Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Added cluster-roles crd, maybe that would help with application-monitoring

Browse source
This commit is contained in:
Adam Saleh 2021-03-15 15:06:35 +01:00
parent 94444e10c4
commit 8dd920c9b2
16 changed files with 384 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

3
playbooks/openshift-apps/application-monitoring.yml
View file

@ -54,6 +54,9 @@
- name: Grafana CRDs - GrafanaDataSource.yml - name: Grafana CRDs - GrafanaDataSource.yml
command: oc -n application-monitoring apply -f /etc/openshift_apps/application-monitoring/grafana-operator/deploy/crds/GrafanaDataSource.yaml command: oc -n application-monitoring apply -f /etc/openshift_apps/application-monitoring/grafana-operator/deploy/crds/GrafanaDataSource.yaml
- name: Prometheus CRDs - monitoring.coreos.com_podmonitors.yaml
command: oc -n application-monitoring apply -f /etc/openshift_apps/application-monitoring/prometheus-operator/example/rbac/prometheus-operator-crd/prometheus-operator-cluster-roles.yaml
- name: Prometheus CRDs - monitoring.coreos.com_podmonitors.yaml - name: Prometheus CRDs - monitoring.coreos.com_podmonitors.yaml
command: oc -n application-monitoring apply -f /etc/openshift_apps/application-monitoring/prometheus-operator/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml command: oc -n application-monitoring apply -f /etc/openshift_apps/application-monitoring/prometheus-operator/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml

14
roles/openshift-apps/application-monitoring/files/prometheus-operator/.editorconfig
View file

@ -1,14 +0,0 @@
root = true
[*.py]
indent_style = space
end_of_line = lf
insert_final_newline = true
max_line_length = 100
trim_trailing_whitespace = true
indent_size = 4
[*.yaml]
indent_style = space
indent_size = 2
trim_trailing_whitespace = true

36
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
View file

@ -2786,6 +2786,13 @@ spec:
selectors of replication controllers and services. More info: selectors of replication controllers and services. More info:
http://kubernetes.io/docs/user-guide/labels' http://kubernetes.io/docs/user-guide/labels'
type: object type: object
name:
description: 'Name must be unique within a namespace. Is required
when creating resources, although some resources may allow a client
to request the generation of an appropriate name automatically.
Name is primarily intended for creation idempotence and configuration
definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
portName: portName:
description: Port name used for the pods and governing service. This description: Port name used for the pods and governing service. This
@ -3005,7 +3012,34 @@ spec:
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' description: EmbeddedMetadata contains metadata relevant to
an EmbeddedResource.
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map
stored with a resource that may be set by external tools
to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: http://kubernetes.io/docs/user-guide/annotations'
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be
used to organize and categorize (scope and select) objects.
May match selectors of replication controllers and services.
More info: http://kubernetes.io/docs/user-guide/labels'
type: object
name:
description: 'Name must be unique within a namespace. Is
required when creating resources, although some resources
may allow a client to request the generation of an appropriate
name automatically. Name is primarily intended for creation
idempotence and configuration definition. Cannot be updated.
More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
spec: spec:
description: 'Spec defines the desired characteristics of a description: 'Spec defines the desired characteristics of a

40
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
View file

@ -3269,6 +3269,13 @@ spec:
selectors of replication controllers and services. More info: selectors of replication controllers and services. More info:
http://kubernetes.io/docs/user-guide/labels' http://kubernetes.io/docs/user-guide/labels'
type: object type: object
name:
description: 'Name must be unique within a namespace. Is required
when creating resources, although some resources may allow a client
to request the generation of an appropriate name automatically.
Name is primarily intended for creation idempotence and configuration
definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
podMonitorNamespaceSelector: podMonitorNamespaceSelector:
description: Namespaces to be selected for PodMonitor discovery. If description: Namespaces to be selected for PodMonitor discovery. If
@ -4204,7 +4211,9 @@ spec:
type: object type: object
type: object type: object
serviceMonitorSelector: serviceMonitorSelector:
description: ServiceMonitors to be selected for target discovery. description: ServiceMonitors to be selected for target discovery. *Deprecated:*
if neither this nor podMonitorSelector are specified, configuration
is unmanaged.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. description: matchExpressions is a list of label selector requirements.
@ -4291,7 +4300,34 @@ spec:
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' description: EmbeddedMetadata contains metadata relevant to
an EmbeddedResource.
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map
stored with a resource that may be set by external tools
to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: http://kubernetes.io/docs/user-guide/annotations'
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be
used to organize and categorize (scope and select) objects.
May match selectors of replication controllers and services.
More info: http://kubernetes.io/docs/user-guide/labels'
type: object
name:
description: 'Name must be unique within a namespace. Is
required when creating resources, although some resources
may allow a client to request the generation of an appropriate
name automatically. Name is primarily intended for creation
idempotence and configuration definition. Cannot be updated.
More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
spec: spec:
description: 'Spec defines the desired characteristics of a description: 'Spec defines the desired characteristics of a

36
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
View file

@ -2944,6 +2944,13 @@ spec:
selectors of replication controllers and services. More info: selectors of replication controllers and services. More info:
http://kubernetes.io/docs/user-guide/labels' http://kubernetes.io/docs/user-guide/labels'
type: object type: object
name:
description: 'Name must be unique within a namespace. Is required
when creating resources, although some resources may allow a client
to request the generation of an appropriate name automatically.
Name is primarily intended for creation idempotence and configuration
definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
portName: portName:
description: Port name used for the pods and governing service. This description: Port name used for the pods and governing service. This
@ -3259,7 +3266,34 @@ spec:
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' description: EmbeddedMetadata contains metadata relevant to
an EmbeddedResource.
properties:
annotations:
additionalProperties:
type: string
description: 'Annotations is an unstructured key value map
stored with a resource that may be set by external tools
to store and retrieve arbitrary metadata. They are not
queryable and should be preserved when modifying objects.
More info: http://kubernetes.io/docs/user-guide/annotations'
type: object
labels:
additionalProperties:
type: string
description: 'Map of string keys and values that can be
used to organize and categorize (scope and select) objects.
May match selectors of replication controllers and services.
More info: http://kubernetes.io/docs/user-guide/labels'
type: object
name:
description: 'Name must be unique within a namespace. Is
required when creating resources, although some resources
may allow a client to request the generation of an appropriate
name automatically. Name is primarily intended for creation
idempotence and configuration definition. Cannot be updated.
More info: http://kubernetes.io/docs/user-guide/identifiers#names'
type: string
type: object type: object
spec: spec:
description: 'Spec defines the desired characteristics of a description: 'Spec defines the desired characteristics of a

24
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator-crd/prometheus-operator-crd-cluster-roles.yaml Normal file
View file

@ -0,0 +1,24 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: prometheus-crd-view
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["monitoring.coreos.com"]
resources: ["alertmanagers", "prometheuses", "prometheusrules", "servicemonitors", "podmonitors"]
verbs: ["get", "list", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: prometheus-crd-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["monitoring.coreos.com"]
resources: ["alertmanagers", "prometheuses", "prometheusrules", "servicemonitors", "podmonitors"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

16
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-cluster-role-binding.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-operator
subjects:
- kind: ServiceAccount
name: prometheus-operator
namespace: default

89
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-cluster-role.yaml Normal file
View file

@ -0,0 +1,89 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- apiGroups:
- apiextensions.k8s.io
resourceNames:
- alertmanagers.monitoring.coreos.com
- podmonitors.monitoring.coreos.com
- prometheuses.monitoring.coreos.com
- prometheusrules.monitoring.coreos.com
- servicemonitors.monitoring.coreos.com
- thanosrulers.monitoring.coreos.com
resources:
- customresourcedefinitions
verbs:
- get
- update
- apiGroups:
- monitoring.coreos.com
resources:
- alertmanagers
- alertmanagers/finalizers
- prometheuses
- prometheuses/finalizers
- thanosrulers
- thanosrulers/finalizers
- servicemonitors
- podmonitors
- prometheusrules
verbs:
- '*'
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- delete
- apiGroups:
- ""
resources:
- services
- services/finalizers
- endpoints
verbs:
- get
- create
- update
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch

48
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml Normal file
View file

@ -0,0 +1,48 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- --logtostderr=true
- --config-reloader-image=jimmidyson/configmap-reload:v0.3.0
- --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.38.3
image: quay.io/prometheus-operator/prometheus-operator:v0.38.3
name: prometheus-operator
ports:
- containerPort: 8080
name: http
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
runAsUser: 65534
serviceAccountName: prometheus-operator

9
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-service-account.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
namespace: default

18
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-service-monitor.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
namespace: default
spec:
endpoints:
- honorLabels: true
port: http
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3

18
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus-operator/prometheus-operator-service.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator
app.kubernetes.io/version: v0.38.3
name: prometheus-operator
namespace: default
spec:
clusterIP: None
ports:
- name: http
port: 8080
targetPort: http
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/name: prometheus-operator

12
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus/prometheus-cluster-role-binding.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus
subjects:
- kind: ServiceAccount
name: prometheus
namespace: default

18
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus/prometheus-cluster-role.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prometheus
rules:
- apiGroups: [""]
resources:
- nodes
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- configmaps
verbs: ["get"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]

4
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus/prometheus-service-account.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus

17
roles/openshift-apps/application-monitoring/files/prometheus-operator/example/rbac/prometheus/prometheus.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
name: prometheus
labels:
prometheus: prometheus
spec:
replicas: 2
serviceAccountName: prometheus
serviceMonitorSelector:
matchLabels:
team: frontend
alerting:
alertmanagers:
- namespace: default
name: alertmanager
port: web