Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #7064 from mrsiano/readersa

Automatic merge from submit-queue.

Add prometheus reader role for lightweight privileges.

Standardise lightweight service account with read\view privileges as "prometheus-reader", for security best practices.
so that "prometheus-reader" sa token will be available especially for monitor purposes.

the main use-case is to facilitate grafana and prometheus integration CI.
OpenShift Merge Robot 7 years ago
parent
6728971c3a 2546bed6d6
commit
ce0bd0f505
2 changed files with 17 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      roles/openshift_prometheus/defaults/main.yaml
  2. 16 0
      roles/openshift_prometheus/tasks/install_prometheus.yaml

+ 1 - 0
roles/openshift_prometheus/defaults/main.yaml
View File 

@@ -15,6 +15,7 @@ openshift_prometheus_node_selector: {"region":"infra"}
 
 openshift_prometheus_service_port: 443
 
 openshift_prometheus_service_targetport: 8443
 
 openshift_prometheus_service_name: prometheus
 
+openshift_prometheus_reader_serviceaccount_name: prometheus-reader
 
 openshift_prometheus_alerts_service_targetport: 9443
 
 openshift_prometheus_alerts_service_name: alerts
 
 openshift_prometheus_alertmanager_service_targetport: 10443

+ 16 - 0
roles/openshift_prometheus/tasks/install_prometheus.yaml
View File 

@@ -39,6 +39,13 @@
 
     namespace: "{{ openshift_prometheus_namespace }}"
 
   changed_when: no
 
 
+# serviceaccount reader
 
+- name: create openshift_prometheus_reader_serviceaccount_name serviceaccount
 
+  oc_serviceaccount:
 
+    state: present
 
+    name: "{{ openshift_prometheus_reader_serviceaccount_name }}"
 
+    namespace: "{{ openshift_prometheus_namespace }}"
 
+  changed_when: no
 
 
 # TODO remove this when annotations are supported by oc_serviceaccount
 
 - name: annotate serviceaccount
 
@@ -57,6 +64,15 @@
 
     resource_name: cluster-reader
 
     user: "system:serviceaccount:{{ openshift_prometheus_namespace }}:{{ openshift_prometheus_service_name }}"
 
 
+# create view role for prometheus-reader serviceaccount
 
+- name: Set view permissions for prometheus reader
 
+  oc_adm_policy_user:
 
+    state: present
 
+    namespace: "{{ openshift_prometheus_namespace }}"
 
+    resource_kind: cluster-role
 
+    resource_name: view
 
+    user: "system:serviceaccount:{{ openshift_prometheus_namespace }}:{{ openshift_prometheus_reader_serviceaccount_name }}"
 
+
 
 
 - name: create services for prometheus
 
   oc_service: