feat(kyverno): add clusterpolicy role and rolebinding

cluster policy creates the role and rolebindings for prometheuse to monitor the ns !1
2023-09-26 06:27:20 +09:30
parent 899c6a3d78
commit c8ea929873
3 changed files with 136 additions and 2 deletions
--- a/templates/ClusterPolicy-Prometheus-Role.yaml
+++ b/templates/ClusterPolicy-Prometheus-Role.yaml
@ -0,0 +1,75 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-prometheus-role
+  annotations:
+    policies.kyverno.io/title: Add Prometheus Role
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/subject: RoleBinding
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      This policy is responsible for ensuring that a Role for the prometheus
+      monitoring instances is created to enable monitoring of  the namespace in
+      question.
+  labels:
+    app.kubernetes.io/component: prometheus
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/part-of: {{ $.Chart.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: generate-prometheus-role
+      match:
+        any:
+        - resources:
+            kinds:
+              - Namespace
+      generate:
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: Role
+        name: prometheus-k8s
+        namespace: "{{ `{{` }}request.object.metadata.name }}"
+        data:
+          metadata:
+            labels:
+              app.kubernetes.io/component: prometheus
+              app.kubernetes.io/instance: k8s
+              app.kubernetes.io/name: prometheus
+              app.kubernetes.io/part-of: {{ $.Chart.Name }}
+              app.kubernetes.io/version: {{ $.Chart.Version }}
+            
+          rules:
+          - apiGroups:
+            - ""
+            resources:
+            - services
+            - endpoints
+            - pods
+            verbs:
+            - get
+            - list
+            - watch
+          - apiGroups:
+            - extensions
+            resources:
+            - ingresses
+            verbs:
+            - get
+            - list
+            - watch
+          - apiGroups:
+            - networking.k8s.io
+            resources:
+            - ingresses
+            verbs:
+            - get
+            - list
+            - watch
+
+{{ end }}
--- a/templates/ClusterPolicy-Prometheus-RoleBinding.yaml
+++ b/templates/ClusterPolicy-Prometheus-RoleBinding.yaml
@ -0,0 +1,53 @@
+{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-prometheus-role-binding
+  annotations:
+    policies.kyverno.io/title: Add Prometheus RoleBinding
+    policies.kyverno.io/category: Monitoring
+    policies.kyverno.io/subject: RoleBinding
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      This policy is responsible for ensuring that a RoleBinding for the prometheus
+      monitoring instances is created to enable monitoring of  the namespace in
+      question.
+  labels:
+    app.kubernetes.io/component: prometheus
+    app.kubernetes.io/name: prometheus
+    app.kubernetes.io/part-of: {{ $.Chart.Name }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service }}
+    app.kubernetes.io/version: {{ $.Chart.Version }}
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: generate-prometheus-binding
+      match:
+        any:
+        - resources:
+            kinds:
+              - Namespace
+      generate:
+        synchronize: true
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        name: prometheus-k8s
+        namespace: "{{ `{{` }}request.object.metadata.name }}"
+        data:
+          metadata:
+            labels:
+              app.kubernetes.io/component: prometheus
+              app.kubernetes.io/name: prometheus
+              app.kubernetes.io/part-of: {{ $.Chart.Name }}
+              app.kubernetes.io/version: {{ $.Chart.Version }}
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: Role
+            name: prometheus-k8s
+          subjects:
+          - kind: ServiceAccount
+            name: prometheus-k8s
+            namespace: "{{ .Values.nfc_monitoring.prometheus.namespace }}"
+{{ end }}
--- a/values.yaml
+++ b/values.yaml
@ -72,8 +72,9 @@ nfc_monitoring:
      name: grafana/loki
      tag: 2.7.4

-    namespace: loki
+    namespace: logging

+    # service name and port are used for the connection to your loki instance
    service_name: loki-gateway
    service_port: 80

@ -152,6 +153,11 @@ nfc_monitoring:
      # - olm
      # - operators

+    # Deploy a generate policy for kyverno to create Role and RoleBindings
+    # for the prometheus service account so it can monitor
+    # new/existing namespaces
+    kyverno_role_policy: true
+
    storage:
      volumeClaimTemplate:
        spec:
@ -212,7 +218,7 @@ nfc_monitoring:
          matchLabels:
            app: rook-ceph-mgr

-    # Add sidcar to grafana pod to load dashboards from configMap
+    # Add sidecar to grafana pod to load dashboards from configMap
    dashboard_sidecar: 
      
      enabled: true