@saschagrunert
Created June 9, 2021 11:13
# Before deploying this, run:
# oc adm policy add-scc-to-user hostnetwork -z crio-metrics -n crio-metrics
---
# Only required for demoing purposes because the ServiceMonitor is part of the
# user monitoring and should move to the system level later on.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
---
apiVersion: v1
kind: Namespace
metadata:
  name: crio-metrics
---
# TODO: Bootstrap this secret from /etc/crio/certs
# the server certificate should contain at least the following SANs:
# - metrics
# - metrics.crio-metrics
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: tls
  namespace: crio-metrics
data:
  tls.crt: …
  tls.key: …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: crio-metrics
  # must live in crio-metrics: the ClusterRoleBinding subject and the
  # DaemonSet's serviceAccountName below both expect it there
  namespace: crio-metrics
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crio-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crio-metrics
subjects:
- kind: ServiceAccount
  name: crio-metrics
  namespace: crio-metrics
---
# The proxy's own identity only needs to ask the API server two questions:
# "who is this token?" (TokenReview) and "may they do this?" (SubjectAccessReview).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crio-metrics
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: proxy
  namespace: crio-metrics
spec:
  selector:
    matchLabels:
      name: proxy
  template:
    metadata:
      labels:
        name: proxy
    spec:
      hostNetwork: true
      serviceAccountName: crio-metrics
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      containers:
      - name: proxy
        image: quay.io/brancz/kube-rbac-proxy:v0.9.0
        args:
        # TODO: use https if CRI-O supports it
        - --upstream=http://127.0.0.1:9537
        - --secure-listen-address=0.0.0.0:9538
        - --v=10
        - --tls-cert-file=/tls/tls.crt
        - --tls-private-key-file=/tls/tls.key
        ports:
        - name: https
          containerPort: 9538
        volumeMounts:
        - mountPath: /tls
          name: tls
      volumes:
      - name: tls
        secret:
          secretName: tls
---
apiVersion: v1
kind: Service
metadata:
  name: metrics
  namespace: crio-metrics
  labels:
    name: metrics
spec:
  ports:
  - name: https
    port: 443
    targetPort: 9538
  selector:
    name: proxy
---
# The scraper's identity is separate from the proxy's and may only GET /metrics.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crio-metrics-client
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crio-metrics-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crio-metrics-client
subjects:
- kind: ServiceAccount
  name: default
  namespace: crio-metrics
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: token
  namespace: crio-metrics
  annotations:
    kubernetes.io/service-account.name: default
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: metrics
  namespace: crio-metrics
spec:
  endpoints:
  - bearerTokenSecret:
      key: token
      name: token
    interval: 10s
    path: /metrics
    port: https
    scheme: https
    tlsConfig:
      serverName: metrics
      ca:
        secret:
          key: tls.crt
          name: tls
  selector:
    matchLabels:
      name: metrics
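kube-rbac-proxy identifies the scraper's bearer token with a TokenReview and then asks the API server, via a SubjectAccessReview, whether that identity may GET the non-resource URL /metrics. The manifest therefore gives the proxy's service account only the two `create` verbs and gives the scraper's service account (`default` in `crio-metrics`) only `get` on `/metrics`. The following Python is an added example, not code from the gist or from kube-rbac-proxy: it transcribes the page's ClusterRoles and ClusterRoleBindings and runs a simplified RBAC evaluator over them (non-resource URLs only, no role aggregation) to show which identity the proxy would let through.

```python
# Added example (not part of the gist): a small model of the RBAC decision that
# kube-rbac-proxy delegates to the API server via SubjectAccessReview when a
# scraper requests GET /metrics. Roles/bindings are transcribed from the manifest
# above; the evaluator is a simplification (non-resource URLs, no aggregation).
CLUSTER_ROLES = {
    # Proxy's own SA: may only create TokenReview/SubjectAccessReview objects.
    "crio-metrics": [
        {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
        {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]},
    ],
    # Scraper SA ("default", whose token the ServiceMonitor presents): GET /metrics only.
    "crio-metrics-client": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}],
}
# (roleRef name, [(kind, name, namespace), ...]) as in the two ClusterRoleBindings.
CLUSTER_ROLE_BINDINGS = [
    ("crio-metrics", [("ServiceAccount", "crio-metrics", "crio-metrics")]),
    ("crio-metrics-client", [("ServiceAccount", "default", "crio-metrics")]),
]

def sa_user(namespace, name):
    """Username the API server derives from a service-account token (TokenReview result)."""
    return f"system:serviceaccount:{namespace}:{name}"

def roles_for(user):
    """ClusterRoles bound to a service-account username."""
    return [role for role, subjects in CLUSTER_ROLE_BINDINGS
            for kind, name, ns in subjects
            if kind == "ServiceAccount" and sa_user(ns, name) == user]

def url_matches(rule_url, path):
    """RBAC nonResourceURLs: exact match, or prefix match when the rule ends in '*'."""
    return path.startswith(rule_url[:-1]) if rule_url.endswith("*") else path == rule_url

def allowed_nonresource(user, verb, path):
    """SubjectAccessReview-style answer for a non-resource URL request."""
    for role in roles_for(user):
        for rule in CLUSTER_ROLES.get(role, []):
            verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
            if verb_ok and any(url_matches(u, path) for u in rule.get("nonResourceURLs", [])):
                return True
    return False

if __name__ == "__main__":
    scraper = sa_user("crio-metrics", "default")
    proxy = sa_user("crio-metrics", "crio-metrics")
    print("scraper GET /metrics:", allowed_nonresource(scraper, "get", "/metrics"))  # True
    print("proxy   GET /metrics:", allowed_nonresource(proxy, "get", "/metrics"))    # False
```

Any token whose identity resolves to a subject without a binding to `crio-metrics-client` (including the proxy's own service account) is refused before the request reaches CRI-O on 127.0.0.1:9537.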