mirrors/kube-prometheus
1
0
Fork 0
mirror of https://github.com/prometheus-operator/kube-prometheus.git synced 2025-10-31 08:01:32 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #859 from brancz/metrics-rbac

Browse Source 
kube-prometheus: Add RBAC authorization to metrics endpoints
This commit is contained in:
Frederic Branczyk 2018-01-11 15:11:25 +01:00 committed by GitHub
commit 889f7cead4
10 changed files with 121 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
manifests/kube-state-metrics/kube-state-metrics-cluster-role.yaml
View File

@ -28,3 +28,11 @@ rules:
- cronjobs - cronjobs
- jobs - jobs
verbs: ["list", "watch"] verbs: ["list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

46
manifests/kube-state-metrics/kube-state-metrics-deployment.yaml
View File

@ -11,17 +11,43 @@ spec:
spec: spec:
serviceAccountName: kube-state-metrics serviceAccountName: kube-state-metrics
containers: containers:
- name: kube-state-metrics - name: kube-rbac-proxy-main
image: quay.io/coreos/kube-state-metrics:v1.0.1 image: quay.io/brancz/kube-rbac-proxy:v0.2.0
args:
- "--secure-listen-address=:8443"
- "--upstream=http://127.0.0.1:8081/"
ports: ports:
- name: metrics - name: https-main
containerPort: 8080 containerPort: 8443
readinessProbe: resources:
httpGet: requests:
path: /healthz memory: 20Mi
port: 8080 cpu: 10m
initialDelaySeconds: 5 limits:
timeoutSeconds: 5 memory: 40Mi
cpu: 20m
- name: kube-rbac-proxy-self
image: quay.io/brancz/kube-rbac-proxy:v0.2.0
args:
- "--secure-listen-address=:9443"
- "--upstream=http://127.0.0.1:8082/"
ports:
- name: https-self
containerPort: 9443
resources:
requests:
memory: 20Mi
cpu: 10m
limits:
memory: 40Mi
cpu: 20m
- name: kube-state-metrics
image: quay.io/coreos/kube-state-metrics:v1.2.0-rc.0
args:
- "--host=127.0.0.1"
- "--port=8081"
- "--telemetry-host=127.0.0.1"
- "--telemetry-port=8082"
- name: addon-resizer - name: addon-resizer
image: gcr.io/google_containers/addon-resizer:1.0 image: gcr.io/google_containers/addon-resizer:1.0
resources: resources:

11
manifests/kube-state-metrics/kube-state-metrics-service.yaml
View File

@ -6,10 +6,15 @@ metadata:
k8s-app: kube-state-metrics k8s-app: kube-state-metrics
name: kube-state-metrics name: kube-state-metrics
spec: spec:
clusterIP: None
ports: ports:
- name: http-metrics - name: https-main
port: 8080 port: 8443
targetPort: metrics targetPort: https-main
protocol: TCP
- name: https-self
port: 9443
targetPort: https-self
protocol: TCP protocol: TCP
selector: selector:
app: kube-state-metrics app: kube-state-metrics

12
manifests/node-exporter/node-exporter-cluster-role-binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: node-exporter
subjects:
- kind: ServiceAccount
name: node-exporter
namespace: monitoring

13
manifests/node-exporter/node-exporter-cluster-role.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-exporter
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

26
manifests/node-exporter/node-exporter-daemonset.yaml
View File

@ -3,24 +3,26 @@ kind: DaemonSet
metadata: metadata:
name: node-exporter name: node-exporter
spec: spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template: template:
metadata: metadata:
labels: labels:
app: node-exporter app: node-exporter
name: node-exporter name: node-exporter
spec: spec:
serviceAccountName: node-exporter
hostNetwork: true hostNetwork: true
hostPID: true hostPID: true
containers: containers:
- image: quay.io/prometheus/node-exporter:v0.15.0 - image: quay.io/prometheus/node-exporter:v0.15.0
args: args:
- "--web.listen-address=127.0.0.1:9101"
- "--path.procfs=/host/proc" - "--path.procfs=/host/proc"
- "--path.sysfs=/host/sys" - "--path.sysfs=/host/sys"
name: node-exporter name: node-exporter
ports:
- containerPort: 9100
hostPort: 9100
name: scrape
resources: resources:
requests: requests:
memory: 30Mi memory: 30Mi
@ -35,6 +37,22 @@ spec:
- name: sys - name: sys
readOnly: true readOnly: true
mountPath: /host/sys mountPath: /host/sys
- name: kube-rbac-proxy
image: quay.io/brancz/kube-rbac-proxy:v0.2.0
args:
- "--secure-listen-address=:9100"
- "--upstream=http://127.0.0.1:9101/"
ports:
- containerPort: 9100
hostPort: 9100
name: https
resources:
requests:
memory: 20Mi
cpu: 10m
limits:
memory: 40Mi
cpu: 20m
tolerations: tolerations:
- effect: NoSchedule - effect: NoSchedule
operator: Exists operator: Exists

4
manifests/node-exporter/node-exporter-service-account.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: node-exporter

2
manifests/node-exporter/node-exporter-service.yaml
View File

@ -9,7 +9,7 @@ spec:
type: ClusterIP type: ClusterIP
clusterIP: None clusterIP: None
ports: ports:
- name: http-metrics - name: https
port: 9100 port: 9100
protocol: TCP protocol: TCP
selector: selector:

12
manifests/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.yaml
View File

@ -13,6 +13,16 @@ spec:
matchNames: matchNames:
- monitoring - monitoring
endpoints: endpoints:
- port: http-metrics - port: https-main
scheme: https
interval: 30s interval: 30s
honorLabels: true honorLabels: true
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
tlsConfig:
insecureSkipVerify: true
- port: https-self
scheme: https
interval: 30s
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
tlsConfig:
insecureSkipVerify: true

6
manifests/prometheus/prometheus-k8s-service-monitor-node-exporter.yaml
View File

@ -13,5 +13,9 @@ spec:
matchNames: matchNames:
- monitoring - monitoring
endpoints: endpoints:
- port: http-metrics - port: https
scheme: https
interval: 30s interval: 30s
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
tlsConfig:
insecureSkipVerify: true