Imported ClusterRole and ClusterRoleBinding
Signed-off-by: Matt Ray <[email protected]>
mattray committed Oct 7, 2023
1 parent bf94175 commit 983331c
Showing 3 changed files with 100 additions and 238 deletions.
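--- a/charts/prometheus-opencost-exporter/templates/clusterrole.yaml
+++ b/charts/prometheus-opencost-exporter/templates/clusterrole.yaml
@@ -0,0 +1,79 @@
+# Cluster role giving opencost to get, list, watch required resources
+# No write permissions are required
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "prometheus-opencost-exporter.fullname" . }}
+labels: {{- include "prometheus-opencost-exporter.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+resources:
+- configmaps
+- deployments
+- nodes
+- pods
+- services
+- resourcequotas
+- replicationcontrollers
+- limitranges
+- persistentvolumeclaims
+- persistentvolumes
+- namespaces
+- endpoints
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- extensions
+resources:
+- daemonsets
+- deployments
+- replicasets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- apps
+resources:
+- statefulsets
+- deployments
+- daemonsets
+- replicasets
+verbs:
+- list
+- watch
+- apiGroups:
+- batch
+resources:
+- cronjobs
+- jobs
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- autoscaling
+resources:
+- horizontalpodautoscalers
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- policy
+resources:
+- poddisruptionbudgets
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- storage.k8s.io
+resources:
+- storageclasses
+verbs:
+- get
+- list
+- watch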
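Review bot: The ClusterRole template has no `{{- if .Values.rbac.enabled }}` guard, while the ClusterRoleBinding added in this commit does, so setting `rbac.enabled: false` would still create a cluster-scoped role that nothing binds; wrapping the file in the same `{{- if .Values.rbac.enabled }}` … `{{- end }}` pair keeps the two objects in step. In the first rule, `deployments` is listed under the core group `[""]`, where that resource is not served, so the entry grants nothing and can be dropped (the `apps` rule already covers it). The `apps` rule grants only `list` and `watch`, although the header comment promises get, list, watch; add `- get` there or adjust the comment. The role also allows reading every `configmaps` object in the cluster, which is worth a comment explaining why the exporter needs it, since ConfigMaps often hold configuration that should not be widely readable.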
@@ -0,0 +1,18 @@
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "prometheus-opencost-exporter.fullname" . }}
labels: {{- include "prometheus-opencost-exporter.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "prometheus-opencost-exporter.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "prometheus-opencost-exporter.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
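Review bot: The subject line `name: {{ template "prometheus-opencost-exporter.serviceAccountName" . }}` depends on a helper that is not shown on this page. If that helper follows the usual Helm scaffold and falls back to `default` when no ServiceAccount is created or named, this binding would give cluster-wide read access to every pod in the release namespace that runs under the default ServiceAccount. Consider failing the render in that case, or documenting that a dedicated ServiceAccount is required whenever `rbac.enabled` is true. The same line uses `template` where the rest of the file uses `include`; `name: {{ include "prometheus-opencost-exporter.serviceAccountName" . | quote }}` is consistent and also protects against a name that YAML would retype.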
241 changes: 3 additions & 238 deletions charts/prometheus-opencost-exporter/values.yaml
@@ -17,241 +17,6 @@ serviceAccount:
# -- Whether pods running as this service account should have an API token automatically mounted
automountServiceAccountToken: true

# replicaCount: 1

# image:
# repository: quay.io/kubecost1/kubecost-cost-model
# # if not set appVersion field from Chart.yaml is used
# tag: ""
# pullPolicy: IfNotPresent

# ## Optionally specify an array of imagePullSecrets.
# ## Secrets must be manually created in the namespace.
# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
# ##
# # pullSecrets:
# # - myRegistrKeySecretName

# service:
# type: ClusterIP
# port: 9003
# targetPort: 9003
# name: opencost
# labels: {}
# annotations: {}

# automountServiceAccountToken: false

# serviceMonitor:
# # When set true then use a ServiceMonitor to configure scraping
# enabled: false
# # Set the namespace the ServiceMonitor should be deployed
# namespace: ""
# # Set how frequently Prometheus should scrape
# scrapeInterval: 30s
# # -- HonorLabels chooses the metric's labels on collisions with target labels
# honorLabels: true
# # -- RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields
# relabelings: []
# # -- MetricRelabelConfigs to apply to samples before ingestion
# metricRelabelings: []

# prometheusRule:
# enabled: false
# additionalLabels: {}
# namespace: ""
# rules: []
# ## These are just examples rules, please adapt them to your needs.
# ## Make sure to constraint the rules to the current prometheus-postgres-exporter service.
# # - alert: HugeReplicationLag
# # expr: pg_replication_lag{service="{{ template "prometheus-postgres-exporter.fullname" . }}"} / 3600 > 1
# # for: 1m
# # labels:
# # severity: critical
# # annotations:
# # description: replication for {{ template "prometheus-postgres-exporter.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
# # summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).

# resources: {}
# # We usually recommend not to specify default resources and to leave this as a conscious
# # choice for the user. This also increases chances charts run on environments with little
# # resources, such as Minikube. If you do want to specify resources, uncomment the following
# # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# # limits:
# # cpu: 100m
# # memory: 128Mi
# # requests:
# # cpu: 100m
# # memory: 128Mi

# rbac:
# # Specifies whether RBAC resources should be created
# create: true

# serviceAccount:
# # Specifies whether a ServiceAccount should be created
# create: true
# # The name of the ServiceAccount to use.
# # If not set and create is true, a name is generated using the fullname template
# name:
# # Add annotations to the ServiceAccount, useful for EKS IAM Roles for Service Accounts or Google Workload Identity.
# annotations: {}

# # Add a default ingress to allow namespace access to service.targetPort
# # Helpful if other NetworkPolicies are configured in the namespace
# networkPolicy:
# # Specifies whether a NetworkPolicy should be created
# enabled: false
# # Set labels for the NetworkPolicy
# labels: {}

# # The securityContext of the pod.
# # See https://kubernetes.io/docs/concepts/policy/security-context/ for more.
# podSecurityContext:
# runAsGroup: 1001
# runAsUser: 1001
# runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault

# # The securityContext of the container.
# # See https://kubernetes.io/docs/concepts/policy/security-context/ for more.
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# privileged: false
# readOnlyRootFilesystem: true

# hostAliases: []
# # Set Host Aliases as per https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
# # - ip: "127.0.0.1"
# # hostnames:
# # - "foo.local"
# # - "bar.local"

# config:
# ## The datasource properties on config are passed through helm tpl function.
# ## ref: https://helm.sh/docs/developing_charts/#using-the-tpl-function
# datasource:
# # Specify one of both datasource or datasourceSecret
# host: ''
# user: postgres
# userSecret: {}
# # Secret name
# # name:
# # User key inside secret
# # key:
# # Only one of password, passwordFile, passwordSecret and pgpassfile can be specified
# password:
# # Specify passwordFile if DB password is stored in a file.
# # For example, to use with vault-injector from Hashicorp
# passwordFile: ''
# # Specify passwordSecret if DB password is stored in secret.
# passwordSecret: {}
# # Secret name
# # name:
# # Password key inside secret
# # key:
# pgpassfile: ''
# # If pgpassfile is set, it is used to initialize the PGPASSFILE environment variable.
# # See https://www.postgresql.org/docs/14/libpq-pgpass.html for more info.
# port: "5432"
# database: ''
# sslmode: disable
# extraParams: ''
# datasourceSecret: {}
# # Specifies if datasource should be sourced from secret value in format: postgresql://login:password@hostname:port/dbname?sslmode=disable
# # Multiple Postgres databases can be configured by comma separated postgres connection strings
# # Secret name
# # name:
# # Connection string key inside secret
# # key:
# disableCollectorDatabase: false
# disableCollectorBgwriter: false
# disableDefaultMetrics: false
# disableSettingsMetrics: false

# # possible values debug, info, warn, error, fatal
# logLevel: ""
# # possible values logfmt, json
# logFormat: ""
# extraArgs: []

# # postgres_exporter.yml
# postgresExporter: ""
# # auth_modules:
# # first:
# # type: userpass
# # userpass:
# # username: first
# # password: firstpass
# # options:
# # sslmode: disable

# nodeSelector: {}

# tolerations: []

# affinity: {}

# annotations: {}

# podLabels: {}

# # Configurable health checks
# livenessProbe:
# initialDelaySeconds: 0
# timeoutSeconds: 3

# readinessProbe:
# initialDelaySeconds: 0
# timeoutSeconds: 1

# # Labels and annotations to attach to the deployment resource
# deployment:
# labels: {}
# annotations: {}

# # ExtraEnvs
# extraEnvs: []
# # - name: EXTRA_ENV
# # value: value
# # - name: POD_NAMESPACE
# # valueFrom:
# # fieldRef:
# # fieldPath: metadata.namespace

# # Init containers, e. g. for secrets creation before the exporter
# initContainers: []
# # - name:
# # image:
# # volumeMounts:
# # - name: creds
# # mountPath: /creds

# # Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
# extraContainers: []

# # Additional volumes, e. g. for secrets used in an extraContainer
# extraVolumes: []
# # Uncomment for mounting custom ca-certificates
# # - name: ssl-certs
# # secret:
# # defaultMode: 420
# # items:
# # - key: ca-certificates.crt
# # path: ca-certificates.crt
# # secretName: ssl-certs

# # Additional volume mounts
# extraVolumeMounts: []
# # Uncomment for mounting custom ca-certificates file into container
# # - name: ssl-certs
# # mountPath: /etc/ssl/certs/ca-certificates.crt
# # subPath: ca-certificates.crt

# podDisruptionBudget:
# enabled: false
# maxUnavailable: 1
# Create cluster role policies
rbac:
enabled: true
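Review bot: The comment `# Create cluster role policies` on the new `rbac` block does not say what is granted, and it does not use the `# -- ` form that the `automountServiceAccountToken` comment above it uses. This key defaults to `true` and controls whether the exporter's ServiceAccount is bound to cluster-wide read access, so the scope should be visible to an operator reading the values file. Suggest `# -- Bind the exporter's ServiceAccount to a ClusterRole with cluster-wide read access (get/list/watch)`. The hunk begins partway through the `serviceAccount:` block, so the rest of that block is not visible here.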
