From 3fecdadf1549f5a87612796286df1a4fbd0eb474 Mon Sep 17 00:00:00 2001
From: Cyril Jouve
Date: Wed, 11 Sep 2024 11:22:05 +0200
Subject: [PATCH] add monitor and rules resources to user-facing roles (#2238)
in cluster with separation between (cluster) admin and (namespaced) users, it allows the namespaced users to create monitor and rules in their namespaces according to the default k8s model of user-facing roles.
ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
---
 .../addons/user-facing-roles.libsonnet | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
diff --git a/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet b/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
new file mode 100644
index 0000000000..423db89653
--- /dev/null
+++ b/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
@@ -0,0 +1,67 @@
+// user facing roles for monitors, probe, and rules
+// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+{
+ prometheusOperator+: {
+ local po = self,
+ clusterRoleView: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: po._metadata {
+ name: 'monitoring-view',
+ namespace:: null,
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [
+ 'monitoring.coreos.com',
+ ],
+ resources: [
+ 'podmonitors',
+ 'probes',
+ 'prometheusrules',
+ 'servicemonitors',
+ ],
+ verbs: [
+ 'get',
+ 'list',
+ 'watch',
+ ],
+ },
+ ],
+ },
+ clusterRoleEdit: {
+ apiVersion: 'rbac.authorization.k8s.io/v1',
+ kind: 'ClusterRole',
+ metadata: po._metadata {
+ name: 'monitoring-edit',
+ namespace:: null,
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [
+ 'monitoring.coreos.com',
+ ],
+ resources: [
+ 'podmonitors',
+ 'probes',
+ 'prometheusrules',
+ 'servicemonitors',
+ ],
+ verbs: [
+ 'create',
+ 'delete',
+ 'deletecollection',
+ 'patch',
+ 'update',
+ ],
+ },
+ ],
+ },
+ },
+}
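Review bot: The two-line header should say how far the `monitoring-edit` grant reaches, because by carrying `aggregate-to-edit` it folds into the default `edit` (and, through it, `admin`) role, so every namespaced editor can now author ServiceMonitor/PodMonitor/Probe/PrometheusRule objects that a cluster-wide Prometheus will pick up whenever its namespace selectors include that namespace. That is the stated intent of the commit, but this addon does not touch the Prometheus CR, so the real boundary is configured elsewhere: the CR's `*NamespaceSelector` fields decide which namespaces are collected from, and `enforcedNamespaceLabel` keeps a tenant's rules and scrape targets confined to its own namespace. I would extend the header with `// NOTE: monitoring-edit aggregates into the default edit/admin roles; the Prometheus CR's namespace selectors and enforcedNamespaceLabel decide which namespaces these objects are collected from and whether they stay tenant-scoped.` The verb split itself (read-only verbs in view, write verbs in edit) follows the model the linked Kubernetes page describes.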