Jon
c8ea929873
cluster policy creates the role and rolebindings for prometheuse to monitor the ns !1
76 lines
2.1 KiB
YAML
76 lines
2.1 KiB
YAML
{{ if .Values.nfc_monitoring.prometheus.kyverno_role_policy }}
|
|
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-prometheus-role
|
|
annotations:
|
|
policies.kyverno.io/title: Add Prometheus Role
|
|
policies.kyverno.io/category: Monitoring
|
|
policies.kyverno.io/subject: RoleBinding
|
|
policies.kyverno.io/minversion: 1.6.0
|
|
policies.kyverno.io/description: >-
|
|
This policy is responsible for ensuring that a Role for the prometheus
|
|
monitoring instances is created to enable monitoring of the namespace in
|
|
question.
|
|
labels:
|
|
app.kubernetes.io/component: prometheus
|
|
app.kubernetes.io/name: prometheus
|
|
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
|
app.kubernetes.io/managed-by: {{ $.Release.Service }}
|
|
app.kubernetes.io/version: {{ $.Chart.Version }}
|
|
spec:
|
|
background: true
|
|
generateExisting: true
|
|
rules:
|
|
- name: generate-prometheus-role
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
synchronize: true
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
name: prometheus-k8s
|
|
namespace: "{{ `{{` }}request.object.metadata.name }}"
|
|
data:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: prometheus
|
|
app.kubernetes.io/instance: k8s
|
|
app.kubernetes.io/name: prometheus
|
|
app.kubernetes.io/part-of: {{ $.Chart.Name }}
|
|
app.kubernetes.io/version: {{ $.Chart.Version }}
|
|
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
- endpoints
|
|
- pods
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- networking.k8s.io
|
|
resources:
|
|
- ingresses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
|
|
{{ end }}
|