Prometheus RBAC configuration

Prometheus RBAC configuration refers to the Kubernetes Role-Based Access Control (RBAC) setup required to grant the Prometheus server the necessary permissions to discover and scrape metrics targets within a cluster^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].

Service Account

The configuration begins with the creation of a ServiceAccount specifically for the Prometheus application^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
  name: prometheus
  namespace: infra

ClusterRole

A ClusterRole defines the actual permissions granted to the application^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md]. The rules typically include:

  • Core Resources: Permissions to get, list, and watch nodes, services, endpoints, and pods^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].
  • Node Metrics: Access to nodes/metrics resources^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].
  • ConfigMaps: Permissions to get ConfigMaps, which may be used for storing Prometheus configurations^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].
  • Non-Resource URLs: Permissions to get /metrics paths, allowing Prometheus to scrape metrics endpoints that are not strictly Kubernetes resources^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
  name: prometheus
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/metrics
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get

ClusterRoleBinding

The ClusterRoleBinding associates the ClusterRole with the ServiceAccount, effectively granting the permissions defined in the role to the Prometheus service account within the infra namespace^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: infra
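A least-privilege check for the ClusterRole and ClusterRoleBinding above, added here as an example that is not part of the original page: the two manifests are transcribed into Python dicts (constructed, so the check runs without a cluster or a YAML parser), `audit` flags any verb beyond get/list/watch and any reach into secrets or wildcards, and `binding_is_scoped` confirms the cluster-wide grant lands on the single infra/prometheus ServiceAccount and nothing broader.

```python
READ_ONLY_VERBS = {"get", "list", "watch"}
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token", "*"}

# The page's ClusterRole and ClusterRoleBinding transcribed into dicts
# (constructed here so the audit runs offline, with no YAML parser or cluster).
PROMETHEUS_CLUSTERROLE = {
    "kind": "ClusterRole", "metadata": {"name": "prometheus"},
    "rules": [
        {"apiGroups": [""], "verbs": ["get", "list", "watch"],
         "resources": ["nodes", "nodes/metrics", "services", "endpoints", "pods"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
    ],
}
PROMETHEUS_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "prometheus"},
    "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "infra"}],
}

def grants(role):
    """Flatten rules into (apiGroup, resource or URL, verb) triples."""
    out = set()
    for rule in role.get("rules", []):
        verbs = rule.get("verbs", [])
        out.update(("", url, v) for url in rule.get("nonResourceURLs", []) for v in verbs)
        for group in rule.get("apiGroups", []):
            out.update((group, res, v) for res in rule.get("resources", []) for v in verbs)
    return out

def audit(role):
    """Findings for anything beyond read-only scrape scope; [] means clean."""
    findings = set()
    for group, res, verb in sorted(grants(role)):
        label = f"{group or 'core'}/{res}"
        if verb not in READ_ONLY_VERBS:
            findings.add(f"write verb {verb!r} on {label}")
        if res in SENSITIVE_RESOURCES or group == "*":
            findings.add(f"sensitive or wildcard resource {label}")
    return sorted(findings)

def binding_is_scoped(binding, role_name, sa_name, sa_namespace):
    """True if the binding ties exactly that ClusterRole to exactly that ServiceAccount."""
    ref, subjects = binding.get("roleRef", {}), binding.get("subjects", [])
    return (ref.get("kind") == "ClusterRole" and ref.get("name") == role_name
            and len(subjects) == 1 and subjects[0].get("kind") == "ServiceAccount"
            and subjects[0].get("name") == sa_name
            and subjects[0].get("namespace") == sa_namespace)
```

Run `audit` against the page's role and it returns no findings; widen a rule to secrets or a write verb and the offending grant is named.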

Deployment Integration

In the Prometheus Deployment specification, the configured ServiceAccount name is referenced to ensure the pods run with the correct identity^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md].

spec:
  containers:
  - name: prometheus
    image: harbor.od.com/infra/prometheus:v2.14.0
    # ... other container config ...
  serviceAccountName: prometheus

Sources

^[400-devops__06-Kubernetes__k8s-paas__07.Promtheus监控k8s企业级应用.md]