---
# RBAC objects for a Prometheus that authenticates as the "prometheus"
# ServiceAccount in the "default" namespace.
#
# Retrieving metrics from kubelets that have authentication and authorization
# enabled (highly recommended, and part of security benchmarks) requires the
# following kubelet flags:
#
#   --authentication-token-webhook
#   --authorization-mode=Webhook
#
# With webhook authorization the kubelet authorizes metrics requests against
# the "nodes/metrics" subresource, so the role below grants that subresource.

# Read-only cluster-wide role: only get/list/watch are granted, and neither
# secrets nor configmaps appear in any rule.
# NOTE(review): list/watch on pods returns complete pod specs from every
# namespace, including env values written inline in those specs; treat the
# bound token as sensitive even though the role is read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
rules:
  # Core API group (empty string).
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/metrics
      - services
      - endpoints
      - pods
    verbs:
      - get
      - list
      - watch
  # Ingress objects, under both API groups that have served them.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Non-resource paths: GET only.
  - nonResourceURLs:
      - "/metrics"
      - "/metrics/cadvisor"
    verbs:
      - get
---
# Identity that the ClusterRoleBinding at the end of this file refers to.
# If the namespace is changed here, change it in the Secret and in the
# binding's subject as well, otherwise the binding points at nothing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: default
---
# Token Secret for the ServiceAccount; the annotation names the account the
# token is issued for.
# NOTE(review): a Secret of this type carries a token with no expiry of its
# own, and anyone who can read Secrets in this namespace can read it. Deleting
# the Secret revokes the token. If Prometheus runs as a pod under this
# ServiceAccount, the token mounted into the pod may make this Secret
# unnecessary - confirm before applying.
apiVersion: v1
kind: Secret
metadata:
  name: prometheus-sa-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: prometheus
type: kubernetes.io/service-account-token
---
# Grants the ClusterRole to the ServiceAccount. Because this is a
# ClusterRoleBinding rather than a namespaced RoleBinding, the rules apply in
# every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: default