feat(kyverno): add clusterpolicy role and rolebinding

cluster policy creates the role and rolebindings for prometheuse to monitor the ns

!1

templates/ClusterPolicy-Prometheus-Role.yaml

@@ -0,0 +1,75 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-prometheus-role
+  annotations:
+    policies.kyverno.io/title: Add Prometheus Role
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/subject: RoleBinding
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      This policy is responsible for ensuring that a Role for the prometheus
+      monitoring instances is created to enable monitoring of  the namespace in
+      question.
+  labels:
+    app.kubernetes.io/component: prometheus
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/part-of: {{ $.Chart.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: generate-prometheus-role
+      match:
+        any:
+        - resources:
+            kinds:
+              - Namespace
+      generate:
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        name: prometheus-k8s
+        namespace: "{{ `{{` }}request.object.metadata.name }}"
+        data:
+          metadata:
+            labels:
+              app.kubernetes.io/component: prometheus
+              app.kubernetes.io/instance: k8s
+              app.kubernetes.io/name: prometheus
+              app.kubernetes.io/part-of: {{ $.Chart.Name }}
+              app.kubernetes.io/version: {{ $.Chart.Version }}
+            
+          rules:
+          - apiGroups:
+            - ""
+            resources:
+            - services
+            - endpoints
+            - pods
+            verbs:
+            - get
+            - list
+            - watch
+          - apiGroups:
+            - extensions
+            resources:
+            - ingresses
+            verbs:
+            - get
+            - list
+            - watch
+          - apiGroups:
+            - networking.k8s.io
+            resources:
+            - ingresses
+            verbs:
+            - get
+            - list
+            - watch
+
+{{ end }}

templates/ClusterPolicy-Prometheus-RoleBinding.yaml

@@ -0,0 +1,53 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-prometheus-role-binding
+  annotations:
+    policies.kyverno.io/title: Add Prometheus RoleBinding
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/subject: RoleBinding
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      This policy is responsible for ensuring that a RoleBinding for the prometheus
+      monitoring instances is created to enable monitoring of  the namespace in
+      question.
+  labels:
+    app.kubernetes.io/component: prometheus
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/part-of: {{ $.Chart.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: generate-prometheus-binding
+      match:
+        any:
+        - resources:
+            kinds:
+              - Namespace
+      generate:
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        name: prometheus-k8s
+        namespace: "{{ `{{` }}request.object.metadata.name }}"
+        data:
+          metadata:
+            labels:
+              app.kubernetes.io/component: prometheus
+              app.kubernetes.io/name: prometheus
+              app.kubernetes.io/part-of: {{ $.Chart.Name }}
+              app.kubernetes.io/version: {{ $.Chart.Version }}
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: Role
+            name: prometheus-k8s
+          subjects:
+          - kind: ServiceAccount
+            name: prometheus-k8s
+            namespace: "{{ .Values.nfc_monitoring.prometheus.namespace }}"
+{{ end }}

values.yaml

@@ -72,8 +72,9 @@ nfc_monitoring:
       name: grafana/loki
       tag: 2.7.4
 
-    namespace: loki
+    namespace: logging
 
+    # service name and port are used for the connection to your loki instance
     service_name: loki-gateway
     service_port: 80
 
@@ -152,6 +153,11 @@ nfc_monitoring:
       # - olm
       # - operators
 
+    # Deploy a generate policy for kyverno to create Role and RoleBindings
+    # for the prometheus service account so it can monitor
+    # new/existing namespaces
+    kyverno_role_policy: true
+
     storage:
       volumeClaimTemplate:
         spec:
@@ -212,7 +218,7 @@ nfc_monitoring:
           matchLabels:
             app: rook-ceph-mgr
 
-    # Add sidcar to grafana pod to load dashboards from configMap
+    # Add sidecar to grafana pod to load dashboards from configMap
     dashboard_sidecar: 
       
       enabled: true