kube-prometheus: Convert to jsonnet

2025-11-04 10:01:03 +01:00 · 2018-04-08 14:53:30 +02:00 · 2018-04-08 14:53:30 +02:00 · d8692794a9
commit d8692794a9
parent 0d142fe9da
54 changed files with 1249 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+tmp/
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -e
+set -x
+
+prefix="tmp/manifests"
+json="tmp/manifests.json"
+
+rm -rf ${prefix}
+mkdir -p $(dirname "${json}")
+jsonnet -J /home/brancz/.jsonnet-bundler/src/git/git@github.com-ksonnet-ksonnet-lib/master jsonnet/kube-prometheus.jsonnet > ${json}
+
+files=$(jq -r 'keys[]' ${json})
+
+for file in ${files}; do
+    dir=$(dirname "${file}")
+    path="${prefix}/${dir}"
+    mkdir -p ${path}
+    jq -r ".[\"${file}\"]" ${json} | yaml2json | json2yaml > "${prefix}/${file}"
+done
--- a/jsonnet/alertmanager/alertmanager-main-secret.libsonnet
+++ b/jsonnet/alertmanager/alertmanager-main-secret.libsonnet
@ -0,0 +1,25 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local secret = k.core.v1.secret;
+
+local plainConfig = "global:
+  resolve_timeout: 5m
+route:
+  group_by: ['job']
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 12h
+  receiver: 'null'
+  routes:
+  - match:
+      alertname: DeadMansSwitch
+    receiver: 'null'
+receivers:
+- name: 'null'";
+
+local config = std.base64(plainConfig);
+
+{
+    new(namespace)::
+        secret.new("alertmanager-main", {"alertmanager.yaml": config}) +
+          secret.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/alertmanager/alertmanager-main-service-account.libsonnet
+++ b/jsonnet/alertmanager/alertmanager-main-service-account.libsonnet
@ -0,0 +1,8 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local serviceAccount = k.core.v1.serviceAccount;
+
+{
+    new(namespace)::
+        serviceAccount.new("alertmanager-main") +
+          serviceAccount.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/alertmanager/alertmanager-main-service.libsonnet
+++ b/jsonnet/alertmanager/alertmanager-main-service.libsonnet
@ -0,0 +1,12 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local service = k.core.v1.service;
+local servicePort = k.core.v1.service.mixin.spec.portsType;
+
+local alertmanagerPort = servicePort.newNamed("web", 9093, "web");
+
+{
+    new(namespace)::
+        service.new("alertmanager-main", {app: "alertmanager", alertmanager: "main"}, alertmanagerPort) +
+          service.mixin.metadata.withNamespace(namespace) +
+          service.mixin.metadata.withLabels({alertmanager: "main"})
+}
--- a/jsonnet/alertmanager/alertmanager-main.libsonnet
+++ b/jsonnet/alertmanager/alertmanager-main.libsonnet
@ -0,0 +1,19 @@
+{
+    new(namespace)::
+        {
+          apiVersion: "monitoring.coreos.com/v1",
+          kind: "Alertmanager",
+          metadata: {
+            name: "main",
+            namespace: namespace,
+            labels: {
+              alertmanager: "main",
+            },
+          },
+          spec: {
+            replicas: 3,
+            version: "v0.14.0",
+            serviceAccountName: "alertmanager-main",
+          },
+        }
+}
--- a/jsonnet/alertmanager/alertmanager.libsonnet
+++ b/jsonnet/alertmanager/alertmanager.libsonnet
@ -0,0 +1,6 @@
+{
+    config:: import "alertmanager-main-secret.libsonnet",
+    serviceAccount:: import "alertmanager-main-service-account.libsonnet",
+    service:: import "alertmanager-main-service.libsonnet",
+    alertmanager:: import "alertmanager-main.libsonnet",
+}
--- a/jsonnet/kube-prometheus.jsonnet
+++ b/jsonnet/kube-prometheus.jsonnet
@ -0,0 +1,62 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+
+local alertmanager = import "alertmanager/alertmanager.libsonnet";
+local ksm = import "kube-state-metrics/kube-state-metrics.libsonnet";
+local nodeExporter = import "node-exporter/node-exporter.libsonnet";
+local po = import "prometheus-operator/prometheus-operator.libsonnet";
+local prometheus = import "prometheus/prometheus.libsonnet";
+
+local namespace = "monitoring";
+
+local objects = {
+    "alertmanager-main/alertmanager-main-secret.yaml":          alertmanager.config.new(namespace),
+    "alertmanager-main/alertmanager-main-service-account.yaml": alertmanager.serviceAccount.new(namespace),
+    "alertmanager-main/alertmanager-main-service.yaml":         alertmanager.service.new(namespace),
+    "alertmanager-main/alertmanager-main.yaml":                 alertmanager.alertmanager.new(namespace),
+
+    "kube-state-metrics/kube-state-metrics-cluster-role-binding": ksm.clusterRoleBinding.new(namespace),
+    "kube-state-metrics/kube-state-metrics-cluster-role.yaml":    ksm.clusterRole.new(),
+    "kube-state-metrics/kube-state-metrics-deployment.yaml":      ksm.deployment.new(namespace),
+    "kube-state-metrics/kube-state-metrics-role-binding.yaml":    ksm.roleBinding.new(namespace),
+    "kube-state-metrics/kube-state-metrics-role.yaml":            ksm.role.new(namespace),
+    "kube-state-metrics/kube-state-metrics-service-account.yaml": ksm.serviceAccount.new(namespace),
+    "kube-state-metrics/kube-state-metrics-service.yaml":         ksm.service.new(namespace),
+
+    "node-exporter/node-exporter-cluster-role-binding.yaml": nodeExporter.clusterRoleBinding.new(namespace),
+    "node-exporter/node-exporter-cluster-role.yaml": nodeExporter.clusterRole.new(),
+    "node-exporter/node-exporter-daemonset.yaml": nodeExporter.daemonset.new(namespace),
+    "node-exporter/node-exporter-service-account.yaml": nodeExporter.serviceAccount.new(namespace),
+    "node-exporter/node-exporter-service.yaml": nodeExporter.service.new(namespace),
+
+    "prometheus-operator/prometheus-operator-cluster-role-binding.yaml": po.clusterRoleBinding.new(namespace),
+    "prometheus-operator/prometheus-operator-cluster-role.yaml":         po.clusterRole.new(),
+    "prometheus-operator/prometheus-operator-deployment.yaml":           po.deployment.new(namespace),
+    "prometheus-operator/prometheus-operator-service.yaml":              po.service.new(namespace),
+    "prometheus-operator/prometheus-operator-service-account.yaml":      po.serviceAccount.new(namespace),
+
+    "prometheus-k8s/prometheus-k8s-cluster-role-binding.yaml":                    prometheus.clusterRoleBinding.new(namespace),
+    "prometheus-k8s/prometheus-k8s-cluster-role.yaml":                            prometheus.clusterRole.new(),
+    "prometheus-k8s/prometheus-k8s-service-account.yaml":                         prometheus.serviceAccount.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service.yaml":                                 prometheus.service.new(namespace),
+    "prometheus-k8s/prometheus-k8s.yaml":                                         prometheus.prometheus.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-binding-config.yaml":                     prometheus.roleBindingConfig.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-binding-namespace.yaml":                  prometheus.roleBindingNamespace.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-binding-kube-system.yaml":                prometheus.roleBindingKubeSystem.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-binding-default.yaml":                    prometheus.roleBindingDefault.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-config.yaml":                             prometheus.roleConfig.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-namespace.yaml":                          prometheus.roleNamespace.new(namespace),
+    "prometheus-k8s/prometheus-k8s-role-kube-system.yaml":                        prometheus.roleKubeSystem.new(),
+    "prometheus-k8s/prometheus-k8s-role-default.yaml":                            prometheus.roleDefault.new(),
+    "prometheus-k8s/prometheus-k8s-service-monitor-alertmanager.yaml":            prometheus.serviceMonitorAlertmanager.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-apiserver.yaml":               prometheus.serviceMonitorApiserver.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-coredns.yaml":                 prometheus.serviceMonitorCoreDNS.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-kube-controller-manager.yaml": prometheus.serviceMonitorControllerManager.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-kube-scheduler.yaml":          prometheus.serviceMonitorScheduler.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-kube-state-metrics.yaml":      prometheus.serviceMonitorKubeStateMetrics.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-kubelet.yaml":                 prometheus.serviceMonitorKubelet.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-node-exporter.yaml":           prometheus.serviceMonitorNodeExporter.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-prometheus-operator.yaml":     prometheus.serviceMonitorPrometheusOperator.new(namespace),
+    "prometheus-k8s/prometheus-k8s-service-monitor-prometheus.yaml":              prometheus.serviceMonitorPrometheus.new(namespace),
+};
+
+{[path]: std.manifestYamlDoc(objects[path]) for path in std.objectFields(objects)}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-cluster-role-binding.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-cluster-role-binding.libsonnet
@ -0,0 +1,12 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
+
+{
+    new(namespace)::
+        clusterRoleBinding.new() +
+          clusterRoleBinding.mixin.metadata.withName("kube-state-metrics") +
+          clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+          clusterRoleBinding.mixin.roleRef.withName("kube-state-metrics") +
+          clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
+          clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "kube-state-metrics", namespace: namespace}])
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-cluster-role.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-cluster-role.libsonnet
@ -0,0 +1,75 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRole = k.rbac.v1.clusterRole;
+local policyRule = clusterRole.rulesType;
+
+local coreRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "configmaps",
+    "secrets",
+    "nodes",
+    "pods",
+    "services",
+    "resourcequotas",
+    "replicationcontrollers",
+    "limitranges",
+    "persistentvolumeclaims",
+    "persistentvolumes",
+    "namespaces",
+    "endpoints",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local extensionsRule = policyRule.new() +
+  policyRule.withApiGroups(["extensions"]) +
+  policyRule.withResources([
+    "daemonsets",
+    "deployments",
+    "replicasets",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local appsRule = policyRule.new() +
+  policyRule.withApiGroups(["apps"]) +
+  policyRule.withResources([
+    "statefulsets",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local batchRule = policyRule.new() +
+  policyRule.withApiGroups(["batch"]) +
+  policyRule.withResources([
+    "cronjobs",
+    "jobs",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local autoscalingRule = policyRule.new() +
+  policyRule.withApiGroups(["autoscaling"]) +
+  policyRule.withResources([
+    "horizontalpodautoscalers",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local authenticationRole = policyRule.new() +
+  policyRule.withApiGroups(["authentication.k8s.io"]) +
+  policyRule.withResources([
+    "tokenreviews",
+  ]) +
+  policyRule.withVerbs(["create"]);
+
+local authorizationRole = policyRule.new() +
+  policyRule.withApiGroups(["authorization.k8s.io"]) +
+  policyRule.withResources([
+    "subjectaccessreviews",
+  ]) +
+  policyRule.withVerbs(["create"]);
+
+local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole];
+
+{
+    new()::
+        clusterRole.new() +
+          clusterRole.mixin.metadata.withName("kube-state-metrics") +
+          clusterRole.withRules(rules)
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-deployment.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-deployment.libsonnet
@ -0,0 +1,86 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local deployment = k.apps.v1beta2.deployment;
+
+local deployment = k.apps.v1beta2.deployment;
+local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
+local volume = k.apps.v1beta2.deployment.mixin.spec.template.spec.volumesType;
+local containerPort = container.portsType;
+local containerVolumeMount = container.volumeMountsType;
+local podSelector = deployment.mixin.spec.template.spec.selectorType;
+
+local kubeStateMetricsVersion = "v1.3.0";
+local kubeRbacProxyVersion = "v0.3.0";
+local addonResizerVersion = "1.0";
+local podLabels = {"app": "kube-state-metrics"};
+
+local proxyClusterMetrics =
+  container.new("kube-rbac-proxy-main", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
+  container.withArgs([
+	"--secure-listen-address=:8443",
+	"--upstream=http://127.0.0.1:8081/",
+  ]) +
+  container.withPorts(containerPort.newNamed("https-main", 8443)) +
+  container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
+  container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
+
+local proxySelfMetrics =
+  container.new("kube-rbac-proxy-self", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
+  container.withArgs([
+	"--secure-listen-address=:9443",
+	"--upstream=http://127.0.0.1:8082/",
+  ]) +
+  container.withPorts(containerPort.newNamed("https-self", 9443)) +
+  container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
+  container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
+
+local kubeStateMetrics =
+  container.new("kube-state-metrics", "quay.io/coreos/kube-state-metrics:" + kubeStateMetricsVersion) +
+  container.withArgs([
+	"--host=127.0.0.1",
+	"--port=8081",
+	"--telemetry-host=127.0.0.1",
+	"--telemetry-port=8082",
+  ]) +
+  container.mixin.resources.withRequests({cpu: "102m", memory: "180Mi"}) +
+  container.mixin.resources.withLimits({cpu: "102m", memory: "180Mi"});
+
+local addonResizer =
+  container.new("addon-resizer", "quay.io/coreos/addon-resizer:" + addonResizerVersion) +
+  container.withCommand([
+	"/pod_nanny",
+	"--container=kube-state-metrics",
+	"--cpu=100m",
+	"--extra-cpu=2m",
+	"--memory=150Mi",
+	"--extra-memory=30Mi",
+	"--threshold=5",
+	"--deployment=kube-state-metrics",
+  ]) +
+  container.withEnv([
+	{
+	  name: "MY_POD_NAME",
+      valueFrom: {
+		fieldRef: {apiVersion: "v1", fieldPath: "metadata.name"}
+      }
+	}, {
+	  name: "MY_POD_NAMESPACE",
+      valueFrom: {
+		fieldRef: {apiVersion: "v1", fieldPath: "metadata.namespace"}
+      }
+	}
+  ]) +
+  container.mixin.resources.withRequests({cpu: "10m", memory: "30Mi"}) +
+  container.mixin.resources.withLimits({cpu: "10m", memory: "30Mi"});
+
+local c = [proxyClusterMetrics, proxySelfMetrics, kubeStateMetrics, addonResizer];
+
+{
+    new(namespace)::
+        deployment.new("kube-state-metrics", 1, c, podLabels) +
+          deployment.mixin.metadata.withNamespace(namespace) +
+          deployment.mixin.metadata.withLabels(podLabels) +
+          deployment.mixin.spec.selector.withMatchLabels(podLabels) +
+          deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
+          deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
+          deployment.mixin.spec.template.spec.withServiceAccountName("kube-state-metrics")
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-role-binding.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-role-binding.libsonnet
@ -0,0 +1,13 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local roleBinding = k.rbac.v1.roleBinding;
+
+{
+    new(namespace)::
+        roleBinding.new() +
+          roleBinding.mixin.metadata.withName("kube-state-metrics") +
+          roleBinding.mixin.metadata.withNamespace(namespace) +
+          roleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+          roleBinding.mixin.roleRef.withName("kube-state-metrics-addon-resizer") +
+          roleBinding.mixin.roleRef.mixinInstance({kind: "Role"}) +
+          roleBinding.withSubjects([{kind: "ServiceAccount", name: "kube-state-metrics"}])
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-role.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-role.libsonnet
@ -0,0 +1,28 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local role = k.rbac.v1.role;
+local policyRule = role.rulesType;
+
+local coreRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "pods",
+  ]) +
+  policyRule.withVerbs(["get"]);
+
+local extensionsRule = policyRule.new() +
+  policyRule.withApiGroups(["extensions"]) +
+  policyRule.withResources([
+    "deployments",
+  ]) +
+  policyRule.withVerbs(["get", "update"]) +
+  policyRule.withResourceNames(["kube-state-metrics"]);
+
+local rules = [coreRule, extensionsRule];
+
+{
+    new(namespace)::
+        role.new() +
+          role.mixin.metadata.withName("kube-state-metrics") +
+          role.mixin.metadata.withNamespace(namespace) +
+          role.withRules(rules)
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-service-account.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-service-account.libsonnet
@ -0,0 +1,8 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local serviceAccount = k.core.v1.serviceAccount;
+
+{
+    new(namespace)::
+        serviceAccount.new("kube-state-metrics") +
+          serviceAccount.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics-service.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics-service.libsonnet
@ -0,0 +1,15 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local service = k.core.v1.service;
+local servicePort = k.core.v1.service.mixin.spec.portsType;
+
+local ksmDeployment = import "kube-state-metrics-deployment.libsonnet";
+
+local ksmServicePortMain = servicePort.newNamed("https-main", 8443, "https-main");
+local ksmServicePortSelf = servicePort.newNamed("https-self", 9443, "https-self");
+
+{
+    new(namespace)::
+        service.new("kube-state-metrics", ksmDeployment.new(namespace).spec.selector.matchLabels, [ksmServicePortMain, ksmServicePortSelf]) +
+          service.mixin.metadata.withNamespace(namespace) +
+          service.mixin.metadata.withLabels({"k8s-app": "kube-state-metrics"})
+}
--- a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@ -0,0 +1,9 @@
+{
+    clusterRoleBinding:: import "kube-state-metrics-cluster-role-binding.libsonnet",
+    clusterRole:: import "kube-state-metrics-cluster-role.libsonnet",
+    deployment:: import "kube-state-metrics-deployment.libsonnet",
+    roleBinding:: import "kube-state-metrics-role-binding.libsonnet",
+    role:: import "kube-state-metrics-role.libsonnet",
+    serviceAccount:: import "kube-state-metrics-service-account.libsonnet",
+    service:: import "kube-state-metrics-service.libsonnet",
+}
--- a/jsonnet/node-exporter/node-exporter-cluster-role-binding.libsonnet
+++ b/jsonnet/node-exporter/node-exporter-cluster-role-binding.libsonnet
@ -0,0 +1,12 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
+
+{
+    new(namespace)::
+        clusterRoleBinding.new() +
+          clusterRoleBinding.mixin.metadata.withName("node-exporter") +
+          clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+          clusterRoleBinding.mixin.roleRef.withName("node-exporter") +
+          clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
+          clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "node-exporter", namespace: namespace}])
+}
--- a/jsonnet/node-exporter/node-exporter-cluster-role.libsonnet
+++ b/jsonnet/node-exporter/node-exporter-cluster-role.libsonnet
@ -0,0 +1,26 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRole = k.rbac.v1.clusterRole;
+local policyRule = clusterRole.rulesType;
+
+local authenticationRole = policyRule.new() +
+  policyRule.withApiGroups(["authentication.k8s.io"]) +
+  policyRule.withResources([
+    "tokenreviews",
+  ]) +
+  policyRule.withVerbs(["create"]);
+
+local authorizationRole = policyRule.new() +
+  policyRule.withApiGroups(["authorization.k8s.io"]) +
+  policyRule.withResources([
+    "subjectaccessreviews",
+  ]) +
+  policyRule.withVerbs(["create"]);
+
+local rules = [authenticationRole, authorizationRole];
+
+{
+    new()::
+        clusterRole.new() +
+          clusterRole.mixin.metadata.withName("node-exporter") +
+          clusterRole.withRules(rules)
+}
--- a/jsonnet/node-exporter/node-exporter-daemonset.libsonnet
+++ b/jsonnet/node-exporter/node-exporter-daemonset.libsonnet
@ -0,0 +1,58 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+
+local daemonset = k.apps.v1beta2.daemonSet;
+local container = daemonset.mixin.spec.template.spec.containersType;
+local volume = daemonset.mixin.spec.template.spec.volumesType;
+local containerPort = container.portsType;
+local containerVolumeMount = container.volumeMountsType;
+local podSelector = daemonset.mixin.spec.template.spec.selectorType;
+
+local nodeExporterVersion = "v0.15.2";
+local kubeRbacProxyVersion = "v0.3.0";
+local podLabels = {"app": "node-exporter"};
+
+local procVolumeName = "proc";
+local procVolume = volume.fromHostPath(procVolumeName, "/proc");
+local procVolumeMount = containerVolumeMount.new(procVolumeName, "/host/proc");
+
+local sysVolumeName = "sys";
+local sysVolume = volume.fromHostPath(sysVolumeName, "/sys");
+local sysVolumeMount = containerVolumeMount.new(sysVolumeName, "/host/sys");
+
+local nodeExporter =
+  container.new("node-exporter", "quay.io/prometheus/node-exporter:" + nodeExporterVersion) +
+  container.withArgs([
+    "--web.listen-address=127.0.0.1:9101",
+    "--path.procfs=/host/proc",
+    "--path.sysfs=/host/sys",
+  ]) +
+  container.withVolumeMounts([procVolumeMount, sysVolumeMount]) +
+  container.mixin.resources.withRequests({cpu: "102m", memory: "180Mi"}) +
+  container.mixin.resources.withLimits({cpu: "102m", memory: "180Mi"});
+
+local proxy =
+  container.new("kube-rbac-proxy", "quay.io/coreos/kube-rbac-proxy:" + kubeRbacProxyVersion) +
+  container.withArgs([
+	"--secure-listen-address=:9100",
+	"--upstream=http://127.0.0.1:9101/",
+  ]) +
+  container.withPorts(containerPort.newNamed("https", 9100)) +
+  container.mixin.resources.withRequests({cpu: "10m", memory: "20Mi"}) +
+  container.mixin.resources.withLimits({cpu: "20m", memory: "40Mi"});
+
+local c = [nodeExporter, proxy];
+
+{
+    new(namespace)::
+        daemonset.new() +
+          daemonset.mixin.metadata.withName("node-exporter") +
+          daemonset.mixin.metadata.withNamespace(namespace) +
+          daemonset.mixin.metadata.withLabels(podLabels) +
+          daemonset.mixin.spec.selector.withMatchLabels(podLabels) +
+          daemonset.mixin.spec.template.metadata.withLabels(podLabels) +
+          daemonset.mixin.spec.template.spec.withContainers(c) +
+          daemonset.mixin.spec.template.spec.withVolumes([procVolume, sysVolume]) +
+          daemonset.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
+          daemonset.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
+          daemonset.mixin.spec.template.spec.withServiceAccountName("node-exporter")
+}
--- a/jsonnet/node-exporter/node-exporter-service-account.libsonnet
+++ b/jsonnet/node-exporter/node-exporter-service-account.libsonnet
@ -0,0 +1,8 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local serviceAccount = k.core.v1.serviceAccount;
+
+{
+    new(namespace)::
+        serviceAccount.new("node-exporter") +
+          serviceAccount.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/node-exporter/node-exporter-service.libsonnet
+++ b/jsonnet/node-exporter/node-exporter-service.libsonnet
@ -0,0 +1,14 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local service = k.core.v1.service;
+local servicePort = k.core.v1.service.mixin.spec.portsType;
+
+local nodeExporterDaemonset = import "node-exporter-daemonset.libsonnet";
+
+local nodeExporterPort = servicePort.newNamed("https", 9100, "https");
+
+{
+    new(namespace)::
+        service.new("node-exporter", nodeExporterDaemonset.new(namespace).spec.selector.matchLabels, nodeExporterPort) +
+          service.mixin.metadata.withNamespace(namespace) +
+          service.mixin.metadata.withLabels({"k8s-app": "node-exporter"})
+}
--- a/jsonnet/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/node-exporter/node-exporter.libsonnet
@ -0,0 +1,7 @@
+{
+    clusterRoleBinding:: import "node-exporter-cluster-role-binding.libsonnet",
+    clusterRole:: import "node-exporter-cluster-role.libsonnet",
+    daemonset:: import "node-exporter-daemonset.libsonnet",
+    serviceAccount:: import "node-exporter-service-account.libsonnet",
+    service:: import "node-exporter-service.libsonnet",
+}
--- a/jsonnet/prometheus-operator/prometheus-operator-cluster-role-binding.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator-cluster-role-binding.libsonnet
@ -0,0 +1,12 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
+
+{
+    new(namespace)::
+        clusterRoleBinding.new() +
+          clusterRoleBinding.mixin.metadata.withName("prometheus-operator") +
+          clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+          clusterRoleBinding.mixin.roleRef.withName("prometheus-operator") +
+          clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
+          clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "prometheus-operator", namespace: namespace}])
+}
--- a/jsonnet/prometheus-operator/prometheus-operator-cluster-role.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator-cluster-role.libsonnet
@ -0,0 +1,80 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRole = k.rbac.v1.clusterRole;
+local policyRule = clusterRole.rulesType;
+
+local extensionsRule = policyRule.new() +
+  policyRule.withApiGroups(["extensions"]) +
+  policyRule.withResources([
+    "thirdpartyresources",
+  ]) +
+  policyRule.withVerbs(["*"]);
+
+local apiExtensionsRule = policyRule.new() +
+  policyRule.withApiGroups(["apiextensions.k8s.io"]) +
+  policyRule.withResources([
+    "customresourcedefinitions",
+  ]) +
+  policyRule.withVerbs(["*"]);
+
+local monitoringRule = policyRule.new() +
+  policyRule.withApiGroups(["monitoring.coreos.com"]) +
+  policyRule.withResources([
+    "alertmanagers",
+    "prometheuses",
+    "prometheuses/finalizers",
+    "alertmanagers/finalizers",
+    "servicemonitors",
+  ]) +
+  policyRule.withVerbs(["*"]);
+
+local appsRule = policyRule.new() +
+  policyRule.withApiGroups(["apps"]) +
+  policyRule.withResources([
+    "statefulsets",
+  ]) +
+  policyRule.withVerbs(["*"]);
+
+local coreRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "configmaps",
+    "secrets",
+  ]) +
+  policyRule.withVerbs(["*"]);
+
+local podRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "pods",
+  ]) +
+  policyRule.withVerbs(["list", "delete"]);
+
+local routingRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "services",
+  ]) +
+  policyRule.withVerbs(["get", "create", "update"]);
+
+local nodeRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "nodes",
+  ]) +
+  policyRule.withVerbs(["list", "watch"]);
+
+local namespaceRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "namespaces",
+  ]) +
+  policyRule.withVerbs(["list"]);
+
+local rules = [extensionsRule, apiExtensionsRule, monitoringRule, appsRule, coreRule, podRule, routingRule, nodeRule, namespaceRule];
+
+{
+    new()::
+        clusterRole.new() +
+          clusterRole.mixin.metadata.withName("prometheus-operator") +
+          clusterRole.withRules(rules)
+}
--- a/jsonnet/prometheus-operator/prometheus-operator-deployment.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator-deployment.libsonnet
@ -0,0 +1,30 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local rawVersion = importstr "../../../../VERSION";
+
+local removeLineBreaks = function(str) std.join("", std.filter(function(c) c != "\n", std.stringChars(str)));
+local version = removeLineBreaks(rawVersion);
+
+local deployment = k.apps.v1beta2.deployment;
+local container = k.apps.v1beta2.deployment.mixin.spec.template.spec.containersType;
+local containerPort = container.portsType;
+
+local targetPort = 8080;
+local podLabels = {"k8s-app": "prometheus-operator"};
+
+local operatorContainer =
+  container.new("prometheus-operator", "quay.io/coreos/prometheus-operator:v" + version) +
+  container.withPorts(containerPort.newNamed("http", targetPort)) +
+  container.withArgs(["--kubelet-service=kube-system/kubelet", "--config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1"]) +
+  container.mixin.resources.withRequests({cpu: "100m", memory: "50Mi"}) +
+  container.mixin.resources.withLimits({cpu: "200m", memory: "100Mi"});
+
+{
+    new(namespace)::
+        deployment.new("prometheus-operator", 1, operatorContainer, podLabels) +
+          deployment.mixin.metadata.withNamespace(namespace) +
+          deployment.mixin.metadata.withLabels(podLabels) +
+          deployment.mixin.spec.selector.withMatchLabels(podLabels) +
+          deployment.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
+          deployment.mixin.spec.template.spec.securityContext.withRunAsUser(65534) +
+          deployment.mixin.spec.template.spec.withServiceAccountName("prometheus-operator")
+}
--- a/jsonnet/prometheus-operator/prometheus-operator-service-account.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator-service-account.libsonnet
@ -0,0 +1,8 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local serviceAccount = k.core.v1.serviceAccount;
+
+{
+    new(namespace)::
+        serviceAccount.new("prometheus-operator") +
+          serviceAccount.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/prometheus-operator/prometheus-operator-service.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator-service.libsonnet
@ -0,0 +1,14 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local service = k.core.v1.service;
+local servicePort = k.core.v1.service.mixin.spec.portsType;
+
+local poDeployment = import "prometheus-operator-deployment.libsonnet";
+
+local poServicePort = servicePort.newNamed("http", 8080, "http");
+
+
+{
+    new(namespace)::
+        service.new("prometheus-operator", poDeployment.new(namespace).spec.selector.matchLabels, [poServicePort]) +
+        service.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/prometheus-operator/prometheus-operator.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator.libsonnet
@ -0,0 +1,7 @@
+{
+  clusterRoleBinding:: import "prometheus-operator-cluster-role-binding.libsonnet",
+  clusterRole:: import "prometheus-operator-cluster-role.libsonnet",
+  deployment:: import "prometheus-operator-deployment.libsonnet",
+  serviceAccount:: import "prometheus-operator-service-account.libsonnet",
+  service:: import "prometheus-operator-service.libsonnet",
+}
--- a/jsonnet/prometheus/prometheus-k8s-cluster-role-binding.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-cluster-role-binding.libsonnet
@ -0,0 +1,12 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRoleBinding = k.rbac.v1.clusterRoleBinding;
+
+{
+    new(namespace)::
+        clusterRoleBinding.new() +
+          clusterRoleBinding.mixin.metadata.withName("prometheus-k8s") +
+          clusterRoleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+          clusterRoleBinding.mixin.roleRef.withName("prometheus-k8s") +
+          clusterRoleBinding.mixin.roleRef.mixinInstance({kind: "ClusterRole"}) +
+          clusterRoleBinding.withSubjects([{kind: "ServiceAccount", name: "prometheus-k8s", namespace: namespace}])
+}
--- a/jsonnet/prometheus/prometheus-k8s-cluster-role.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-cluster-role.libsonnet
@ -0,0 +1,21 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local clusterRole = k.rbac.v1.clusterRole;
+local policyRule = clusterRole.rulesType;
+
+local nodeMetricsRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources(["nodes/metrics"]) +
+  policyRule.withVerbs(["get"]);
+
+local metricsRule = policyRule.new() +
+  policyRule.withNonResourceUrls("/metrics") +
+  policyRule.withVerbs(["get"]);
+
+local rules = [nodeMetricsRule, metricsRule];
+
+{
+    new()::
+        clusterRole.new() +
+          clusterRole.mixin.metadata.withName("prometheus-k8s") +
+          clusterRole.withRules(rules)
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-binding-config.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-binding-config.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
+
+{
+    new(namespace):: prometheusNamespaceRoleBinding.new(namespace, namespace, "prometheus-k8s-config")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-binding-default.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-binding-default.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
+
+{
+    new(namespace):: prometheusNamespaceRoleBinding.new(namespace, "default", "prometheus-k8s")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-binding-kube-system.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-binding-kube-system.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
+
+{
+    new(namespace):: prometheusNamespaceRoleBinding.new(namespace, "kube-system", "prometheus-k8s")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-binding-namespace.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-binding-namespace.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRoleBinding = import "prometheus-namespace-role-binding.libsonnet";
+
+{
+    new(namespace):: prometheusNamespaceRoleBinding.new(namespace, namespace, "prometheus-k8s")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-config.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-config.libsonnet
@ -0,0 +1,18 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local role = k.rbac.v1.role;
+local policyRule = role.rulesType;
+
+local configmapRule = policyRule.new() +
+  policyRule.withApiGroups([""]) +
+  policyRule.withResources([
+    "configmaps",
+  ]) +
+  policyRule.withVerbs(["get"]);
+
+{
+    new(namespace)::
+        role.new() +
+          role.mixin.metadata.withName("prometheus-k8s-config") +
+          role.mixin.metadata.withNamespace(namespace) +
+          role.withRules(configmapRule),
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-default.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-default.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
+
+{
+    new():: prometheusNamespaceRole.new("default")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-kube-system.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-kube-system.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
+
+{
+    new():: prometheusNamespaceRole.new("kube-system")
+}
--- a/jsonnet/prometheus/prometheus-k8s-role-namespace.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-role-namespace.libsonnet
@ -0,0 +1,5 @@
+local prometheusNamespaceRole = import "prometheus-namespace-role.libsonnet";
+
+{
+    new(namespace):: prometheusNamespaceRole.new(namespace)
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-account.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-account.libsonnet
@ -0,0 +1,8 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local serviceAccount = k.core.v1.serviceAccount;
+
+{
+    new(namespace)::
+        serviceAccount.new("prometheus-k8s") +
+          serviceAccount.mixin.metadata.withNamespace(namespace)
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-alertmanager.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-alertmanager.libsonnet
@ -0,0 +1,32 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "alertmanager",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "alertmanager"
+                }
+            },
+            "spec": {
+                "selector": {
+                    "matchLabels": {
+                        "alertmanager": "main"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "monitoring"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "web",
+                        "interval": "30s"
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-apiserver.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-apiserver.libsonnet
@ -0,0 +1,40 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "kube-apiserver",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "apiserver"
+                }
+            },
+            "spec": {
+                "jobLabel": "component",
+                "selector": {
+                    "matchLabels": {
+                        "component": "apiserver",
+                        "provider": "kubernetes"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "default"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "https",
+                        "interval": "30s",
+                        "scheme": "https",
+                        "tlsConfig": {
+                            "caFile": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+                            "serverName": "kubernetes"
+                        },
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-coredns.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-coredns.libsonnet
@ -0,0 +1,35 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "coredns",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "coredns"
+                },
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "coredns",
+                        "component": "metrics"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "kube-system"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "http-metrics",
+                        "interval": "15s",
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-controller-manager.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-controller-manager.libsonnet
@ -0,0 +1,33 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "kube-controller-manager",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "kube-controller-manager"
+                }
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "endpoints": [
+                    {
+                        "port": "http-metrics",
+                        "interval": "30s"
+                    }
+                ],
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "kube-controller-manager"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "kube-system"
+                    ]
+                }
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-scheduler.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-scheduler.libsonnet
@ -0,0 +1,33 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "kube-scheduler",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "kube-scheduler"
+                }
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "endpoints": [
+                    {
+                        "port": "http-metrics",
+                        "interval": "30s"
+                    }
+                ],
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "kube-scheduler"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "kube-system"
+                    ]
+                }
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-kube-state-metrics.libsonnet
@ -0,0 +1,48 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "kube-state-metrics",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "kube-state-metrics"
+                }
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "kube-state-metrics"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "monitoring"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "https-main",
+                        "scheme": "https",
+                        "interval": "30s",
+                        "honorLabels": true,
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
+                        "tlsConfig": {
+                            "insecureSkipVerify": true
+                        }
+                    },
+                    {
+                        "port": "https-self",
+                        "scheme": "https",
+                        "interval": "30s",
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
+                        "tlsConfig": {
+                            "insecureSkipVerify": true
+                        }
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-kubelet.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-kubelet.libsonnet
@ -0,0 +1,49 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "kubelet",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "kubelet"
+                }
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "endpoints": [
+                    {
+                        "port": "https-metrics",
+                        "scheme": "https",
+                        "interval": "30s",
+                        "tlsConfig": {
+                            "insecureSkipVerify": true
+                        },
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+                    },
+                    {
+                        "port": "https-metrics",
+                        "scheme": "https",
+                        "path": "/metrics/cadvisor",
+                        "interval": "30s",
+                        "honorLabels": true,
+                        "tlsConfig": {
+                            "insecureSkipVerify": true
+                        },
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"
+                    }
+                ],
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "kubelet"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "kube-system"
+                    ]
+                }
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-node-exporter.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-node-exporter.libsonnet
@ -0,0 +1,38 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "node-exporter",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "node-exporter"
+                }
+            },
+            "spec": {
+                "jobLabel": "k8s-app",
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "node-exporter"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "monitoring"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "https",
+                        "scheme": "https",
+                        "interval": "30s",
+                        "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
+                        "tlsConfig": {
+                            "insecureSkipVerify": true
+                        }
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-prometheus-operator.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-prometheus-operator.libsonnet
@ -0,0 +1,26 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "prometheus-operator",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "prometheus-operator"
+                }
+            },
+            "spec": {
+                "endpoints": [
+                    {
+                        "port": "http"
+                    }
+                ],
+                "selector": {
+                    "matchLabels": {
+                        "k8s-app": "prometheus-operator"
+                    }
+                }
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service-monitor-prometheus.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service-monitor-prometheus.libsonnet
@ -0,0 +1,32 @@
+{
+    new(namespace)::
+        {
+            "apiVersion": "monitoring.coreos.com/v1",
+            "kind": "ServiceMonitor",
+            "metadata": {
+                "name": "prometheus",
+                "namespace": namespace,
+                "labels": {
+                    "k8s-app": "prometheus"
+                }
+            },
+            "spec": {
+                "selector": {
+                    "matchLabels": {
+                        "prometheus": "k8s"
+                    }
+                },
+                "namespaceSelector": {
+                    "matchNames": [
+                        "monitoring"
+                    ]
+                },
+                "endpoints": [
+                    {
+                        "port": "web",
+                        "interval": "30s"
+                    }
+                ]
+            }
+        }
+}
--- a/jsonnet/prometheus/prometheus-k8s-service.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s-service.libsonnet
@ -0,0 +1,13 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local service = k.core.v1.service;
+local servicePort = k.core.v1.service.mixin.spec.portsType;
+
+local prometheusPort = servicePort.newNamed("web", 9090, "web");
+
+
+{
+    new(namespace)::
+        service.new("prometheus-k8s", {app: "prometheus", prometheus: "k8s"}, prometheusPort) +
+          service.mixin.metadata.withNamespace(namespace) +
+          service.mixin.metadata.withLabels({prometheus: "k8s"})
+}
--- a/jsonnet/prometheus/prometheus-k8s.libsonnet
+++ b/jsonnet/prometheus/prometheus-k8s.libsonnet
@ -0,0 +1,43 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+
+local container = k.core.v1.pod.mixin.spec.containersType;
+local resourceRequirements = container.mixin.resourcesType;
+local selector = k.apps.v1beta2.deployment.mixin.spec.selectorType;
+
+local resources = resourceRequirements.new() +
+  resourceRequirements.withRequests({memory: "400Mi"});
+
+{
+    new(namespace)::
+        {
+          apiVersion: "monitoring.coreos.com/v1",
+          kind: "Prometheus",
+          metadata: {
+            name: "k8s",
+            namespace: namespace,
+            labels: {
+              prometheus: "k8s",
+            },
+          },
+          spec: {
+            replicas: 2,
+            version: "v2.2.1",
+            serviceAccountName: "prometheus-k8s",
+            serviceMonitorSelector: selector.withMatchExpressions({key: "k8s-app", operator: "Exists"}),
+            ruleSelector: selector.withMatchLabels({
+              role: "alert-rules",
+              prometheus: "k8s",
+            }),
+            resources: resources,
+            alerting: {
+              alertmanagers: [
+                {
+                  namespace: "monitoring",
+                  name: "alertmanager-main",
+                  port: "web",
+                },
+              ],
+            },
+          },
+        }
+}
--- a/jsonnet/prometheus/prometheus-namespace-role-binding.libsonnet
+++ b/jsonnet/prometheus/prometheus-namespace-role-binding.libsonnet
@ -0,0 +1,13 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local roleBinding = k.rbac.v1.roleBinding;
+
+{
+  new(serviceAccountNamespace, namespace, name)::
+    roleBinding.new() +
+      roleBinding.mixin.metadata.withName(name) +
+      roleBinding.mixin.metadata.withNamespace(namespace) +
+      roleBinding.mixin.roleRef.withApiGroup("rbac.authorization.k8s.io") +
+      roleBinding.mixin.roleRef.withName(name) +
+      roleBinding.mixin.roleRef.mixinInstance({kind: "Role"}) +
+      roleBinding.withSubjects([{kind: "ServiceAccount", name: name, namespace: serviceAccountNamespace}])
+}
--- a/jsonnet/prometheus/prometheus-namespace-role.libsonnet
+++ b/jsonnet/prometheus/prometheus-namespace-role.libsonnet
@ -0,0 +1,21 @@
+local k = import "ksonnet.beta.3/k.libsonnet";
+local role = k.rbac.v1.role;
+local policyRule = role.rulesType;
+
+{
+    new(namespace)::
+        local coreRule = policyRule.new() +
+          policyRule.withApiGroups([""]) +
+          policyRule.withResources([
+              "nodes",
+              "services",
+              "endpoints",
+              "pods",
+          ]) +
+          policyRule.withVerbs(["get", "list", "watch"]);
+
+        role.new() +
+          role.mixin.metadata.withName("prometheus-k8s") +
+          role.mixin.metadata.withNamespace(namespace) +
+          role.withRules(coreRule)
+}
--- a/jsonnet/prometheus/prometheus.libsonnet
+++ b/jsonnet/prometheus/prometheus.libsonnet
@ -0,0 +1,25 @@
+{
+    clusterRoleBinding:: import "prometheus-k8s-cluster-role-binding.libsonnet",
+    clusterRole:: import "prometheus-k8s-cluster-role.libsonnet",
+    roleBindingConfig:: import "prometheus-k8s-role-binding-config.libsonnet",
+    roleBindingNamespace:: import "prometheus-k8s-role-binding-namespace.libsonnet",
+    roleBindingKubeSystem:: import "prometheus-k8s-role-binding-kube-system.libsonnet",
+    roleBindingDefault:: import "prometheus-k8s-role-binding-default.libsonnet",
+    roleConfig:: import "prometheus-k8s-role-config.libsonnet",
+    roleNamespace:: import "prometheus-k8s-role-namespace.libsonnet",
+    roleKubeSystem:: import "prometheus-k8s-role-kube-system.libsonnet",
+    roleDefault:: import "prometheus-k8s-role-default.libsonnet",
+    serviceAccount:: import "prometheus-k8s-service-account.libsonnet",
+    serviceMonitorAlertmanager:: import "prometheus-k8s-service-monitor-alertmanager.libsonnet",
+    serviceMonitorApiserver:: import "prometheus-k8s-service-monitor-apiserver.libsonnet",
+    serviceMonitorCoreDNS:: import "prometheus-k8s-service-monitor-coredns.libsonnet",
+    serviceMonitorControllerManager:: import "prometheus-k8s-service-monitor-kube-controller-manager.libsonnet",
+    serviceMonitorScheduler:: import "prometheus-k8s-service-monitor-kube-scheduler.libsonnet",
+    serviceMonitorKubeStateMetrics:: import "prometheus-k8s-service-monitor-kube-state-metrics.libsonnet",
+    serviceMonitorKubelet:: import "prometheus-k8s-service-monitor-kubelet.libsonnet",
+    serviceMonitorNodeExporter:: import "prometheus-k8s-service-monitor-node-exporter.libsonnet",
+    serviceMonitorPrometheusOperator:: import "prometheus-k8s-service-monitor-prometheus-operator.libsonnet",
+    serviceMonitorPrometheus:: import "prometheus-k8s-service-monitor-prometheus.libsonnet",
+    service:: import "prometheus-k8s-service.libsonnet",
+    prometheus:: import "prometheus-k8s.libsonnet",
+}