helm: add RBAC for mgr to create service monitor
Signed-off-by: Mathieu Parent <mathieu.parent@insee.fr>
sathieu committed Dec 10, 2021
1 parent 3309e9a commit 9df7933
Showing 4 changed files with 82 additions and 0 deletions.
1 change: 1 addition & 0 deletions Documentation/helm-operator.md
@@ -83,6 +83,7 @@ The following tables lists the configurable parameters of the rook-operator char
| `crds.enabled` | If true, the helm chart will create the Rook CRDs. Do NOT change to `false` in a running cluster or CRs will be deleted! | `true` |
| `rbacEnable` | If true, create & use RBAC resources | `true` |
| `pspEnable` | If true, create & use PSP resources | `true` |
| `monitoring.enabled` | Enable Prometheus integration, currently will only create necessary RBAC rules | `true` |
| `resources` | Pod resource requests & limits | `{}` |
| `annotations` | Pod annotations | `{}` |
| `logLevel` | Global log level | `INFO` |
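Review bot: the `monitoring.enabled` row should say who the rules are for and what happens on clusters without the Prometheus Operator, because the default is `true` and every install will get Roles for the `monitoring.coreos.com` group whether or not those CRDs exist (harmless, since RBAC rules do not require the resource type to be installed, but worth stating). The sentence is also a comma splice; suggested wording: `Enable Prometheus integration; currently this only creates the RBAC rules that let the operator and the mgr manage ServiceMonitors`.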
10 changes: 10 additions & 0 deletions deploy/charts/rook-ceph/templates/cluster-rbac.yaml
@@ -26,8 +26,18 @@ roles
---
{{ include "library.cluster.roles" . }}

{{- if .Values.monitoring.enabled }}
---
{{ include "library.cluster.monitoring.roles" . }}
{{- end }}

{{/*
rolebindings
*/}}
---
{{ include "library.cluster.rolebindings" . }}

{{- if .Values.monitoring.enabled }}
---
{{ include "library.cluster.monitoring.rolebindings" . }}
{{- end }}
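Review bot: `library.cluster.monitoring.roles` and `library.cluster.monitoring.rolebindings` are included here, but none of the four files in this commit defines them, so unless they already exist in the library chart and already carry the `rook-ceph-monitoring-mgr` Role and RoleBinding that the new common.yaml entries describe, `helm template` will fail on a missing template. Please confirm that, and also that these includes sit under the same `rbacEnable` guard as the surrounding `library.cluster.roles` / `library.cluster.rolebindings`; otherwise `rbacEnable: false` combined with the default `monitoring.enabled: true` would still emit RBAC objects.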
4 changes: 4 additions & 0 deletions deploy/charts/rook-ceph/values.yaml
@@ -52,6 +52,10 @@ rbacEnable: true
##
pspEnable: true

monitoring:
# enabling will create RBAC rules to allow Operator to create ServiceMonitors
enabled: true

## Settings for whether to disable the drivers or other daemons if they are not
## needed
csi:
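Review bot: the comment on `monitoring.enabled` mentions only the Operator, but the point of this commit (and of the `rook-ceph-monitoring-mgr` Role added to common.yaml) is that the mgr service account also gains create/update on ServiceMonitors; say so, e.g. `# enabling will create RBAC rules to allow the operator and the mgr to create ServiceMonitors`. Since a ServiceMonitor is Prometheus scrape configuration, it is worth a sentence here on why `true` is the right default even for clusters that do not run the Prometheus Operator.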
67 changes: 67 additions & 0 deletions deploy/examples/common.yaml
@@ -876,6 +876,43 @@ rules:
verbs:
- delete
---
# ---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-monitoring
namespace: rook-ceph # namespace:cluster
rules:
- apiGroups:
- "monitoring.coreos.com"
resources:
- servicemonitors
- prometheusrules
verbs:
- get
- list
- watch
- create
- update
- delete
---
# Allow management of monitoring resources in the mgr
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-monitoring-mgr
namespace: rook-ceph # namespace:cluster
rules:
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- list
- create
- update
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
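Review bot: `rook-ceph-monitoring-mgr` is deliberately narrower than `rook-ceph-monitoring` (no `prometheusrules`, no `watch` or `delete`), which is the right least-privilege split if the mgr only needs to create and update its own ServiceMonitor; keep it that way, and keep both Roles namespaced to the cluster namespace as they are, because whichever Prometheus selects this namespace will follow any ServiceMonitor written there. One functional check: neither Role grants `patch`, and `update` does not cover it, so if the operator or the mgr applies the ServiceMonitor with a patch call the request will be denied. Two nits: the apiGroup is quoted (`"monitoring.coreos.com"`) in the first Role and bare in the second, and the stray `# ---` line above the first Role looks like a leftover; the first Role could also use a leading comment like the second one has.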
@@ -1093,6 +1130,36 @@ subjects:
name: rook-ceph-mgr
namespace: rook-ceph # namespace:cluster
---
# Allow the operator to get ServiceMonitors in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-monitoring
namespace: rook-ceph # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-monitoring
subjects:
- kind: ServiceAccount
name: rook-ceph-system
namespace: rook-ceph # namespace:cluster
---
# Allow creation of monitoring resources in the mgr
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-monitoring-mgr
namespace: rook-ceph # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-monitoring-mgr
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
namespace: rook-ceph # namespace:cluster
---
# Allow the osd pods in this namespace to work with configmaps
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
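Review bot: the comment `# Allow the operator to get ServiceMonitors in this cluster's namespace` understates what is bound: `rook-ceph-monitoring` grants get/list/watch/create/update/delete on both servicemonitors and prometheusrules, so it should read `# Allow the operator to manage ServiceMonitors and PrometheusRules in this cluster's namespace`. After applying, the two bindings can be verified with `kubectl auth can-i create servicemonitors.monitoring.coreos.com -n rook-ceph --as=system:serviceaccount:rook-ceph:rook-ceph-mgr` (expect `yes`) and the same command with `delete` (expect `no`, matching the narrower mgr Role).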

0 comments on commit 9df7933