Merge pull request #812 from paulfantom/jsonnet-lint

Paweł Krupa
2021-01-12 16:11:54 +01:00
committed by GitHub
14 changed files with 348 additions and 333 deletions


@@ -20,6 +20,18 @@ jobs:
with: with:
go-version: ${{ env.golang-version }} go-version: ${{ env.golang-version }}
- run: make --always-make generate && git diff --exit-code - run: make --always-make generate && git diff --exit-code
lint:
runs-on: ubuntu-latest
name: Jsonnet linter
steps:
- uses: actions/checkout@v2
- run: make --always-make lint
fmt:
runs-on: ubuntu-latest
name: Jsonnet formatter
steps:
- uses: actions/checkout@v2
- run: make --always-make fmt && git diff --exit-code
unit-tests: unit-tests:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Unit tests name: Unit tests
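Review bot: The new `lint` and `fmt` jobs go straight from `actions/checkout@v2` to `make`, without the Go setup step that the job above them appears to use (`go-version: ${{ env.golang-version }}`). The jsonnet-lint and jsonnetfmt binaries are therefore presumably built with whatever Go toolchain the runner image ships, so adding the same setup step to both jobs would keep the tool build reproducible. Both jobs also reference the checkout action by a mutable tag; pinning it to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`, means the workflow does not depend on that tag staying where it is.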


@@ -6,8 +6,9 @@ EMBEDMD_BIN=$(BIN_DIR)/embedmd
JB_BIN=$(BIN_DIR)/jb JB_BIN=$(BIN_DIR)/jb
GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml GOJSONTOYAML_BIN=$(BIN_DIR)/gojsontoyaml
JSONNET_BIN=$(BIN_DIR)/jsonnet JSONNET_BIN=$(BIN_DIR)/jsonnet
JSONNETLINT_BIN=$(BIN_DIR)/jsonnet-lint
JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt
TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETFMT_BIN) TOOLING=$(EMBEDMD_BIN) $(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN)
JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
@@ -36,6 +37,11 @@ fmt: $(JSONNETFMT_BIN)
find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \ find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
xargs -n 1 -- $(JSONNETFMT_BIN) $(JSONNETFMT_ARGS) -i xargs -n 1 -- $(JSONNETFMT_BIN) $(JSONNETFMT_ARGS) -i
.PHONY: lint
lint: $(JSONNETLINT_BIN) vendor
find jsonnet/ -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \
xargs -n 1 -- $(JSONNETLINT_BIN) -J vendor
.PHONY: test .PHONY: test
test: $(JB_BIN) test: $(JB_BIN)
$(JB_BIN) install $(JB_BIN) install
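Review bot: The `lint` recipe pipes newline-separated `find` output into `xargs -n 1`, so a `.jsonnet` or `.libsonnet` path containing whitespace is split into several arguments and the linter is run on names that do not exist. Using `-print0` in place of each `-print` together with `xargs -0 -n 1 -- $(JSONNETLINT_BIN) -J vendor` keeps every path intact; the `fmt` recipe shown as context has the same shape. The recipe also walks only `jsonnet/` while `fmt` walks `.`, so a short comment such as `# lint covers jsonnet/ only: <reason>` would tell readers whether the other directories are left out on purpose.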


@@ -58,8 +58,6 @@ local defaults = {
}; };
function(params) { function(params) {
local am = self, local am = self,
config:: defaults + params, config:: defaults + params,


@@ -92,191 +92,191 @@ function(params) {
// Safety check // Safety check
assert std.isObject(bb.config.resources), assert std.isObject(bb.config.resources),
configuration: { configuration: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ConfigMap', kind: 'ConfigMap',
metadata: { metadata: {
name: 'blackbox-exporter-configuration', name: 'blackbox-exporter-configuration',
namespace: bb.config.namespace, namespace: bb.config.namespace,
labels: bb.config.commonLabels, labels: bb.config.commonLabels,
}, },
data: { data: {
'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }), 'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
}, },
},
serviceAccount: {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: 'blackbox-exporter',
},
rules: [
{
apiGroups: ['authentication.k8s.io'],
resources: ['tokenreviews'],
verbs: ['create'],
}, },
{
serviceAccount: { apiGroups: ['authorization.k8s.io'],
apiVersion: 'v1', resources: ['subjectaccessreviews'],
kind: 'ServiceAccount', verbs: ['create'],
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
},
}, },
],
},
clusterRole: { clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole', kind: 'ClusterRoleBinding',
metadata: { metadata: {
name: 'blackbox-exporter', name: 'blackbox-exporter',
}, },
rules: [ roleRef: {
{ apiGroup: 'rbac.authorization.k8s.io',
apiGroups: ['authentication.k8s.io'], kind: 'ClusterRole',
resources: ['tokenreviews'], name: 'blackbox-exporter',
verbs: ['create'], },
}, subjects: [{
{ kind: 'ServiceAccount',
apiGroups: ['authorization.k8s.io'], name: 'blackbox-exporter',
resources: ['subjectaccessreviews'], namespace: bb.config.namespace,
verbs: ['create'], }],
}, },
],
deployment:
local blackboxExporter = {
name: 'blackbox-exporter',
image: bb.config.image,
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
}, },
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
clusterRoleBinding: { local reloader = {
apiVersion: 'rbac.authorization.k8s.io/v1', name: 'module-configmap-reloader',
kind: 'ClusterRoleBinding', image: bb.config.configmapReloaderImage,
metadata: { args: [
name: 'blackbox-exporter', '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
}, '--volume-dir=/etc/blackbox_exporter/',
roleRef: { ],
apiGroup: 'rbac.authorization.k8s.io', resources: bb.config.resources,
kind: 'ClusterRole', securityContext: { runAsNonRoot: true, runAsUser: 65534 },
name: 'blackbox-exporter', terminationMessagePath: '/dev/termination-log',
}, terminationMessagePolicy: 'FallbackToLogsOnError',
subjects: [{ volumeMounts: [{
kind: 'ServiceAccount', mountPath: '/etc/blackbox_exporter/',
name: 'blackbox-exporter', name: 'config',
namespace: bb.config.namespace, readOnly: true,
}], }],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
}, },
spec: {
deployment: replicas: bb.config.replicas,
local blackboxExporter = { selector: { matchLabels: bb.config.selectorLabels },
name: 'blackbox-exporter', template: {
image: bb.config.image, metadata: { labels: bb.config.commonLabels },
args: [
'--config.file=/etc/blackbox_exporter/config.yml',
'--web.listen-address=:%d' % bb.config.internalPort,
],
ports: [{
name: 'http',
containerPort: bb.config.internalPort,
}],
resources: bb.config.resources,
securityContext: if bb.config.privileged then {
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
} else {
runAsNonRoot: true,
runAsUser: 65534,
},
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local reloader = {
name: 'module-configmap-reloader',
image: bb.config.configmapReloaderImage,
args: [
'--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
'--volume-dir=/etc/blackbox_exporter/',
],
resources: bb.config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 },
terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{
mountPath: '/etc/blackbox_exporter/',
name: 'config',
readOnly: true,
}],
};
local kubeRbacProxy = krp({
name: 'kube-rbac-proxy',
upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
secureListenAddress: ':' + bb.config.port,
ports: [
{ name: 'https', containerPort: bb.config.port },
],
});
{
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: { spec: {
replicas: bb.config.replicas, containers: [blackboxExporter, reloader, kubeRbacProxy],
selector: { matchLabels: bb.config.selectorLabels }, nodeSelector: { 'kubernetes.io/os': 'linux' },
template: { serviceAccountName: 'blackbox-exporter',
metadata: { labels: bb.config.commonLabels }, volumes: [{
spec: { name: 'config',
containers: [blackboxExporter, reloader, kubeRbacProxy], configMap: { name: 'blackbox-exporter-configuration' },
nodeSelector: { 'kubernetes.io/os': 'linux' },
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',
configMap: { name: 'blackbox-exporter-configuration' },
}],
},
},
},
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
}], }],
selector: {
matchLabels: bb.config.selectorLabels,
},
}, },
}, },
} },
},
service: {
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
ports: [{
name: 'https',
port: bb.config.port,
targetPort: 'https',
}, {
name: 'probe',
port: bb.config.internalPort,
targetPort: 'http',
}],
selector: bb.config.selectorLabels,
},
},
serviceMonitor:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'ServiceMonitor',
metadata: {
name: 'blackbox-exporter',
namespace: bb.config.namespace,
labels: bb.config.commonLabels,
},
spec: {
endpoints: [{
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
interval: '30s',
path: '/metrics',
port: 'https',
scheme: 'https',
tlsConfig: {
insecureSkipVerify: true,
},
}],
selector: {
matchLabels: bb.config.selectorLabels,
},
},
},
}


@@ -30,8 +30,6 @@
}, },
prometheus+:: { prometheus+:: {
local p = self,
prometheus+: { prometheus+: {
spec+: spec+:
antiaffinity('prometheus', [$._config.prometheus.name], $._config.namespace), antiaffinity('prometheus', [$._config.prometheus.name], $._config.namespace),


@@ -100,7 +100,6 @@ local prometheusAdapter = import './prometheus-adapter/prometheus-adapter.libson
(kubeRbacProxyContainer { (kubeRbacProxyContainer {
config+:: { config+:: {
kubeRbacProxy: { kubeRbacProxy: {
local cfg = self,
image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy, image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
name: 'kube-rbac-proxy', name: 'kube-rbac-proxy',
securePortName: 'https', securePortName: 'https',


@@ -1,5 +1,4 @@
local defaults = { local defaults = {
local defaults = self,
namespace: error 'must provide namespace', namespace: error 'must provide namespace',
image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0', image: 'quay.io/brancz/kube-rbac-proxy:v0.8.0',
ports: error 'must provide ports', ports: error 'must provide ports',
@@ -10,33 +9,33 @@ local defaults = {
limits: { cpu: '20m', memory: '40Mi' }, limits: { cpu: '20m', memory: '40Mi' },
}, },
tlsCipherSuites: [ tlsCipherSuites: [
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 // 'TLS_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2 // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
// 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2 // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2 // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2 // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2 // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2 // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169 // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
// disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
], ],
}; };
@@ -46,19 +45,19 @@ function(params) {
// Safety check // Safety check
assert std.isObject(krp.config.resources), assert std.isObject(krp.config.resources),
name: krp.config.name, name: krp.config.name,
image: krp.config.image, image: krp.config.image,
args: [ args: [
'--logtostderr', '--logtostderr',
'--secure-listen-address=' + krp.config.secureListenAddress, '--secure-listen-address=' + krp.config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites), '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
'--upstream=' + krp.config.upstream, '--upstream=' + krp.config.upstream,
], ],
resources: krp.config.resources, resources: krp.config.resources,
ports: krp.config.ports, ports: krp.config.ports,
securityContext: { securityContext: {
runAsUser: 65532, runAsUser: 65532,
runAsGroup: 65532, runAsGroup: 65532,
runAsNonRoot: true, runAsNonRoot: true,
}, },
} }


@@ -16,7 +16,6 @@
}, },
specMixin:: { specMixin:: {
local sm = self,
config+:: { config+:: {
kubeRbacProxy: { kubeRbacProxy: {
image: error 'must provide image', image: error 'must provide image',


@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8081/', upstream: 'http://127.0.0.1:8081/',
secureListenAddress: ':8443', secureListenAddress: ':8443',
ports: [ ports: [
{ name: 'https-main', containerPort: 8443, }, { name: 'https-main', containerPort: 8443 },
], ],
}), }),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
upstream: 'http://127.0.0.1:8082/', upstream: 'http://127.0.0.1:8082/',
secureListenAddress: ':9443', secureListenAddress: ':9443',
ports: [ ports: [
{ name: 'https-self', containerPort: 9443, }, { name: 'https-self', containerPort: 9443 },
], ],
}), }),


@@ -67,8 +67,9 @@ function(params) {
apiGroups: ['authorization.k8s.io'], apiGroups: ['authorization.k8s.io'],
resources: ['subjectaccessreviews'], resources: ['subjectaccessreviews'],
verbs: ['create'], verbs: ['create'],
}], },
}, ],
},
serviceAccount: { serviceAccount: {
apiVersion: 'v1', apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
}) + { }) + {
env: [ env: [
{ name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } }, { name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
] ],
}; };
{ {


@@ -186,117 +186,117 @@ function(params) {
}, },
}, },
serviceAccount: { serviceAccount: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: {
name: pa.config.name,
namespace: pa.config.namespace,
labels: pa.config.commonLabels,
},
},
clusterRole: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleBinding: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: pa.config.name,
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: { name: $.serviceAccount.metadata.name,
name: pa.config.name, namespace: pa.config.namespace,
namespace: pa.config.namespace, }],
labels: pa.config.commonLabels, },
},
},
clusterRole: { clusterRoleBindingDelegator: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding',
metadata: {
name: 'resource-metrics:system:auth-delegator',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole', kind: 'ClusterRole',
metadata: { name: 'system:auth-delegator',
name: pa.config.name,
labels: pa.config.commonLabels,
},
rules: [{
apiGroups: [''],
resources: ['nodes', 'namespaces', 'pods', 'services'],
verbs: ['get', 'list', 'watch'],
}],
}, },
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
clusterRoleBinding: { clusterRoleServerResources: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding', kind: 'ClusterRole',
metadata: { metadata: {
name: pa.config.name, name: 'resource-metrics-server-resources',
labels: pa.config.commonLabels, labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'ClusterRole',
name: $.clusterRole.metadata.name,
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
}, },
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
},
clusterRoleBindingDelegator: { clusterRoleAggregatedMetricsReader: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRoleBinding', kind: 'ClusterRole',
metadata: { metadata: {
name: 'resource-metrics:system:auth-delegator', name: 'system:aggregated-metrics-reader',
labels: pa.config.commonLabels, labels: {
}, 'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
roleRef: { 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
apiGroup: 'rbac.authorization.k8s.io', 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
kind: 'ClusterRole', } + pa.config.commonLabels,
name: 'system:auth-delegator',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
}, },
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
clusterRoleServerResources: { roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1', apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'ClusterRole', kind: 'RoleBinding',
metadata: { metadata: {
name: 'resource-metrics-server-resources', name: 'resource-metrics-auth-reader',
labels: pa.config.commonLabels, namespace: 'kube-system',
}, labels: pa.config.commonLabels,
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['*'],
verbs: ['*'],
}],
}, },
roleRef: {
clusterRoleAggregatedMetricsReader: { apiGroup: 'rbac.authorization.k8s.io',
apiVersion: 'rbac.authorization.k8s.io/v1', kind: 'Role',
kind: 'ClusterRole', name: 'extension-apiserver-authentication-reader',
metadata: {
name: 'system:aggregated-metrics-reader',
labels: {
'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
} + pa.config.commonLabels,
},
rules: [{
apiGroups: ['metrics.k8s.io'],
resources: ['pods', 'nodes'],
verbs: ['get', 'list', 'watch'],
}],
},
roleBindingAuthReader: {
apiVersion: 'rbac.authorization.k8s.io/v1',
kind: 'RoleBinding',
metadata: {
name: 'resource-metrics-auth-reader',
namespace: 'kube-system',
labels: pa.config.commonLabels,
},
roleRef: {
apiGroup: 'rbac.authorization.k8s.io',
kind: 'Role',
name: 'extension-apiserver-authentication-reader',
},
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
}, },
subjects: [{
kind: 'ServiceAccount',
name: $.serviceAccount.metadata.name,
namespace: pa.config.namespace,
}],
},
} }


@@ -5,6 +5,6 @@ go 1.15
require ( require (
github.com/brancz/gojsontoyaml v0.0.0-20200602132005-3697ded27e8c github.com/brancz/gojsontoyaml v0.0.0-20200602132005-3697ded27e8c
github.com/campoy/embedmd v1.0.0 github.com/campoy/embedmd v1.0.0
github.com/google/go-jsonnet v0.17.0 github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 // 7 commits after 0.17.0. Needed by jsonnet linter
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 github.com/jsonnet-bundler/jsonnet-bundler v0.4.0
) )


@@ -16,6 +16,8 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/google/go-jsonnet v0.17.0 h1:/9NIEfhK1NQRKl3sP2536b2+x5HnZMdql7x3yK/l8JY= github.com/google/go-jsonnet v0.17.0 h1:/9NIEfhK1NQRKl3sP2536b2+x5HnZMdql7x3yK/l8JY=
github.com/google/go-jsonnet v0.17.0/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw= github.com/google/go-jsonnet v0.17.0/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6 h1:91EupyycmO5ctzKuWEZ9nX0Cal1NveMiWcXxmRtLyLQ=
github.com/google/go-jsonnet v0.17.1-0.20210101181740-31d71aaccda6/go.mod h1:sOcuej3UW1vpPTZOr8L7RQimqai1a57bt5j22LzGZCw=
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 h1:4BKZ6LDqPc2wJDmaKnmYD/vDjUptJtnUpai802MibFc= github.com/jsonnet-bundler/jsonnet-bundler v0.4.0 h1:4BKZ6LDqPc2wJDmaKnmYD/vDjUptJtnUpai802MibFc=
github.com/jsonnet-bundler/jsonnet-bundler v0.4.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU= github.com/jsonnet-bundler/jsonnet-bundler v0.4.0/go.mod h1:/by7P/OoohkI3q4CgSFqcoFsVY+IaNbzOVDknEsKDeU=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=


@@ -8,6 +8,7 @@ import (
_ "github.com/brancz/gojsontoyaml" _ "github.com/brancz/gojsontoyaml"
_ "github.com/campoy/embedmd" _ "github.com/campoy/embedmd"
_ "github.com/google/go-jsonnet/cmd/jsonnet" _ "github.com/google/go-jsonnet/cmd/jsonnet"
_ "github.com/google/go-jsonnet/cmd/jsonnet-lint"
_ "github.com/google/go-jsonnet/cmd/jsonnetfmt" _ "github.com/google/go-jsonnet/cmd/jsonnetfmt"
_ "github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb" _ "github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb"
) )