easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

replaced default namespaces rbac rules by a loop

Browse Source
This commit is contained in:
prune
2018-07-27 07:05:42 -04:00
parent 85d6c48f98
commit 88f79258f5
2 changed files with 3 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/monitoring-other-namespaces.md
View File

@@ -1,5 +1,5 @@
# Monitoring other Kubernetes Namespaces # Monitoring other Kubernetes Namespaces
This guide will help you monitor applications in other Namespaces, which is only enabled for the `Default` Namespace during Install. This guide will help you monitor applications in other Namespaces. By default the RBAC rules are only enabled for the `Default` and `kube-system` Namespace during Install.
# Setup # Setup
You have to give the list of the Namespaces that you want to be able to monitor. You have to give the list of the Namespaces that you want to be able to monitor.
@@ -12,7 +12,7 @@ local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + {
namespace: 'monitoring', namespace: 'monitoring',
prometheus+:: { prometheus+:: {
roleSpecificNamespaces: ["foo"], namespaces: ["default", "kube-system","foo"],
}, },
}, },
}; };

86
jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
View File

@@ -21,7 +21,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
replicas: 2, replicas: 2,
rules: {}, rules: {},
renderedRules: {}, renderedRules: {},
roleSpecificNamespaces: [], namespaces: ["default", "kube-system",$._config.namespace],
}, },
}, },
@@ -56,16 +56,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
groups: $._config.prometheus.rules.groups, groups: $._config.prometheus.rules.groups,
}, },
}, },
roleBindingDefault:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace('default') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleBindingSpecificNamespace: roleBindingSpecificNamespace:
local roleBinding = k.rbac.v1.roleBinding; local roleBinding = k.rbac.v1.roleBinding;
@@ -123,16 +113,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name + '-config') + roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name + '-config') +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) + roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleBindingNamespace:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace($._config.namespace) +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
clusterRoleBinding: clusterRoleBinding:
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding; local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
@@ -142,42 +122,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
clusterRoleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) + clusterRoleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) + clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]), clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleKubeSystem:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace('kube-system') +
role.withRules(coreRule),
roleDefault:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace('default') +
role.withRules(coreRule),
roleSpecificNamespace: roleSpecificNamespace:
local role = k.rbac.v1.role; local role = k.rbac.v1.role;
local policyRule = role.rulesType; local policyRule = role.rulesType;
@@ -199,34 +143,6 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local roleList = k.rbac.v1.roleList; local roleList = k.rbac.v1.roleList;
roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]), roleList.new([newSpecificRole(x) for x in $._config.prometheus.roleSpecificNamespaces]),
roleBindingKubeSystem:
local roleBinding = k.rbac.v1.roleBinding;
roleBinding.new() +
roleBinding.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.metadata.withNamespace('kube-system') +
roleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
roleBinding.mixin.roleRef.withName('prometheus-' + $._config.prometheus.name) +
roleBinding.mixin.roleRef.mixinInstance({ kind: 'Role' }) +
roleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-' + $._config.prometheus.name, namespace: $._config.namespace }]),
roleNamespace:
local role = k.rbac.v1.role;
local policyRule = role.rulesType;
local coreRule = policyRule.new() +
policyRule.withApiGroups(['']) +
policyRule.withResources([
'nodes',
'services',
'endpoints',
'pods',
]) +
policyRule.withVerbs(['get', 'list', 'watch']);
role.new() +
role.mixin.metadata.withName('prometheus-' + $._config.prometheus.name) +
role.mixin.metadata.withNamespace($._config.namespace) +
role.withRules(coreRule),
prometheus: prometheus:
local container = k.core.v1.pod.mixin.spec.containersType; local container = k.core.v1.pod.mixin.spec.containersType;
local resourceRequirements = container.mixin.resourcesType; local resourceRequirements = container.mixin.resourcesType;