From bf67031b5c9b208935d06ce661a227e9e32324db Mon Sep 17 00:00:00 2001
From: Frederic Branczyk
Date: Wed, 22 Mar 2017 19:36:17 +0100
Subject: [PATCH 1/2] kube-prometheus: add RBAC resources
---
hack/cluster-monitoring/deploy | 5 ++-
hack/cluster-monitoring/teardown | 2 +-
...metheus-operator-cluster-role-binding.yaml | 12 ++++++
.../prometheus-operator-cluster-role.yaml | 42 +++++++++++++++++++
.../prometheus-operator-service-account.yaml | 4 ++
.../prometheus-operator.yaml | 5 ++-
.../prometheus-cluster-role-binding.yaml | 12 ++++++
.../prometheus/prometheus-cluster-role.yaml | 16 +++++++
.../prometheus-k8s-service-account.yaml | 4 ++
manifests/prometheus/prometheus-k8s.yaml | 1 +
10 files changed, 99 insertions(+), 4 deletions(-)
create mode 100644 manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
create mode 100644 manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
create mode 100644 manifests/prometheus-operator/prometheus-operator-service-account.yaml
rename manifests/{ => prometheus-operator}/prometheus-operator.yaml (74%)
create mode 100644 manifests/prometheus/prometheus-cluster-role-binding.yaml
create mode 100644 manifests/prometheus/prometheus-cluster-role.yaml
create mode 100644 manifests/prometheus/prometheus-k8s-service-account.yaml
diff --git a/hack/cluster-monitoring/deploy b/hack/cluster-monitoring/deploy
index 9ad91eb0..098af134 100755
--- a/hack/cluster-monitoring/deploy
+++ b/hack/cluster-monitoring/deploy
@@ -14,7 +14,7 @@ kctl() { kubectl --namespace "$NAMESPACE" "$@" } -kctl apply -f manifests/prometheus-operator.yaml +kctl apply -f manifests/prometheus-operator # Wait for TPRs to be ready. printf "Waiting for Operator to register third party objects..."
@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml +kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml +kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml +kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml kctl apply -f manifests/alertmanager/alertmanager-config.yaml kctl apply -f manifests/alertmanager/alertmanager-service.yaml
diff --git a/hack/cluster-monitoring/teardown b/hack/cluster-monitoring/teardown
index 45ae61ed..e5e0d9a6 100755
--- a/hack/cluster-monitoring/teardown
+++ b/hack/cluster-monitoring/teardown
@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager # Hack: wait a bit to let the controller delete the deployed Prometheus server. sleep 5
-kctl delete -f manifests/prometheus-operator.yaml
+kctl delete -f manifests/prometheus-operator
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
new file mode 100644
index 00000000..bd69276f
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+ name: prometheus-operator
+ namespace: default
diff --git a/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
new file mode 100644
index 00000000..c7bebb9d
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-cluster-role.yaml
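Review bot: The subject of this ClusterRoleBinding is pinned to `namespace: default`, while the prometheus-operator ServiceAccount added in the same patch carries no `metadata.namespace` and is applied through `kctl`, which passes `--namespace "$NAMESPACE"`; unless `$NAMESPACE` happens to be `default`, the binding points at an account that does not exist and the operator pod runs with no API permissions under RBAC (and any same-named account that does exist in `default` silently receives this cluster role instead). The prometheus and kube-state-metrics bindings in this series hard-code `namespace: monitoring` for the same kind of subject, so the three disagree with each other and none of them follows `$NAMESPACE`. Either set the subject namespace identically in all three bindings to the namespace the deploy script targets, or add `metadata.namespace` to the three ServiceAccount manifests so the pairing is explicit and survives a different `$NAMESPACE`. The new RBAC objects also all use `rbac.authorization.k8s.io/v1alpha1`, an alpha API version, so confirm the target cluster still serves it.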
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+ name: prometheus-operator
+rules:
+- apiGroups:
+ - extensions
+ resources:
+ - thirdpartyresources
+ verbs:
+ - create
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - alertmanagers
+ - prometheuses
+ - servicemonitors
+ verbs:
+ - "*"
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs: ["*"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - secrets
+ verbs: ["*"]
+- apiGroups: [""]
+ resources:
+ - pods
+ verbs: ["list", "delete"]
+- apiGroups: [""]
+ resources:
+ - services
+ - endpoints
+ verbs: ["get", "create", "update"]
+- apiGroups: [""]
+ resources:
+ - nodes
+ verbs: ["list", "watch"]
diff --git a/manifests/prometheus-operator/prometheus-operator-service-account.yaml b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
new file mode 100644
index 00000000..38d18cce
--- /dev/null
+++ b/manifests/prometheus-operator/prometheus-operator-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus-operator
diff --git a/manifests/prometheus-operator.yaml b/manifests/prometheus-operator/prometheus-operator.yaml
similarity index 74%
rename from manifests/prometheus-operator.yaml
rename to manifests/prometheus-operator/prometheus-operator.yaml
index 06ddf799..06232af0 100644
--- a/manifests/prometheus-operator.yaml
+++ b/manifests/prometheus-operator/prometheus-operator.yaml
@@ -11,12 +11,13 @@ spec: labels: operator: prometheus spec: + serviceAccountName: prometheus-operator containers: - name: prometheus-operator image: quay.io/coreos/prometheus-operator:v0.7.0 args: - - "--kubelet-object=kube-system/kubelet" - - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1" + - "--kubelet-object=kube-system/kubelet" + - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1" resources: requests: cpu: 100m
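Review bot: The `configmaps`/`secrets` rule grants `verbs: ["*"]` with no namespace scope, so the operator's ServiceAccount can read and modify every Secret in the cluster (which on clusters of this era typically includes the token Secrets of every other ServiceAccount); a compromise of the operator pod then becomes cluster-wide secret access. Spell out the verbs the operator actually issues instead of the wildcard, e.g. `verbs: ["get", "list", "watch", "create", "update", "delete"]`, and do the same for the `statefulsets` and `monitoring.coreos.com` rules, since `*` also matches any verb the API server introduces later. If the operator only writes the Secrets and ConfigMaps it owns and never reads arbitrary ones, the read verbs can be dropped from that rule as well. As a matter of style, the file mixes block-style (`- "*"`) and flow-style (`["*"]`) verb lists and uses block-style `apiGroups` where the prometheus and kube-state-metrics roles use flow style; one form throughout makes the rules easier to audit side by side.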
diff --git a/manifests/prometheus/prometheus-cluster-role-binding.yaml b/manifests/prometheus/prometheus-cluster-role-binding.yaml
new file mode 100644
index 00000000..e337527f
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: monitoring
diff --git a/manifests/prometheus/prometheus-cluster-role.yaml b/manifests/prometheus/prometheus-cluster-role.yaml
new file mode 100644
index 00000000..458c6158
--- /dev/null
+++ b/manifests/prometheus/prometheus-cluster-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+ name: prometheus
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
diff --git a/manifests/prometheus/prometheus-k8s-service-account.yaml b/manifests/prometheus/prometheus-k8s-service-account.yaml
new file mode 100644
index 00000000..58d5342d
--- /dev/null
+++ b/manifests/prometheus/prometheus-k8s-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus-k8s
diff --git a/manifests/prometheus/prometheus-k8s.yaml b/manifests/prometheus/prometheus-k8s.yaml
index 23156650..a8a14910 100644
--- a/manifests/prometheus/prometheus-k8s.yaml
+++ b/manifests/prometheus/prometheus-k8s.yaml
@@ -7,6 +7,7 @@ metadata: spec: replicas: 2 version: v1.5.2 + serviceAccountName: prometheus-k8s serviceMonitorSelector: matchExpression: - {key: k8s-apps, operator: Exists}
From bbd5684b43638b199ee3057f74e7994de01f14f7 Mon Sep 17 00:00:00 2001
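Review bot: The second rule of the prometheus ClusterRole grants `get` on ConfigMaps in every namespace, which goes beyond the read-only discovery access (`nodes`, `services`, `endpoints`, `pods`) of the first rule and is the only part of this role that reaches into other namespaces' configuration. If the Prometheus pod only consumes ConfigMaps mounted as volumes, which needs no RBAC, the rule can be dropped; if something in the pod does fetch ConfigMaps through the API, a namespaced Role plus RoleBinding in the deployment namespace keeps the cluster-wide role limited to discovery — confirm which it is before narrowing. The prometheus-k8s hunk at the end of this line only wires `serviceAccountName: prometheus-k8s` into the Prometheus object, so the effective permissions are exactly what this role lists; that Prometheus object's spec starts and ends outside the hunk.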
From: Frederic Branczyk
Date: Thu, 23 Mar 2017 13:39:32 +0100
Subject: [PATCH 2/2] kube-prometheus: add RBAC roles for kube-state-metrics
---
...kube-state-metrics-cluster-role-binding.yaml | 12 ++++++++++++
.../kube-state-metrics-cluster-role.yaml | 17 +++++++++++++++++
.../kube-state-metrics-deployment.yaml | 1 +
.../kube-state-metrics-service-account.yaml | 4 ++++
4 files changed, 34 insertions(+)
create mode 100644 manifests/exporters/kube-state-metrics-cluster-role-binding.yaml
create mode 100644 manifests/exporters/kube-state-metrics-cluster-role.yaml
create mode 100644 manifests/exporters/kube-state-metrics-service-account.yaml
diff --git a/manifests/exporters/kube-state-metrics-cluster-role-binding.yaml b/manifests/exporters/kube-state-metrics-cluster-role-binding.yaml
new file mode 100644
index 00000000..d7e421e6
--- /dev/null
+++ b/manifests/exporters/kube-state-metrics-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+ name: kube-state-metrics
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+ name: kube-state-metrics
+ namespace: monitoring
diff --git a/manifests/exporters/kube-state-metrics-cluster-role.yaml b/manifests/exporters/kube-state-metrics-cluster-role.yaml
new file mode 100644
index 00000000..fdbd41db
--- /dev/null
+++ b/manifests/exporters/kube-state-metrics-cluster-role.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+ name: kube-state-metrics
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - pods
+ - resourcequotas
+ verbs: ["list", "watch"]
+- apiGroups: ["extensions"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ verbs: ["list", "watch"]
diff --git a/manifests/exporters/kube-state-metrics-deployment.yaml b/manifests/exporters/kube-state-metrics-deployment.yaml
index 3fec8cad..4a4e9ffd 100644
--- a/manifests/exporters/kube-state-metrics-deployment.yaml
+++ b/manifests/exporters/kube-state-metrics-deployment.yaml
@@ -9,6 +9,7 @@ spec: labels: app: kube-state-metrics spec: + serviceAccountName: kube-state-metrics containers: - name: kube-state-metrics image: gcr.io/google_containers/kube-state-metrics:v0.4.1
diff --git a/manifests/exporters/kube-state-metrics-service-account.yaml b/manifests/exporters/kube-state-metrics-service-account.yaml
new file mode 100644
index 00000000..99779352
--- /dev/null
+++ b/manifests/exporters/kube-state-metrics-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-state-metrics
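Review bot: Adding `serviceAccountName: kube-state-metrics` means the pod is only admitted once a `kube-state-metrics` ServiceAccount exists in its namespace, yet this patch touches only the four files under `manifests/exporters` and does not update `hack/cluster-monitoring/deploy` the way the first patch did for the prometheus RBAC files. If the deploy script applies `manifests/exporters` as a directory the new ServiceAccount, ClusterRole and ClusterRoleBinding are picked up together; if it applies the deployment manifest by file name, the ServiceAccount admission plugin rejects the pod for the missing account and the new ClusterRole is never bound to anything. Either way, a short comment in the deploy script or the manifest stating that the three RBAC files must be applied before the Deployment would make the dependency visible. The enclosing pod spec starts and ends outside this hunk.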