add monitor and rules resources to user-facing roles (#2238)

in cluster with separation between (cluster) admin and (namespaced) users, it allows the namespaced users to create monitor and rules in their namespaces according to the default k8s model of user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
prometheus-operator · Sep 11, 2024 · 3fecdad · 3fecdad
1 parent 1deaee5
commit 3fecdad
Showing 1 changed file with 67 additions and 0 deletions.
diff --git a/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet b/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
@@ -0,0 +1,67 @@
+// user facing roles for monitors, probe, and rules
+// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+{
+ prometheusOperator+: {
+ local po = self,
+ clusterRoleView: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: po._metadata {
+ name: 'monitoring-view',
+ namespace:: null,
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [
+ 'monitoring.coreos.com',
+ ],
+ resources: [
+ 'podmonitors',
+ 'probes',
+ 'prometheusrules',
+ 'servicemonitors',
+ ],
+ verbs: [
+ 'get',
+ 'list',
+ 'watch',
+ ],
+ },
+ ],
+ },
+ clusterRoleEdit: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: po._metadata {
+ name: 'monitoring-edit',
+ namespace:: null,
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [
+ 'monitoring.coreos.com',
+ ],
+ resources: [
+ 'podmonitors',
+ 'probes',
+ 'prometheusrules',
+ 'servicemonitors',
+ ],
+ verbs: [
+ 'create',
+ 'delete',
+ 'deletecollection',
+ 'patch',
+ 'update',
+ ],
+ },
+ ],
+ },
+ },
+}