easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add monitor and rules resources to user-facing roles (#2238)

Browse Source 
in cluster with separation between (cluster) admin and (namespaced)
users, it allows the namespaced users to create monitor and rules in
their namespaces according to the default k8s model of user-facing
roles.

ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
This commit is contained in:
Cyril Jouve
2024-09-11 11:22:05 +02:00
committed by GitHub
parent 1deaee53f0
commit 3fecdadf15
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet Normal file
View File

@@ -0,0 +1,67 @@
// user facing roles for monitors, probe, and rules
// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
{
prometheusOperator+: {
local po = self,
clusterRoleView: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: po._metadata {
name: 'monitoring-view',
namespace:: null,
labels+: {
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
},
},
rules: [
{
apiGroups: [
'monitoring.coreos.com',
],
resources: [
'podmonitors',
'probes',
'prometheusrules',
'servicemonitors',
],
verbs: [
'get',
'list',
'watch',
],
},
],
},
clusterRoleEdit: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: po._metadata {
name: 'monitoring-edit',
namespace:: null,
labels+: {
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
},
},
rules: [
{
apiGroups: [
'monitoring.coreos.com',
],
resources: [
'podmonitors',
'probes',
'prometheusrules',
'servicemonitors',
],
verbs: [
'create',
'delete',
'deletecollection',
'patch',
'update',
],
},
],
},
},
}