From 6bd10026afe06a244ac3555f23ad071f08314fcd Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Wed, 25 Oct 2017 13:50:12 +0200
Subject: [PATCH 1/4] Additional RBAC; prom logs still report ingresses.extensions lacking
---
 rbac/cluster-rbac-prometheus-k8s.yml | 12 ++++++++++++
 rbac/rbac-prometheus-k8s-kafka.yml | 26 +++++++++++++++++++++++++
 rbac/rbac-prometheus-k8s-test-kafka.yml | 26 +++++++++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 rbac/cluster-rbac-prometheus-k8s.yml
 create mode 100644 rbac/rbac-prometheus-k8s-kafka.yml
 create mode 100644 rbac/rbac-prometheus-k8s-test-kafka.yml
diff --git a/rbac/cluster-rbac-prometheus-k8s.yml b/rbac/cluster-rbac-prometheus-k8s.yml
new file mode 100644
index 0000000..a18a009
--- /dev/null
+++ b/rbac/cluster-rbac-prometheus-k8s.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: prometheus-k8s
+rules:
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+# the above is from contrib, below is added
+- apiGroups: [""]
+ resources:
+ - nodes
+ verbs: ["get", "list", "watch"]
diff --git a/rbac/rbac-prometheus-k8s-kafka.yml b/rbac/rbac-prometheus-k8s-kafka.yml
new file mode 100644
index 0000000..b72bdee
--- /dev/null
+++ b/rbac/rbac-prometheus-k8s-kafka.yml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: prometheus-k8s
+ namespace: kafka
+rules:
+- apiGroups: [""]
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: prometheus-k8s
+ namespace: kafka
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: monitoring
diff --git a/rbac/rbac-prometheus-k8s-test-kafka.yml b/rbac/rbac-prometheus-k8s-test-kafka.yml
new file mode 100644
index 0000000..f3bac17
--- /dev/null
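Review bot: The ClusterRole keeps the name `prometheus-k8s`, which the inline comment attributes to contrib, so applying this file replaces contrib's object rather than adding to it, and any contrib rule not copied here (the comment carries only the `/metrics` rule) is silently dropped on the next apply. Either give the added `nodes` rule its own ClusterRole name with a ClusterRoleBinding to the `prometheus-k8s` ServiceAccount — this hunk adds no binding, so it appears to rely on contrib's — or carry the full contrib rule set and note the upstream revision it was taken from, e.g. `# rules above mirror contrib's prometheus-k8s ClusterRole at <ref>; keep in sync when upgrading`. If kubelet or cAdvisor scraping goes through the API server proxy rather than directly to the node, `nodes` alone is not sufficient and `nodes/proxy` or `nodes/metrics` would also be needed; I cannot tell from the hunk which path the scrape config uses.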
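Review bot: The RoleBinding in `kafka` only narrows access if the `monitoring/prometheus-k8s` ServiceAccount is not already bound to a ClusterRole granting `get`, `list`, `watch` on pods, services and endpoints cluster-wide; if it is, this Role is a no-op that suggests a tighter scope than is actually enforced. Before merging, check on a cluster without this file, `kubectl auth can-i list endpoints -n kafka --as=system:serviceaccount:monitoring:prometheus-k8s`, and record the answer at the top of the file, e.g. `# Namespaced read access for the monitoring Prometheus; redundant if the SA already holds a cluster-wide read ClusterRole`. A sentence explaining why the subject lives in `monitoring` while the Role is in `kafka` would also help the next reader.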
+++ b/rbac/rbac-prometheus-k8s-test-kafka.yml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: prometheus-k8s
+ namespace: test-kafka
+rules:
+- apiGroups: [""]
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: prometheus-k8s
+ namespace: test-kafka
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: monitoring
From 26d8f7845c89d774d9c5f417623349448010ebb3 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Mon, 6 Nov 2017 10:22:39 +0100
Subject: [PATCH 2/4] Gives custom a specific SA, like k8s gets by default
---
 .../prometheus-cluster-role-binding.yaml | 13 ------
 .../prometheus-cluster-role.yaml | 18 --------
 .../prometheus-service-account.yaml | 4 --
 custom-prometheus/prometheus.yaml | 2 +-
 custom-prometheus/rbac.yaml | 44 +++++++++++++++++++
 5 files changed, 45 insertions(+), 36 deletions(-)
 delete mode 100644 custom-prometheus/prometheus-cluster-role-binding.yaml
 delete mode 100644 custom-prometheus/prometheus-cluster-role.yaml
 delete mode 100644 custom-prometheus/prometheus-service-account.yaml
 create mode 100644 custom-prometheus/rbac.yaml
diff --git a/custom-prometheus/prometheus-cluster-role-binding.yaml b/custom-prometheus/prometheus-cluster-role-binding.yaml
deleted file mode 100644
index 714e50b..0000000
--- a/custom-prometheus/prometheus-cluster-role-binding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: prometheus
- namespace: monitoring
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: prometheus
-subjects:
-- kind: ServiceAccount
- name: prometheus
- namespace: default
diff --git a/custom-prometheus/prometheus-cluster-role.yaml b/custom-prometheus/prometheus-cluster-role.yaml
deleted file mode 100644
index a85422e..0000000
--- a/custom-prometheus/prometheus-cluster-role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: prometheus
-rules:
-- apiGroups: [""]
- resources:
- - nodes
- - services
- - endpoints
- - pods
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources:
- - configmaps
- verbs: ["get"]
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
diff --git a/custom-prometheus/prometheus-service-account.yaml b/custom-prometheus/prometheus-service-account.yaml
deleted file mode 100644
index f3fb283..0000000
--- a/custom-prometheus/prometheus-service-account.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: prometheus
diff --git a/custom-prometheus/prometheus.yaml b/custom-prometheus/prometheus.yaml
index 0d38756..1c17671 100644
--- a/custom-prometheus/prometheus.yaml
+++ b/custom-prometheus/prometheus.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
 replicas: 1
 version: v2.0.0-rc.3
- serviceAccountName: prometheus
+ serviceAccountName: prometheus-custom
 serviceMonitorSelector:
 alerting:
 alertmanagers:
diff --git a/custom-prometheus/rbac.yaml b/custom-prometheus/rbac.yaml
new file mode 100644
index 0000000..0ba10da
--- /dev/null
+++ b/custom-prometheus/rbac.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: prometheus-custom
+ namespace: monitoring
+ annotations:
+ manifest-origin: github.com/Yolean/kubernetes-monitoring
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: monitoring-by-prometheus-annotations
+ annotations:
+ manifest-origin: github.com/Yolean/kubernetes-monitoring
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: monitoring-by-prometheus-annotations
+ annotations:
+ manifest-origin: github.com/Yolean/kubernetes-monitoring
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: monitoring-by-prometheus-annotations
+subjects:
+- kind: ServiceAccount
+ name: prometheus-custom
+ namespace: monitoring
From af9e01bf34c55502109c49915aa33ab0a82a009d Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Mon, 6 Nov 2017 10:42:55 +0100
Subject: [PATCH 3/4] Gets rid of the log error for ingresses.extensions though I first interpreted the error as the SA not being found level=error ts=2017-11-06T09:37:54.446320099Z caller=main.go:211 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:245: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User \"system:serviceaccount:monitoring:prometheus-custom\" cannot list ingresses.extensions at the cluster scope: Unknown user \"system:serviceaccount:monitoring:prometheus-custom\""
---
 custom-prometheus/rbac.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/custom-prometheus/rbac.yaml b/custom-prometheus/rbac.yaml
index 0ba10da..7699f9b 100644
--- a/custom-prometheus/rbac.yaml
+++ b/custom-prometheus/rbac.yaml
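Review bot: The ClusterRole grants `get` on ConfigMaps in every namespace, which makes `prometheus-custom` a cross-namespace read path for any ConfigMap in the cluster rather than only the ConfigMaps this instance presumably needs in `monitoring` (rule files, judging by the operator-managed Prometheus object in the same patch); if that is the only use, move the `configmaps` rule into a namespaced Role and RoleBinding in `monitoring` and keep the ClusterRole to nodes, services, endpoints, pods and `/metrics`. The cluster-wide read on endpoints and pods is what Kubernetes service discovery needs and is the expected shape, but each rule should say which consumer depends on it so later widenings can be judged, e.g. `# nodes/services/endpoints/pods: kubernetes_sd_configs; configmaps: rule files`. The ClusterRole and ClusterRoleBinding use `rbac.authorization.k8s.io/v1beta1`; if the target cluster is 1.8 or newer the GA `v1` group is available and avoids a migration later.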
@@ -25,6 +25,10 @@ rules:
 resources:
 - configmaps
 verbs: ["get"]
+- apiGroups: ["extensions"]
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
 - nonResourceURLs: ["/metrics"]
 verbs: ["get"]
 ---
From 4f165fc9815958633348b1adff8f90ce57cd5763 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Tue, 7 Nov 2017 08:29:33 +0100
Subject: [PATCH 4/4] Revert me if I'm wrong, but the k8s instance has ... sufficient RBAC already, and each additional instance can add something like custom's rbac.yaml if needed. No warnings remain in logs.
---
 rbac/cluster-rbac-prometheus-k8s.yml | 12 ------------
 rbac/rbac-prometheus-k8s-kafka.yml | 26 -------------------------
 rbac/rbac-prometheus-k8s-test-kafka.yml | 26 -------------------------
 3 files changed, 64 deletions(-)
 delete mode 100644 rbac/cluster-rbac-prometheus-k8s.yml
 delete mode 100644 rbac/rbac-prometheus-k8s-kafka.yml
 delete mode 100644 rbac/rbac-prometheus-k8s-test-kafka.yml
diff --git a/rbac/cluster-rbac-prometheus-k8s.yml b/rbac/cluster-rbac-prometheus-k8s.yml
deleted file mode 100644
index a18a009..0000000
--- a/rbac/cluster-rbac-prometheus-k8s.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: prometheus-k8s
-rules:
-- nonResourceURLs: ["/metrics"]
- verbs: ["get"]
-# the above is from contrib, below is added
-- apiGroups: [""]
- resources:
- - nodes
- verbs: ["get", "list", "watch"]
diff --git a/rbac/rbac-prometheus-k8s-kafka.yml b/rbac/rbac-prometheus-k8s-kafka.yml
deleted file mode 100644
index b72bdee..0000000
--- a/rbac/rbac-prometheus-k8s-kafka.yml
+++ /dev/null
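Review bot: The new `extensions`/`ingresses` rule is justified only if a scrape job in this instance's configuration uses `kubernetes_sd_configs` with `role: ingress`; the client-go error quoted in the commit message (`Failed to list *v1beta1.Ingress` from `discovery/kubernetes`) shows such a discovery role is configured, but if no job actually targets ingresses the better fix is to drop that SD config rather than widen the ClusterRole to silence a log line. Tie the rule to its consumer so it is removed together with it, e.g. `# only for kubernetes_sd_configs role: ingress; drop together with that scrape job`. The `Unknown user` wording in the quoted error appears to be the RBAC authorizer's standard denial text when no binding matches, which is consistent with the message's second reading that the ServiceAccount itself was found.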
@@ -1,26 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: prometheus-k8s
- namespace: kafka
-rules:
-- apiGroups: [""]
- resources:
- - services
- - endpoints
- - pods
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: prometheus-k8s
- namespace: kafka
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: prometheus-k8s
-subjects:
-- kind: ServiceAccount
- name: prometheus-k8s
- namespace: monitoring
diff --git a/rbac/rbac-prometheus-k8s-test-kafka.yml b/rbac/rbac-prometheus-k8s-test-kafka.yml
deleted file mode 100644
index f3bac17..0000000
--- a/rbac/rbac-prometheus-k8s-test-kafka.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: prometheus-k8s
- namespace: test-kafka
-rules:
-- apiGroups: [""]
- resources:
- - services
- - endpoints
- - pods
- verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: prometheus-k8s
- namespace: test-kafka
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: prometheus-k8s
-subjects:
-- kind: ServiceAccount
- name: prometheus-k8s
- namespace: monitoring