From 85d6c48f9869318115ea12b30eff77f29bbe4076 Mon Sep 17 00:00:00 2001 From: prune Date: Thu, 26 Jul 2018 14:58:12 -0400 Subject: [PATCH 1/3] allow creation of role and rolebindings for other namespaces in jsonnet --- docs/monitoring-other-namespaces.md | 28 +++++++++++++++ .../prometheus/prometheus.libsonnet | 36 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 docs/monitoring-other-namespaces.md diff --git a/docs/monitoring-other-namespaces.md b/docs/monitoring-other-namespaces.md new file mode 100644 index 00000000..c1ee7ae7 --- /dev/null +++ b/docs/monitoring-other-namespaces.md @@ -0,0 +1,28 @@ +# Monitoring other Kubernetes Namespaces +This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install. + +# Setup +You have to give the list of the Namespaces that you want to be able to monitor. +This is done in the variable `prometheus.roleSpecificNamespaces`. You usually set this in your `.jsonnet` file when building the manifests. + +Ex to create the needed `Role` and `Rolebindig` for the Namespace `foo` : +``` +local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + { + _config+:: { + namespace: 'monitoring', + + prometheus+:: { + roleSpecificNamespaces: ["foo"], + }, + }, +}; + +{ ['00namespace-' + name]: kp.kubePrometheus[name] for name in std.objectFields(kp.kubePrometheus) } + +{ ['0prometheus-operator-' + name]: kp.prometheusOperator[name] for name in std.objectFields(kp.prometheusOperator) } + +{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + +{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + +{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + +{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + +{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) } + +``` \ No newline at end of file diff --git a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet index e84986f5..d4010d5b 100644 --- a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet +++ b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet @@ -21,6 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; replicas: 2, rules: {}, renderedRules: {}, + roleSpecificNamespaces: [], }, }, @@ -65,6 +66,20 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), + roleBindingSpecificNamespace: + local roleBinding = k.rbac.v1.roleBinding; + + local newSpecificRoleBinding(namespace) = + roleBinding.new() + + roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + + roleBinding.mixin.metadata.withNamespace(namespace) + + roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + + roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + + roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + + roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: namespace }]); + + local roleBindigList = k.rbac.v1.roleBindingList; + roleBindigList.new([newSpecificRoleBinding(x) for x in $._config.prometheus.roleSpecificNamespaces]), clusterRole: local clusterRole = k.rbac.v1.clusterRole; local policyRule = clusterRole.rulesType; @@ -163,6 +178,27 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + role.mixin.metadata.withNamespace('default') + role.withRules(coreRule), + roleSpecificNamespace: + local role = k.rbac.v1.role; + local policyRule = role.rulesType; + local coreRule = policyRule.new() + + policyRule.withApiGroups(['']) + + policyRule.withResources([ + 'nodes', + 'services', + 'endpoints', + 'pods', + ]) + + policyRule.withVerbs(['get', 'list', 'watch']); + + local newSpecificRole(namespace) = + role.new() + + role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + + role.mixin.metadata.withNamespace(namespace) + + role.withRules(coreRule); + + local roleList = k.rbac.v1.roleList; + roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]), roleBindingKubeSystem: local roleBinding = k.rbac.v1.roleBinding; From 88f79258f50632eb5d061470e416474b3cece513 Mon Sep 17 00:00:00 2001 From: prune Date: Fri, 27 Jul 2018 07:05:42 -0400 Subject: [PATCH 2/3] replaced default namespaces rbac rules by a loop --- docs/monitoring-other-namespaces.md | 4 +- .../prometheus/prometheus.libsonnet | 86 +------------------ 2 files changed, 3 insertions(+), 87 deletions(-) diff --git a/docs/monitoring-other-namespaces.md b/docs/monitoring-other-namespaces.md index c1ee7ae7..56c72062 100644 --- a/docs/monitoring-other-namespaces.md +++ b/docs/monitoring-other-namespaces.md @@ -1,5 +1,5 @@ # Monitoring other Kubernetes Namespaces -This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install. +This guide will help you monitor applications in other Namespaces. By default the RBAC rules are only enabled for the `Default` and `kube-system` Namespace during Install. # Setup You have to give the list of the Namespaces that you want to be able to monitor. @@ -12,7 +12,7 @@ local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + { namespace: 'monitoring', prometheus+:: { - roleSpecificNamespaces: ["foo"], + namespaces: ["default", "kube-system","foo"], }, }, }; diff --git a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet index d4010d5b..375a8b70 100644 --- a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet +++ b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet @@ -21,7 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; replicas: 2, rules: {}, renderedRules: {}, - roleSpecificNamespaces: [], + namespaces: ["default", "kube-system",$._config.namespace], }, }, @@ -56,16 +56,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; groups: $._config.prometheus.rules.groups, }, }, - roleBindingDefault: - local roleBinding = k.rbac.v1.roleBinding; - - roleBinding.new() + - roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.metadata.withNamespace('default') + - roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + - roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + - roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), roleBindingSpecificNamespace: local roleBinding = k.rbac.v1.roleBinding; @@ -123,16 +113,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name + '-config') + roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), - roleBindingNamespace: - local roleBinding = k.rbac.v1.roleBinding; - - roleBinding.new() + - roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.metadata.withNamespace($._config.namespace) + - roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + - roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + - roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), clusterRoleBinding: local clusterRoleBinding = k.rbac.v1.clusterRoleBinding; @@ -142,42 +122,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; clusterRoleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) + clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), - roleKubeSystem: - local role = k.rbac.v1.role; - local policyRule = role.rulesType; - - local coreRule = policyRule.new() + - policyRule.withApiGroups(['']) + - policyRule.withResources([ - 'nodes', - 'services', - 'endpoints', - 'pods', - ]) + - policyRule.withVerbs(['get', 'list', 'watch']); - - role.new() + - role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - role.mixin.metadata.withNamespace('kube-system') + - role.withRules(coreRule), - roleDefault: - local role = k.rbac.v1.role; - local policyRule = role.rulesType; - - local coreRule = policyRule.new() + - policyRule.withApiGroups(['']) + - policyRule.withResources([ - 'nodes', - 'services', - 'endpoints', - 'pods', - ]) + - policyRule.withVerbs(['get', 'list', 'watch']); - - role.new() + - role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - role.mixin.metadata.withNamespace('default') + - role.withRules(coreRule), roleSpecificNamespace: local role = k.rbac.v1.role; local policyRule = role.rulesType; @@ -199,34 +143,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; local roleList = k.rbac.v1.roleList; roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]), - roleBindingKubeSystem: - local roleBinding = k.rbac.v1.roleBinding; - - roleBinding.new() + - roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.metadata.withNamespace('kube-system') + - roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') + - roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + - roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + - roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), - roleNamespace: - local role = k.rbac.v1.role; - local policyRule = role.rulesType; - - local coreRule = policyRule.new() + - policyRule.withApiGroups(['']) + - policyRule.withResources([ - 'nodes', - 'services', - 'endpoints', - 'pods', - ]) + - policyRule.withVerbs(['get', 'list', 'watch']); - - role.new() + - role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) + - role.mixin.metadata.withNamespace($._config.namespace) + - role.withRules(coreRule), prometheus: local container = k.core.v1.pod.mixin.spec.containersType; local resourceRequirements = container.mixin.resourcesType; From 20ec197cd443556cbbae5556668d15dff95fbb26 Mon Sep 17 00:00:00 2001 From: prune Date: Fri, 27 Jul 2018 07:47:03 -0400 Subject: [PATCH 3/3] set right variable name --- jsonnet/kube-prometheus/prometheus/prometheus.libsonnet | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet index 375a8b70..330a022e 100644 --- a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet +++ b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet @@ -69,7 +69,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: namespace }]); local roleBindigList = k.rbac.v1.roleBindingList; - roleBindigList.new([newSpecificRoleBinding(x) for x in $._config.prometheus.roleSpecificNamespaces]), + roleBindigList.new([newSpecificRoleBinding(x) for x in $._config.prometheus.namespaces]), clusterRole: local clusterRole = k.rbac.v1.clusterRole; local policyRule = clusterRole.rulesType; @@ -142,7 +142,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; role.withRules(coreRule); local roleList = k.rbac.v1.roleList; - roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]), + roleList.new([newSpecificRole(x) for x in $._config.prometheus.namespaces]), prometheus: local container = k.core.v1.pod.mixin.spec.containersType; local resourceRequirements = container.mixin.resourcesType;