole: {
+        apiVersion: 'rbac.authorization.k8s.io/v1',
+        kind: 'ClusterRole',
+        metadata: {
+          name: 'blackbox-exporter',
+        },
+        rules: [
+          {
+            apiGroups: ['authentication.k8s.io'],
+            resources: ['tokenreviews'],
+            verbs: ['create'],
+          },
+          {
+            apiGroups: ['authorization.k8s.io'],
+            resources: ['subjectaccessreviews'],
+            verbs: ['create'],
+          },
+        ],
+      },
+
+      clusterRoleBinding: {
+        apiVersion: 'rbac.authorization.k8s.io/v1',
+        kind: 'ClusterRoleBinding',
+        metadata: {
+          name: 'blackbox-exporter',
+        },
+        roleRef: {
+          apiGroup: 'rbac.authorization.k8s.io',
+          kind: 'ClusterRole',
+          name: 'blackbox-exporter',
+        },
+        subjects: [{
+          kind: 'ServiceAccount',
+          name: 'blackbox-exporter',
+          namespace: $._config.namespace,
+        }],
+      },
+
       deployment: {
         apiVersion: 'apps/v1',
         kind: 'Deployment',
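Review bot: The ClusterRole at lines 24-42 grants cluster-wide create on tokenreviews and subjectaccessreviews with no comment saying why, which is exactly the kind of grant a later reviewer will try to trim; since this file builds the deployment on kube-rbac-proxy (imported at the hunk header), add `// Required by the kube-rbac-proxy sidecar: TokenReview authenticates the scraper's bearer token, SubjectAccessReview authorizes it.` above `clusterRole:`. Both new objects hard-code the name 'blackbox-exporter' while the binding's subject namespace is taken from `$._config.namespace`; if the library is ever instantiated more than once in a cluster, the cluster-scoped names collide, so consider deriving the name from config the same way the namespace is. The same two points apply to the rendered manifests in the two new YAML files. The enclosing object starts and ends outside the hunk.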
@@ -206,6 +244,7 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
           },
           spec: {
             endpoints: [{
+              bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
               interval: '30s',
               path: '/metrics',
               port: 'http',
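Review bot: Adding `bearerTokenFile` at line 69 only makes Prometheus present its ServiceAccount token; the scrape then succeeds only if the sidecar's SubjectAccessReview passes for that ServiceAccount, and nothing in this patch grants that (the proxy's configured resource or nonResourceURL and the Prometheus ServiceAccount's role are outside the diff). Confirm the existing Prometheus ClusterRole covers whatever the sidecar checks, otherwise scrapes fail with 403 once authorization is enforced. A one-line comment on the new line would help, e.g. `// In-cluster ServiceAccount token of the Prometheus pod, presented to the kube-rbac-proxy sidecar.` The endpoints object continues past the hunk, so the TLS settings for this endpoint are not visible here.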
diff --git a/kustomization.yaml b/kustomization.yaml
index bd00d54f..7066018a 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
 - ./manifests/alertmanager-service.yaml
 - ./manifests/alertmanager-serviceAccount.yaml
 - ./manifests/alertmanager-serviceMonitor.yaml
+- ./manifests/blackbox-exporter-clusterRole.yaml
+- ./manifests/blackbox-exporter-clusterRoleBinding.yaml
 - ./manifests/blackbox-exporter-configuration.yaml
 - ./manifests/blackbox-exporter-deployment.yaml
 - ./manifests/blackbox-exporter-service.yaml
diff --git a/manifests/blackbox-exporter-clusterRole.yaml b/manifests/blackbox-exporter-clusterRole.yaml
new file mode 100644
index 00000000..c7824058
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: blackbox-exporter
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
diff --git a/manifests/blackbox-exporter-clusterRoleBinding.yaml b/manifests/blackbox-exporter-clusterRoleBinding.yaml
new file mode 100644
index 00000000..7b3ae320
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: blackbox-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: blackbox-exporter
+subjects:
+- kind: ServiceAccount
+  name: blackbox-exporter
+  namespace: monitoring
diff --git a/manifests/blackbox-exporter-serviceMonitor.yaml b/manifests/blackbox-exporter-serviceMonitor.yaml
index add64359..81eec23d 100644
--- a/manifests/blackbox-exporter-serviceMonitor.yaml
+++ b/manifests/blackbox-exporter-serviceMonitor.yaml
@@ -8,7 +8,8 @@ metadata:
   namespace: monitoring
 spec:
   endpoints:
-  - interval: 30s
+  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    interval: 30s
     path: /metrics
     port: http
     scheme: https
-- 
GitLab