{{/*
RBAC needed for enabling monitoring for a Rook CephCluster.
These should be scoped to the namespace where the CephCluster is located.
*/}}
{{- define "library.cluster.monitoring.roles" -}}
# Role for the Rook operator: read, create, update and delete access to
# ServiceMonitors and PrometheusRules. A Role is namespaced, so the grant
# applies only inside the release namespace. The rule carries no
# resourceNames, so it covers every object of these two kinds there.
# The trailing "# namespace:cluster" markers are kept verbatim
# (presumably consumed by manifest tooling; confirm before editing them).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rook-ceph-monitoring
  namespace: {{ .Release.Namespace }} # namespace:cluster
rules:
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
      - prometheusrules
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
---
# Role for the Ceph mgr: narrower than the operator Role above. It covers
# ServiceMonitors only and grants get/list/create/update; there is no
# watch or delete verb and no access to PrometheusRules.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rook-ceph-monitoring-mgr
  namespace: {{ .Release.Namespace }} # namespace:cluster
rules:
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - list
      - create
      - update
{{- end }}
{{- define "library.cluster.monitoring.rolebindings" }}
# Binds the rook-ceph-monitoring Role to the operator ServiceAccount
# (rook-ceph-system). That Role grants create/update/delete as well as
# read access on ServiceMonitors and PrometheusRules, not read-only access.
# The subject namespace is the release namespace, so only a
# rook-ceph-system account in that namespace receives the grant.
# NOTE(review): if the operator is deployed in a different namespace this
# subject will not match; confirm against the operator chart.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rook-ceph-monitoring
  namespace: {{ .Release.Namespace }} # namespace:cluster
roleRef:
  kind: Role
  name: rook-ceph-monitoring
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: {{ .Release.Namespace }} # namespace:cluster
---
# Binds the rook-ceph-monitoring-mgr Role to the mgr ServiceAccount
# (rook-ceph-mgr) in the release namespace: get/list/create/update on
# ServiceMonitors only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rook-ceph-monitoring-mgr
  namespace: {{ .Release.Namespace }} # namespace:cluster
roleRef:
  kind: Role
  name: rook-ceph-monitoring-mgr
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: {{ .Release.Namespace }} # namespace:cluster
{{- end }}