mirror of https://github.com/prometheus/prometheus
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56 lines
1.3 KiB
56 lines
1.3 KiB
# To have Prometheus retrieve metrics from Kubelets with authentication and |
|
# authorization enabled (which is highly recommended and included in security |
|
# benchmarks) the following flags must be set on the kubelet(s): |
|
# |
|
# --authentication-token-webhook |
|
# --authorization-mode=Webhook |
|
# |
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
kind: ClusterRole |
|
metadata: |
|
name: prometheus |
|
rules: |
|
- apiGroups: [""] |
|
resources: |
|
- nodes |
|
- nodes/metrics |
|
- services |
|
- endpoints |
|
- pods |
|
verbs: ["get", "list", "watch"] |
|
- apiGroups: |
|
- extensions |
|
- networking.k8s.io |
|
resources: |
|
- ingresses |
|
verbs: ["get", "list", "watch"] |
|
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"] |
|
verbs: ["get"] |
|
--- |
|
apiVersion: v1 |
|
kind: ServiceAccount |
|
metadata: |
|
name: prometheus |
|
namespace: default |
|
--- |
|
apiVersion: v1 |
|
kind: Secret |
|
metadata: |
|
name: prometheus-sa-token |
|
namespace: default |
|
annotations: |
|
kubernetes.io/service-account.name: prometheus |
|
type: kubernetes.io/service-account-token |
|
--- |
|
apiVersion: rbac.authorization.k8s.io/v1 |
|
kind: ClusterRoleBinding |
|
metadata: |
|
name: prometheus |
|
roleRef: |
|
apiGroup: rbac.authorization.k8s.io |
|
kind: ClusterRole |
|
name: prometheus |
|
subjects: |
|
- kind: ServiceAccount |
|
name: prometheus |
|
namespace: default
|
|
|