39 lines
1.3 KiB
YAML
39 lines
1.3 KiB
YAML
---
|
|
# Source: kube-prometheus-stack/charts/kube-prometheus-stack/templates/prometheus/clusterrole.yaml
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kube-prometheus-stack-prometheus
|
|
labels:
|
|
app: kube-prometheus-stack-prometheus
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/instance: kube-prometheus-stack
|
|
app.kubernetes.io/version: "79.11.0"
|
|
app.kubernetes.io/part-of: kube-prometheus-stack
|
|
chart: kube-prometheus-stack-79.11.0
|
|
release: "kube-prometheus-stack"
|
|
heritage: "Helm"
|
|
rules:
|
|
# These permissions (to examine all namespaces) are not in the kube-prometheus repo.
|
|
# They're grabbed from https://github.com/prometheus/prometheus/blob/master/documentation/examples/rbac-setup.yml
|
|
# kube-prometheus deliberately defaults to a more restrictive setup that is not appropriate for our general audience.
|
|
- apiGroups: [""]
|
|
resources:
|
|
- nodes
|
|
- nodes/metrics
|
|
- services
|
|
- endpoints
|
|
- pods
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["discovery.k8s.io"]
|
|
resources:
|
|
- endpointslices
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups:
|
|
- "networking.k8s.io"
|
|
resources:
|
|
- ingresses
|
|
verbs: ["get", "list", "watch"]
|
|
- nonResourceURLs: ["/metrics", "/metrics/cadvisor"]
|
|
verbs: ["get"]
|