commit c9f3a52c44f67f60eae8ad40f7a0de9db338e7c0
author Alexander Noskov <anoskov@mirantis.com> Mon Jan 22 12:47:20 2018 +0400
committer Tomas Kukral <tkukral@mirantis.com> Thu Feb 01 17:10:50 2018 +0000
tree 5fe0c72910d6ad47ef9c5b964daf01870a074628
parent 12a5ba387672c2d8050e5b54bdea37c9e1a8f08c

[RBAC] Add role binging for prometheus-server

In case of using RBAC in k8s we need to create role binding for
prometheus-server user to unlock creation of kubernetes-api target in
prometheus, otherwise we will get error:
`User \"prometheus-server\" cannot list nodes at the cluster scope`

Change-Id: I7ec27483f16169a5040aad24c9076c6361e02127

kubernetes/files/kube-addons/prometheus/prometheus-roles.yml

diff --git a/kubernetes/files/kube-addons/prometheus/prometheus-roles.yml b/kubernetes/files/kube-addons/prometheus/prometheus-roles.yml
new file mode 100644
index 0000000..011986d
--- /dev/null
+++ b/kubernetes/files/kube-addons/prometheus/prometheus-roles.yml
@@ -0,0 +1,47 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: prometheus-server
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+      - nodes/proxy
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - nonResourceURLs:
+      - /metrics
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: prometheus-server
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: prometheus-server
+subjects:
+  - kind: User
+    name: prometheus-server
+    namespace: default

kubernetes/master/kube-addons.sls

diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index b885192..43d81d9 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -136,6 +136,22 @@
 
 {% endif %}
 
+{%- if common.monitoring.get('backend', "") == 'prometheus' %}
+
+{%- if 'RBAC' in master.auth.get('mode', "") %}
+
+/etc/kubernetes/addons/prometheus/prometheus-roles.yml:
+  file.managed:
+    - source: salt://kubernetes/files/kube-addons/prometheus/prometheus-roles.yml
+    - template: jinja
+    - group: root
+    - dir_mode: 755
+    - makedirs: True
+
+{%- endif %}
+
+{%- endif %}
+
 {%- if common.addons.get('dns', {'enabled': False}).enabled %}
 
 /etc/kubernetes/addons/dns/kubedns-svc.yaml:

tests/pillar/common_storageclass.sls

diff --git a/tests/pillar/common_storageclass.sls b/tests/pillar/common_storageclass.sls
index 47c3cec..6050fe9 100644
--- a/tests/pillar/common_storageclass.sls
+++ b/tests/pillar/common_storageclass.sls
@@ -70,3 +70,5 @@
             nfs:
               server: 10.0.0.1
               path: /exported_path/inlfux01
+    monitoring:
+      backend: prometheus

tests/pillar/master_cluster.sls

diff --git a/tests/pillar/master_cluster.sls b/tests/pillar/master_cluster.sls
index a75c173..a0c2a2c 100644
--- a/tests/pillar/master_cluster.sls
+++ b/tests/pillar/master_cluster.sls
@@ -43,6 +43,8 @@
         - cmp01
         - cmp02
         image: mirantis/virtlet:v0.8.0
+    monitoring:
+      backend: prometheus
   master:
     admin:
       password: password

tests/pillar/master_contrail.sls

diff --git a/tests/pillar/master_contrail.sls b/tests/pillar/master_contrail.sls
index b562e66..c9b2ab3 100644
--- a/tests/pillar/master_contrail.sls
+++ b/tests/pillar/master_contrail.sls
@@ -47,6 +47,8 @@
         enabled: true
         namespace: kube-system
         image: yashulyak/contrail-controller:latest
+    monitoring:
+      backend: prometheus
   master:
     admin:
       password: password

tests/pillar/master_contrail4_0.sls

diff --git a/tests/pillar/master_contrail4_0.sls b/tests/pillar/master_contrail4_0.sls
index fe63c4a..dbf8e87 100644
--- a/tests/pillar/master_contrail4_0.sls
+++ b/tests/pillar/master_contrail4_0.sls
@@ -43,6 +43,8 @@
         hosts:
         - cmp01
         - cmp02
+    monitoring:
+      backend: prometheus
   master:
     service_addresses: 127.0.0.1/24
     admin:

tests/pillar/pool_cluster.sls

diff --git a/tests/pillar/pool_cluster.sls b/tests/pillar/pool_cluster.sls
index 35523bb..1dc2f0b 100644
--- a/tests/pillar/pool_cluster.sls
+++ b/tests/pillar/pool_cluster.sls
@@ -22,6 +22,8 @@
         hosts:
         - cmp01
         - cmp02
+    monitoring:
+      backend: prometheus
   pool:
     enabled: true
     version: v1.2.0

tests/pillar/pool_cluster_with_domain.sls

diff --git a/tests/pillar/pool_cluster_with_domain.sls b/tests/pillar/pool_cluster_with_domain.sls
index 595e39e..f756dd4 100644
--- a/tests/pillar/pool_cluster_with_domain.sls
+++ b/tests/pillar/pool_cluster_with_domain.sls
@@ -22,6 +22,8 @@
         hosts:
         - cmp01
         - cmp02
+    monitoring:
+      backend: prometheus
   pool:
     enabled: true
     version: v1.2.0

tests/pillar/pool_contrail4_0.sls

diff --git a/tests/pillar/pool_contrail4_0.sls b/tests/pillar/pool_contrail4_0.sls
index bdd87b7..da58e06 100644
--- a/tests/pillar/pool_contrail4_0.sls
+++ b/tests/pillar/pool_contrail4_0.sls
@@ -22,6 +22,8 @@
         hosts:
         - cmp01
         - cmp02
+    monitoring:
+      backend: prometheus
   pool:
     enabled: true
     version: v1.2.0