3fecdadf15
in cluster with separation between (cluster) admin and (namespaced) users, it allows the namespaced users to create monitor and rules in their namespaces according to the default k8s model of user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
68 lines
1.5 KiB
Jsonnet
68 lines
1.5 KiB
Jsonnet
// user facing roles for monitors, probe, and rules
|
|
// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
|
|
{
|
|
prometheusOperator+: {
|
|
local po = self,
|
|
clusterRoleView: {
|
|
apiVersion: 'rbac.authorization.k8s.io/v1',
|
|
kind: 'ClusterRole',
|
|
metadata: po._metadata {
|
|
name: 'monitoring-view',
|
|
namespace:: null,
|
|
labels+: {
|
|
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
|
|
},
|
|
},
|
|
rules: [
|
|
{
|
|
apiGroups: [
|
|
'monitoring.coreos.com',
|
|
],
|
|
resources: [
|
|
'podmonitors',
|
|
'probes',
|
|
'prometheusrules',
|
|
'servicemonitors',
|
|
],
|
|
verbs: [
|
|
'get',
|
|
'list',
|
|
'watch',
|
|
],
|
|
},
|
|
],
|
|
},
|
|
clusterRoleEdit: {
|
|
apiVersion: 'rbac.authorization.k8s.io/v1',
|
|
kind: 'ClusterRole',
|
|
metadata: po._metadata {
|
|
name: 'monitoring-edit',
|
|
namespace:: null,
|
|
labels+: {
|
|
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
|
|
},
|
|
},
|
|
rules: [
|
|
{
|
|
apiGroups: [
|
|
'monitoring.coreos.com',
|
|
],
|
|
resources: [
|
|
'podmonitors',
|
|
'probes',
|
|
'prometheusrules',
|
|
'servicemonitors',
|
|
],
|
|
verbs: [
|
|
'create',
|
|
'delete',
|
|
'deletecollection',
|
|
'patch',
|
|
'update',
|
|
],
|
|
},
|
|
],
|
|
},
|
|
},
|
|
}
|