
Commit 3fecdad

authored
add monitor and rules resources to user-facing roles (#2238)
In clusters that separate (cluster) admins from (namespaced) users, this allows the namespaced users to create monitors and rules in their own namespaces, following the default k8s model of user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
1 parent 1deaee5 commit 3fecdad


1 file changed

+67
-0
lines changed

Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
// user facing roles for monitors, probe, and rules
2+
// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
3+
{
4+
prometheusOperator+: {
5+
local po = self,
6+
clusterRoleView: {
7+
apiVersion: 'rbac.authorization.k8s.io/v1',
8+
kind: 'ClusterRole',
9+
metadata: po._metadata {
10+
name: 'monitoring-view',
11+
namespace:: null,
12+
labels+: {
13+
'rbac.authorization.k8s.io/aggregate-to-view': 'true',
14+
},
15+
},
16+
rules: [
17+
{
18+
apiGroups: [
19+
'monitoring.coreos.com',
20+
],
21+
resources: [
22+
'podmonitors',
23+
'probes',
24+
'prometheusrules',
25+
'servicemonitors',
26+
],
27+
verbs: [
28+
'get',
29+
'list',
30+
'watch',
31+
],
32+
},
33+
],
34+
},
35+
clusterRoleEdit: {
36+
apiVersion: 'rbac.authorization.k8s.io/v1',
37+
kind: 'ClusterRole',
38+
metadata: po._metadata {
39+
name: 'monitoring-edit',
40+
namespace:: null,
41+
labels+: {
42+
'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
43+
},
44+
},
45+
rules: [
46+
{
47+
apiGroups: [
48+
'monitoring.coreos.com',
49+
],
50+
resources: [
51+
'podmonitors',
52+
'probes',
53+
'prometheusrules',
54+
'servicemonitors',
55+
],
56+
verbs: [
57+
'create',
58+
'delete',
59+
'deletecollection',
60+
'patch',
61+
'update',
62+
],
63+
},
64+
],
65+
},
66+
},
67+
}
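Review bot: The `rbac.authorization.k8s.io/aggregate-to-edit` label on `monitoring-edit` (new lines 35-65) silently grants create/update/patch/delete on podmonitors, probes, prometheusrules and servicemonitors to every subject already bound to the built-in `edit` role, and the file header does not tell an operator that this widens existing bindings. Those objects are consumed by whichever Prometheus instance selects the namespace, so a namespace editor can then influence what that Prometheus scrapes and evaluates; whether the selectors here are restricted is not visible in this file. I would add a header comment such as `// NOTE: aggregates into the built-in view/edit roles; every namespace editor can then create monitors, probes and rules.` followed by `// Pair with restricted namespace selectors and arbitraryFSAccessThroughSMs.deny on the Prometheus resource.` Separately, `monitoring-edit` carries no `get`/`list`/`watch` verbs, so it is only usable through aggregation (where `view` supplies them) and not when bound directly; either add the read verbs or say so in the comment.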
