kube-prometheus: Add RBAC authorization to metrics endpoints

2018-01-05 16:03:04 +01:00
parent fb01fe91dc
commit 4402d451ae
10 changed files with 121 additions and 21 deletions
--- a/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
+++ b/manifests/node-exporter/node-exporter-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-exporter
+subjects:
+- kind: ServiceAccount
+  name: node-exporter
+  namespace: monitoring
--- a/manifests/node-exporter/node-exporter-cluster-role.yaml
+++ b/manifests/node-exporter/node-exporter-cluster-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-exporter
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -3,24 +3,26 @@ kind: DaemonSet
 metadata:
  name: node-exporter
 spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
  template:
    metadata:
      labels:
        app: node-exporter
      name: node-exporter
    spec:
+      serviceAccountName: node-exporter
      hostNetwork: true
      hostPID: true
      containers:
      - image: quay.io/prometheus/node-exporter:v0.15.0
        args:
+        - "--web.listen-address=127.0.0.1:9101"
        - "--path.procfs=/host/proc"
        - "--path.sysfs=/host/sys"
        name: node-exporter
-        ports:
-        - containerPort: 9100
-          hostPort: 9100
-          name: scrape
        resources:
          requests:
            memory: 30Mi
@@ -35,6 +37,22 @@ spec:
        - name: sys
          readOnly: true
          mountPath: /host/sys
+      - name: kube-rbac-proxy
+        image: quay.io/brancz/kube-rbac-proxy:v0.2.0
+        args:
+        - "--secure-listen-address=:9100"
+        - "--upstream=http://127.0.0.1:9101/"
+        ports:
+        - containerPort: 9100
+          hostPort: 9100
+          name: https
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+          limits:
+            memory: 40Mi
+            cpu: 20m
      tolerations:
        - effect: NoSchedule
          operator: Exists
--- a/manifests/node-exporter/node-exporter-service-account.yaml
+++ b/manifests/node-exporter/node-exporter-service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-exporter
--- a/manifests/node-exporter/node-exporter-service.yaml
+++ b/manifests/node-exporter/node-exporter-service.yaml
@@ -9,7 +9,7 @@ spec:
  type: ClusterIP
  clusterIP: None
  ports:
-  - name: http-metrics
+  - name: https
    port: 9100
    protocol: TCP
  selector: