easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

jsonnet: add networkpolicies for components accessed by prometheus

Browse Source 
(cherry picked from commit f8c00b9963)
(cherry picked from commit f09b8e5de2e46db85f090549d37eeb878a81842f)
This commit is contained in:
paulfantom
2021-11-01 10:44:50 +01:00
committed by ArthurSens
parent 494b84d038
commit fddf642de7
5 changed files with 110 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
View File

@@ -250,6 +250,30 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: bb.service.metadata,
spec: {
podSelector: {
matchLabels: bb._config.selectorLabels,
},
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, bb.service.spec.ports),
}],
},
},
service: { service: {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'Service', kind: 'Service',

24
jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
View File

@@ -124,6 +124,30 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
image: ksm._config.kubeRbacProxyImage, image: ksm._config.kubeRbacProxyImage,
}), }),
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: ksm.service.metadata,
spec: {
podSelector: {
matchLabels: ksm._config.selectorLabels,
},
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, ksm.service.spec.ports),
}],
},
},
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {

24
jsonnet/kube-prometheus/components/node-exporter.libsonnet
View File

@@ -160,6 +160,30 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: ne.service.metadata,
spec: {
podSelector: {
matchLabels: ne._config.selectorLabels,
},
ingress: [{
from: [{
podSelector: {
matchLabels: {
'app.kubernetes.io/name': 'prometheus',
},
},
}],
ports: std.map(function(o) {
port: o.port,
protocol: 'TCP',
}, ne.service.spec.ports),
}],
},
},
daemonset: daemonset:
local nodeExporter = { local nodeExporter = {
name: ne._config.name, name: ne._config.name,

15
jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
View File

@@ -206,6 +206,21 @@ function(params) {
}, },
}, },
networkPolicy: {
apiVersion: 'networking.k8s.io/v1',
kind: 'NetworkPolicy',
metadata: pa.service.metadata,
spec: {
podSelector: {
matchLabels: pa._config.selectorLabels,
},
policyTypes: ['Egress', 'Ingress'],
egress: [{}],
// Prometheus-adapter needs ingress allowed so HPAs can request metrics from it.
ingress: [{}],
},
},
deployment: deployment:
local c = { local c = {
name: pa._config.name, name: pa._config.name,

23
manifests/prometheusAdapter-networkPolicy.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: metrics-adapter
app.kubernetes.io/name: prometheus-adapter
app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.9.1
name: prometheus-adapter
namespace: monitoring
spec:
egress:
- {}
ingress:
- {}
podSelector:
matchLabels:
app.kubernetes.io/component: metrics-adapter
app.kubernetes.io/name: prometheus-adapter
app.kubernetes.io/part-of: kube-prometheus
policyTypes:
- Egress
- Ingress