diff --git a/charts/kube-prometheus-stack/.editorconfig b/charts/kube-prometheus-stack/.editorconfig index f5ee2f461039..3692ba391b3c 100644 --- a/charts/kube-prometheus-stack/.editorconfig +++ b/charts/kube-prometheus-stack/.editorconfig @@ -1,5 +1,8 @@ root = true +[*] +insert_final_newline = true + [files/dashboards/*.json] indent_size = 2 -indent_style = space \ No newline at end of file +indent_style = space diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml index 379a94a4ab1c..898841b3571d 100644 --- a/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kube-prometheus-stack/Chart.yaml @@ -23,7 +23,7 @@ name: kube-prometheus-stack sources: - https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-operator/kube-prometheus -version: 58.1.3 +version: 58.2.0 appVersion: v0.73.1 kubeVersion: ">=1.19.0-0" home: https://github.com/prometheus-operator/kube-prometheus diff --git a/charts/kube-prometheus-stack/ci/06-namespaced-values.yaml b/charts/kube-prometheus-stack/ci/06-namespaced-values.yaml new file mode 100644 index 000000000000..fbaa736886a2 --- /dev/null +++ b/charts/kube-prometheus-stack/ci/06-namespaced-values.yaml @@ -0,0 +1,58 @@ +--- +prometheusOperator: + rbac: + namespaced: true + namespaces: + releaseNamespace: true + kubeletService: + enabled: false + additionalRulesForClusterRole: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + +prometheus: + rbac: + namespaced: true + additionalRulesForClusterRole: + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + +kubelet: + enabled: false + +coreDns: + enabled: false + +kubeDns: + enabled: false + +kubeApiServer: + enabled: false + +kubeControllerManager: + enabled: false + +kubeEtcd: + enabled: false + +kubeProxy: + enabled: false + +kubeScheduler: + enabled: false 
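Review bot: The new fixture sets `prometheusOperator.rbac.namespaced: true` and `prometheus.rbac.namespaced: true` together, so the CI render never exercises a release where only one of the two flags is enabled, although the operator and prometheus templates are gated on their own flag independently. A second values file (or a variant of this one) with only `prometheus.rbac.namespaced: true` would catch cross-wiring between the two flags before it reaches users. A one-line header comment naming what the fixture covers, e.g. `# Namespaced RBAC: Role/RoleBinding for operator and prometheus, cluster-wide scrape jobs disabled`, would also make the intent of the disabled components obvious to the next reader.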
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml index fd11b69eed4c..cbcfce7331a6 100644 --- a/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrole.yaml @@ -1,8 +1,11 @@ {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }} metadata: name: {{ template "kube-prometheus-stack.operator.fullname" . }} + {{- if .Values.prometheusOperator.rbac.namespaced }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + {{- end }} labels: {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }} rules: @@ -60,6 +63,7 @@ rules: - create - update - delete +{{- if not .Values.prometheusOperator.rbac.namespaced }} - apiGroups: - "" resources: @@ -67,6 +71,7 @@ rules: verbs: - list - watch +{{- end }} - apiGroups: - "" resources: @@ -106,4 +111,20 @@ rules: - list - watch {{- end }} +{{- if .Values.prometheusOperator.rbac.namespaced }} + {{- with .Values.prometheusOperator.additionalRulesForRole }} + {{- toYaml . | nindent 0 }} + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kube-prometheus-stack.operator.fullname" . }} + labels: + {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }} +rules: +{{- end }} +{{- with .Values.prometheusOperator.additionalRulesForClusterRole }} +{{- toYaml . | nindent 0 }} +{{- end }} {{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml index ad9e3ef6c537..d3f08f04d29c 100644 
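Review bot: In the last hunk the second `kind: ClusterRole` document is emitted whenever `prometheusOperator.rbac.namespaced` is true, but its `rules:` come only from `additionalRulesForClusterRole`, which defaults to `[]`, so the default namespaced install creates a ClusterRole with empty rules; the matching ClusterRoleBinding in clusterrolebinding.yaml is guarded by `and ... .additionalRulesForClusterRole` and is not created in that case. The two templates should agree: keep the `additionalRulesForRole` block under the plain namespaced check and guard the cluster-scoped document with the same `and` condition the binding uses, so that no unbound empty ClusterRole is left behind. The prometheus pair (templates/prometheus/clusterrole.yaml and clusterrolebinding.yaml) has the same asymmetry and should get the same treatment. The enclosing `{{- if and .Values.prometheusOperator.enabled ... }}` closed by the final `{{- end }}` opens outside this hunk.
```yaml
{{- if .Values.prometheusOperator.rbac.namespaced }}
  {{- with .Values.prometheusOperator.additionalRulesForRole }}
  {{- toYaml . | nindent 0 }}
  {{- end }}
{{- end }}
{{- if and .Values.prometheusOperator.rbac.namespaced .Values.prometheusOperator.additionalRulesForClusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
{{/* … unchanged: metadata and labels of the second ClusterRole … */}}
rules:
{{- end }}
{{- with .Values.prometheusOperator.additionalRulesForClusterRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{/* … unchanged: closing end of the outer if … */}}
```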
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus-operator/clusterrolebinding.yaml @@ -1,5 +1,24 @@ {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }} +metadata: + name: {{ template "kube-prometheus-stack.operator.fullname" . }} + {{- if .Values.prometheusOperator.rbac.namespaced }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + {{- end }} + labels: + {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }} + name: {{ template "kube-prometheus-stack.operator.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} +{{- if and .Values.prometheusOperator.rbac.namespaced .Values.prometheusOperator.additionalRulesForClusterRole }} +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ template "kube-prometheus-stack.operator.fullname" . }} @@ -14,3 +33,4 @@ subjects: name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml b/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml index 249144d8013c..ee1a30df0777 100644 --- a/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml 
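Review bot: The added `{{- end }}` on the last line still carries `\ No newline at end of file`, while the same commit adds `insert_final_newline = true` to the chart's .editorconfig; add the trailing newline so the file satisfies the rule being introduced. In the new RoleBinding branch the `subjects:` sequence is written flush (`- kind: ServiceAccount`), whereas the prometheus binding added in this commit indents it (`  - kind: ServiceAccount`); pick one sequence style for both templates. Gating the second `ClusterRoleBinding` on `and ... .additionalRulesForClusterRole` is the right shape for least privilege, since nothing cluster-scoped is bound unless a rule was explicitly requested.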
@@ -1,8 +1,11 @@ {{- if and .Values.prometheus.enabled .Values.global.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }} metadata: name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus + {{- if .Values.prometheus.rbac.namespaced }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + {{- end }} labels: app: {{ template "kube-prometheus-stack.name" . }}-prometheus {{ include "kube-prometheus-stack.labels" . | indent 4 }} @@ -11,8 +14,10 @@ rules: # they're grabbed from https://github.com/prometheus/prometheus/blob/master/documentation/examples/rbac-setup.yml - apiGroups: [""] resources: + {{- if not .Values.prometheus.rbac.namespaced }} - nodes - nodes/metrics + {{- end }} - services - endpoints - pods @@ -22,8 +27,10 @@ rules: resources: - ingresses verbs: ["get", "list", "watch"] +{{- if not .Values.prometheus.rbac.namespaced }} - nonResourceURLs: ["/metrics", "/metrics/cadvisor"] verbs: ["get"] +{{- end }} {{/* fix(#3338): add required rules to use node-exporter with the RBAC proxy */}} {{- if and .Values.nodeExporter.enabled (index .Values "prometheus-node-exporter").kubeRBACProxy.enabled }} - apiGroups: [ "" ] 
@@ -31,7 +38,21 @@ rules: - services/{{ include "prometheus-node-exporter.fullname" (index .Subcharts "prometheus-node-exporter") }} verbs: [ "get", "list", "watch" ] {{- end }} -{{- if .Values.prometheus.additionalRulesForClusterRole }} -{{ toYaml .Values.prometheus.additionalRulesForClusterRole | indent 0 }} +{{- if .Values.prometheusOperator.rbac.namespaced }} + {{- with .Values.prometheus.additionalRulesForRole }} + {{- toYaml . | nindent 0 }} + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus + labels: + app: {{ template "kube-prometheus-stack.name" . }}-prometheus + {{- include "kube-prometheus-stack.labels" . | nindent 4 }} +rules: +{{- end }} +{{- with .Values.prometheus.additionalRulesForClusterRole }} +{{- toYaml . | nindent 0 }} {{- end }} {{- end }} diff --git a/charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml b/charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml index 9fc4f65da429..0bcc22a3757f 100644 --- a/charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml +++ b/charts/kube-prometheus-stack/templates/prometheus/clusterrolebinding.yaml 
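Review bot: `{{- if .Values.prometheusOperator.rbac.namespaced }}` in templates/prometheus/clusterrole.yaml gates on the operator's flag, while every other condition in this file and the matching binding in templates/prometheus/clusterrolebinding.yaml use `.Values.prometheus.rbac.namespaced`; it should read `{{- if .Values.prometheus.rbac.namespaced }}`. With `prometheus.rbac.namespaced=true` and the operator flag at its default `false`, `additionalRulesForRole` is never rendered, no ClusterRole document is produced, and `additionalRulesForClusterRole` is appended to the Role instead, while the ClusterRoleBinding still points at a `<fullname>-prometheus` ClusterRole that does not exist; the API server accepts such a binding, so the missing node permissions would surface only as scrape failures. With only the operator flag set, the base ClusterRole document gets a second `---` ClusterRole of the same name appended, which Helm would presumably reject as a duplicate resource. The outer `{{- if and .Values.prometheus.enabled ... }}` closed by the final `{{- end }}` opens outside this hunk.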
@@ -1,11 +1,31 @@ {{- if and .Values.prometheus.enabled .Values.global.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ .Values.prometheus.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }} metadata: name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus + {{- if .Values.prometheus.rbac.namespaced }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} + {{- end }} labels: app: {{ template "kube-prometheus-stack.name" . }}-prometheus {{ include "kube-prometheus-stack.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }} + name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus +subjects: + - kind: ServiceAccount + name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }} + namespace: {{ template "kube-prometheus-stack.namespace" . }} +{{- if and .Values.prometheus.rbac.namespaced .Values.prometheus.additionalRulesForClusterRole }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus + labels: + app: {{ template "kube-prometheus-stack.name" . }}-prometheus + {{- include "kube-prometheus-stack.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -15,4 +35,5 @@ subjects: name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }} {{- end }} +{{- end }} diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml index 8fcb6e35de52..15d453fbac45 100644 --- a/charts/kube-prometheus-stack/values.yaml +++ b/charts/kube-prometheus-stack/values.yaml 
@@ -2477,6 +2477,12 @@ prometheusOperator: ## denyNamespaces: [] + rbac: + # If true, the following values should be also defined: + # - prometheusOperator.namespaces.releaseNamespace=true + # - prometheusOperator.kubeletService.enabled=false + namespaced: false + ## Filter namespaces to look for prometheus-operator custom resources ## alertmanagerInstanceNamespaces: [] @@ -2589,6 +2595,19 @@ prometheusOperator: ## Use '{{ template "kube-prometheus-stack.fullname" . }}-kubelet' by default name: "" + additionalRulesForClusterRole: [] + # - apiGroups: [ "" ] + # resources: + # - nodes/proxy + # verbs: [ "get", "list", "watch" ] + + ## Only used, if prometheus.rbac.namespaced=true + additionalRulesForRole: [] + # - apiGroups: [ "" ] + # resources: + # - secrets + # verbs: [ "get", "list", "watch" ] + ## Create a servicemonitor for the operator ## serviceMonitor: @@ -2871,6 +2890,11 @@ prometheus: # matchLabels: # app: prometheus + ## Restrict RBAC permission to release namespaces. + ## You have to disable cluster-wide and node-level scrape jobs + rbac: + namespaced: false + ## Service account for Prometheuses to use. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @@ -3998,6 +4022,13 @@ prometheus: # - nodes/proxy # verbs: [ "get", "list", "watch" ] + ## Only used, if prometheus.rbac.namespaced=true + additionalRulesForRole: [] + # - apiGroups: [ "" ] + # resources: + # - secrets + # verbs: [ "get", "list", "watch" ] + additionalServiceMonitors: [] ## Name of the ServiceMonitor to create ##
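Review bot: The comment `## Only used, if prometheus.rbac.namespaced=true` above `prometheusOperator.additionalRulesForRole` names the wrong key; this list is rendered by the operator template under `prometheusOperator.rbac.namespaced`, so it should read `## Only used, if prometheusOperator.rbac.namespaced=true`. `prometheusOperator.additionalRulesForClusterRole` is added with no comment at all; since the operator template appends it to the ClusterRole in both modes and, in namespaced mode, it is the only content of the cluster-scoped ClusterRole, a line such as `## Additional rules appended to the operator ClusterRole; in namespaced mode this is the only cluster-wide grant, keep it minimal` would help. The `rbac.namespaced` comment lists two values that "should be also defined" but not why; stating the reason (presumably that the Role can no longer list/watch nodes cluster-wide, which the kubelet Service sync needs, and that the operator can only watch the release namespace) would let readers judge the trade-off. The prometheus comment `## Restrict RBAC permission to release namespaces.` should be singular, since only one Role in the release namespace is created.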