Skip to content

Commit

Permalink
Limit the Prometheus role to two namespaces
Browse files Browse the repository at this point in the history
Unless clusterRole is specified, the Prometheus role will be
restricted to scraping from only a single namespace.

This fixes issue: #717 where I user complained that they did
not want to create a ClusterRole in their cluster.

It has been tested with k3d and K8s 1.19 with and without the
--set clusterRole=true flag passed into the faas-netes helm
chart.

The second Role and RoleBinding needed a different name to the
ones in the primary namespace in order for the RBAC error to
go away in Prometheus.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>
  • Loading branch information
alexellis committed Nov 29, 2020
1 parent 2c470fc commit 86b96b0
Showing 1 changed file with 87 additions and 0 deletions.
87 changes: 87 additions & 0 deletions chart/openfaas/templates/prometheus-rbac.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
{{- $functionNs := default .Release.Namespace .Values.functionNamespace }}
{{- if .Values.prometheus.create }}

---
apiVersion: v1
kind: ServiceAccount
Expand All @@ -13,6 +14,9 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
---

{{- if .Values.clusterRole }}

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
Expand Down Expand Up @@ -72,4 +76,87 @@ subjects:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}

{{- else -}}

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- if ne $functionNs (.Release.Namespace | toString) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups: [""]
resources:
- services
- endpoints
- pods
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ .Release.Name }}-prometheus-fn
namespace: {{ $functionNs | quote }}
labels:
app: {{ template "openfaas.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
component: prometheus
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus-fn
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-prometheus
namespace: {{ .Release.Namespace | quote }}
{{- end }}

{{- end }}
{{- end }}

0 comments on commit 86b96b0

Please sign in to comment.