jsonnet: format

2021-01-12 16:03:13 +01:00
parent b5ab602911
commit d00a923299
6 changed files with 325 additions and 326 deletions
--- a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
@@ -58,8 +58,6 @@ local defaults = {
 };
 function(params) {
  local am = self,
  config:: defaults + params,
--- a/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/blackbox-exporter/blackbox-exporter.libsonnet
@@ -92,191 +92,191 @@ function(params) {
  // Safety check
  assert std.isObject(bb.config.resources),
-      configuration: {
+  configuration: {
-        apiVersion: 'v1',
+    apiVersion: 'v1',
-        kind: 'ConfigMap',
+    kind: 'ConfigMap',
-        metadata: {
+    metadata: {
-          name: 'blackbox-exporter-configuration',
+      name: 'blackbox-exporter-configuration',
-          namespace: bb.config.namespace,
+      namespace: bb.config.namespace,
-          labels: bb.config.commonLabels,
+      labels: bb.config.commonLabels,
-        },
+    },
-        data: {
+    data: {
-          'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
+      'config.yml': std.manifestYamlDoc({ modules: bb.config.modules }),
-        },
+    },
  },
  serviceAccount: {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: {
      name: 'blackbox-exporter',
      namespace: bb.config.namespace,
    },
  },
  clusterRole: {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRole',
    metadata: {
      name: 'blackbox-exporter',
    },
    rules: [
      {
        apiGroups: ['authentication.k8s.io'],
        resources: ['tokenreviews'],
        verbs: ['create'],
      },
-
+      {
-      serviceAccount: {
+        apiGroups: ['authorization.k8s.io'],
-        apiVersion: 'v1',
+        resources: ['subjectaccessreviews'],
-        kind: 'ServiceAccount',
+        verbs: ['create'],
        metadata: {
          name: 'blackbox-exporter',
          namespace: bb.config.namespace,
        },
      },
    ],
  },
-      clusterRole: {
+  clusterRoleBinding: {
-        apiVersion: 'rbac.authorization.k8s.io/v1',
+    apiVersion: 'rbac.authorization.k8s.io/v1',
-        kind: 'ClusterRole',
+    kind: 'ClusterRoleBinding',
-        metadata: {
+    metadata: {
-          name: 'blackbox-exporter',
+      name: 'blackbox-exporter',
-        },
+    },
-        rules: [
+    roleRef: {
-          {
+      apiGroup: 'rbac.authorization.k8s.io',
-            apiGroups: ['authentication.k8s.io'],
+      kind: 'ClusterRole',
-            resources: ['tokenreviews'],
+      name: 'blackbox-exporter',
-            verbs: ['create'],
+    },
-          },
+    subjects: [{
-          {
+      kind: 'ServiceAccount',
-            apiGroups: ['authorization.k8s.io'],
+      name: 'blackbox-exporter',
-            resources: ['subjectaccessreviews'],
+      namespace: bb.config.namespace,
-            verbs: ['create'],
+    }],
-          },
+  },
-        ],
+
  deployment:
    local blackboxExporter = {
      name: 'blackbox-exporter',
      image: bb.config.image,
      args: [
        '--config.file=/etc/blackbox_exporter/config.yml',
        '--web.listen-address=:%d' % bb.config.internalPort,
      ],
      ports: [{
        name: 'http',
        containerPort: bb.config.internalPort,
      }],
      resources: bb.config.resources,
      securityContext: if bb.config.privileged then {
        runAsNonRoot: false,
        capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
      } else {
        runAsNonRoot: true,
        runAsUser: 65534,
      },
      volumeMounts: [{
        mountPath: '/etc/blackbox_exporter/',
        name: 'config',
        readOnly: true,
      }],
    };
-      clusterRoleBinding: {
+    local reloader = {
-        apiVersion: 'rbac.authorization.k8s.io/v1',
+      name: 'module-configmap-reloader',
-        kind: 'ClusterRoleBinding',
+      image: bb.config.configmapReloaderImage,
-        metadata: {
+      args: [
-          name: 'blackbox-exporter',
+        '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
-        },
+        '--volume-dir=/etc/blackbox_exporter/',
-        roleRef: {
+      ],
-          apiGroup: 'rbac.authorization.k8s.io',
+      resources: bb.config.resources,
-          kind: 'ClusterRole',
+      securityContext: { runAsNonRoot: true, runAsUser: 65534 },
-          name: 'blackbox-exporter',
+      terminationMessagePath: '/dev/termination-log',
-        },
+      terminationMessagePolicy: 'FallbackToLogsOnError',
-        subjects: [{
+      volumeMounts: [{
-          kind: 'ServiceAccount',
+        mountPath: '/etc/blackbox_exporter/',
-          name: 'blackbox-exporter',
+        name: 'config',
-          namespace: bb.config.namespace,
+        readOnly: true,
-        }],
+      }],
    };
    local kubeRbacProxy = krp({
      name: 'kube-rbac-proxy',
      upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
      secureListenAddress: ':' + bb.config.port,
      ports: [
        { name: 'https', containerPort: bb.config.port },
      ],
    });
    {
      apiVersion: 'apps/v1',
      kind: 'Deployment',
      metadata: {
        name: 'blackbox-exporter',
        namespace: bb.config.namespace,
        labels: bb.config.commonLabels,
      },
-
+      spec: {
-      deployment:
+        replicas: bb.config.replicas,
-        local blackboxExporter = {
+        selector: { matchLabels: bb.config.selectorLabels },
-          name: 'blackbox-exporter',
+        template: {
-          image: bb.config.image,
+          metadata: { labels: bb.config.commonLabels },
          args: [
            '--config.file=/etc/blackbox_exporter/config.yml',
            '--web.listen-address=:%d' % bb.config.internalPort,
          ],
          ports: [{
            name: 'http',
            containerPort: bb.config.internalPort,
          }],
          resources: bb.config.resources,
          securityContext: if bb.config.privileged then {
            runAsNonRoot: false,
            capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
          } else {
            runAsNonRoot: true,
            runAsUser: 65534,
          },
          volumeMounts: [{
            mountPath: '/etc/blackbox_exporter/',
            name: 'config',
            readOnly: true,
          }],
        };
        local reloader = {
          name: 'module-configmap-reloader',
          image: bb.config.configmapReloaderImage,
          args: [
            '--webhook-url=http://localhost:%d/-/reload' % bb.config.internalPort,
            '--volume-dir=/etc/blackbox_exporter/',
          ],
          resources: bb.config.resources,
          securityContext: { runAsNonRoot: true, runAsUser: 65534 },
          terminationMessagePath: '/dev/termination-log',
          terminationMessagePolicy: 'FallbackToLogsOnError',
          volumeMounts: [{
            mountPath: '/etc/blackbox_exporter/',
            name: 'config',
            readOnly: true,
          }],
        };
        local kubeRbacProxy = krp({
          name: 'kube-rbac-proxy',
          upstream: 'http://127.0.0.1:' + bb.config.internalPort + '/',
          secureListenAddress: ':' + bb.config.port,
          ports: [
            { name: 'https', containerPort: bb.config.port },
          ],
        });
        {
          apiVersion: 'apps/v1',
          kind: 'Deployment',
          metadata: {
            name: 'blackbox-exporter',
            namespace: bb.config.namespace,
            labels: bb.config.commonLabels,
          },
          spec: {
-            replicas: bb.config.replicas,
+            containers: [blackboxExporter, reloader, kubeRbacProxy],
-            selector: { matchLabels: bb.config.selectorLabels },
+            nodeSelector: { 'kubernetes.io/os': 'linux' },
-            template: {
+            serviceAccountName: 'blackbox-exporter',
-              metadata: { labels: bb.config.commonLabels },
+            volumes: [{
-              spec: {
+              name: 'config',
-                containers: [blackboxExporter, reloader, kubeRbacProxy],
+              configMap: { name: 'blackbox-exporter-configuration' },
                nodeSelector: { 'kubernetes.io/os': 'linux' },
                serviceAccountName: 'blackbox-exporter',
                volumes: [{
                  name: 'config',
                  configMap: { name: 'blackbox-exporter-configuration' },
                }],
              },
            },
          },
        },
      service: {
        apiVersion: 'v1',
        kind: 'Service',
        metadata: {
          name: 'blackbox-exporter',
          namespace: bb.config.namespace,
          labels: bb.config.commonLabels,
        },
        spec: {
          ports: [{
            name: 'https',
            port: bb.config.port,
            targetPort: 'https',
          }, {
            name: 'probe',
            port: bb.config.internalPort,
            targetPort: 'http',
          }],
          selector: bb.config.selectorLabels,
        },
      },
      serviceMonitor:
        {
          apiVersion: 'monitoring.coreos.com/v1',
          kind: 'ServiceMonitor',
          metadata: {
            name: 'blackbox-exporter',
            namespace: bb.config.namespace,
            labels: bb.config.commonLabels,
          },
          spec: {
            endpoints: [{
              bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
              interval: '30s',
              path: '/metrics',
              port: 'https',
              scheme: 'https',
              tlsConfig: {
                insecureSkipVerify: true,
              },
            }],
            selector: {
              matchLabels: bb.config.selectorLabels,
            },
          },
        },
-    }
+      },
    },
  service: {
    apiVersion: 'v1',
    kind: 'Service',
    metadata: {
      name: 'blackbox-exporter',
      namespace: bb.config.namespace,
      labels: bb.config.commonLabels,
    },
    spec: {
      ports: [{
        name: 'https',
        port: bb.config.port,
        targetPort: 'https',
      }, {
        name: 'probe',
        port: bb.config.internalPort,
        targetPort: 'http',
      }],
      selector: bb.config.selectorLabels,
    },
  },
  serviceMonitor:
    {
      apiVersion: 'monitoring.coreos.com/v1',
      kind: 'ServiceMonitor',
      metadata: {
        name: 'blackbox-exporter',
        namespace: bb.config.namespace,
        labels: bb.config.commonLabels,
      },
      spec: {
        endpoints: [{
          bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
          interval: '30s',
          path: '/metrics',
          port: 'https',
          scheme: 'https',
          tlsConfig: {
            insecureSkipVerify: true,
          },
        }],
        selector: {
          matchLabels: bb.config.selectorLabels,
        },
      },
    },
 }
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -9,33 +9,33 @@ local defaults = {
    limits: { cpu: '20m', memory: '40Mi' },
  },
  tlsCipherSuites: [
-      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
+    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
-      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
+    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',  // required by h2: http://golang.org/cl/30721
-      // 'TLS_RSA_WITH_RC4_128_SHA',                // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_RSA_WITH_RC4_128_SHA',                // insecure: https://access.redhat.com/security/cve/cve-2013-2566
-      // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',           // insecure: https://access.redhat.com/articles/2548661
+    // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',           // insecure: https://access.redhat.com/articles/2548661
-      // 'TLS_RSA_WITH_AES_128_CBC_SHA',            // disabled by h2
+    // 'TLS_RSA_WITH_AES_128_CBC_SHA',            // disabled by h2
-      // 'TLS_RSA_WITH_AES_256_CBC_SHA',            // disabled by h2
+    // 'TLS_RSA_WITH_AES_256_CBC_SHA',            // disabled by h2
-      // 'TLS_RSA_WITH_AES_128_CBC_SHA256',         // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+    // 'TLS_RSA_WITH_AES_128_CBC_SHA256',         // insecure: https://access.redhat.com/security/cve/cve-2013-0169
-      // 'TLS_RSA_WITH_AES_128_GCM_SHA256',         // disabled by h2
+    // 'TLS_RSA_WITH_AES_128_GCM_SHA256',         // disabled by h2
-      // 'TLS_RSA_WITH_AES_256_GCM_SHA384',         // disabled by h2
+    // 'TLS_RSA_WITH_AES_256_GCM_SHA384',         // disabled by h2
-      // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',        // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',        // insecure: https://access.redhat.com/security/cve/cve-2013-2566
-      // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',    // disabled by h2
+    // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',    // disabled by h2
-      // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',    // disabled by h2
+    // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',    // disabled by h2
-      // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',          // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+    // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',          // insecure: https://access.redhat.com/security/cve/cve-2013-2566
-      // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',     // insecure: https://access.redhat.com/articles/2548661
+    // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',     // insecure: https://access.redhat.com/articles/2548661
-      // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',      // disabled by h2
+    // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',      // disabled by h2
-      // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',      // disabled by h2
+    // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',      // disabled by h2
-      // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+    // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', // insecure: https://access.redhat.com/security/cve/cve-2013-0169
-      // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',   // insecure: https://access.redhat.com/security/cve/cve-2013-0169
+    // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',   // insecure: https://access.redhat.com/security/cve/cve-2013-0169
-      // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
+    // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
-      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
-      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
-      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
-      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+    'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
-    ],
+  ],
 };
@@ -45,19 +45,19 @@ function(params) {
  // Safety check
  assert std.isObject(krp.config.resources),
-    name: krp.config.name,
+  name: krp.config.name,
-    image: krp.config.image,
+  image: krp.config.image,
-    args: [
+  args: [
-      '--logtostderr',
+    '--logtostderr',
-      '--secure-listen-address=' + krp.config.secureListenAddress,
+    '--secure-listen-address=' + krp.config.secureListenAddress,
-      '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
+    '--tls-cipher-suites=' + std.join(',', krp.config.tlsCipherSuites),
-      '--upstream=' + krp.config.upstream,
+    '--upstream=' + krp.config.upstream,
-    ],
+  ],
-    resources: krp.config.resources,
+  resources: krp.config.resources,
-    ports: krp.config.ports,
+  ports: krp.config.ports,
-    securityContext: {
+  securityContext: {
-      runAsUser: 65532,
+    runAsUser: 65532,
-      runAsGroup: 65532,
+    runAsGroup: 65532,
-      runAsNonRoot: true,
+    runAsNonRoot: true,
-    },
+  },
 }
--- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
@@ -60,7 +60,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
    upstream: 'http://127.0.0.1:8081/',
    secureListenAddress: ':8443',
    ports: [
-      { name: 'https-main', containerPort: 8443,  },
+      { name: 'https-main', containerPort: 8443 },
    ],
  }),
@@ -69,7 +69,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
    upstream: 'http://127.0.0.1:8082/',
    secureListenAddress: ':9443',
    ports: [
-      { name: 'https-self', containerPort: 9443,  },
+      { name: 'https-self', containerPort: 9443 },
    ],
  }),
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -67,8 +67,9 @@ function(params) {
        apiGroups: ['authorization.k8s.io'],
        resources: ['subjectaccessreviews'],
        verbs: ['create'],
-      }],
+      },
-    },
+    ],
  },
  serviceAccount: {
    apiVersion: 'v1',
@@ -169,7 +170,7 @@ function(params) {
    }) + {
      env: [
        { name: 'IP', valueFrom: { fieldRef: { fieldPath: 'status.podIP' } } },
-      ]
+      ],
    };
    {
--- a/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus-adapter/prometheus-adapter.libsonnet
@@ -186,117 +186,117 @@ function(params) {
      },
    },
-    serviceAccount: {
+  serviceAccount: {
-      apiVersion: 'v1',
+    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: {
      name: pa.config.name,
      namespace: pa.config.namespace,
      labels: pa.config.commonLabels,
    },
  },
  clusterRole: {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRole',
    metadata: {
      name: pa.config.name,
      labels: pa.config.commonLabels,
    },
    rules: [{
      apiGroups: [''],
      resources: ['nodes', 'namespaces', 'pods', 'services'],
      verbs: ['get', 'list', 'watch'],
    }],
  },
  clusterRoleBinding: {
    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRoleBinding',
    metadata: {
      name: pa.config.name,
      labels: pa.config.commonLabels,
    },
    roleRef: {
      apiGroup: 'rbac.authorization.k8s.io',
      kind: 'ClusterRole',
      name: $.clusterRole.metadata.name,
    },
    subjects: [{
      kind: 'ServiceAccount',
-      metadata: {
+      name: $.serviceAccount.metadata.name,
-        name: pa.config.name,
+      namespace: pa.config.namespace,
-        namespace: pa.config.namespace,
+    }],
-        labels: pa.config.commonLabels,
+  },
      },
    },
-    clusterRole: {
+  clusterRoleBindingDelegator: {
-      apiVersion: 'rbac.authorization.k8s.io/v1',
+    apiVersion: 'rbac.authorization.k8s.io/v1',
    kind: 'ClusterRoleBinding',
    metadata: {
      name: 'resource-metrics:system:auth-delegator',
      labels: pa.config.commonLabels,
    },
    roleRef: {
      apiGroup: 'rbac.authorization.k8s.io',
      kind: 'ClusterRole',
-      metadata: {
+      name: 'system:auth-delegator',
        name: pa.config.name,
        labels: pa.config.commonLabels,
      },
      rules: [{
        apiGroups: [''],
        resources: ['nodes', 'namespaces', 'pods', 'services'],
        verbs: ['get', 'list', 'watch'],
      }],
    },
    subjects: [{
      kind: 'ServiceAccount',
      name: $.serviceAccount.metadata.name,
      namespace: pa.config.namespace,
    }],
  },
-    clusterRoleBinding: {
+  clusterRoleServerResources: {
-      apiVersion: 'rbac.authorization.k8s.io/v1',
+    apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRoleBinding',
+    kind: 'ClusterRole',
-      metadata: {
+    metadata: {
-        name: pa.config.name,
+      name: 'resource-metrics-server-resources',
-        labels: pa.config.commonLabels,
+      labels: pa.config.commonLabels,
      },
      roleRef: {
        apiGroup: 'rbac.authorization.k8s.io',
        kind: 'ClusterRole',
        name: $.clusterRole.metadata.name,
      },
      subjects: [{
        kind: 'ServiceAccount',
        name: $.serviceAccount.metadata.name,
        namespace: pa.config.namespace,
      }],
    },
    rules: [{
      apiGroups: ['metrics.k8s.io'],
      resources: ['*'],
      verbs: ['*'],
    }],
  },
-    clusterRoleBindingDelegator: {
+  clusterRoleAggregatedMetricsReader: {
-      apiVersion: 'rbac.authorization.k8s.io/v1',
+    apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRoleBinding',
+    kind: 'ClusterRole',
-      metadata: {
+    metadata: {
-        name: 'resource-metrics:system:auth-delegator',
+      name: 'system:aggregated-metrics-reader',
-        labels: pa.config.commonLabels,
+      labels: {
-      },
+        'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
-      roleRef: {
+        'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
-        apiGroup: 'rbac.authorization.k8s.io',
+        'rbac.authorization.k8s.io/aggregate-to-view': 'true',
-        kind: 'ClusterRole',
+      } + pa.config.commonLabels,
        name: 'system:auth-delegator',
      },
      subjects: [{
        kind: 'ServiceAccount',
        name: $.serviceAccount.metadata.name,
        namespace: pa.config.namespace,
      }],
    },
    rules: [{
      apiGroups: ['metrics.k8s.io'],
      resources: ['pods', 'nodes'],
      verbs: ['get', 'list', 'watch'],
    }],
  },
-    clusterRoleServerResources: {
+  roleBindingAuthReader: {
-      apiVersion: 'rbac.authorization.k8s.io/v1',
+    apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRole',
+    kind: 'RoleBinding',
-      metadata: {
+    metadata: {
-        name: 'resource-metrics-server-resources',
+      name: 'resource-metrics-auth-reader',
-        labels: pa.config.commonLabels,
+      namespace: 'kube-system',
-      },
+      labels: pa.config.commonLabels,
      rules: [{
        apiGroups: ['metrics.k8s.io'],
        resources: ['*'],
        verbs: ['*'],
      }],
    },
-
+    roleRef: {
-    clusterRoleAggregatedMetricsReader: {
+      apiGroup: 'rbac.authorization.k8s.io',
-      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'Role',
-      kind: 'ClusterRole',
+      name: 'extension-apiserver-authentication-reader',
      metadata: {
        name: 'system:aggregated-metrics-reader',
        labels: {
          'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
          'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
          'rbac.authorization.k8s.io/aggregate-to-view': 'true',
        } + pa.config.commonLabels,
      },
      rules: [{
        apiGroups: ['metrics.k8s.io'],
        resources: ['pods', 'nodes'],
        verbs: ['get', 'list', 'watch'],
      }],
    },
    roleBindingAuthReader: {
      apiVersion: 'rbac.authorization.k8s.io/v1',
      kind: 'RoleBinding',
      metadata: {
        name: 'resource-metrics-auth-reader',
        namespace: 'kube-system',
        labels: pa.config.commonLabels,
      },
      roleRef: {
        apiGroup: 'rbac.authorization.k8s.io',
        kind: 'Role',
        name: 'extension-apiserver-authentication-reader',
      },
      subjects: [{
        kind: 'ServiceAccount',
        name: $.serviceAccount.metadata.name,
        namespace: pa.config.namespace,
      }],
    },
    subjects: [{
      kind: 'ServiceAccount',
      name: $.serviceAccount.metadata.name,
      namespace: pa.config.namespace,
    }],
  },
 }