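# ServiceAccount for Prometheus. The $VARS are placeholders, presumably
# substituted before the manifest is applied. Its API permissions come from the
# ClusterRole and ClusterRoleBinding of the same name in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $PROMETHEUS_SERVICE_ACCOUNT
  # Pinned to the namespace that the ClusterRoleBinding subject names, so the
  # cluster-wide grant always resolves to this account and never depends on
  # which namespace the apply command happens to target.
  namespace: $NAMESPACE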
---
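# Cluster-wide, read-only access for the Prometheus service account. Every rule
# below is limited to get/list/watch; nothing here can modify cluster state.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22. The v1 API
# has the same schema and is already used by the kube-state-metrics role in
# this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $PROMETHEUS_SERVICE_ACCOUNT
rules:
  # Core-group objects, readable in every namespace.
  - apiGroups: [""]
    resources:
      - nodes
      - nodes/metrics
      - services
      - endpoints
      - pods
    verbs: ["get", "list", "watch"]
  # NOTE(review): as a ClusterRole rule this allows `get` on any ConfigMap in
  # any namespace. Confirm that is required; if only a few ConfigMaps are read,
  # a namespaced Role restricted with resourceNames is tighter.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  # Non-resource endpoints: plain HTTP paths rather than API objects.
  - nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
    verbs: ["get"]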
---
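# Grants the Prometheus ClusterRole to the Prometheus ServiceAccount.
# Because this is a ClusterRoleBinding, the role's rules apply in all
# namespaces, not only in $NAMESPACE.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22. The v1 API
# has the same schema and is already used by the kube-state-metrics binding in
# this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $PROMETHEUS_SERVICE_ACCOUNT
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $PROMETHEUS_SERVICE_ACCOUNT
subjects:
  # The subject is matched by name AND namespace; the ServiceAccount must exist
  # in exactly this namespace for the grant to take effect.
  - kind: ServiceAccount
    name: $PROMETHEUS_SERVICE_ACCOUNT
    namespace: $NAMESPACE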
---
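# ServiceAccount for kube-state-metrics. Its API permissions come from the
# ClusterRole and ClusterRoleBinding of the same name in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $KUBE_STATE_METRICS_SERVICE_ACCOUNT
  # Pinned to the namespace that the ClusterRoleBinding subject names, so the
  # cluster-wide grant always resolves to this account and never depends on
  # which namespace the apply command happens to target.
  namespace: $NAMESPACE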
---
# Cluster-wide permissions for the kube-state-metrics service account.
# All rules are read-only except the `extensions` rule, which also grants
# `update` (see the note on that rule).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $KUBE_STATE_METRICS_SERVICE_ACCOUNT
rules:
  # NOTE(review): this rule includes `secrets`. list/watch/get on secrets
  # returns the full Secret objects, so a token for this account can read
  # every Secret in every namespace. Confirm the secrets metrics are needed;
  # if not, remove `secrets` from this list.
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch", "get"]
  # NOTE(review): `update` is the only write verb in this file, and it applies
  # to every daemonset, deployment and replicaset of the `extensions` group in
  # all namespaces. A metrics exporter normally only reads. Confirm which
  # component needs the write; if it is a sidecar that resizes a single
  # Deployment, move get/update into a namespaced Role limited with
  # resourceNames and keep this rule at list/watch.
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
    verbs: ["list", "watch", "get", "update"]
  - apiGroups: ["apps"]
    resources:
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
---
# Grants the kube-state-metrics ClusterRole to the kube-state-metrics
# ServiceAccount. Because this is a ClusterRoleBinding, every rule in that role
# (including its secrets read access and its `update` verb) applies in all
# namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $KUBE_STATE_METRICS_SERVICE_ACCOUNT
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $KUBE_STATE_METRICS_SERVICE_ACCOUNT
subjects:
  # The subject is matched by name AND namespace; the ServiceAccount must exist
  # in exactly this namespace for the grant to take effect.
  - kind: ServiceAccount
    name: $KUBE_STATE_METRICS_SERVICE_ACCOUNT
    namespace: $NAMESPACE
---
# ServiceAccount for Alertmanager. No Role or ClusterRole is bound to it in
# this file, and no namespace is set, so it is created in whichever namespace
# the manifest is applied to.
# NOTE(review): if the workload never calls the Kubernetes API, consider
# setting automountServiceAccountToken: false; confirm against the pod spec.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $ALERTMANAGER_SERVICE_ACCOUNT
---
# ServiceAccount for node-exporter. No Role or ClusterRole is bound to it in
# this file, and no namespace is set, so it is created in whichever namespace
# the manifest is applied to.
# NOTE(review): if the workload never calls the Kubernetes API, consider
# setting automountServiceAccountToken: false; confirm against the pod spec.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $NODE_EXPORTER_SERVICE_ACCOUNT