--- apiVersion: v1 kind: Namespace metadata: name: monitoring --- apiVersion: v1 kind: ServiceAccount metadata: labels: app.kubernetes.io/name: ksm name: ksm namespace: monitoring --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app.kubernetes.io/name: ksm name: ksm rules: - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - list - watch - apiGroups: - "" resources: - configmaps verbs: - list - watch - apiGroups: - batch resources: - cronjobs verbs: - list - watch - apiGroups: - extensions - apps resources: - daemonsets verbs: - list - watch - apiGroups: - extensions - apps resources: - deployments verbs: - list - watch - apiGroups: - "" resources: - endpoints verbs: - list - watch - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - list - watch - apiGroups: - extensions - networking.k8s.io resources: - ingresses verbs: - list - watch - apiGroups: - batch resources: - jobs verbs: - list - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - list - watch - apiGroups: - "" resources: - limitranges verbs: - list - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - list - watch - apiGroups: - "" resources: - namespaces verbs: - list - watch - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - list - watch - apiGroups: - "" resources: - nodes verbs: - list - watch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - list - watch - apiGroups: - "" resources: - persistentvolumes verbs: - list - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - extensions - apps resources: - replicasets verbs: - list - watch - apiGroups: - "" resources: - replicationcontrollers verbs: - list - watch - apiGroups: - "" resources: - resourcequotas verbs: - list - watch - apiGroups: - "" resources: - secrets verbs: - list - watch - apiGroups: - "" resources: - services verbs: - list - watch - apiGroups: - apps resources: - statefulsets verbs: - get - list - watch - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - list - watch - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations verbs: - list - watch - apiGroups: - storage.k8s.io resources: - volumeattachments verbs: - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: ksm name: ksm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: ksm subjects: - kind: ServiceAccount name: ksm namespace: monitoring --- apiVersion: apps/v1 kind: StatefulSet metadata: labels: app.kubernetes.io/component: exporter app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/version: 2.13.0 name: ksm-shard namespace: monitoring spec: replicas: 2 selector: matchLabels: app.kubernetes.io/name: kube-state-metrics serviceName: kube-state-metrics template: metadata: annotations: adx-mon/path: /metrics adx-mon/port: "8080" adx-mon/scrape: "true" labels: app.kubernetes.io/component: exporter app.kubernetes.io/name: kube-state-metrics app.kubernetes.io/version: 2.13.0 spec: automountServiceAccountToken: true containers: - args: - --pod=$(POD_NAME) - --pod-namespace=$(POD_NAMESPACE) env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace image: mcr.microsoft.com/oss/kubernetes/kube-state-metrics:v2.12.0 livenessProbe: httpGet: path: /livez port: http-metrics initialDelaySeconds: 5 timeoutSeconds: 5 name: kube-state-metrics ports: - containerPort: 8080 name: http-metrics - containerPort: 8081 name: telemetry readinessProbe: httpGet: path: /readyz port: telemetry initialDelaySeconds: 5 timeoutSeconds: 5 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 65534 seccompProfile: type: RuntimeDefault nodeSelector: kubernetes.io/os: linux serviceAccountName: ksm