documentation: Adapt Kubernetes RBAC to use metrics roles (#3661)

This commit is contained in:
Frederic Branczyk 2020-07-24 16:36:56 +02:00 committed by GitHub
parent e05c19da5d
commit 9f9fb1ab33
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 19 deletions


@ -70,6 +70,13 @@ scrape_configs:
# <kubernetes_sd_config>. # <kubernetes_sd_config>.
tls_config: tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# If your node certificates are self-signed or use a different CA to the
# master CA, then disable certificate verification below. Note that
# certificate verification is an integral part of a secure infrastructure
# so this should only be disabled in a controlled environment. You can
# disable certificate verification by uncommenting the line below.
#
# insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs: kubernetes_sd_configs:
@ -78,12 +85,6 @@ scrape_configs:
relabel_configs: relabel_configs:
- action: labelmap - action: labelmap
regex: __meta_kubernetes_node_label_(.+) regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics
# Scrape config for Kubelet cAdvisor. # Scrape config for Kubelet cAdvisor.
# #
@ -93,9 +94,9 @@ scrape_configs:
# retrieve those metrics. # retrieve those metrics.
# #
# In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
# HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" # HTTP endpoint; use the "/metrics" endpoint on the 4194 port of nodes. In
# in that case (and ensure cAdvisor's HTTP server hasn't been disabled with # that case (and ensure cAdvisor's HTTP server hasn't been disabled with the
# the --cadvisor-port=0 Kubelet flag). # --cadvisor-port=0 Kubelet flag).
# #
# This job is not necessary and should be removed in Kubernetes 1.6 and # This job is not necessary and should be removed in Kubernetes 1.6 and
# earlier versions, or it will cause the metrics to be scraped twice. # earlier versions, or it will cause the metrics to be scraped twice.
@ -105,6 +106,12 @@ scrape_configs:
# `http`. # `http`.
scheme: https scheme: https
# Starting Kubernetes 1.7.3 the cAdvisor metrics are under /metrics/cadvisor.
# Kubernetes CIS Benchmark recommends against enabling the insecure HTTP
# servers of Kubernetes, therefore the cAdvisor metrics on the secure handler
# are used.
metrics_path: /metrics/cadvisor
# This TLS & bearer token file config is used to connect to the actual scrape # This TLS & bearer token file config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth # endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in # configuration because discovery & scraping are two separate concerns in
@ -113,6 +120,13 @@ scrape_configs:
# <kubernetes_sd_config>. # <kubernetes_sd_config>.
tls_config: tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# If your node certificates are self-signed or use a different CA to the
# master CA, then disable certificate verification below. Note that
# certificate verification is an integral part of a secure infrastructure
# so this should only be disabled in a controlled environment. You can
# disable certificate verification by uncommenting the line below.
#
# insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs: kubernetes_sd_configs:
@ -121,12 +135,6 @@ scrape_configs:
relabel_configs: relabel_configs:
- action: labelmap - action: labelmap
regex: __meta_kubernetes_node_label_(.+) regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
# Example scrape config for service endpoints. # Example scrape config for service endpoints.
# #
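Review bot: The new guidance to uncomment `insecure_skip_verify: true` (the comment block added at L17-23 and repeated in the cAdvisor job at L63-69) does not mention that the `bearer_token_file` credential on the following line is still presented to whatever answers on the kubelet port, so disabling verification exposes the Prometheus service-account token to anything that can stand in for a kubelet on the node network. I would extend the comment rather than leave "controlled environment" as the only caveat, for example `# Disabling verification also sends the bearer token below to an unverified endpoint; prefer pointing ca_file at the CA that issued the kubelet serving certificates.` The cluster CA referenced by `ca_file` does not necessarily sign kubelet serving certificates, which is presumably why the escape hatch is offered, and saying so would steer readers to the correct CA first. The enclosing scrape job begins outside the hunk.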


@ -1,4 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1beta1 # To have Prometheus retrieve metrics from Kubelets with authentication and
# authorization enabled (which is highly recommended and included in security
# benchmarks) the following flags must be set on the kubelet(s):
#
# --authentication-token-webhook
# --authorization-mode=Webhook
#
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: prometheus name: prometheus
@ -6,7 +13,7 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: resources:
- nodes - nodes
- nodes/proxy - nodes/metrics
- services - services
- endpoints - endpoints
- pods - pods
@ -16,7 +23,7 @@ rules:
resources: resources:
- ingresses - ingresses
verbs: ["get", "list", "watch"] verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"] - nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
verbs: ["get"] verbs: ["get"]
--- ---
apiVersion: v1 apiVersion: v1
@ -25,7 +32,7 @@ metadata:
name: prometheus name: prometheus
namespace: default namespace: default
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: prometheus name: prometheus
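Review bot: `nodes/metrics` is added to the rule that grants `get`, `list` and `watch` (L100-110), but the kubelet authorizer only ever checks `get` on that subresource, so the role ends up broader than the scrape needs; a separate entry `- apiGroups: [""]`, `resources: ["nodes/metrics"]`, `verbs: ["get"]` keeps the ClusterRole at the minimum the new direct-kubelet scraping requires. The new header comment (L88-94) lists the two kubelet flags that make the SubjectAccessReview path work, and it would help operators to add that these flags delegate the decision to the API server, so this ClusterRole is what is being evaluated on every kubelet scrape, and that kubelet anonymous access should be disabled alongside them for the authorization to be meaningful. The apiVersion bump to `rbac.authorization.k8s.io/v1` on L95 and L119 is consistent across both objects.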