easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #812 from paulfantom/jsonnet-lint

Browse Source
This commit is contained in:
Paweł Krupa
2021-01-12 16:11:54 +01:00
committed by GitHub
parent e255923c05 d00a923299
commit 4c1ff463db
14 changed files with 348 additions and 333 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.github/workflows/ci.yaml vendored
View File

@@ -20,6 +20,18 @@ jobs:
with:
go-version: ${{ env.golang-version }}
- run: make --always-make generate && git diff --exit-code
lint:
runs-on: ubuntu-latest
name: Jsonnet linter
steps:
- uses: actions/checkout@v2
- run: make --always-make lint
fmt:
runs-on: ubuntu-latest
name: Jsonnet formatter
steps:
- uses: actions/checkout@v2
- run: make --always-make fmt && git diff --exit-code
unit-tests:
runs-on: ubuntu-latest
name: Unit tests

8
Makefile
View File

@@ -6,8 +6,9 @@ EMBEDMD_BIN=$(BIN_DIR)/embedmd
JB_BIN=$(BIN_DIR)/jb
GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml
JSONNET_BIN=$(BIN_DIR)/jsonnet
JSONNETLINT_BIN=$(BIN_DIR)/jsonnet-lint
JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt
TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETFMT_BIN)
TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN)
JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
@@ -36,6 +37,11 @@ fmt: $(JSONNETFMT_BIN)
find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
xargs -n 1 -- $(JSONNETFMT_BIN) $(JSONNETFMT_ARGS) -i
.PHONY: lint
lint: $(JSONNETLINT_BIN) vendor
find jsonnet/ -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
xargs -n 1 -- $(JSONNETLINT_BIN) -J vendor
.PHONY: test
test: $(JB_BIN)
$(JB_BIN) install

2
jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
View File

@@ -58,8 +58,6 @@ local defaults = {
};
function(params) {
local am = self,
config:: defaults + params,

356
jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
View File

@@ -92,191 +92,191 @@ function(params) {
// Safety check
assert std.isObject(bb.config.resources),
configuration: {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
name: 'blackbox-exporter-configuration',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
data: {
'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
},
configuration: {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
name: 'blackbox-exporter-configuration',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
data: {
'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
},
},
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'blackbox-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
},
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
{
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
},
],
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'blackbox-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
},
{
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
},
],
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'blackbox-exporter',
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'blackbox-exporter',
},
subjects: [{
kind: 'ServiceAccount',
name: 'blackbox-exporter',
namespace: bb.config.namespace,
}],
},
deployment:
local blackboxExporter = {
name: 'blackbox-exporter',
image: bb.config.image,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
},
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'blackbox-exporter',
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'blackbox-exporter',
},
subjects: [{
kind: 'ServiceAccount',
name: 'blackbox-exporter',
namespace: bb.config.namespace,
}],
local reloader = {
name: 'module-configmap-reloader',
image: bb.config.configmapReloaderImage,
args: [
'--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
'--volume-dir=/etc/blackbox_exporter/',
],
resources: bb.config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 },
terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
deployment:
local blackboxExporter = {
name: 'blackbox-exporter',
image: bb.config.image,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
},
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local reloader = {
name: 'module-configmap-reloader',
image: bb.config.configmapReloaderImage,
args: [
'--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
'--volume-dir=/etc/blackbox_exporter/',
],
resources: bb.config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 },
terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
replicas: bb.config.replicas,
selector: { matchLabels: bb.config.selectorLabels },
template: {
metadata: { labels: bb.config.commonLabels },
spec: {
replicas: bb.config.replicas,
selector: { matchLabels: bb.config.selectorLabels },
template: {
metadata: { labels: bb.config.commonLabels },
spec: {
containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' },
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',
configMap: { name: 'blackbox-exporter-configuration' },
}],
},
},
},
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' },
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',
configMap: { name: 'blackbox-exporter-configuration' },
}],
selector: {
matchLabels: bb.config.selectorLabels,
},
},
},
}
},
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
}],
selector: {
matchLabels: bb.config.selectorLabels,
},
},
},
}

2
jsonnet/kube-prometheus/kube-prometheus-anti-affinity.libsonnet
View File

@@ -30,8 +30,6 @@
},
prometheus+:: {
local p = self,
prometheus+: {
spec+:
antiaffinity('prometheus', [$._config.prometheus.name], $._config.namespace),

1
jsonnet/kube-prometheus/kube-prometheus.libsonnet
View File

@@ -100,7 +100,6 @@ local prometheusAdapter = import './prometheus-adapter/prometheus-adapter.libson
(kubeRbacProxyContainer {
config+:: {
kubeRbacProxy: {
local cfg = self,
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
name: 'kube-rbac-proxy',
securePortName: 'https',

79
jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
View File

@@ -1,5 +1,4 @@
local defaults = {
local defaults = self,
namespace: error 'must provide namespace',
image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0',
ports: error 'must provide ports',
@@ -10,33 +9,33 @@ local defaults = {
limits: { cpu: '20m', memory: '40Mi' },
},
tlsCipherSuites: [
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
// 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
// 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
// disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
};
@@ -46,19 +45,19 @@ function(params) {
// Safety check
assert std.isObject(krp.config.resources),
name: krp.config.name,
image: krp.config.image,
args: [
'--logtostderr',
'--secure-listen-address=' + krp.config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
'--upstream=' + krp.config.upstream,
],
resources: krp.config.resources,
ports: krp.config.ports,
securityContext: {
runAsUser: 65532,
runAsGroup: 65532,
runAsNonRoot: true,
},
name: krp.config.name,
image: krp.config.image,
args: [
'--logtostderr',
'--secure-listen-address=' + krp.config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
'--upstream=' + krp.config.upstream,
],
resources: krp.config.resources,
ports: krp.config.ports,
securityContext: {
runAsUser: 65532,
runAsGroup: 65532,
runAsNonRoot: true,
},
}

1
jsonnet/kube-prometheus/kube-rbac-proxy/containerMixin.libsonnet
View File

@@ -16,7 +16,6 @@
},
specMixin:: {
local sm = self,
config+:: {
kubeRbacProxy: {
image: error 'must provide image',

4
jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
View File

@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8081/',
secureListenAddress: ':8443',
ports: [
{ name: 'https-main', containerPort: 8443, },
{ name: 'https-main', containerPort: 8443 },
],
}),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8082/',
secureListenAddress: ':9443',
ports: [
{ name: 'https-self', containerPort: 9443, },
{ name: 'https-self', containerPort: 9443 },
],
}),

7
jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
View File

@@ -67,8 +67,9 @@ function(params) {
apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'],
verbs: ['create'],
}],
},
},
],
},
serviceAccount: {
apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
}) + {
env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
]
],
};
{

204
jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
View File

@@ -186,117 +186,117 @@ function(params) {
},
},
serviceAccount: {
apiVersion: 'v1',
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: pa.config.name,
namespace: pa.config.namespace,
labels: pa.config.commonLabels,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount',
metadata: {
name: pa.config.name,
namespace: pa.config.namespace,
labels: pa.config.commonLabels,
},
},
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
clusterRoleBindingDelegator: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'resource-metrics:system:auth-delegator',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
name: 'system:auth-delegator',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
clusterRoleServerResources: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'resource-metrics-server-resources',
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
},
clusterRoleBindingDelegator: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'resource-metrics:system:auth-delegator',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: 'system:auth-delegator',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
clusterRoleAggregatedMetricsReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'system:aggregated-metrics-reader',
labels: {
'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
} + pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleServerResources: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'resource-metrics-server-resources',
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: 'resource-metrics-auth-reader',
namespace: 'kube-system',
labels: pa.config.commonLabels,
},
clusterRoleAggregatedMetricsReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'system:aggregated-metrics-reader',
labels: {
'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
} + pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: 'resource-metrics-auth-reader',
namespace: 'kube-system',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: 'extension-apiserver-authentication-reader',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: 'extension-apiserver-authentication-reader',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
}

2
scripts/go.mod
View File

@@ -5,6 +5,6 @@ go 1.15
require (
github.com/brancz/gojsontoyaml v0.0.0-20200602132005-3697ded27e8c
github.com/campoy/embedmd v1.0.0
github.com/google/go-jsonnet v0.17.0
github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 // 7 commits after 0.17.0. Needed by jsonnet linter
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0
)

2
scripts/go.sum
View File

@@ -16,6 +16,8 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/google/go-jsonnet v0.17.0 h1:/9NIEfhK1NQRKl3sP2536b2+x5HnZMdql7x3yK/l8JY=
github.com/google/go-jsonnet v0.17.0/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 h1:91EupyycmO5ctzKuWEZ9nX0Cal1NveMiWcXxmRtLyLQ=
github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 h1:4BKZ6LDqPc2wJDmaKnmYD/vDjUptJtnUpai802MibFc=
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=

1
scripts/tools.go
View File

@@ -8,6 +8,7 @@ import (
_ "github.com/brancz/gojsontoyaml"
_ "github.com/campoy/embedmd"
_ "github.com/google/go-jsonnet/cmd/jsonnet"
_ "github.com/google/go-jsonnet/cmd/jsonnet-lint"
_ "github.com/google/go-jsonnet/cmd/jsonnetfmt"
_ "github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb"
)