documentation: Adapt Kubernetes RBAC to use metrics roles (#3661)
This commit is contained in:
parent
e05c19da5d
commit
9f9fb1ab33
|
@ -70,6 +70,13 @@ scrape_configs:
|
||||||
# <kubernetes_sd_config>.
|
# <kubernetes_sd_config>.
|
||||||
tls_config:
|
tls_config:
|
||||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||||
|
# If your node certificates are self-signed or use a different CA to the
|
||||||
|
# master CA, then disable certificate verification below. Note that
|
||||||
|
# certificate verification is an integral part of a secure infrastructure
|
||||||
|
# so this should only be disabled in a controlled environment. You can
|
||||||
|
# disable certificate verification by uncommenting the line below.
|
||||||
|
#
|
||||||
|
# insecure_skip_verify: true
|
||||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
|
|
||||||
kubernetes_sd_configs:
|
kubernetes_sd_configs:
|
||||||
|
@ -78,12 +85,6 @@ scrape_configs:
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
- action: labelmap
|
- action: labelmap
|
||||||
regex: __meta_kubernetes_node_label_(.+)
|
regex: __meta_kubernetes_node_label_(.+)
|
||||||
- target_label: __address__
|
|
||||||
replacement: kubernetes.default.svc:443
|
|
||||||
- source_labels: [__meta_kubernetes_node_name]
|
|
||||||
regex: (.+)
|
|
||||||
target_label: __metrics_path__
|
|
||||||
replacement: /api/v1/nodes/${1}/proxy/metrics
|
|
||||||
|
|
||||||
# Scrape config for Kubelet cAdvisor.
|
# Scrape config for Kubelet cAdvisor.
|
||||||
#
|
#
|
||||||
|
@ -93,9 +94,9 @@ scrape_configs:
|
||||||
# retrieve those metrics.
|
# retrieve those metrics.
|
||||||
#
|
#
|
||||||
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
|
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
|
||||||
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
|
# HTTP endpoint; use the "/metrics" endpoint on the 4194 port of nodes. In
|
||||||
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
|
# that case (and ensure cAdvisor's HTTP server hasn't been disabled with the
|
||||||
# the --cadvisor-port=0 Kubelet flag).
|
# --cadvisor-port=0 Kubelet flag).
|
||||||
#
|
#
|
||||||
# This job is not necessary and should be removed in Kubernetes 1.6 and
|
# This job is not necessary and should be removed in Kubernetes 1.6 and
|
||||||
# earlier versions, or it will cause the metrics to be scraped twice.
|
# earlier versions, or it will cause the metrics to be scraped twice.
|
||||||
|
@ -105,6 +106,12 @@ scrape_configs:
|
||||||
# `http`.
|
# `http`.
|
||||||
scheme: https
|
scheme: https
|
||||||
|
|
||||||
|
# Starting Kubernetes 1.7.3 the cAdvisor metrics are under /metrics/cadvisor.
|
||||||
|
# Kubernetes CIS Benchmark recommends against enabling the insecure HTTP
|
||||||
|
# servers of Kubernetes, therefore the cAdvisor metrics on the secure handler
|
||||||
|
# are used.
|
||||||
|
metrics_path: /metrics/cadvisor
|
||||||
|
|
||||||
# This TLS & bearer token file config is used to connect to the actual scrape
|
# This TLS & bearer token file config is used to connect to the actual scrape
|
||||||
# endpoints for cluster components. This is separate to discovery auth
|
# endpoints for cluster components. This is separate to discovery auth
|
||||||
# configuration because discovery & scraping are two separate concerns in
|
# configuration because discovery & scraping are two separate concerns in
|
||||||
|
@ -113,6 +120,13 @@ scrape_configs:
|
||||||
# <kubernetes_sd_config>.
|
# <kubernetes_sd_config>.
|
||||||
tls_config:
|
tls_config:
|
||||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||||
|
# If your node certificates are self-signed or use a different CA to the
|
||||||
|
# master CA, then disable certificate verification below. Note that
|
||||||
|
# certificate verification is an integral part of a secure infrastructure
|
||||||
|
# so this should only be disabled in a controlled environment. You can
|
||||||
|
# disable certificate verification by uncommenting the line below.
|
||||||
|
#
|
||||||
|
# insecure_skip_verify: true
|
||||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
|
|
||||||
kubernetes_sd_configs:
|
kubernetes_sd_configs:
|
||||||
|
@ -121,12 +135,6 @@ scrape_configs:
|
||||||
relabel_configs:
|
relabel_configs:
|
||||||
- action: labelmap
|
- action: labelmap
|
||||||
regex: __meta_kubernetes_node_label_(.+)
|
regex: __meta_kubernetes_node_label_(.+)
|
||||||
- target_label: __address__
|
|
||||||
replacement: kubernetes.default.svc:443
|
|
||||||
- source_labels: [__meta_kubernetes_node_name]
|
|
||||||
regex: (.+)
|
|
||||||
target_label: __metrics_path__
|
|
||||||
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
|
|
||||||
|
|
||||||
# Example scrape config for service endpoints.
|
# Example scrape config for service endpoints.
|
||||||
#
|
#
|
||||||
|
|
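Review bot: The added tls_config comments (this hunk and the identical block at the second job, `@ -113,6 +120,13 @@`) present `insecure_skip_verify: true` as the remedy when node certificates use a different CA, while the `ca_file` key directly above is already the correct knob for that case. Because the following hunk drops the `__address__` relabel to `kubernetes.default.svc:443`, these jobs now connect to kubelets directly, so the certificate being verified is the kubelet's serving certificate rather than the API server's, and the service-account CA may not be its issuer. I would add, before `# insecure_skip_verify: true`, the lines `# Prefer pointing ca_file at the CA that issued the kubelet serving certificates;` and `# only disable verification if no such CA is available to Prometheus.` The enclosing scrape job begins outside the hunk.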
|
@ -1,4 +1,11 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
# To have Prometheus retrieve metrics from Kubelets with authentication and
|
||||||
|
# authorization enabled (which is highly recommended and included in security
|
||||||
|
# benchmarks) the following flags must be set on the kubelet(s):
|
||||||
|
#
|
||||||
|
# --authentication-token-webhook
|
||||||
|
# --authorization-mode=Webhook
|
||||||
|
#
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: prometheus
|
name: prometheus
|
||||||
|
@ -6,7 +13,7 @@ rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources:
|
resources:
|
||||||
- nodes
|
- nodes
|
||||||
- nodes/proxy
|
- nodes/metrics
|
||||||
- services
|
- services
|
||||||
- endpoints
|
- endpoints
|
||||||
- pods
|
- pods
|
||||||
|
@ -16,7 +23,7 @@ rules:
|
||||||
resources:
|
resources:
|
||||||
- ingresses
|
- ingresses
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ["get", "list", "watch"]
|
||||||
- nonResourceURLs: ["/metrics"]
|
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
|
||||||
verbs: ["get"]
|
verbs: ["get"]
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -25,7 +32,7 @@ metadata:
|
||||||
name: prometheus
|
name: prometheus
|
||||||
namespace: default
|
namespace: default
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: prometheus
|
name: prometheus
|
||||||
|
|
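Review bot: The new header comment explains the kubelet flags but says nothing about the consequence of replacing `nodes/proxy` with `nodes/metrics` in the second hunk, which drops the permission the previous example scrape configs relied on to reach `/api/v1/nodes/<name>/proxy/metrics`. A reader applying only this RBAC file against an older scrape config would see authorization failures from the API server with no pointer to the cause. I would add, after the `#` line preceding `apiVersion`, `# With nodes/metrics (and without nodes/proxy) Prometheus must scrape kubelets directly, not via the API server proxy; see the relabel_configs in the example scrape config.` The narrowing itself is the right least-privilege direction, and the `/metrics/cadvisor` entry added to nonResourceURLs in the third hunk matches the new metrics_path in the example config.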