Merge pull request #229 from brancz/kube-prometheus-rbac

kube-prometheus: add RBAC resources

hack/cluster-monitoring/deploy

@@ -14,7 +14,7 @@ kctl() {
     kubectl --namespace "$NAMESPACE" "$@"
 }
 
-kctl apply -f manifests/prometheus-operator.yaml
+kctl apply -f manifests/prometheus-operator
 
 # Wait for TPRs to be ready.
 printf "Waiting for Operator to register third party objects..."
@@ -28,6 +28,9 @@ kctl apply -f manifests/grafana
 
 kctl apply -f manifests/prometheus/prometheus-k8s-rules.yaml
 kctl apply -f manifests/prometheus/prometheus-k8s-service.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role-binding.yaml
+kctl apply -f manifests/prometheus/prometheus-cluster-role.yaml
+kctl apply -f manifests/prometheus/prometheus-k8s-service-account.yaml
 
 kctl apply -f manifests/alertmanager/alertmanager-config.yaml
 kctl apply -f manifests/alertmanager/alertmanager-service.yaml

hack/cluster-monitoring/teardown

@@ -20,5 +20,5 @@ kctl delete -f manifests/alertmanager
 # Hack: wait a bit to let the controller delete the deployed Prometheus server.
 sleep 5
 
-kctl delete -f manifests/prometheus-operator.yaml
+kctl delete -f manifests/prometheus-operator
 

manifests/exporters/kube-state-metrics-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-state-metrics
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-state-metrics
+subjects:
+- kind: ServiceAccount
+  name: kube-state-metrics
+  namespace: monitoring

manifests/exporters/kube-state-metrics-cluster-role.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: kube-state-metrics
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - pods
+  - resourcequotas
+  verbs: ["list", "watch"]
+- apiGroups: ["extensions"]
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  verbs: ["list", "watch"]

manifests/exporters/kube-state-metrics-deployment.yaml

@@ -9,6 +9,7 @@ spec:
       labels:
         app: kube-state-metrics
     spec:
+      serviceAccountName: kube-state-metrics
       containers:
       - name: kube-state-metrics
         image: gcr.io/google_containers/kube-state-metrics:v0.4.1

manifests/exporters/kube-state-metrics-service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-state-metrics

manifests/prometheus-operator/prometheus-operator-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: prometheus-operator
+  namespace: default

manifests/prometheus-operator/prometheus-operator-cluster-role.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus-operator
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - thirdpartyresources
+  verbs:
+  - create
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - prometheuses
+  - servicemonitors
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  - secrets
+  verbs: ["*"]
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["list", "delete"]
+- apiGroups: [""]
+  resources:
+  - services
+  - endpoints
+  verbs: ["get", "create", "update"]
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs: ["list", "watch"]

manifests/prometheus-operator/prometheus-operator-service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-operator

manifests/prometheus-operator/prometheus-operator.yaml

@@ -11,12 +11,13 @@ spec:
       labels:
         operator: prometheus
     spec:
+      serviceAccountName: prometheus-operator
       containers:
        - name: prometheus-operator
          image: quay.io/coreos/prometheus-operator:v0.7.0
          args:
-           - "--kubelet-object=kube-system/kubelet"
+         - "--kubelet-object=kube-system/kubelet"
-           - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
+         - "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"
          resources:
            requests:
              cpu: 100m

manifests/prometheus/prometheus-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: monitoring

manifests/prometheus/prometheus-cluster-role.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources:
+  - configmaps
+  verbs: ["get"]

manifests/prometheus/prometheus-k8s-service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus-k8s

manifests/prometheus/prometheus-k8s.yaml

@@ -7,6 +7,7 @@ metadata:
 spec:
   replicas: 2
   version: v1.5.2
+  serviceAccountName: prometheus-k8s
   serviceMonitorSelector:
     matchExpression:
     - {key: k8s-apps, operator: Exists}