From 86b96b0953139cbf7a3110ebad210f5fd88d9670 Mon Sep 17 00:00:00 2001
From: "Alex Ellis (OpenFaaS Ltd)"
Date: Sun, 29 Nov 2020 17:00:36 +0000
Subject: [PATCH] Limit the Prometheus role to two namespaces
Unless clusterRole is specified, the Prometheus role will be restricted to scraping from only a single namespace. This fixes issue: #717 where I user complained that they did not want to create a ClusterRole in their cluster. It has been tested with k3d and K8s 1.19 with and without the --set clusterRole=true flag passed into the faas-netes helm chart. The second Role and RoleBinding needed a different name to the ones in the primary namespace in order for the RBAC error to go away in Prometheus.
Signed-off-by: Alex Ellis (OpenFaaS Ltd)
---
 chart/openfaas/templates/prometheus-rbac.yaml | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
diff --git a/chart/openfaas/templates/prometheus-rbac.yaml b/chart/openfaas/templates/prometheus-rbac.yaml
index d93fea2ca..98d2f48fe 100644
--- a/chart/openfaas/templates/prometheus-rbac.yaml
+++ b/chart/openfaas/templates/prometheus-rbac.yaml
@@ -1,5 +1,6 @@
 {{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
 {{- if .Values.prometheus.create }}
+
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -13,6 +14,9 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 ---
+
+{{- if .Values.clusterRole }}
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -72,4 +76,87 @@ subjects:
 name: {{ .Release.Name }}-prometheus
 namespace: {{ .Release.Namespace | quote }}
 {{- end }}
+
+{{- else -}}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-prometheus
+ labels:
+ app: {{ template "openfaas.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: prometheus
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-prometheus
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ template "openfaas.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: prometheus
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-prometheus
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-prometheus
+ namespace: {{ .Release.Namespace | quote }}
+{{- if ne $functionNs (.Release.Namespace | toString) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-prometheus-fn
+ namespace: {{ $functionNs | quote }}
+ labels:
+ app: {{ template "openfaas.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: prometheus
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-prometheus-fn
+ namespace: {{ $functionNs | quote }}
+ labels:
+ app: {{ template "openfaas.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ component: prometheus
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-prometheus-fn
+subjects:
+- kind: ServiceAccount
+ name: {{ .Release.Name }}-prometheus
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+
 {{- end }}
+{{- end }}
\ No newline at end of file
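Review bot: The first Role in the `{{- else -}}` branch has no `metadata.namespace`, while its RoleBinding and the `-fn` Role/RoleBinding set one explicitly; Helm installs it into the release namespace anyway, but add `  namespace: {{ .Release.Namespace | quote }}` after `name: {{ .Release.Name }}-prometheus` so all four objects are consistent and the scope of the grant is visible in the template itself. The `-}}` on `{{- else -}}` also trims the newlines between `apiVersion:` and the `---` that precedes `{{- if .Values.clusterRole }}` in the earlier hunk, which by the Go template trim rules should render as `---apiVersion:`; Helm's manifest splitter appears to tolerate that, but `{{- else }}` gives a clean document boundary, so check the `helm template` output for the non-clusterRole case. If `values.yaml` does not declare `clusterRole` (not visible here), the chart now defaults to the namespaced Roles, which is the least-privilege choice but also means an upgrade without `--set clusterRole=true` removes the existing ClusterRole and cluster-wide scraping; that default deserves a values comment or README line. The file also still ends without a trailing newline.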