[kube-prometheus-stack] add namespaced roles for Prometheus/Operator

Signed-off-by: Jan-Otto Kröpke <[email protected]>

charts/kube-prometheus-stack/ci/06-namespaced-values.yaml

@@ -0,0 +1,58 @@
+---
+prometheusOperator:
+  rbac:
+    namespaced: true
+  namespaces:
+    releaseNamespace: true
+  kubeletService:
+    enabled: false
+  additionalRulesForClusterRole:
+    - apiGroups:
+        - ""
+      resources:
+        - events
+      verbs:
+        - create
+        - patch
+    - apiGroups:
+        - storage.k8s.io
+      resources:
+        - storageclasses
+      verbs:
+        - get
+
+prometheus:
+  rbac:
+    namespaced: true
+  additionalRulesForClusterRole:
+    - apiGroups:
+        - ""
+      resources:
+        - nodes
+      verbs:
+        - list
+        - watch
+
+kubelet:
+  enabled: false
+
+coreDns:
+  enabled: false
+
+kubeDns:
+  enabled: false
+
+kubeApiServer:
+  enabled: false
+
+kubeControllerManager:
+  enabled: false
+
+kubeEtcd:
+  enabled: false
+
+kubeProxy:
+  enabled: false
+
+kubeScheduler:
+  enabled: false

charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml

@@ -1,8 +1,11 @@
 {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }}
 metadata:
   name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  {{- if .Values.prometheusOperator.rbac.namespaced }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
 rules:
@@ -60,13 +63,15 @@ rules:
   - create
   - update
   - delete
+{{- if not .Values.prometheusOperator.rbac.namespaced }}
 - apiGroups:
   - ""
   resources:
   - nodes
   verbs:
   - list
   - watch
+{{- end }}
 - apiGroups:
   - ""
   resources:
@@ -106,4 +111,20 @@ rules:
   - list
   - watch
 {{- end }}
+{{- if .Values.prometheusOperator.rbac.namespaced }}
+  {{- with .Values.prometheusOperator.additionalRulesForRole }}
+  {{- toYaml . | nindent 0 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+rules:
+{{- end }}
+{{- with .Values.prometheusOperator.additionalRulesForClusterRole }}
+{{- toYaml . | nindent 0 }}
+{{- end }}
 {{- end }}

charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml

@@ -1,5 +1,24 @@
 {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+metadata:
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+  {{- if .Values.prometheusOperator.rbac.namespaced }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
+  labels:
+    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- if and .Values.prometheusOperator.rbac.namespaced .Values.prometheusOperator.additionalRulesForClusterRole }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "kube-prometheus-stack.operator.fullname" . }}
@@ -14,3 +33,4 @@ subjects:
   name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
   namespace: {{ template "kube-prometheus-stack.namespace" . }}
 {{- end }}
+{{- end }}

charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml

@@ -1,8 +1,11 @@
 {{- if and .Values.prometheus.enabled .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }}
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  {{- if .Values.prometheus.rbac.namespaced }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-prometheus
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
@@ -11,8 +14,10 @@ rules:
 # they're grabbed from https://github.com/prometheus/prometheus/blob/master/documentation/examples/rbac-setup.yml
 - apiGroups: [""]
   resources:
+  {{- if not .Values.prometheus.rbac.namespaced }}
   - nodes
   - nodes/metrics
+  {{- end }}
   - services
   - endpoints
   - pods
@@ -22,16 +27,32 @@ rules:
   resources:
   - ingresses
   verbs: ["get", "list", "watch"]
+{{- if not .Values.prometheus.rbac.namespaced }}
 - nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
   verbs: ["get"]
+{{- end }}
 {{/* fix(#3338): add required rules to use node-exporter with the RBAC proxy */}}
 {{- if and .Values.nodeExporter.enabled (index .Values "prometheus-node-exporter").kubeRBACProxy.enabled }}
 - apiGroups: [ "" ]
   resources:
   - services/{{ include "prometheus-node-exporter.fullname" (index .Subcharts "prometheus-node-exporter") }}
   verbs: [ "get", "list", "watch" ]
 {{- end }}
-{{- if .Values.prometheus.additionalRulesForClusterRole }}
-{{ toYaml .Values.prometheus.additionalRulesForClusterRole | indent 0 }}
+{{- if .Values.prometheusOperator.rbac.namespaced }}
+  {{- with .Values.prometheus.additionalRulesForRole }}
+  {{- toYaml . | nindent 0 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+{{- end }}
+{{- with .Values.prometheus.additionalRulesForClusterRole }}
+{{- toYaml . | nindent 0 }}
 {{- end }}
 {{- end }}

charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml

@@ -1,11 +1,31 @@
 {{- if and .Values.prometheus.enabled .Values.global.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.prometheus.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
   name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  {{- if .Values.prometheus.rbac.namespaced }}
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  {{- end }}
   labels:
     app: {{ template "kube-prometheus-stack.name" . }}-prometheus
 {{ include "kube-prometheus-stack.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }}
+    namespace: {{ template "kube-prometheus-stack.namespace" . }}
+{{- if and .Values.prometheus.rbac.namespaced .Values.prometheus.additionalRulesForClusterRole }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
+  labels:
+    app: {{ template "kube-prometheus-stack.name" . }}-prometheus
+    {{- include "kube-prometheus-stack.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -15,4 +35,5 @@ subjects:
     name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }}
     namespace: {{ template "kube-prometheus-stack.namespace" . }}
 {{- end }}
+{{- end }}
 

charts/kube-prometheus-stack/values.yaml

@@ -2477,6 +2477,12 @@ prometheusOperator:
   ##
   denyNamespaces: []
 
+  rbac:
+    # If true, the following values should be also defined:
+    # - prometheusOperator.namespaces.releaseNamespace=true
+    # - prometheusOperator.kubeletService.enabled=false
+    namespaced: false
+
   ## Filter namespaces to look for prometheus-operator custom resources
   ##
   alertmanagerInstanceNamespaces: []
@@ -2589,6 +2595,19 @@ prometheusOperator:
     ## Use '{{ template "kube-prometheus-stack.fullname" . }}-kubelet' by default
     name: ""
 
+  additionalRulesForClusterRole: []
+  #  - apiGroups: [ "" ]
+  #    resources:
+  #      - nodes/proxy
+  #    verbs: [ "get", "list", "watch" ]
+
+  ## Only used, if prometheus.rbac.namespaced=true
+  additionalRulesForRole: []
+  #  - apiGroups: [ "" ]
+  #    resources:
+  #      - secrets
+  #    verbs: [ "get", "list", "watch" ]
+
   ## Create a servicemonitor for the operator
   ##
   serviceMonitor:
@@ -2871,6 +2890,9 @@ prometheus:
     #   matchLabels:
     #     app: prometheus
 
+  rbac:
+    namespaced: false
+
   ## Service account for Prometheuses to use.
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
   ##
@@ -3998,6 +4020,13 @@ prometheus:
   #      - nodes/proxy
   #    verbs: [ "get", "list", "watch" ]
 
+  ## Only used, if prometheus.rbac.namespaced=true
+  additionalRulesForRole: []
+  #  - apiGroups: [ "" ]
+  #    resources:
+  #      - secrets
+  #    verbs: [ "get", "list", "watch" ]
+
   additionalServiceMonitors: []
   ## Name of the ServiceMonitor to create
   ##