[kube-prometheus-stack] add namespaced roles for Prometheus/Operator #4283

Closed
wants to merge 3 commits into from
5 changes: 4 additions & 1 deletion charts/kube-prometheus-stack/.editorconfig
@@ -1,5 +1,8 @@
root = true

[*]
insert_final_newline = true

[files/dashboards/*.json]
indent_size = 2
indent_style = space
indent_style = space
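--- a/charts/kube-prometheus-stack/Chart.yaml
+++ b/charts/kube-prometheus-stack/Chart.yaml
@@ -23,7 +23,7 @@ name: kube-prometheus-stack
 sources:
 - https://github.com/prometheus-community/helm-charts
 - https://github.com/prometheus-operator/kube-prometheus
-version: 58.1.3
+version: 58.2.0
 appVersion: v0.73.1
 kubeVersion: ">=1.19.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus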
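--- /dev/null
+++ b/charts/kube-prometheus-stack/ci/06-namespaced-values.yaml
@@ -0,0 +1,58 @@
+---
+prometheusOperator:
+rbac:
+namespaced: true
+namespaces:
+releaseNamespace: true
+kubeletService:
+enabled: false
+additionalRulesForClusterRole:
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch
+- apiGroups:
+- storage.k8s.io
+resources:
+- storageclasses
+verbs:
+- get
+
+prometheus:
+rbac:
+namespaced: true
+additionalRulesForClusterRole:
+- apiGroups:
+- ""
+resources:
+- nodes
+verbs:
+- list
+- watch
+
+kubelet:
+enabled: false
+
+coreDns:
+enabled: false
+
+kubeDns:
+enabled: false
+
+kubeApiServer:
+enabled: false
+
+kubeControllerManager:
+enabled: false
+
+kubeEtcd:
+enabled: false
+
+kubeProxy:
+enabled: false
+
+kubeScheduler:
+enabled: false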
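Review bot: The `prometheus.additionalRulesForClusterRole` entry in this CI values file re-grants `nodes` list/watch at cluster scope, which is exactly the rule the namespaced Role drops, so the scenario still renders a ClusterRole and ClusterRoleBinding for Prometheus and does not cover a purely namespace-scoped install; the operator-side extras (`events` create/patch, `storageclasses` get) have the same effect. If these grants are needed for the chart to render or for a test to pass, a comment above each list should say so, e.g. `# nodes are cluster-scoped, so discovery needs a ClusterRole even when rbac.namespaced is true`; otherwise dropping them would make this file exercise the Role-only path. I cannot tell from the page whether the CI harness requires the extra rules, so please confirm.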
@@ -1,8 +1,11 @@
{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }}
metadata:
name: {{ template "kube-prometheus-stack.operator.fullname" . }}
{{- if .Values.prometheusOperator.rbac.namespaced }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
labels:
{{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
rules:
Expand Down Expand Up @@ -60,13 +63,15 @@ rules:
- create
- update
- delete
{{- if not .Values.prometheusOperator.rbac.namespaced }}
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -106,4 +111,20 @@ rules:
- list
- watch
{{- end }}
{{- if .Values.prometheusOperator.rbac.namespaced }}
{{- with .Values.prometheusOperator.additionalRulesForRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kube-prometheus-stack.operator.fullname" . }}
labels:
{{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
rules:
{{- end }}
{{- with .Values.prometheusOperator.additionalRulesForClusterRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}
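Review bot: In the last hunk (`@@ -106,4 +111,20 @@`) the `---` document and the `ClusterRole` header are emitted whenever `prometheusOperator.rbac.namespaced` is true, regardless of whether `prometheusOperator.additionalRulesForClusterRole` is set, so a namespaced install always leaves an empty-rules ClusterRole behind while the binding template only creates its ClusterRoleBinding when that list is non-empty. Gating the ClusterRole document on the same condition keeps the two templates consistent and avoids creating cluster-scoped objects in the mode whose purpose is to avoid them. The same pattern appears in the prometheus clusterrole template (hunk `@@ -22,16 +27,32 @@`). The enclosing `{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}` opens in the first hunk of this file; its closing `{{- end }}` is the last line here.
```yaml
{{- /* … unchanged: Role / ClusterRole rules above … */}}
{{- if .Values.prometheusOperator.rbac.namespaced }}
{{- with .Values.prometheusOperator.additionalRulesForRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}
{{- if or (not .Values.prometheusOperator.rbac.namespaced) .Values.prometheusOperator.additionalRulesForClusterRole }}
{{- if .Values.prometheusOperator.rbac.namespaced }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "kube-prometheus-stack.operator.fullname" . }}
  labels:
    {{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
rules:
{{- end }}
{{- with .Values.prometheusOperator.additionalRulesForClusterRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}
{{- end }}
```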
@@ -1,5 +1,24 @@
{{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
metadata:
name: {{ template "kube-prometheus-stack.operator.fullname" . }}
{{- if .Values.prometheusOperator.rbac.namespaced }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
labels:
{{- include "kube-prometheus-stack.prometheus-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ .Values.prometheusOperator.rbac.namespaced | ternary "Role" "ClusterRole" }}
name: {{ template "kube-prometheus-stack.operator.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- if and .Values.prometheusOperator.rbac.namespaced .Values.prometheusOperator.additionalRulesForClusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kube-prometheus-stack.operator.fullname" . }}
Expand All @@ -14,3 +33,4 @@ subjects:
name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
{{- end }}
@@ -1,8 +1,11 @@
{{- if and .Values.prometheus.enabled .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }}
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
{{- if .Values.prometheus.rbac.namespaced }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
Expand All @@ -11,8 +14,10 @@ rules:
# they're grabbed from https://github.com/prometheus/prometheus/blob/master/documentation/examples/rbac-setup.yml
- apiGroups: [""]
resources:
{{- if not .Values.prometheus.rbac.namespaced }}
- nodes
- nodes/metrics
{{- end }}
- services
- endpoints
- pods
Expand All @@ -22,16 +27,32 @@ rules:
resources:
- ingresses
verbs: ["get", "list", "watch"]
{{- if not .Values.prometheus.rbac.namespaced }}
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
verbs: ["get"]
{{- end }}
{{/* fix(#3338): add required rules to use node-exporter with the RBAC proxy */}}
{{- if and .Values.nodeExporter.enabled (index .Values "prometheus-node-exporter").kubeRBACProxy.enabled }}
- apiGroups: [ "" ]
resources:
- services/{{ include "prometheus-node-exporter.fullname" (index .Subcharts "prometheus-node-exporter") }}
verbs: [ "get", "list", "watch" ]
{{- end }}
{{- if .Values.prometheus.additionalRulesForClusterRole }}
{{ toYaml .Values.prometheus.additionalRulesForClusterRole | indent 0 }}
{{- if .Values.prometheusOperator.rbac.namespaced }}
{{- with .Values.prometheus.additionalRulesForRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{- include "kube-prometheus-stack.labels" . | nindent 4 }}
rules:
{{- end }}
{{- with .Values.prometheus.additionalRulesForClusterRole }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}
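Review bot: The condition `{{- if .Values.prometheusOperator.rbac.namespaced }}` in the last hunk (`@@ -22,16 +27,32 @@`) tests the operator's flag, while every other branch in this file and the matching clusterrolebinding template test `.Values.prometheus.rbac.namespaced`; it should read `{{- if .Values.prometheus.rbac.namespaced }}`. With the flags set differently, either the `additionalRulesForClusterRole` entries are appended to the Role and the ClusterRoleBinding rendered by the binding template points at a ClusterRole that does not exist, or a second ClusterRole with the same name is emitted alongside the first. The enclosing `{{- if and .Values.prometheus.enabled .Values.global.rbac.create }}` opens in the first hunk of this file.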
@@ -1,11 +1,31 @@
{{- if and .Values.prometheus.enabled .Values.global.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: {{ .Values.prometheus.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
{{- if .Values.prometheus.rbac.namespaced }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{ include "kube-prometheus-stack.labels" . | indent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ .Values.prometheus.rbac.namespaced | ternary "Role" "ClusterRole" }}
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- if and .Values.prometheus.rbac.namespaced .Values.prometheus.additionalRulesForClusterRole }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kube-prometheus-stack.fullname" . }}-prometheus
labels:
app: {{ template "kube-prometheus-stack.name" . }}-prometheus
{{- include "kube-prometheus-stack.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
Expand All @@ -15,4 +35,5 @@ subjects:
name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }}
namespace: {{ template "kube-prometheus-stack.namespace" . }}
{{- end }}
{{- end }}

31 changes: 31 additions & 0 deletions charts/kube-prometheus-stack/values.yaml
Expand Up @@ -2477,6 +2477,12 @@ prometheusOperator:
##
denyNamespaces: []

rbac:
# If true, the following values should be also defined:
# - prometheusOperator.namespaces.releaseNamespace=true
# - prometheusOperator.kubeletService.enabled=false
namespaced: false

## Filter namespaces to look for prometheus-operator custom resources
##
alertmanagerInstanceNamespaces: []
Expand Down Expand Up @@ -2589,6 +2595,19 @@ prometheusOperator:
## Use '{{ template "kube-prometheus-stack.fullname" . }}-kubelet' by default
name: ""

additionalRulesForClusterRole: []
# - apiGroups: [ "" ]
# resources:
# - nodes/proxy
# verbs: [ "get", "list", "watch" ]

## Only used, if prometheus.rbac.namespaced=true
additionalRulesForRole: []
# - apiGroups: [ "" ]
# resources:
# - secrets
# verbs: [ "get", "list", "watch" ]

## Create a servicemonitor for the operator
##
serviceMonitor:
Expand Down Expand Up @@ -2871,6 +2890,11 @@ prometheus:
# matchLabels:
# app: prometheus

## Restrict RBAC permission to release namespaces.
## You have to disable cluster-wide and node-level scrape jobs
rbac:
namespaced: false

## Service account for Prometheuses to use.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
Expand Down Expand Up @@ -3998,6 +4022,13 @@ prometheus:
# - nodes/proxy
# verbs: [ "get", "list", "watch" ]

## Only used, if prometheus.rbac.namespaced=true
additionalRulesForRole: []
# - apiGroups: [ "" ]
# resources:
# - secrets
# verbs: [ "get", "list", "watch" ]

additionalServiceMonitors: []
## Name of the ServiceMonitor to create
##
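Review bot: The comment `## Only used, if prometheus.rbac.namespaced=true` above `additionalRulesForRole` in the `prometheusOperator` block (hunk `@@ -2589,6 +2595,19 @@`) names the wrong flag: the operator template reads `.Values.prometheusOperator.additionalRulesForRole` under `.Values.prometheusOperator.rbac.namespaced`, so it should read `## Only used, if prometheusOperator.rbac.namespaced=true`. The new `prometheusOperator.additionalRulesForClusterRole` key is introduced without any comment; a line such as `## Extra rules for the operator ClusterRole; with rbac.namespaced=true they go into a separate ClusterRole/ClusterRoleBinding` would tell users what they are granting at cluster scope. The comment on `prometheusOperator.rbac.namespaced` lists companion settings but not what the flag changes (Role/RoleBinding in the release namespace instead of ClusterRole/ClusterRoleBinding), which is the fact an operator deciding on least privilege needs first.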