allow creation of role and rolebindings for other namespaces in jsonnet
28
docs/monitoring-other-namespaces.md
Normal file
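--- a/docs/monitoring-other-namespaces.md
+++ b/docs/monitoring-other-namespaces.md
@@ -0,0 +1,28 @@
+# Monitoring other Kubernetes Namespaces
+This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install.
+
+# Setup
+You have to give the list of the Namespaces that you want to be able to monitor.
+This is done in the variable `prometheus.roleSpecificNamespaces`. You usually set this in your `.jsonnet` file when building the manifests.
+
+Ex to create the needed `Role` and `Rolebindig` for the Namespace `foo` :
+```
+local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + {
+_config+:: {
+namespace: 'monitoring',
+
+prometheus+:: {
+roleSpecificNamespaces: ["foo"],
+},
+},
+};
+
+{ ['00namespace-' + name]: kp.kubePrometheus[name] for name in std.objectFields(kp.kubePrometheus) } +
+{ ['0prometheus-operator-' + name]: kp.prometheusOperator[name] for name in std.objectFields(kp.prometheusOperator) } +
+{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } +
+{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } +
+{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } +
+{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } +
+{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) }
+
+```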
@@ -21,6 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
replicas: 2,
|
replicas: 2,
|
||||||
rules: {},
|
rules: {},
|
||||||
renderedRules: {},
|
renderedRules: {},
|
||||||
|
roleSpecificNamespaces: [],
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
||||||
@@ -65,6 +66,20 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
|
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
|
||||||
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
|
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
|
||||||
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
|
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
|
||||||
|
roleBindingSpecificNamespace:
|
||||||
|
local roleBinding = k.rbac.v1.roleBinding;
|
||||||
|
|
||||||
|
local newSpecificRoleBinding(namespace) =
|
||||||
|
roleBinding.new() +
|
||||||
|
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
|
||||||
|
roleBinding.mixin.metadata.withNamespace(namespace) +
|
||||||
|
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
|
||||||
|
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
|
||||||
|
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
|
||||||
|
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: namespace }]);
|
||||||
|
|
||||||
|
local roleBindigList = k.rbac.v1.roleBindingList;
|
||||||
|
roleBindigList.new([newSpecificRoleBinding(x) for x in $._config.prometheus.roleSpecificNamespaces]),
|
||||||
clusterRole:
|
clusterRole:
|
||||||
local clusterRole = k.rbac.v1.clusterRole;
|
local clusterRole = k.rbac.v1.clusterRole;
|
||||||
local policyRule = clusterRole.rulesType;
|
local policyRule = clusterRole.rulesType;
|
||||||
@@ -163,6 +178,27 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|||||||
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
|
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
|
||||||
role.mixin.metadata.withNamespace('default') +
|
role.mixin.metadata.withNamespace('default') +
|
||||||
role.withRules(coreRule),
|
role.withRules(coreRule),
|
||||||
|
roleSpecificNamespace:
|
||||||
|
local role = k.rbac.v1.role;
|
||||||
|
local policyRule = role.rulesType;
|
||||||
|
local coreRule = policyRule.new() +
|
||||||
|
policyRule.withApiGroups(['']) +
|
||||||
|
policyRule.withResources([
|
||||||
|
'nodes',
|
||||||
|
'services',
|
||||||
|
'endpoints',
|
||||||
|
'pods',
|
||||||
|
]) +
|
||||||
|
policyRule.withVerbs(['get', 'list', 'watch']);
|
||||||
|
|
||||||
|
local newSpecificRole(namespace) =
|
||||||
|
role.new() +
|
||||||
|
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
|
||||||
|
role.mixin.metadata.withNamespace(namespace) +
|
||||||
|
role.withRules(coreRule);
|
||||||
|
|
||||||
|
local roleList = k.rbac.v1.roleList;
|
||||||
|
roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]),
|
||||||
roleBindingKubeSystem:
|
roleBindingKubeSystem:
|
||||||
local roleBinding = k.rbac.v1.roleBinding;
|
local roleBinding = k.rbac.v1.roleBinding;
|
||||||
|
|
||||||
|
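Review bot: In `newSpecificRoleBinding` (the `@@ -65,6 +66,20 @@` hunk) the subject is built with `namespace: namespace`, so each RoleBinding grants the Role to a ServiceAccount named `prometheus-<name>` in the target namespace, whereas the existing binding shown as context just above it uses `namespace: $._config.namespace`. As written, the Prometheus ServiceAccount in the monitoring namespace would presumably not receive the access, and the read permissions go instead to any account of that name that exists or is later created in the target namespace. The subject should read `{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }`. Separately, `coreRule` in `roleSpecificNamespace` lists `'nodes'`, a cluster-scoped resource that a namespaced Role cannot grant; dropping it keeps the Role limited to `services`, `endpoints` and `pods`, which is what it can actually confer. The file header for this section is not visible on the page, so the path of the patched libsonnet file is not confirmed here.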