Since PR 460 [1] the Prometheus Operator is using Kubernetes Custom Resource Definitions instead of Kubernetes Third Party Resources. Permissions to handle Third Party Resources in the RBAC rules of the Prometheus Operator are thereby obsolete. [1] https://github.com/coreos/prometheus-operator/pull/460
local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
|
|
|
|
{
|
|
_config+:: {
|
|
namespace: 'default',
|
|
|
|
versions+:: {
|
|
prometheusOperator: 'v0.19.0',
|
|
},
|
|
|
|
imageRepos+:: {
|
|
prometheusOperator: 'quay.io/coreos/prometheus-operator',
|
|
},
|
|
},
|
|
|
|
prometheusOperator+:: {
|
|
// Prefixing with 0 to ensure these manifests are listed and therefore created first.
|
|
'0alertmanagerCustomResourceDefinition': import 'alertmanager-crd.libsonnet',
|
|
'0prometheusCustomResourceDefinition': import 'prometheus-crd.libsonnet',
|
|
'0servicemonitorCustomResourceDefinition': import 'servicemonitor-crd.libsonnet',
|
|
|
|
clusterRoleBinding:
|
|
local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
|
|
|
|
clusterRoleBinding.new() +
|
|
clusterRoleBinding.mixin.metadata.withName('prometheus-operator') +
|
|
clusterRoleBinding.mixin.roleRef.withApiGroup('rbac.authorization.k8s.io') +
|
|
clusterRoleBinding.mixin.roleRef.withName('prometheus-operator') +
|
|
clusterRoleBinding.mixin.roleRef.mixinInstance({ kind: 'ClusterRole' }) +
|
|
clusterRoleBinding.withSubjects([{ kind: 'ServiceAccount', name: 'prometheus-operator', namespace: $._config.namespace }]),
|
|
|
|
clusterRole:
|
|
local clusterRole = k.rbac.v1.clusterRole;
|
|
local policyRule = clusterRole.rulesType;
|
|
|
|
local apiExtensionsRule = policyRule.new() +
|
|
policyRule.withApiGroups(['apiextensions.k8s.io']) +
|
|
policyRule.withResources([
|
|
'customresourcedefinitions',
|
|
]) +
|
|
policyRule.withVerbs(['*']);
|
|
|
|
local monitoringRule = policyRule.new() +
|
|
policyRule.withApiGroups(['monitoring.coreos.com']) +
|
|
policyRule.withResources([
|
|
'alertmanagers',
|
|
'prometheuses',
|
|
'prometheuses/finalizers',
|
|
'alertmanagers/finalizers',
|
|
'servicemonitors',
|
|
]) +
|
|
policyRule.withVerbs(['*']);
|
|
|
|
local appsRule = policyRule.new() +
|
|
policyRule.withApiGroups(['apps']) +
|
|
policyRule.withResources([
|
|
'statefulsets',
|
|
]) +
|
|
policyRule.withVerbs(['*']);
|
|
|
|
local coreRule = policyRule.new() +
|
|
policyRule.withApiGroups(['']) +
|
|
policyRule.withResources([
|
|
'configmaps',
|
|
'secrets',
|
|
]) +
|
|
policyRule.withVerbs(['*']);
|
|
|
|
local podRule = policyRule.new() +
|
|
policyRule.withApiGroups(['']) +
|
|
policyRule.withResources([
|
|
'pods',
|
|
]) +
|
|
policyRule.withVerbs(['list', 'delete']);
|
|
|
|
local routingRule = policyRule.new() +
|
|
policyRule.withApiGroups(['']) +
|
|
policyRule.withResources([
|
|
'services',
|
|
'endpoints',
|
|
]) +
|
|
policyRule.withVerbs(['get', 'create', 'update']);
|
|
|
|
local nodeRule = policyRule.new() +
|
|
policyRule.withApiGroups(['']) +
|
|
policyRule.withResources([
|
|
'nodes',
|
|
]) +
|
|
policyRule.withVerbs(['list', 'watch']);
|
|
|
|
local namespaceRule = policyRule.new() +
|
|
policyRule.withApiGroups(['']) +
|
|
policyRule.withResources([
|
|
'namespaces',
|
|
]) +
|
|
policyRule.withVerbs(['list', 'watch']);
|
|
|
|
local rules = [apiExtensionsRule, monitoringRule, appsRule, coreRule, podRule, routingRule, nodeRule, namespaceRule];
|
|
|
|
clusterRole.new() +
|
|
clusterRole.mixin.metadata.withName('prometheus-operator') +
|
|
clusterRole.withRules(rules),
|
|
|
|
deployment:
|
|
local deployment = k.apps.v1beta2.deployment;
|
|
local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
|
|
local containerPort = container.portsType;
|
|
|
|
local targetPort = 8080;
|
|
local podLabels = { 'k8s-app': 'prometheus-operator' };
|
|
|
|
local operatorContainer =
|
|
container.new('prometheus-operator', $._config.imageRepos.prometheusOperator + ':' + $._config.versions.prometheusOperator) +
|
|
container.withPorts(containerPort.newNamed('http', targetPort)) +
|
|
container.withArgs(['--kubelet-service=kube-system/kubelet', '--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1']) +
|
|
container.mixin.resources.withRequests({ cpu: '100m', memory: '50Mi' }) +
|
|
container.mixin.resources.withLimits({ cpu: '200m', memory: '100Mi' });
|
|
|
|
deployment.new('prometheus-operator', 1, operatorContainer, podLabels) +
|
|
deployment.mixin.metadata.withNamespace($._config.namespace) +
|
|
deployment.mixin.metadata.withLabels(podLabels) +
|
|
deployment.mixin.spec.selector.withMatchLabels(podLabels) +
|
|
deployment.mixin.spec.template.spec.withNodeSelector({ 'beta.kubernetes.io/os': 'linux' }) +
|
|
deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
|
|
deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
|
|
deployment.mixin.spec.template.spec.withServiceAccountName('prometheus-operator'),
|
|
|
|
serviceAccount:
|
|
local serviceAccount = k.core.v1.serviceAccount;
|
|
|
|
serviceAccount.new('prometheus-operator') +
|
|
serviceAccount.mixin.metadata.withNamespace($._config.namespace),
|
|
|
|
service:
|
|
local service = k.core.v1.service;
|
|
local servicePort = k.core.v1.service.mixin.spec.portsType;
|
|
|
|
local poServicePort = servicePort.newNamed('http', 8080, 'http');
|
|
|
|
service.new('prometheus-operator', $.prometheusOperator.deployment.spec.selector.matchLabels, [poServicePort]) +
|
|
service.mixin.metadata.withLabels({ 'k8s-app': 'prometheus-operator' }) +
|
|
service.mixin.metadata.withNamespace($._config.namespace) +
|
|
service.mixin.spec.withClusterIp('None'),
|
|
},
|
|
}
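Review bot: The ClusterRole's coreRule still grants `policyRule.withVerbs(['*'])` on `configmaps` and `secrets` cluster-wide (and apiExtensionsRule does the same on `customresourcedefinitions`), which is broader than the rest of this file, where podRule, routingRule, nodeRule and namespaceRule already enumerate verbs explicitly. A cluster-wide wildcard on `secrets` is the most sensitive grant in this manifest, so while the commit removes the obsolete Third Party Resource permission it would be worth narrowing the remaining wildcards to the verb set the operator actually uses, e.g. an explicit list in place of `['*']` on the secrets/configmaps rule; which verbs that is cannot be read from this file and should be confirmed against the operator's reconciliation code. A short comment on the rule, `// Wildcard kept deliberately: operator creates, updates and deletes generated Secrets/ConfigMaps — see <operator code path>`, would at least document why the wildcard is retained if narrowing is not possible.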
|