2020-07-24 22:36:56 +08:00
|
|
|
# To have Prometheus retrieve metrics from Kubelets with authentication and
|
|
|
|
|
# authorization enabled (which is highly recommended and included in security
|
|
|
|
|
# benchmarks) the following flags must be set on the kubelet(s):
|
|
|
|
|
#
|
|
|
|
|
# --authentication-token-webhook
|
|
|
|
|
# --authorization-mode=Webhook
|
|
|
|
|
#
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2017-05-09 19:57:49 +08:00
|
|
|
kind: ClusterRole
|
|
|
|
|
metadata:
|
|
|
|
|
name: prometheus
|
|
|
|
|
rules:
|
2021-06-12 18:47:47 +08:00
|
|
|
- apiGroups: [""]
|
|
|
|
|
resources:
|
|
|
|
|
- nodes
|
|
|
|
|
- nodes/metrics
|
|
|
|
|
- services
|
|
|
|
|
- endpoints
|
|
|
|
|
- pods
|
|
|
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- extensions
|
|
|
|
|
- networking.k8s.io
|
|
|
|
|
resources:
|
|
|
|
|
- ingresses
|
|
|
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
|
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
|
|
|
|
|
verbs: ["get"]
|
2017-05-09 19:57:49 +08:00
|
|
|
---
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
metadata:
|
|
|
|
|
name: prometheus
|
|
|
|
|
namespace: default
|
2023-01-02 22:17:11 +08:00
|
|
|
---
|
|
|
|
|
apiVersion: v1
|
|
|
|
|
kind: Secret
|
|
|
|
|
metadata:
|
|
|
|
|
name: prometheus-sa-token
|
|
|
|
|
namespace: default
|
|
|
|
|
annotations:
|
|
|
|
|
kubernetes.io/service-account.name: prometheus
|
|
|
|
|
type: kubernetes.io/service-account-token
|
2017-05-09 19:57:49 +08:00
|
|
|
---
|
2020-07-24 22:36:56 +08:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2017-05-09 19:57:49 +08:00
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
metadata:
|
|
|
|
|
name: prometheus
|
|
|
|
|
roleRef:
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: prometheus
|
|
|
|
|
subjects:
|
2021-06-12 18:47:47 +08:00
|
|
|
- kind: ServiceAccount
|
|
|
|
|
name: prometheus
|
|
|
|
|
namespace: default
|
