From c8ea92987318f10a5c14af59ac4d45bc8a549061 Mon Sep 17 00:00:00 2001 From: Jon Date: Tue, 26 Sep 2023 06:27:20 +0930 Subject: [PATCH] feat(kyverno): add clusterpolicy role and rolebinding cluster policy creates the role and rolebindings for prometheuse to monitor the ns !1
---
 templates/ClusterPolicy-Prometheus-Role.yaml | 75 +++++++++++++++++++ .../ClusterPolicy-Prometheus-RoleBinding.yaml | 53 +++++++++++++ values.yaml | 10 ++- 3 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 templates/ClusterPolicy-Prometheus-Role.yaml create mode 100644 templates/ClusterPolicy-Prometheus-RoleBinding.yaml
diff --git a/templates/ClusterPolicy-Prometheus-Role.yaml b/templates/ClusterPolicy-Prometheus-Role.yaml
new file mode 100644
index 0000000..bf01441
--- /dev/null
+++ b/templates/ClusterPolicy-Prometheus-Role.yaml
@@ -0,0 +1,75 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-prometheus-role
+ annotations:
+ policies.kyverno.io/title: Add Prometheus Role
+ policies.kyverno.io/category: Monitoring
+ policies.kyverno.io/subject: RoleBinding
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ This policy is responsible for ensuring that a Role for the prometheus
+ monitoring instances is created to enable monitoring of the namespace in
+ question.
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: {{ $.Chart.Name }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: generate-prometheus-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ synchronize: true
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: Role
+ name: prometheus-k8s
+ namespace: "{{ `{{` }}request.object.metadata.name }}"
+ data:
+ metadata:
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/instance: k8s
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: {{ $.Chart.Name }}
+ app.kubernetes.io/version: {{ $.Chart.Version }}
+
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+
+{{ end }}
diff --git a/templates/ClusterPolicy-Prometheus-RoleBinding.yaml b/templates/ClusterPolicy-Prometheus-RoleBinding.yaml
new file mode 100644
index 0000000..2ec1e33
--- /dev/null
+++ b/templates/ClusterPolicy-Prometheus-RoleBinding.yaml
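Review bot: The generate rule matches every Namespace with no `exclude`, so a Role reading pods, endpoints and services is generated in kube-system and every other namespace, which amounts to cluster-wide read access for the `prometheus-k8s` ServiceAccount rather than the per-namespace scope the description annotation suggests; the RoleBinding policy in the next hunk uses the same unrestricted match. Consider an `exclude` stanza naming the control-plane and Kyverno namespaces via `resources.names`, or a `selector` so namespaces opt in by label, and state the resulting scope in the description either way. Two smaller points: `policies.kyverno.io/subject: RoleBinding` on this Role policy should read `policies.kyverno.io/subject: Role`, and the `extensions` ingress rule targets an API group removed in Kubernetes 1.22, so it is dead weight on current clusters.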
@@ -0,0 +1,53 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-prometheus-role-binding
+ annotations:
+ policies.kyverno.io/title: Add Prometheus RoleBinding
+ policies.kyverno.io/category: Monitoring
+ policies.kyverno.io/subject: RoleBinding
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ This policy is responsible for ensuring that a RoleBinding for the prometheus
+ monitoring instances is created to enable monitoring of the namespace in
+ question.
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: {{ $.Chart.Name }}
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: generate-prometheus-binding
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ synchronize: true
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ name: prometheus-k8s
+ namespace: "{{ `{{` }}request.object.metadata.name }}"
+ data:
+ metadata:
+ labels:
+ app.kubernetes.io/component: prometheus
+ app.kubernetes.io/name: prometheus
+ app.kubernetes.io/part-of: {{ $.Chart.Name }}
+ app.kubernetes.io/version: {{ $.Chart.Version }}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: prometheus-k8s
+ subjects:
+ - kind: ServiceAccount
+ name: prometheus-k8s
+ namespace: "{{ .Values.nfc_monitoring.prometheus.namespace }}"
+{{ end }}
diff --git a/values.yaml b/values.yaml
index f979bf4..b7a4793 100644
--- a/values.yaml
+++ b/values.yaml
@@ -72,8 +72,9 @@ nfc_monitoring:
 name: grafana/loki
 tag: 2.7.4
- namespace: loki
+ namespace: logging
+ # service name and port are used for the connection to your loki instance
 service_name: loki-gateway
 service_port: 80
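Review bot: The generated RoleBinding's labels omit the `app.kubernetes.io/instance: k8s` label that the Role policy in the previous hunk puts on its generated Role, so anything selecting the pair by that label will find the Role but not the binding; add `app.kubernetes.io/instance: k8s` under `data.metadata.labels` here or drop it from the Role. `policies.kyverno.io/minversion: 1.6.0` also looks out of step with `spec.generateExisting: true` — as far as I recall that field arrived in a later Kyverno release and has since moved to the rule level, so verify it against the release the chart targets and raise the annotation; the Role policy carries the same annotation. Finally, the chart values rendered unquoted into label values (`{{ $.Chart.Name }}`, `{{ $.Chart.Version }}`, `{{ $.Release.Service }}`) would be more robust as `{{ $.Chart.Version | quote }}` and friends, so a value that YAML reads as a number can never yield a non-string label.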
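Review bot: The default change from `namespace: loki` to `namespace: logging` is unrelated to the kyverno feature in the commit title and is not mentioned in the description, yet for an existing release it presumably renders the Loki resources into a different namespace than the running ones on upgrade, leaving the old ones behind. Either split it into its own commit or state it in the commit description and in the values comment, e.g. `# namespace Loki is deployed into (default changed from loki; existing installs must migrate)`.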
@@ -152,6 +153,11 @@ nfc_monitoring:
 # - olm
 # - operators
+ # Deploy a generate policy for kyverno to create Role and RoleBindings
+ # for the prometheus service account so it can monitor
+ # new/existing namespaces
+ kyverno_role_policy: true
+
 storage:
 volumeClaimTemplate:
 spec:
@@ -212,7 +218,7 @@ nfc_monitoring:
 matchLabels:
 app: rook-ceph-mgr
- # Add sidcar to grafana pod to load dashboards from configMap
+ # Add sidecar to grafana pod to load dashboards from configMap
 dashboard_sidecar:
 enabled: true
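Review bot: Defaulting `kyverno_role_policy: true` makes Kyverno a hard prerequisite of the chart: on a cluster without the `kyverno.io/v1` CRDs the release fails on the unknown kind `ClusterPolicy`, and the new comment says nothing about that requirement. Either default it to `false` so users opt in, or keep the default and guard both templates with `{{ if and .Values.nfc_monitoring.prometheus.kyverno_role_policy (.Capabilities.APIVersions.Has "kyverno.io/v1") }}`; in both cases extend the comment with `# Requires Kyverno to be installed (kyverno.io/v1 CRDs present)`. The comment should also say that the generated Role and RoleBinding land in every namespace, which is what the two templates do, so operators enabling the flag know the access scope they are granting.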