From b39b1bfcfcc99be504e2c1548208d0cdbc4f5f05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Wed, 11 Nov 2020 21:08:39 +0100 Subject: [PATCH 1/9] install a blackbox-exporter instance --- README.md | 32 +++ docs/blackbox-exporter.md | 86 +++++++ .../blackbox-exporter.libsonnet | 211 ++++++++++++++++++ 3 files changed, 329 insertions(+) create mode 100644 docs/blackbox-exporter.md create mode 100644 jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet diff --git a/README.md b/README.md index 4b67ad11..042652b8 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ This stack is meant for cluster monitoring, so it is pre-configured to collect m - [Stripping container resource limits](#stripping-container-resource-limits) - [Customizing Prometheus alerting/recording rules and Grafana dashboards](#customizing-prometheus-alertingrecording-rules-and-grafana-dashboards) - [Exposing Prometheus/Alermanager/Grafana via Ingress](#exposing-prometheusalermanagergrafana-via-ingress) + - [Setting up a blackbox exporter](#setting-up-a-blackbox exporter) - [Minikube Example](#minikube-example) - [Troubleshooting](#troubleshooting) - [Error retrieving kubelet metrics](#error-retrieving-kubelet-metrics) 
@@ -729,6 +730,37 @@ See [developing Prometheus rules and Grafana dashboards](docs/developing-prometh See [exposing Prometheus/Alertmanager/Grafana](docs/exposing-prometheus-alertmanager-grafana-ingress.md) guide. +### Setting up a blackbox exporter + +```jsonnet +local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + + // ... other necessary mixins ... + (import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') + + { + _config+:: { + // ... configuration for other features ... + blackboxExporter+:: { + modules+:: { + tls_connect: { + prober: 'tcp', + tcp: { + tls: true + } + } + } + } + } + }; + +{ ['setup/0namespace-' + name]: kp.kubePrometheus[name] for name in std.objectFields(kp.kubePrometheus) } + +// ... other rendering blocks ... +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } +``` + +Then describe the actual blackbox checks you want to run using `Probe` resources. Specify `blackbox-exporter..svc.cluster.local:9115` as the `spec.prober.url` field of the `Probe` resource. + +See the [blackbox exporter guide](docs/blackbox-exporter.md) for the list of configurable options and a complete example. + ## Minikube Example To use an easy to reproduce example, see [minikube.jsonnet](examples/minikube.jsonnet), which uses the minikube setup as demonstrated in [Prerequisites](#prerequisites). Because we would like easy access to our Prometheus, Alertmanager and Grafana UIs, `minikube.jsonnet` exposes the services as NodePort type services. diff --git a/docs/blackbox-exporter.md b/docs/blackbox-exporter.md new file mode 100644 index 00000000..4c3adb97 --- /dev/null +++ b/docs/blackbox-exporter.md 
@@ -0,0 +1,86 @@ +# Setting up a blackbox exporter + +The `prometheus-operator` defines a `Probe` resource type that can be used to describe blackbox checks. To execute these, a separate component called [`blackbox_exporter`](https://github.com/prometheus/blackbox_exporter) has to be deployed, which can be scraped to retrieve the results of these checks. You can use `kube-prometheus` to set up such a blackbox exporter within your Kubernetes cluster. + +## Adding blackbox exporter manifests to an existing `kube-prometheus` configuration + +1. Add the blackbox exporter mixin to the list of imports: +``` +(import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') +``` +2. Override blackbox-related configuration parameters as needed. +3. Add the following to the list of renderers to render the blackbox exporter manifests: +``` +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } +``` + +## Configuration parameters influencing the blackbox exporter + +* `_config.namespace`: the namespace where the various generated resources (`ConfigMap`, `Deployment`, `Service`, `ServiceAccount` and `ServiceMonitor`) will reside. This does not affect where you can place `Probe` objects; that is determined by the configuration of the `Prometheus` resource. This option is shared with other `kube-prometheus` components; defaults to `default`. +* `_config.imageRepos.blackboxExporter`: the name of the blackbox exporter image to deploy. Defaults to `quay.io/prometheus/blackbox-exporter`. +* `_config.versions.blackboxExporter`: the tag of the blackbox exporter image to deploy. Defaults to the version `kube-prometheus` was tested with. +* `_config.imageRepos.configmapReloader`: the name of the ConfigMap reloader image to deploy. Defaults to `jimmidyson/configmap-reload`. +* `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with. 
+* `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details. +* `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details. +* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`. +* `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`. +* `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }` +* `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter. +* `_config.blackboxExporter.modules`: the modules available in the blackbox exporter installation, i.e. the types of checks it can perform. The default value includes most of the modules defined in the default blackbox exporter configuration: `http_2xx`, `http_post_2xx`, `tcp_connect`, `pop3s_banner`, `ssh_banner`, and `irc_banner`. `icmp` is omitted so the exporter can be run with minimum privileges, but you can add it back if needed - see the example below. See https://github.com/prometheus/blackbox_exporter/blob/master/CONFIGURATION.md for the configuration format, except you have to use JSON instead of YAML here. +* `_config.blackboxExporter.privileged`: whether the `blackbox-exporter` container should be running as non-root (`false`) or root with heavily-restricted capability set (`true`). 
Defaults to `true` if you have any ICMP modules defined (which need the extra permissions) and `false` otherwise. + +## Complete example + +```jsonnet +local kp = + (import 'kube-prometheus/kube-prometheus.libsonnet') + + (import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') + { + _config+:: { + namespace: 'monitoring', + blackboxExporter+:: { + modules+:: { + icmp: { + prober: 'icmp', + }, + }, + }, + }, + }; + +{ ['setup/0namespace-' + name]: kp.kubePrometheus[name] for name in std.objectFields(kp.kubePrometheus) } + +{ + ['setup/prometheus-operator-' + name]: kp.prometheusOperator[name] + for name in std.filter((function(name) name != 'serviceMonitor'), std.objectFields(kp.prometheusOperator)) +} + +// serviceMonitor is separated so that it can be created after the CRDs are ready +{ 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } + +{ ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + +{ ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } + +{ ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + +{ ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + +{ ['prometheus-adapter-' + name]: kp.prometheusAdapter[name] for name in std.objectFields(kp.prometheusAdapter) } + +{ ['grafana-' + name]: kp.grafana[name] for name in std.objectFields(kp.grafana) } +``` + +After installing the generated manifests, you can create `Probe` resources, for example: + +```yaml +kind: Probe +apiVersion: monitoring.coreos.com/v1 +metadata: + name: example-com-website + namespace: monitoring +spec: + interval: 60s + module: http_2xx + prober: + url: blackbox-exporter.monitoring.svc.cluster.local:9115 + targets: + staticConfig: + static: + - 
http://example.com + - https://example.com +``` diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet new file mode 100644 index 00000000..e8d6c25b --- /dev/null +++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet 
@@ -0,0 +1,211 @@ +{ + _config+:: { + namespace: 'default', + + versions+:: { + blackboxExporter: 'v0.18.0', + configmapReloader: 'v0.4.0' + }, + + imageRepos+:: { + blackboxExporter: 'quay.io/prometheus/blackbox-exporter', + configmapReloader: 'jimmidyson/configmap-reload' + }, + + resources+:: { + 'blackbox-exporter': { + requests: { cpu: '10m', memory: '20Mi' }, + limits: { cpu: '20m', memory: '40Mi' }, + } + }, + + blackboxExporter: { + port: 9115, + replicas: 1, + matchLabels: { + 'app.kubernetes.io/name': 'blackbox-exporter', + }, + assignLabels: self.matchLabels + { + 'app.kubernetes.io/version': $._config.versions.blackboxExporter + }, + modules: { + http_2xx: { + prober: 'http' + }, + http_post_2xx: { + prober: 'http', + http: { + method: 'POST' + } + }, + tcp_connect: { + prober: 'tcp' + }, + pop3s_banner: { + prober: 'tcp', + tcp: { + query_response: [ + { expect: '^+OK' } + ], + tls: true, + tls_config: { + insecure_skip_verify: false + } + } + }, + ssh_banner: { + prober: 'tcp', + tcp: { + query_response: [ + { expect: '^SSH-2.0-' } + ] + } + }, + irc_banner: { + prober: 'tcp', + tcp: { + query_response: [ + { send: 'NICK prober' }, + { send: 'USER prober prober prober :prober' }, + { expect: 'PING :([^ ]+)', send: 'PONG ${1}' }, + { expect: '^:[^ ]+ 001' } + ] + } + }, + }, + privileged: + local icmpModules = [self.modules[m] for m in std.objectFields(self.modules) if self.modules[m].prober == 'icmp']; + std.length(icmpModules) > 0 + } + }, + + blackboxExporter+:: + local bb = $._config.blackboxExporter; + { + configuration: { + apiVersion: 'v1', + kind: 'ConfigMap', + metadata: { + name: 'blackbox-exporter-configuration', + namespace: $._config.namespace + }, + data: { + 'config.yml': std.manifestYamlDoc({ modules: bb.modules }) + } + }, + + serviceAccount: { + apiVersion: 'v1', + kind: 'ServiceAccount', + metadata: { + name: 'blackbox-exporter', + namespace: $._config.namespace, + }, + }, + + deployment: { + apiVersion: 'apps/v1', + kind: 
'Deployment', + metadata: { + name: 'blackbox-exporter', + namespace: $._config.namespace, + labels: bb.assignLabels, + }, + spec: { + replicas: bb.replicas, + selector: { matchLabels: bb.matchLabels }, + template: { + metadata: { labels: bb.assignLabels }, + spec: { + containers: [ + { + name: 'blackbox-exporter', + image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter, + ports: [{ + name: 'http', + containerPort: bb.port, + }], + resources: { + requests: $._config.resources['blackbox-exporter'].requests, + limits: $._config.resources['blackbox-exporter'].limits + }, + securityContext: if bb.privileged then { + runAsNonRoot: false, + capabilities: { drop: [ 'ALL' ], add: [ 'NET_RAW'] } + } else { + runAsNonRoot: true, + runAsUser: 65534 + }, + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true + }] + }, + { + name: 'module-configmap-reloader', + image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader, + args: [ + '--webhook-url=http://localhost:' + bb.port + '/-/reload', + '--volume-dir=/etc/blackbox_exporter/' + ], + resources: { + requests: $._config.resources['blackbox-exporter'].requests, + limits: $._config.resources['blackbox-exporter'].limits + }, + securityContext: { runAsNonRoot: true, runAsUser: 65534 }, + terminationMessagePath: '/dev/termination-log', + terminationMessagePolicy: 'FallbackToLogsOnError', + volumeMounts: [{ + mountPath: '/etc/blackbox_exporter/', + name: 'config', + readOnly: true + }] + } + ], + nodeSelector: { 'kubernetes.io/os': 'linux' }, + serviceAccountName: 'blackbox-exporter', + volumes: [{ + name: 'config', + configMap: { name: 'blackbox-exporter-configuration' } + }] + } + } + } + }, + + service: { + apiVersion: 'v1', + kind: 'Service', + metadata: { + name: 'blackbox-exporter', + namespace: $._config.namespace, + labels: bb.assignLabels, + }, + spec: { + ports: [{ name: 'http', port: bb.port, targetPort: 'http' }], + 
selector: bb.matchLabels, + } + }, + + serviceMonitor: + { + apiVersion: 'monitoring.coreos.com/v1', + kind: 'ServiceMonitor', + metadata: { + name: 'blackbox-exporter', + labels: bb.assignLabels + }, + spec: { + endpoints: [ { + interval: '30s', + path: '/metrics', + port: 'http' + } ], + selector: { + matchLabels: bb.matchLabels + } + } + } + } +} From c2fb1f42089f0dd22a4e92eb3cf1e52a688b850f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Thu, 26 Nov 2020 22:26:23 +0100 Subject: [PATCH 2/9] include the blackbox exporter mixin by default --- README.md | 3 +-- docs/blackbox-exporter.md | 9 ++------- jsonnet/kube-prometheus/kube-prometheus.libsonnet | 1 + 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 042652b8..c8afb50b 100644 --- a/README.md +++ b/README.md @@ -734,8 +734,7 @@ See [exposing Prometheus/Alertmanager/Grafana](docs/exposing-prometheus-alertman ```jsonnet local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + - // ... other necessary mixins ... - (import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') + + // ... all necessary mixins ... { _config+:: { // ... configuration for other features ... diff --git a/docs/blackbox-exporter.md b/docs/blackbox-exporter.md index 4c3adb97..cb40fd5f 100644 --- a/docs/blackbox-exporter.md +++ b/docs/blackbox-exporter.md 
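Review bot: The pod template in the deployment hunk leaves the ServiceAccount token auto-mounted although nothing in the exporter or the reloader calls the Kubernetes API, and neither `securityContext` branch sets `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true` even though the only volume is already mounted `readOnly`. In the `bb.privileged` branch `runAsNonRoot: false` is set without a `runAsUser`, so whether the added `NET_RAW` capability is actually usable depends on the image's default user and file capabilities, which this hunk does not pin down — worth setting explicitly or documenting. I would add `automountServiceAccountToken: false,` next to `serviceAccountName: 'blackbox-exporter',` and `allowPrivilegeEscalation: false, readOnlyRootFilesystem: true,` to both containers' `securityContext`. The `privileged` default also indexes `self.modules[m].prober` unconditionally, so a user-supplied module object without a `prober` key aborts evaluation instead of failing at the exporter; `std.objectHas(self.modules[m], 'prober') &&` in front of the comparison would give a clearer failure.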
@@ -4,12 +4,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de ## Adding blackbox exporter manifests to an existing `kube-prometheus` configuration -1. Add the blackbox exporter mixin to the list of imports: -``` -(import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') -``` -2. Override blackbox-related configuration parameters as needed. -3. Add the following to the list of renderers to render the blackbox exporter manifests: +1. Override blackbox-related configuration parameters as needed. +2. Add the following to the list of renderers to render the blackbox exporter manifests: ``` { ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } ``` @@ -35,7 +31,6 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de ```jsonnet local kp = (import 'kube-prometheus/kube-prometheus.libsonnet') + - (import 'kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet') { _config+:: { namespace: 'monitoring', diff --git a/jsonnet/kube-prometheus/kube-prometheus.libsonnet b/jsonnet/kube-prometheus/kube-prometheus.libsonnet index 3bfd4768..38bb061e 100644 --- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet +++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet @@ -5,6 +5,7 @@ local kubeRbacProxyContainer = import './kube-rbac-proxy/container.libsonnet'; (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-state-metrics-mixin/mixin.libsonnet') + (import './node-exporter/node-exporter.libsonnet') + (import 'github.com/prometheus/node_exporter/docs/node-mixin/mixin.libsonnet') + +(import './blackbox-exporter/blackbox-exporter.libsonnet') + (import './alertmanager/alertmanager.libsonnet') + (import 'github.com/prometheus/alertmanager/doc/alertmanager-mixin/mixin.libsonnet') + (import 'github.com/prometheus-operator/prometheus-operator/jsonnet/prometheus-operator/prometheus-operator.libsonnet') + 
From 8d53477ec884e907e9f324cdfaad6acf047b9a10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Fri, 27 Nov 2020 13:43:39 +0100 Subject: [PATCH 3/9] put the service monitor for the blackbox exporter in the configured namespace --- .../blackbox-exporter/blackbox-exporter.libsonnet | 1 + 1 file changed, 1 insertion(+) diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet index e8d6c25b..a9b2614a 100644 --- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet @@ -194,6 +194,7 @@ kind: 'ServiceMonitor', metadata: { name: 'blackbox-exporter', + namespace: $._config.namespace, labels: bb.assignLabels }, spec: { From 8b4effaba0fe790121727fe4b7795ecda94ee3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Sat, 28 Nov 2020 21:22:36 +0100 Subject: [PATCH 4/9] update examples and regenerate manifests --- README.md | 1 + ...prometheus-rules-and-grafana-dashboards.md | 1 + example.jsonnet | 1 + examples/kustomize.jsonnet | 1 + kustomization.yaml | 5 ++ .../blackbox-exporter-configuration.yaml | 38 +++++++++++ manifests/blackbox-exporter-deployment.yaml | 67 +++++++++++++++++++ manifests/blackbox-exporter-service.yaml | 15 +++++ .../blackbox-exporter-serviceAccount.yaml | 5 ++ .../blackbox-exporter-serviceMonitor.yaml | 16 +++++ 10 files changed, 150 insertions(+) create mode 100644 manifests/blackbox-exporter-configuration.yaml create mode 100644 manifests/blackbox-exporter-deployment.yaml create mode 100644 manifests/blackbox-exporter-service.yaml create mode 100644 manifests/blackbox-exporter-serviceAccount.yaml create mode 100644 manifests/blackbox-exporter-serviceMonitor.yaml diff --git a/README.md b/README.md index c8afb50b..eff1e4e9 100644 --- a/README.md +++ b/README.md 
@@ -224,6 +224,7 @@ local kp = // serviceMonitor is separated so that it can be created after the CRDs are ready { 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } + { ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } + { ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + { ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + { ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + diff --git a/docs/developing-prometheus-rules-and-grafana-dashboards.md b/docs/developing-prometheus-rules-and-grafana-dashboards.md index ee7be4e0..f9decdcd 100644 --- a/docs/developing-prometheus-rules-and-grafana-dashboards.md +++ b/docs/developing-prometheus-rules-and-grafana-dashboards.md @@ -34,6 +34,7 @@ local kp = // serviceMonitor is separated so that it can be created after the CRDs are ready { 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } + { ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } + { ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + { ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + { ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + diff --git a/example.jsonnet b/example.jsonnet index 15a801f8..a459460d 100644 --- a/example.jsonnet +++ b/example.jsonnet 
@@ -22,6 +22,7 @@ local kp = // serviceMonitor is separated so that it can be created after the CRDs are ready { 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } + { ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + +{ ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } + { ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + { ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + { ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + diff --git a/examples/kustomize.jsonnet b/examples/kustomize.jsonnet index 38dd6c89..7b1cf6a2 100644 --- a/examples/kustomize.jsonnet +++ b/examples/kustomize.jsonnet @@ -16,6 +16,7 @@ local manifests = // serviceMonitor is separated so that it can be created after the CRDs are ready { 'prometheus-operator-serviceMonitor': kp.prometheusOperator.serviceMonitor } + { ['node-exporter-' + name]: kp.nodeExporter[name] for name in std.objectFields(kp.nodeExporter) } + + { ['blackbox-exporter-' + name]: kp.blackboxExporter[name] for name in std.objectFields(kp.blackboxExporter) } + { ['kube-state-metrics-' + name]: kp.kubeStateMetrics[name] for name in std.objectFields(kp.kubeStateMetrics) } + { ['alertmanager-' + name]: kp.alertmanager[name] for name in std.objectFields(kp.alertmanager) } + { ['prometheus-' + name]: kp.prometheus[name] for name in std.objectFields(kp.prometheus) } + diff --git a/kustomization.yaml b/kustomization.yaml index b067b22f..bd00d54f 100644 --- a/kustomization.yaml +++ b/kustomization.yaml 
@@ -6,6 +6,11 @@ resources: - ./manifests/alertmanager-service.yaml - ./manifests/alertmanager-serviceAccount.yaml - ./manifests/alertmanager-serviceMonitor.yaml +- ./manifests/blackbox-exporter-configuration.yaml +- ./manifests/blackbox-exporter-deployment.yaml +- ./manifests/blackbox-exporter-service.yaml +- ./manifests/blackbox-exporter-serviceAccount.yaml +- ./manifests/blackbox-exporter-serviceMonitor.yaml - ./manifests/grafana-dashboardDatasources.yaml - ./manifests/grafana-dashboardDefinitions.yaml - ./manifests/grafana-dashboardSources.yaml diff --git a/manifests/blackbox-exporter-configuration.yaml b/manifests/blackbox-exporter-configuration.yaml new file mode 100644 index 00000000..497945ec --- /dev/null +++ b/manifests/blackbox-exporter-configuration.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yml: |- + "modules": + "http_2xx": + "prober": "http" + "http_post_2xx": + "http": + "method": "POST" + "prober": "http" + "irc_banner": + "prober": "tcp" + "tcp": + "query_response": + - "send": "NICK prober" + - "send": "USER prober prober prober :prober" + - "expect": "PING :([^ ]+)" + "send": "PONG ${1}" + - "expect": "^:[^ ]+ 001" + "pop3s_banner": + "prober": "tcp" + "tcp": + "query_response": + - "expect": "^+OK" + "tls": true + "tls_config": + "insecure_skip_verify": false + "ssh_banner": + "prober": "tcp" + "tcp": + "query_response": + - "expect": "^SSH-2.0-" + "tcp_connect": + "prober": "tcp" +kind: ConfigMap +metadata: + name: blackbox-exporter-configuration + namespace: monitoring diff --git a/manifests/blackbox-exporter-deployment.yaml b/manifests/blackbox-exporter-deployment.yaml new file mode 100644 index 00000000..c7874949 --- /dev/null +++ b/manifests/blackbox-exporter-deployment.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: blackbox-exporter + app.kubernetes.io/version: v0.18.0 + name: blackbox-exporter + namespace: monitoring +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: blackbox-exporter + template: + metadata: + labels: + app.kubernetes.io/name: blackbox-exporter + app.kubernetes.io/version: v0.18.0 + spec: + containers: + - image: quay.io/prometheus/blackbox-exporter:v0.18.0 + name: blackbox-exporter + ports: + - containerPort: 9115 + name: http + resources: + limits: + cpu: 20m + memory: 40Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + volumeMounts: + - mountPath: /etc/blackbox_exporter/ + name: config + readOnly: true + - args: + - --webhook-url=http://localhost:9115/-/reload + - --volume-dir=/etc/blackbox_exporter/ + image: jimmidyson/configmap-reload:v0.4.0 + name: module-configmap-reloader + resources: + limits: + cpu: 20m + memory: 40Mi + requests: + cpu: 10m + memory: 20Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/blackbox_exporter/ + name: config + readOnly: true + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: blackbox-exporter + volumes: + - configMap: + name: blackbox-exporter-configuration + name: config diff --git a/manifests/blackbox-exporter-service.yaml b/manifests/blackbox-exporter-service.yaml new file mode 100644 index 00000000..b4895e71 --- /dev/null +++ b/manifests/blackbox-exporter-service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: blackbox-exporter + app.kubernetes.io/version: v0.18.0 + name: blackbox-exporter + namespace: monitoring +spec: + ports: + - name: http + port: 9115 + targetPort: http + selector: + app.kubernetes.io/name: blackbox-exporter 
diff --git a/manifests/blackbox-exporter-serviceAccount.yaml b/manifests/blackbox-exporter-serviceAccount.yaml new file mode 100644 index 00000000..ac2acefb --- /dev/null +++ b/manifests/blackbox-exporter-serviceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: blackbox-exporter + namespace: monitoring diff --git a/manifests/blackbox-exporter-serviceMonitor.yaml b/manifests/blackbox-exporter-serviceMonitor.yaml new file mode 100644 index 00000000..ae39c5a8 --- /dev/null +++ b/manifests/blackbox-exporter-serviceMonitor.yaml @@ -0,0 +1,16 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app.kubernetes.io/name: blackbox-exporter + app.kubernetes.io/version: v0.18.0 + name: blackbox-exporter + namespace: monitoring +spec: + endpoints: + - interval: 30s + path: /metrics + port: http + selector: + matchLabels: + app.kubernetes.io/name: blackbox-exporter From 97aaa1f534a1fa34a7c95d669892696128dcd135 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Sat, 28 Nov 2020 21:40:21 +0100 Subject: [PATCH 5/9] accept formatting changes made by jsonnetfmt --- .../blackbox-exporter.libsonnet | 106 +++++++++--------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet index a9b2614a..06599f94 100644 --- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet +++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet 
@@ -4,19 +4,19 @@ versions+:: { blackboxExporter: 'v0.18.0', - configmapReloader: 'v0.4.0' + configmapReloader: 'v0.4.0', }, imageRepos+:: { blackboxExporter: 'quay.io/prometheus/blackbox-exporter', - configmapReloader: 'jimmidyson/configmap-reload' + configmapReloader: 'jimmidyson/configmap-reload', }, resources+:: { 'blackbox-exporter': { requests: { cpu: '10m', memory: '20Mi' }, limits: { cpu: '20m', memory: '40Mi' }, - } + }, }, blackboxExporter: { @@ -25,41 +25,41 @@ matchLabels: { 'app.kubernetes.io/name': 'blackbox-exporter', }, - assignLabels: self.matchLabels + { - 'app.kubernetes.io/version': $._config.versions.blackboxExporter + assignLabels: self.matchLabels { + 'app.kubernetes.io/version': $._config.versions.blackboxExporter, }, modules: { http_2xx: { - prober: 'http' + prober: 'http', }, http_post_2xx: { prober: 'http', http: { - method: 'POST' - } + method: 'POST', + }, }, tcp_connect: { - prober: 'tcp' + prober: 'tcp', }, pop3s_banner: { prober: 'tcp', tcp: { query_response: [ - { expect: '^+OK' } + { expect: '^+OK' }, ], tls: true, tls_config: { - insecure_skip_verify: false - } - } + insecure_skip_verify: false, + }, + }, }, ssh_banner: { prober: 'tcp', tcp: { query_response: [ - { expect: '^SSH-2.0-' } - ] - } + { expect: '^SSH-2.0-' }, + ], + }, }, irc_banner: { prober: 'tcp', @@ -68,15 +68,15 @@ { send: 'NICK prober' }, { send: 'USER prober prober prober :prober' }, { expect: 'PING :([^ ]+)', send: 'PONG ${1}' }, - { expect: '^:[^ ]+ 001' } - ] - } + { expect: '^:[^ ]+ 001' }, + ], + }, }, }, privileged: local icmpModules = [self.modules[m] for m in std.objectFields(self.modules) if self.modules[m].prober == 'icmp']; - std.length(icmpModules) > 0 - } + std.length(icmpModules) > 0, + }, }, blackboxExporter+:: 
@@ -87,11 +87,11 @@ kind: 'ConfigMap', metadata: { name: 'blackbox-exporter-configuration', - namespace: $._config.namespace + namespace: $._config.namespace, }, data: { - 'config.yml': std.manifestYamlDoc({ modules: bb.modules }) - } + 'config.yml': std.manifestYamlDoc({ modules: bb.modules }), + }, }, serviceAccount: { @@ -127,31 +127,31 @@ }], resources: { requests: $._config.resources['blackbox-exporter'].requests, - limits: $._config.resources['blackbox-exporter'].limits + limits: $._config.resources['blackbox-exporter'].limits, }, securityContext: if bb.privileged then { - runAsNonRoot: false, - capabilities: { drop: [ 'ALL' ], add: [ 'NET_RAW'] } - } else { - runAsNonRoot: true, - runAsUser: 65534 - }, + runAsNonRoot: false, + capabilities: { drop: ['ALL'], add: ['NET_RAW'] }, + } else { + runAsNonRoot: true, + runAsUser: 65534, + }, volumeMounts: [{ mountPath: '/etc/blackbox_exporter/', name: 'config', - readOnly: true - }] + readOnly: true, + }], }, { name: 'module-configmap-reloader', image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader, args: [ '--webhook-url=http://localhost:' + bb.port + '/-/reload', - '--volume-dir=/etc/blackbox_exporter/' + '--volume-dir=/etc/blackbox_exporter/', ], resources: { requests: $._config.resources['blackbox-exporter'].requests, - limits: $._config.resources['blackbox-exporter'].limits + limits: $._config.resources['blackbox-exporter'].limits, }, securityContext: { runAsNonRoot: true, runAsUser: 65534 }, terminationMessagePath: '/dev/termination-log', @@ -159,19 +159,19 @@ volumeMounts: [{ mountPath: '/etc/blackbox_exporter/', name: 'config', - readOnly: true - }] - } + readOnly: true, + }], + }, ], nodeSelector: { 'kubernetes.io/os': 'linux' }, serviceAccountName: 'blackbox-exporter', volumes: [{ name: 'config', - configMap: { name: 'blackbox-exporter-configuration' } - }] - } - } - } + configMap: { name: 'blackbox-exporter-configuration' }, + }], + }, + }, + }, }, service: { 
@@ -185,7 +185,7 @@ spec: { ports: [{ name: 'http', port: bb.port, targetPort: 'http' }], selector: bb.matchLabels, - } + }, }, serviceMonitor: @@ -195,18 +195,18 @@ metadata: { name: 'blackbox-exporter', namespace: $._config.namespace, - labels: bb.assignLabels + labels: bb.assignLabels, }, spec: { - endpoints: [ { + endpoints: [{ interval: '30s', path: '/metrics', - port: 'http' - } ], + port: 'http', + }], selector: { - matchLabels: bb.matchLabels - } - } - } - } + matchLabels: bb.matchLabels, + }, + }, + }, + }, } From eda90b68333b8e8b2230c96036f5d213e9508aa8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?= Date: Sat, 26 Dec 2020 11:21:04 +0100 Subject: [PATCH 6/9] put blackbox-exporter behind kube-rbac-proxy --- docs/blackbox-exporter.md | 3 ++- .../blackbox-exporter.libsonnet | 26 ++++++++++++++++--- manifests/blackbox-exporter-deployment.yaml | 21 ++++++++++++--- 3 files changed, 43 insertions(+), 7 deletions(-) diff --git a/docs/blackbox-exporter.md b/docs/blackbox-exporter.md index cb40fd5f..9136944d 100644 --- a/docs/blackbox-exporter.md +++ b/docs/blackbox-exporter.md 
@@ -19,7 +19,8 @@ The `prometheus-operator` defines a `Probe` resource type that can be used to de
 * `_config.versions.configmapReloader`: the tag of the ConfigMap reloader image to deploy. Defaults to the version `kube-prometheus` was tested with.
 * `_config.resources.blackbox-exporter.requests`: the requested resources; this is used for each container. Defaults to `10m` CPU and `20Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
 * `_config.resources.blackbox-exporter.limits`: the resource limits; this is used for each container. Defaults to `20m` CPU and `40Mi` RAM. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
-* `_config.blackboxExporter.port`: the port of the exporter. Defaults to `9115`.
+* `_config.blackboxExporter.port`: the exposed HTTPS port of the exporter. This is where Prometheus should send the probe requests. Defaults to `9115`.
+* `_config.blackboxExporter.internalPort`: the internal plaintext port of the exporter. Not accessible from outside the pod. Defaults to `19115`.
 * `_config.blackboxExporter.replicas`: the number of exporter replicas to be deployed. Defaults to `1`.
 * `_config.blackboxExporter.matchLabels`: map of the labels to be used to select resources belonging to the instance deployed. Defaults to `{ 'app.kubernetes.io/name': 'blackbox-exporter' }`
 * `_config.blackboxExporter.assignLabels`: map of the labels applied to components of the instance deployed. Defaults to all the labels included in the `matchLabels` option, and additionally `app.kubernetes.io/version` is set to the version of the blackbox exporter.
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 06599f94..fcd2280b 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -1,3 +1,5 @@
+local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
+
 {
 _config+:: {
 namespace: 'default',
@@ -21,6 +23,7 @@
 blackboxExporter: {
 port: 9115,
+ internalPort: 19115,
 replicas: 1,
 matchLabels: {
 'app.kubernetes.io/name': 'blackbox-exporter',
@@ -121,9 +124,13 @@
 {
 name: 'blackbox-exporter',
 image: $._config.imageRepos.blackboxExporter + ':' + $._config.versions.blackboxExporter,
+ args: [
+ '--config.file=/etc/blackbox_exporter/config.yml',
+ '--web.listen-address=:%d' % bb.internalPort,
+ ],
 ports: [{
 name: 'http',
- containerPort: bb.port,
+ containerPort: bb.internalPort,
 }],
 resources: {
 requests: $._config.resources['blackbox-exporter'].requests,
@@ -146,7 +153,7 @@
 name: 'module-configmap-reloader',
 image: $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
 args: [
- '--webhook-url=http://localhost:' + bb.port + '/-/reload',
+ '--webhook-url=http://localhost:%d/-/reload' % bb.internalPort,
 '--volume-dir=/etc/blackbox_exporter/',
 ],
 resources: {
@@ -208,5 +215,18 @@
 },
 },
 },
- },
+ } +
+ (kubeRbacProxyContainer {
+ config+:: {
+ kubeRbacProxy: {
+ image: $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy,
+ name: 'kube-rbac-proxy',
+ securePortName: 'https',
+ securePort: bb.port,
+ secureListenAddress: ':%d' % self.securePort,
+ upstream: 'http://127.0.0.1:%d/' % bb.internalPort,
+ tlsCipherSuites: $._config.tlsCipherSuites,
+ },
+ },
+ }).deploymentMixin,
 }
diff --git a/manifests/blackbox-exporter-deployment.yaml b/manifests/blackbox-exporter-deployment.yaml
index c7874949..3a4bd821 100644
--- a/manifests/blackbox-exporter-deployment.yaml
+++ b/manifests/blackbox-exporter-deployment.yaml
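Review bot: In hunk `@@ -121,9 +124,13 @@` the exporter is started with `'--web.listen-address=:%d' % bb.internalPort`, which binds the plaintext listener on every interface of the pod, so port 19115 stays reachable from other pods via the pod IP and kube-rbac-proxy can be bypassed; the accompanying docs line ("Not accessible from outside the pod") is therefore not accurate as written. Both consumers visible in this diff reach the exporter over loopback — the reloader via `localhost` and the proxy via `upstream: 'http://127.0.0.1:%d/'` — so binding to loopback costs nothing: `'--web.listen-address=127.0.0.1:%d' % bb.internalPort,`. The generated manifest in the next hunk (`--web.listen-address=:19115`) would pick the same change up on regeneration. The `containerPort: bb.internalPort` entry named `http` then describes a port that is not meant to be reached from outside the pod; a short comment such as `// loopback-only; external traffic enters through the kube-rbac-proxy container's https port.` would make that explicit.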
@@ -18,10 +18,13 @@ spec:
 app.kubernetes.io/version: v0.18.0
 spec:
 containers:
- - image: quay.io/prometheus/blackbox-exporter:v0.18.0
+ - args:
+ - --config.file=/etc/blackbox_exporter/config.yml
+ - --web.listen-address=:19115
+ image: quay.io/prometheus/blackbox-exporter:v0.18.0
 name: blackbox-exporter
 ports:
- - containerPort: 9115
+ - containerPort: 19115
 name: http
 resources:
 limits:
@@ -38,7 +41,7 @@ spec:
 name: config
 readOnly: true
 - args:
- - --webhook-url=http://localhost:9115/-/reload
+ - --webhook-url=http://localhost:19115/-/reload
 - --volume-dir=/etc/blackbox_exporter/
 image: jimmidyson/configmap-reload:v0.4.0
 name: module-configmap-reloader
@@ -58,6 +61,18 @@ spec:
 - mountPath: /etc/blackbox_exporter/
 name: config
 readOnly: true
+ - args:
+ - --logtostderr
+ - --secure-listen-address=:9115
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - --upstream=http://127.0.0.1:19115/
+ image: quay.io/brancz/kube-rbac-proxy:v0.8.0
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 9115
+ name: https
+ securityContext:
+ runAsUser: 65534
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: blackbox-exporter
From 66aca046886c36288114b051b9e139dc091df6e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?=
Date: Sat, 26 Dec 2020 13:13:36 +0100
Subject: [PATCH 7/9] monitor blackbox-exporter over https
---
 .../blackbox-exporter/blackbox-exporter.libsonnet | 6 +++++-
 manifests/blackbox-exporter-service.yaml | 2 +-
 manifests/blackbox-exporter-serviceMonitor.yaml | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index fcd2280b..91f2d29f 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -190,7 +190,7 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
 labels: bb.assignLabels,
 },
 spec: {
- ports: [{ name: 'http', port: bb.port, targetPort: 'http' }],
+ ports: [{ name: 'http', port: bb.port, targetPort: 'https' }],
 selector: bb.matchLabels,
 },
 },
@@ -209,6 +209,10 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
 interval: '30s',
 path: '/metrics',
 port: 'http',
+ scheme: 'https',
+ tlsConfig: {
+ insecureSkipVerify: true,
+ },
 }],
 selector: {
 matchLabels: bb.matchLabels,
diff --git a/manifests/blackbox-exporter-service.yaml b/manifests/blackbox-exporter-service.yaml
index b4895e71..587fff2b 100644
--- a/manifests/blackbox-exporter-service.yaml
+++ b/manifests/blackbox-exporter-service.yaml
@@ -10,6 +10,6 @@ spec:
 ports:
 - name: http
 port: 9115
- targetPort: http
+ targetPort: https
 selector:
 app.kubernetes.io/name: blackbox-exporter
diff --git a/manifests/blackbox-exporter-serviceMonitor.yaml b/manifests/blackbox-exporter-serviceMonitor.yaml
index ae39c5a8..add64359 100644
--- a/manifests/blackbox-exporter-serviceMonitor.yaml
+++ b/manifests/blackbox-exporter-serviceMonitor.yaml
@@ -11,6 +11,9 @@ spec:
 - interval: 30s
 path: /metrics
 port: http
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
 selector:
 matchLabels:
 app.kubernetes.io/name: blackbox-exporter
From dcd99f7d6834df5e2800c8cdc8703c003cb50bec Mon Sep 17 00:00:00 2001
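Review bot: In hunk `@@ -190,7 +190,7 @@` the Service port keeps the name `'http'` while its `targetPort` becomes `'https'`, and the ServiceMonitor in the following hunk scrapes `port: 'http'` with `scheme: 'https'`; the port name now contradicts the protocol it carries and is what anyone writing a Probe or dashboard will see. Renaming it consistently — `ports: [{ name: 'https', port: bb.port, targetPort: 'https' }]` in the Service and `port: 'https'` in the ServiceMonitor endpoint — removes the mismatch, and the two generated manifests below would follow on regeneration. The added `tlsConfig: { insecureSkipVerify: true }` deserves a why-comment, because it disables server authentication for the scrape: as far as visible, the kube-rbac-proxy container is started without certificate flags and therefore serves a self-signed certificate, so something like `// kube-rbac-proxy serves a self-signed certificate by default; replace with tlsConfig.caFile/serverName once a CA-issued cert is mounted.` records the trade-off for the next maintainer.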
From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?=
Date: Sat, 26 Dec 2020 13:14:40 +0100
Subject: [PATCH 8/9] set up authorization for blackbox-exporter
---
 .../blackbox-exporter.libsonnet | 39 +++++++++++++++++++
 kustomization.yaml | 2 +
 manifests/blackbox-exporter-clusterRole.yaml | 17 ++++++++
 .../blackbox-exporter-clusterRoleBinding.yaml | 12 ++++++
 .../blackbox-exporter-serviceMonitor.yaml | 3 +-
 5 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 manifests/blackbox-exporter-clusterRole.yaml
 create mode 100644 manifests/blackbox-exporter-clusterRoleBinding.yaml
diff --git a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
index 91f2d29f..8bd08e12 100644
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -106,6 +106,44 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
 },
 },
+ clusterRole: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ rules: [
+ {
+ apiGroups: ['authentication.k8s.io'],
+ resources: ['tokenreviews'],
+ verbs: ['create'],
+ },
+ {
+ apiGroups: ['authorization.k8s.io'],
+ resources: ['subjectaccessreviews'],
+ verbs: ['create'],
+ },
+ ],
+ },
+
+ clusterRoleBinding: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRoleBinding',
+ metadata: {
+ name: 'blackbox-exporter',
+ },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'blackbox-exporter',
+ },
+ subjects: [{
+ kind: 'ServiceAccount',
+ name: 'blackbox-exporter',
+ namespace: $._config.namespace,
+ }],
+ },
+
 deployment: {
 apiVersion: 'apps/v1',
 kind: 'Deployment',
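Review bot: In hunk `@@ -106,6 +106,44 @@` the new ClusterRole and ClusterRoleBinding are cluster-scoped but carry the fixed name `'blackbox-exporter'`, while the binding's subject is namespaced by `$._config.namespace`; two instances rendered for different namespaces would therefore contend for the same ClusterRoleBinding and only the last one applied keeps its subject. If deploying into more than one namespace is meant to be supported, derive the names from the namespace (e.g. `name: 'blackbox-exporter-' + $._config.namespace`) or carry the extra subjects in a single binding; otherwise a comment stating the assumption, `// cluster-scoped and fixed-name: assumes a single blackbox-exporter instance per cluster`, makes the limitation explicit. The rules themselves are appropriately narrow — `create` on `tokenreviews` and `subjectaccessreviews` is what kube-rbac-proxy needs for delegated authentication and authorization and nothing more.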
@@ -206,6 +244,7 @@ local kubeRbacProxyContainer = import '../kube-rbac-proxy/container.libsonnet';
 },
 spec: {
 endpoints: [{
+ bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
 interval: '30s',
 path: '/metrics',
 port: 'http',
diff --git a/kustomization.yaml b/kustomization.yaml
index bd00d54f..7066018a 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
 - ./manifests/alertmanager-service.yaml
 - ./manifests/alertmanager-serviceAccount.yaml
 - ./manifests/alertmanager-serviceMonitor.yaml
+- ./manifests/blackbox-exporter-clusterRole.yaml
+- ./manifests/blackbox-exporter-clusterRoleBinding.yaml
 - ./manifests/blackbox-exporter-configuration.yaml
 - ./manifests/blackbox-exporter-deployment.yaml
 - ./manifests/blackbox-exporter-service.yaml
diff --git a/manifests/blackbox-exporter-clusterRole.yaml b/manifests/blackbox-exporter-clusterRole.yaml
new file mode 100644
index 00000000..c7824058
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRole.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: blackbox-exporter
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
diff --git a/manifests/blackbox-exporter-clusterRoleBinding.yaml b/manifests/blackbox-exporter-clusterRoleBinding.yaml
new file mode 100644
index 00000000..7b3ae320
--- /dev/null
+++ b/manifests/blackbox-exporter-clusterRoleBinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: blackbox-exporter
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: blackbox-exporter
+subjects:
+- kind: ServiceAccount
+ name: blackbox-exporter
+ namespace: monitoring
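Review bot: In hunk `@@ -206,6 +244,7 @@` the added `bearerTokenFile` authenticates only the `/metrics` scrape, but after the previous commits every request on `bb.port` — including the probe requests the docs say Prometheus should send there — passes through kube-rbac-proxy, and nothing in this series grants or documents the authorization needed for `/probe` or changes the documented prober URL to HTTPS. The kubeRbacProxy block in the libsonnet sets no authorization options, so presumably the proxy's default per-path SubjectAccessReview applies and the Prometheus service account would need a matching `nonResourceURLs` rule for `/probe` — confirm against the kube-rbac-proxy version pinned here. Either extend docs/blackbox-exporter.md with the required RBAC rule and the HTTPS/bearer-token prober settings, or record the gap next to the endpoint, e.g. `// Probe traffic also passes kube-rbac-proxy: Prometheus needs authorization for /probe and must use scheme https.`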
diff --git a/manifests/blackbox-exporter-serviceMonitor.yaml b/manifests/blackbox-exporter-serviceMonitor.yaml
index add64359..81eec23d 100644
--- a/manifests/blackbox-exporter-serviceMonitor.yaml
+++ b/manifests/blackbox-exporter-serviceMonitor.yaml
@@ -8,7 +8,8 @@ metadata:
 namespace: monitoring
 spec:
 endpoints:
- - interval: 30s
+ - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ interval: 30s
 path: /metrics
 port: http
 scheme: https
From 5083ae2e894e102ce5e70d6c44644fd536e80b51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=81LFALVI=20Tam=C3=A1s?=
Date: Wed, 30 Dec 2020 23:12:45 +0100
Subject: [PATCH 9/9] regenerate manifests
---
 manifests/blackbox-exporter-deployment.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/manifests/blackbox-exporter-deployment.yaml b/manifests/blackbox-exporter-deployment.yaml
index 3a4bd821..ca71dafb 100644
--- a/manifests/blackbox-exporter-deployment.yaml
+++ b/manifests/blackbox-exporter-deployment.yaml
@@ -72,7 +72,9 @@ spec:
 - containerPort: 9115
 name: https
 securityContext:
- runAsUser: 65534
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: blackbox-exporter