kube-prometheus: Add RBAC authorization to metrics endpoints

2018-01-05 16:03:04 +01:00
parent fb01fe91dc
commit 4402d451ae
10 changed files with 121 additions and 21 deletions
--- a/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
@@ -27,4 +27,12 @@ rules:
  resources:
  - cronjobs
  - jobs
-  verbs: ["list", "watch"]
+  verbs: ["list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
--- a/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
@@ -11,17 +11,43 @@ spec:
    spec:
      serviceAccountName: kube-state-metrics
      containers:
-      - name: kube-state-metrics
-        image: quay.io/coreos/kube-state-metrics:v1.0.1
+      - name: kube-rbac-proxy-main
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:8443"
+        - "--upstream=http://127.0.0.1:8081/"
        ports:
-        - name: metrics
-          containerPort: 8080
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: 8080
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
+        - name: https-main
+          containerPort: 8443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-rbac-proxy-self
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9443"
+        - "--upstream=http://127.0.0.1:8082/"
+        ports:
+        - name: https-self
+          containerPort: 9443
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
+      - name: kube-state-metrics
+        image: quay.io/coreos/kube-state-metrics:v1.2.0-rc.0
+        args:
+        - "--host=127.0.0.1"
+        - "--port=8081"
+        - "--telemetry-host=127.0.0.1"
+        - "--telemetry-port=8082"
      - name: addon-resizer
        image: gcr.io/google_containers/addon-resizer:1.0
        resources:
--- a/manifests/kube-state-metrics/kube-state-metrics-service.yaml
+++ b/manifests/kube-state-metrics/kube-state-metrics-service.yaml
@@ -6,10 +6,15 @@ metadata:
    k8s-app: kube-state-metrics
  name: kube-state-metrics
 spec:
+  clusterIP: None
  ports:
-  - name: http-metrics
-    port: 8080
-    targetPort: metrics
+  - name: https-main
+    port: 8443
+    targetPort: https-main
+    protocol: TCP
+  - name: https-self
+    port: 9443
+    targetPort: https-self
    protocol: TCP
  selector:
    app: kube-state-metrics