Created
June 9, 2021 11:13
# Before deploying this, run:
# oc adm policy add-scc-to-user hostnetwork -z crio-metrics -n crio-metrics
---
# Only required for demo purposes: the ServiceMonitor further down in this
# file is part of the user monitoring and should move to the system level
# later on. This switches OpenShift user-workload monitoring on.
# NOTE(review): applying this overwrites the `config.yaml` key of any
# cluster-monitoring-config that already exists; merge by hand if the cluster
# carries other monitoring settings there.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: openshift-monitoring
  name: cluster-monitoring-config
data:
  config.yaml: |
    enableUserWorkload: true
---
# Namespace holding the proxy DaemonSet, its Service, the TLS and token
# Secrets and the ServiceMonitor defined in this file.
kind: Namespace
apiVersion: v1
metadata:
  name: crio-metrics
---
# Serving certificate and private key for the proxy. The same Secret is read
# by the ServiceMonitor in this file as its CA (key `tls.crt`).
# TODO: Bootstrap this secret from /etc/crio/certs
# The server certificate should contain at least the following SANs:
#   - metrics
#   - metrics.crio-metrics
# The two values below are placeholders. Kubernetes expects base64-encoded
# data here; fill them in at deploy time and keep the real private key out of
# version control.
apiVersion: v1
kind: Secret
metadata:
  name: tls
  namespace: crio-metrics
type: kubernetes.io/tls
data:
  tls.crt: …
  tls.key: …
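---
# Identity the proxy DaemonSet runs as.
# The namespace is set explicitly: the ClusterRoleBinding subject, the
# DaemonSet's serviceAccountName and the
# `oc adm policy add-scc-to-user hostnetwork -z crio-metrics -n crio-metrics`
# step all expect this account in crio-metrics. Without it the account would
# be created in whatever namespace the manifest happens to be applied with.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: crio-metrics
  namespace: crio-metrics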
---
# Grants the crio-metrics ClusterRole to the ServiceAccount the proxy runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crio-metrics
subjects:
  - kind: ServiceAccount
    namespace: crio-metrics
    name: crio-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crio-metrics
---
# Permissions for the proxy itself: it may create TokenReviews and
# SubjectAccessReviews, and nothing else. These are the API calls a
# delegating proxy uses to authenticate a caller's bearer token and to ask
# the API server whether that caller is authorized.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crio-metrics
rules:
  - apiGroups: [authentication.k8s.io]
    resources: [tokenreviews]
    verbs: [create]
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs: [create]
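---
# Runs kube-rbac-proxy on every node in front of the node-local endpoint at
# 127.0.0.1:9537 (the CRI-O endpoint, per the TODO on the upstream argument).
# The proxy terminates TLS on 9538 and forwards to that plain-HTTP upstream.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: proxy
  namespace: crio-metrics
spec:
  selector:
    matchLabels:
      name: proxy
  template:
    metadata:
      labels:
        name: proxy
    spec:
      # With host networking, 127.0.0.1 inside the pod is the node's loopback,
      # which is how the upstream below is reached. It also means the listen
      # port is opened on the node itself, not on a pod IP. Requires the
      # hostnetwork SCC granted by the command at the top of this file.
      hostNetwork: true
      serviceAccountName: crio-metrics
      tolerations:
        # Also schedule onto control-plane nodes.
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
      containers:
        - name: proxy
          # NOTE(review): referenced by mutable tag only; pin by digest once
          # the image digest has been verified.
          image: quay.io/brancz/kube-rbac-proxy:v0.9.0
          args:
            # TODO: use https if CRI-O supports it
            - --upstream=http://127.0.0.1:9537
            # Binds every host interface. Access control rests entirely on
            # the proxy's TLS and its token/authorization checks.
            - --secure-listen-address=0.0.0.0:9538
            # NOTE(review): maximum debug verbosity. At this level the
            # Kubernetes client library may log API request bodies, which for
            # a TokenReview would include the caller's bearer token. Confirm,
            # and lower this outside demos.
            - --v=10
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
          ports:
            - name: https
              containerPort: 9538
          # The container shares the node's network namespace and accepts
          # connections from the network, so it gets no more than it needs:
          # no privilege escalation, no capabilities (9538 is an unprivileged
          # port) and an immutable root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /tls
              name: tls
              # Certificate and key are only ever read by the proxy.
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: tls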
---
# In-cluster entry point for the proxy pods: port 443 of the `metrics`
# Service in crio-metrics forwards to the proxy's TLS listener on 9538.
# The `name: metrics` label is what the ServiceMonitor in this file selects.
apiVersion: v1
kind: Service
metadata:
  name: metrics
  namespace: crio-metrics
  labels:
    name: metrics
spec:
  selector:
    name: proxy
  ports:
    - name: https
      port: 443
      targetPort: 9538
---
# Permission a scraper needs to pass the proxy's authorization check:
# GET on the non-resource URL /metrics.
# NOTE(review): a nonResourceURLs rule is not tied to this namespace or to
# this proxy. A subject bound to this role would also pass a GET /metrics
# check on any other component that delegates authorization to the API
# server, so keep the set of bound subjects small.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crio-metrics-client
rules:
  - nonResourceURLs: [/metrics]
    verbs: [get]
---
# Lets the `default` ServiceAccount of crio-metrics read /metrics through the
# proxy. The token Secret in this file belongs to that same account.
# NOTE(review): any pod in crio-metrics that does not set serviceAccountName
# runs as `default` and therefore inherits this permission; a dedicated
# scrape account would narrow that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crio-metrics-client
subjects:
  - kind: ServiceAccount
    namespace: crio-metrics
    name: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crio-metrics-client
---
# Requests a ServiceAccount token for `default` in crio-metrics; the control
# plane fills in the data. The ServiceMonitor in this file presents it as its
# bearer token (Secret `token`, key `token`).
# Tokens issued through a Secret of this type do not expire on their own, so
# treat it as a long-lived credential: restrict who can read Secrets in this
# namespace and delete the Secret to revoke the token.
apiVersion: v1
kind: Secret
metadata:
  name: token
  namespace: crio-metrics
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
---
# Tells Prometheus to scrape the `metrics` Service over HTTPS every 10s,
# authenticating with the bearer token from the `token` Secret.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: metrics
  namespace: crio-metrics
spec:
  selector:
    matchLabels:
      name: metrics
  endpoints:
    - port: https
      scheme: https
      path: /metrics
      interval: 10s
      bearerTokenSecret:
        name: token
        key: token
      tlsConfig:
        # Must match a SAN of the serving certificate (see the SAN list on
        # the `tls` Secret in this file).
        serverName: metrics
        # NOTE(review): the trust anchor is the serving certificate itself
        # (`tls.crt` of the `tls` Secret). That verifies only if the
        # certificate is self-signed or otherwise its own CA; confirm, and
        # switch to the issuing CA if it is not.
        ca:
          secret:
            name: tls
            key: tls.crt